Wednesday, December 12, 2007

battery woes

I'm traveling right now and I am taking along my teeny little 12" PowerBook which has been good to me for many years. Only, this time, I upgraded it to Leopard and I think it messed up my battery stuff. (Also, upgrading may not have been a good idea since Leopard heavily uses CoreImage, and this computer doesn't support it. The 12-incher is also the minimum specs for the OS: 867MHz, 640MB RAM, 32MB GeForce 4MX video).

I noticed that it goes to sleep quickly -- say when the battery was drained less than half -- and it charges quickly. This lead me to believe it might be a power management issue, so I rebooted the machine and reset the PMU and PRAM. No luck. Still problems. I decided to "condition" the battery, or drain it all the way and charge it again, but I planned to monitor the battery status with pmset (a mac os x command line utility). Here's it's output:



sid-stamms-powerbook-g4-12:~ sidstamm$ pmset -g pslog
pmset is in logging mode now. Hit ctrl-c to exit.
12/12/07 4:57:20 AM GMT-05:00
Currently drawing from 'Battery Power'
-InternalBattery-0 98%; discharging; 10:00 remaining
12/12/07 4:57:24 AM GMT-05:00
-InternalBattery-0 97%; discharging; 10:00 remaining
12/12/07 5:05:05 AM GMT-05:00
-InternalBattery-0 96%; discharging; 10:00 remaining
12/12/07 5:14:44 AM GMT-05:00
-InternalBattery-0 95%; discharging; 10:00 remaining
12/12/07 5:25:30 AM GMT-05:00
-InternalBattery-0 94%; discharging; 10:00 remaining
12/12/07 5:34:33 AM GMT-05:00
-InternalBattery-0 93%; discharging; 10:00 remaining
12/12/07 5:45:17 AM GMT-05:00
-InternalBattery-0 92%; discharging; 10:00 remaining
12/12/07 5:54:55 AM GMT-05:00
-InternalBattery-0 91%; discharging; 10:00 remaining
12/12/07 6:03:09 AM GMT-05:00
-InternalBattery-0 90%; discharging; 10:00 remaining
12/12/07 6:11:24 AM GMT-05:00
-InternalBattery-0 89%; discharging; 10:00 remaining
12/12/07 6:19:20 AM GMT-05:00
-InternalBattery-0 88%; discharging; 10:00 remaining
12/12/07 6:20:08 AM GMT-05:00 Sleeping...
12/12/07 6:20:08 AM GMT-05:00
-InternalBattery-0 0%; discharging; 0:00 remaining



Notice how it drops into sleep at 88%, and the perceived status drops to zero... I think either this battery is toast, or Leopard destroyed it. (I verified the full/empty statuses by pushing the meter button on the battery itself, watching the LEDs tell me how full it is.)

Anyhow, I'm going to let it try to charge all night, even though it will surely give up. Maybe the Internets will tell me what's going on, or maybe I'll just use it as a portable desktop computer. I'll follow this post up with results from pmset while charging to see what it tells me.

Here's some info from system profiler about the battery as it begins charging:


Battery Information:

Charge Information:
Charge remaining (mAh): 177
Charging: Yes
Full charge capacity (mAh): 20494
Health Information:
Cycle count: 294
Battery Installed: Yes
Amperage (mA): 2079
Voltage (mV): 12250

Thursday, November 01, 2007

drive-by pharming (kind-of) exists!

TidBITS is reporting a Mac OS X Trojan that masquerades as a QuickTime codec; the idea is that people are told to install this codec to view a sketchy video on the web, then when they do, the "codec" actually manipulates their computer's DNS settings. Very reminiscent of drive-by pharming, but more obvious than a simple CSRF.

Link to more drive-by pharming info.

Friday, September 28, 2007

expensive ice

I have a math problem:

Assume both 1) and 2) are 16 ounce beverages.

1) hot coffee = $1.80
2) iced coffee = $2.30


Let me rephrase:
1) coffee + paper cup = $1.80
2) coffee + plastic cup + ice = $2.30


This means that
plastic cup + ice - paper cup = $2.30 - $1.80 = $0.50

In English, the cost of ice and the cost of using a plastic cup instead of paper is $0.50. But wait, there's more: there is less coffee in the iced coffee since ice replaces roughly 50% of it!

Okay, so this means:
1) 1.0*coffee + paper cup = $1.80
2) 0.5*coffee + plastic cup + ice = $2.30


Thus:
plastic cup + ice = $0.50 + 0.5*coffee


Lets go out on a limb and say that the paper cup costs $0.80, which is probably an extreme upper bound. This makes the equations a bit easier:

1) 1.0*coffee + $0.80 = $1.80 :: 1.0*coffee = $1.00
2) 0.5*coffee + plastic cup + ice = $2.30
  :: $0.50 + plastic cup + ice = $2.30
  :: plastic cup + ice = $1.80


This is friggin' ridiculous. There's no way that a cup costs more than a dollar, you can get a pack of 1000 of the exact cup I'm drinking from for $120; that's twelve cents each. That means that the ice must cost $1.68!!! There's no way it costs that much to make ice, especially when you use it in frappés all day and make it in bulk.

I hope the owner of Java Haute reads this.

Saturday, June 30, 2007

celebrity

This is a random mood construction I wrote after biking along the bay...

The wind tore through the land, causing the million golden, fibers of grass to murmur in gossip. Seagulls hung lazily in the air, craning their necks into the wind, attempting to get ahead of the others. The water rippled, insistently swimming in circles, consuming the algae on the rock-lumped shore.

The hills in the distance slouched in their balcony seats, squinting at the sun as it hung low in the west. The slouching was necessary to avoid the cheese-slice railing of the power lines, long wires segregating the hazy picture into sea and sky.

Alongside the insistent murmurs of the whispering grass stalks, an asphalt carpet rolled out, marking a path for celebrities and holding back the landscape from getting in the way. This swervy pavementrain conducts many elite passengers between venues, allowing a voyeuristic view into the dangerous wild; a view without the bane of submitting to the whispering mass of conspiracy amidst the shores of the bay.

And then: the paparazzi.

Thursday, June 21, 2007

small victory for privacy

"A U.S. appeals court in Ohio has ruled that e-mail messages stored on Internet servers are protected by the Constitution as are telephone conversations and that a federal law permitting warrantless secret searches of e-mail violates the Fourth Amendment."

"ISPs, the ruling states, have 'mere custody' over the e-mail and subpoenaing them 'is insufficient to trump the Fourth Amendment warrant requirement.'"

"[David Rivkin] said that, even given the expectation of privacy, the context of the effort to access the data -- whether it was part of a criminal case or an intelligence-gathering effort, for instance -- had to be considered."

Link

Friday, June 15, 2007

id theif pursuit

The San Francisco Chronicle published an article about an ID-theft victim chasing her ID's thief. The story reads like a great chase scene in a novel! The victim chases the thief for about forty-five minutes through down-town San Francisco.

She didn't really know what she would do if she caught Nelson. "She was a big girl," Lodrick recalled. She told the 911 operator she felt a little scared. The operator said: "If you in any way feel threatened, do not continue the pursuit."

Lodrick told the operator: "No, I'm OK."

San Francisco Chronicle Article

Tuesday, June 05, 2007

the internet is a reflection of self

"The Internet, this place intended for sharing information, has become a place where we go to confirm beliefs we already have."
(on "I read it on the Internet")

"I'm not suggesting we put anonymous bloggers, or anonymous posters in jail..."
(on improving accountability online by jailing originators of anonymous data)

-- Andrew Keen

Thursday, May 31, 2007

interesting visitors


john edwards
Originally uploaded by sidstamm
One of the great benefits of working at Google is the flock of people who come to speak. Yesterday I listened to Michael Griffin, Administrator of NASA, talk about the future of the country's space program. He even showed us pretty pictures of their new plans for a moon rocket.

Later in the day, John Edwards popped in for a "fireside chat," and let us ask him questions. By far, the most interesting part was when he was answering our questions. It was unusual for a politician, but he was more likable when answering off-the-cuff than when he was participating in somewhat scripted discussion with the host. Things I remember: (1) he is going to do fifty billion things in his first six months if he is elected, (2) $3bln for running water, sewer, in other countries, (3) "nice haircut", and (4) "I was a dumbass when I voted for the war in Iraq" [[not a direct quote]].

Friday, May 25, 2007

gsa?

Deep Thought: I wonder if TSA checkpoint guards could use a Google Search Appliance to speed up their bag and pat-down searches. Surely since the GSA allows looking into files' contents, one could see which liquids are dangerous without requiring them to be in a 1-qt see-thru bag...

towel day 07


Towel Day :: A tribute to Douglas Adams (1952-2001)


What are you using your towel for?

Monday, May 21, 2007

Maker Faire


fireballs
Originally uploaded by sidstamm.
Since I'm out in the bay area for the summer (yay!), I'm taking advantage of the events like Maker Faire that are going on. A friend and I popped in on Saturday and had a look around at the cool gadgety-geek things. See my Flickr photo set for more photos...

Anyhow, while there, I ran into Mark Frauenfelder, which was cool, and chatted at him for a little while about this party that he inspired.

Earlier today I was making some coffee in a common area and Cory Doctorow just happened into the same kitchen, sparking a bit of quick conversation before he was whisked away to a meeting.

It's kind of fun being in a place where you can randomly run into all these cool people...

Wednesday, May 02, 2007

09 f9

Two lessons of the day: (1) security by obscurity does not work for simple yet widely popular technologies and (2) if you create the encryption scheme and expect people to keep the key secret, make all the hardware that uses it too (a la Apple's FairPlay).

Thursday, April 12, 2007

fighting the blogger navigation bar

When you host a blog on blogspot or use pretty much any template provided by blogger, an intrusive navigation bar appears at the top of the blog (login button, search box, blog this button, etc). While it's nice, it really prohibits integration with non-blog sites. For example, the blog at Stop-Phishing is hosted on blogspot, but we wanted to integrate it into the main Stop-Phishing webpage to provide a nice seamless design.

Anyhow, this was done with a positioning trick, basically drawing the template and the rest of the blog on top of the navigation bar by setting the z-layer higher than default. Recently, the blogger navbar CSS data changed to put the navigation bar at z-layer 500, drawing it above the template. Of course, we could begin fighting with them and put our template at z-layer 501, but this is a never-ending cycle.

I decided to place our template at z-layer 2147483647 (maximum integer in defined in Mozilla). Now the template is back on top. Lets see what happens next...

Tuesday, February 27, 2007

tax deduction

I started my long journey through this year's very confusing tax situation today. I've got small amounts of income from a decent number of sources, most of which are as an independent contractor, so my work for this year's tax returns jumped threefold. I'm tempted to go to a tax place, but I think I would do just as well on my own (though it would take longer), and I'm too cheap and poor to pay for a CPA.

Anyhow, as I was crunching the numbers, I came across the realization that the 2006 1040 form does not have a line for Tuition and Fees, like the 2005 form did! As a student who makes very little money and has to pay a good chunk of it back into the university for non-remittable fees (roughly 8% of my stipend), I was a bit put out. This was great in the last many years, because I didn't have to itemize my deductions to get the break.

After some digging, I came across IRS publication 970 that describes this deduction MANY times before finally explaining how to take the deduction. For all the other U.S. grad students out there, here's how you do it:

  • Put a T next to the box for line 35. The instructions say to put it on the dotted line, but my copy of form 1040 doesn't have said line.
  • Enter the deduction in the box for line 35.

This is pretty janky. Is it just me, or does this seem like kind of a last-minute "oh crap, we shafted the students, better do something" situation? This thought is further backed up by this tax law change brief that I later found. It mentions how the Tuition and Fees deduction expired, but has been "extended" until 2007.

It's also important to note that there's a cap on how much you can deduct of up to $4000 depending on your gross income. This may or may not be new this year (I don't know).

Monday, February 26, 2007

router attack by analogy

One of the elements of drive-by pharming attacks (or really any attack that attempts to break into your home's router) is router profiling. Basically, once the IP of your router is discovered (say 192.168.0.1), the malicious script attempts to identify what type of router it may be. This can be done in many ways, including image profiling. In essence, some routers will serve images without requiring an administrator to be authenticated, which is really bad. Additionally, http-auth credentials usually remain until a browser window is closed (if you don't often close your browser, you might want to do that now) and will be used by default when accessing pages from a protected resource. This way, even if a password is required, it has previously been entered by the user and can now be used to get into the router.

Anyhow, using this lack of need for password, a script can attempt to load a few images known to be served by different routers, one at a time. If the loads fail, it tries another one. Here's some code that does this:
<img src="http://192.168.0.1/logo.gif" 
onerror="tryNextImage();">

This image tag would be generated and appended to a document by JavaScript, and then when it fails, a new one is plopped in. When one succeeds (you can set an onload event for the image), the router has been profiled, and the default username/password for it can be pulled from a list.

It can sometimes be difficult to access these images on the routers without a password (not all will provide a logo without the user first logging in). It is surely possible to do that on some routers, but not all. So instead of a linear discovery approach (one step at a time), like what an investigating scientist usually does, an attacker can take another approach too: flood the router with configuration change attempts, hoping one works.

Analogy:

The two methods can be considered in this analogy: Say you are flying somewhere with five of your friends who each speak a different foreign language. When you get there, you need to tell the taxi driver who meets you where to take you. You don't know what country you're in, so you don't know which language/friend to use.

A first method is careful: you look at what he's wearing, the car he's driving, and maybe look inside his pockets for an ID or money. Once you've deduced based on this evidence where you are, you can try giving the driver directions in the language that is your best guess. If that doesn't work you can, one at a time, try speaking to the driver in a different language, but if you've done your research you will be right the first time. This is like the one-step-at-a-time approach that you mention. The problem with this is that the driver may not let you see his pockets' contents, so you might need to resort to guessing.

Alternatively, the six of you can all just walk up and start telling him where to go in different languages all at once. He will be a little confused at first, but will respond to one of you, the one speaking the language he recognizes, and that person can tell him where to go. This is the flood approach. It's messy, but you don't have to coordinate your friends and poke around in his car (where he may not let you go).

To take this back to the technology, lets say for example that ten router models make up a good portion of the market. An attacker can take advantage of this. Instead of "profiling" the router (as discussed in the tech report) he can simply try sending the configuration request for one of the ten most popular. If it fails, the code tries again with another request. This keeps going until it works or all requests have been tried. Additionally, all ten might be attempted at once.

Both methods (linear discovery and multiple requests in parallel) are possible, yet the parallel-flooding attempt seems scarier since it requires less investigative work (and much simpler programming) to work.

To boil this down, the drive-by pharming attack is not a completely specified problem. There are many ways to attack home routers from the inside, and many techniques can be used based on the types of targets an attacker may be interested in.


On a lighter note, here are some fun blog comments from Slashdot regarding drive-by pharming:
1) Drive by pharm,
2) Stop. Park.
3) Milk cows.
4) Feed chickens.
5) Slop pigs.
6) Stack hay.
7) Profit.

(Link)

We'll chase off the Pharmers with our phlaming torches and pitchphorks!
(Link)

(Previously: drive-by pharming)

Friday, February 16, 2007

drive-by pharming

If you have not set a hard-to-guess password on your broadband router, do it now. There's a way attackers can compromise your router from the inside using simple JavaScript.

The basic idea is this: you visit a malicious website and it distracts you. While you're distracted (playing a game, reading news, etc), it runs JavaScript code to scan your internal network and identify the IP address of your router. Once discovered, the malicious script can send "reconfiguration requests" to the router to attempt setting the DNS server your network uses. If successful, all DNS queries can be directed through an attacker's server, thus Pharming you. For technical details, please see our tech report, but in brief this attack is not complex.

The solution: make your router's admin password hard to guess.

I recently developed this with Zulfikar Ramzan from Symantec, who forwarded to my advisor (Markus) an interesting Black Hat talk by Jeremiah Grossman. Markus in turn forwarded to me and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.

Symantec PR picked up on what we did, and issued a press release today:
(Symantec Press Release)

Read More:
(Zully's Blog Post)
(Tech Report)


Select Media Coverage:
(Google aggregate)
(Info World -- IDG article)
(Forbes)
(Appscout)
(BroadbandReports.com -- amusing comments thread)
(Washington Post Blog)
(Red Herring)
(Computer World)

Update (16-Feb-07 9:30am ET): The story got picked up by Forbes ad the Washington Post, and the Google News index on "Drive-by Pharming" is roughly fifty-something.

My Favorite Headlines:
Researchers highlight a router route to pharming
New Drive-By Attack Taking Over Home Routers
Broadband routers welcome drive-by hackers
Change Your Router Password NOW!

Update (16-Feb-07 10:30am ET): Slashdot picked it up.

Wednesday, February 14, 2007

storm predictions (update)

Yesterday I made some storm predictions... so far, here are the results:

My car will freeze shut and to the ground
Kinda. Well, the car froze shut, but with a big stick I was able to crack a door open and get into the car. The hood and trunk were sealed shut with a think coating of snow/sleet/ice mix (see photo). After chipping away half an inch of corrugated ice, the sun and my defroster melted the rest covering the windows. I still can't use my rear view mirrors, and it is incredibly tricky to get my trunk open (and it won't open all the way). To put gas in the car, I had to chip at the edges with a key, then pry it open with a metal keychain. The car also did not stick to the ground -- at least not after I picked away most of the ice that was attached to the tires. After a loud snapping noise, my car pulled out of its icy mount.

Trees will fall over (they are currently caked with snow/sleet/ice)
Wrong. I did not witness any fallen trees. I saw some branches on the ground today, and the trees were VERY droopy, but I saw no downed trees.

Power lines will sag and some older poles will droop or fall causing outages
Right. On the news tonight, they were reporting that 47 people in the Bloomington area were still without power due to downed lines, and report that many lost power earlier. I didn't see the effects IN town, but I'm sure some of the older poles toppled out of town due to the heavy layer of ice on everything.

When we dip below freezing tonight, the frequency of car accidents will skyrocket (there are too many people here in town who don't know when to avoid driving).
Probably. I didn't see any accidents in town, but I heard emergency sirens every ten minutes or so until I fell asleep. In the morning I saw a med-evac helicopter.

The story is completely different in Lafayette, where Purdue has canceled school for the second day in a row, and major intersections now look narrow due to the five to ten foot snow piles all over the place. The news said they got 16 inches of snow in the last day and a half! Driving through Lafayette, I wouldn't be surprised if it were more. It's still a big mess! I guess there's nowhere to put all that snow...

Tuesday, February 13, 2007

storm predictions

My predictions for the Feb. 13-14 winter storm in Bloomington, IN:

  • My car will freeze shut and to the ground

  • Trees will fall over (they are currently caked with snow/sleet/ice)

  • Power lines will sag and some older poles will droop or fall causing outages

  • When we dip below freezing tonight, the frequency car accidents will skyrocket (there are too many people here in town who don't know when to avoid driving).


I know I sound cynical, but lets see how many of these come true.

Monday, February 12, 2007

bad security assumption

Good assumption:
My domain (DNS) name is not safe from forgery. Bad people might "hijack" it and use it to pretend they are me.


Bad assumption:
If my domain name is hijacked or spoofed, then I lose control of all the subdomains too. This means that if someone else pretends to be sidstamm.com then they will also take control over blog.sidstamm.com, mail.sidstamm.com and ohcrap.sidstamm.com.


Bad: DNS spoofing is done on the record level, and since each subdomain happens to be a different record, an attacker might control one subdomain and let you retain control over the rest.

Consequence of this: The same-origin policy enforced by most browsers says this: scripts served by one host cannot access, execute or change data served by another host. In this case b.a.com and a.com are considered different hosts.

There is one exception to the rule: a website may change its "document.domain" property to a suffix of what it currently might be. For example, a page served by b.a.com may set its domain to a.com AFTER it is served. In this case, b.a.com can play with a.com's data.

Your data is no longer safe, unless you control all of your subdomains. The case used to be simpler: a phisher or pharmer must create a complete duplicate of a site to fool with it. Now, he just creates a parasite frame, and watches you interact with the real thing. Beware of visiting update-security.yourbank.com.

Scary.

(Link to Abe Fettig's explanation)
(Link to Same-Origin Policy info)

Friday, February 09, 2007

despicable rebate service

I bought something a while ago that was half-price after rebate. Anyway, proud of my purchase I promptly filed the rebates and went on my way. One of the rebate checks still has not arrived, so I called the company (Parago) today.

After navigating through an annoying options tree, I finally got a person and he confirmed exactly what their website had said: the rebate is valid and is scheduled for "final processing." Last time I had called, the service rep said that the rebate terms required at least ten weeks for processing. They got it on the 13th of October (which is probably a bad sign since that's a Friday too), and I called on week 9. The rep said to wait, and it should be out shortly, but refused to give me a time frame.

It's week 17, so I called and asked about the ridiculous wait and the guy said that it is scheduled to be mailed on March 14. Okay, so that is more than five months, or nearly 21 weeks. If I don't have the check in hand by March 19, I will begin emitting smoke from my ears.

Rebate Rule #45: Do not believe you will receive a rebate unless there is a maximum bound on the time it will take. "8-12 weeks" is tolerable, but "at least 10 weeks" is not. Due to the fine print, they could legally keep my money as long as they want.

[[ removed stupid rant ]]

Tuesday, January 30, 2007

registry cleaner?

I installed some Mac OS X updates today, and after they finished I was asked to restart my computer... so being the faithful computer user I am, I did. When I brought FireFox back up after rebooting, an advertisement for Registry Cleaner popped up warning me that my registry needs to be cleaned. Now, I have FireFox set up to remember the sites I was visiting when it is closed, but I don't recall seeing this before rebooting... also, the two pages I was viewing did not come back.

Maybe I'm wrong, but I don't think there's a registry in Mac OS to clean... where did this ad come from?

Monday, January 15, 2007

fellowships, anyone?

I think it's impossible to get a graduate studies fellowship as a 4th year, White, Male, Computer Science PhD student.

Tuesday, January 02, 2007

top 2006 web hacks

Note to self: Look at all the web hacks Grossman posted in the full list contained in his Top Ten post.

Lots of dirty tricks there.