Archive for the ‘Security’ Category

Not Quite A Hack, But Lessons Learned

Monday, June 2nd, 2008

When I woke up this morning, I noticed an email from this site, congratulating me on setting up a new blog. Wondering what the hell that was supposed to mean, I went to this site, only to be greeted with the WordPress install page (wp-admin/install.php), as if no blog existed.

I figured the MySQL on this server had crashed. I wasn’t too worried about it as I’d backed up all my data late last week anyway. I figured I’d give it an hour for the host to sort out and check back later.

By the time I got to work, the site was indeed back up. I logged into WordPress and immediately noticed that the blog title that usually runs the top of the dashboard was now some long URL with words like “casino” and “gambling” in it. All my posts seemed to be there, so I poked around a bit and noticed that the admin email had been changed to a hotmail address.

I quickly fixed this and continued to snoop around, but didn’t find anything else out of the ordinary.

I’m figuring that early this morning, some bot attacked all or a few of the WordPress blogs on my server, ramming it with requests until MySQL bailed. Then, it used the install.php file to try and create a new blog and change the password/contact address. Of course, it failed for the most part, but still…

So, no harm done, but I’m definitely wiser. After an initial blog is created, there’s no reason to keep install.php in your files. I deleted that as well as put several restrictions in place. Much Better.

Here’s a decent list of things you can do to harden and lock down your WordPress install.

My Friendly Neighborhood Identity Thief

Friday, August 24th, 2007

This morning, I left my Apartment of Doom and hit the street, heading for the subway. As I exited my building, I noticed this sketchy guy hanging out near the trash bins. He wasn’t homeless-looking but kind of shabby and shady. He had a ten speed propped against the side of the building and was in the process of putting on a mismatched pair of dirty, old latex rubber gloves. I’m thinking that maybe the guy’s diving for cans to redeem, but I notice he doesn’t have any bags or anything to haul bottles and cans in. What I do notice is that the guy had a black nylon file case tucked under his arm.

I walked to the mailbox to drop off a Netflix DVD and stopped. Something just wasn’t right. So, I turned back and watched the guy from a few feet away. Sure enough, after the gloves were on, he started going through the building’s trash bins, looking through discarded mail and other papers he could find. The fuckwad was looking to boost someone’s identity, maybe get a credit card in their name or some other bullshit. I wish I had my camera with me so I could have grabbed a photo of the shithead. I figured there was no point in calling the cops, since going through trash left street-side is not illegal and if I’d said anything to the guy, he’d have either tripped on me or just biked off to some other building.

I’m really glad there’s a paper shredder at home. I destroy all my mail, except for the junk shit, along with anything else that might have any sensitive information in it. If you don’t have a shredder…get one.

A Tor shirt of my very own

Wednesday, May 9th, 2007

[image: th_tor_front.jpg]I am officially the coolest dude in Brooklyn (in my head at least). I have my very own Tor t-shirt! A few weeks ago one of the developers of the software emailed me to let me know that I had been running a fast Tor server for some time now and he asked me if I wanted a free t-shirt. Naturally I said yes. Soon after, I received a package with the shirt. It’s the coolest, ever. Click the thumbnails if you want a better look at the front and back.

[image: th_tor_back.jpg]Tor is a free program that provides onion routing anonymity for just about any program using the TCP protocol (browsing, blogging, instant messaging, IRC and SSH to name a few of the uses). In this day and age, with privacy rights getting raped, prison-style and draconian governments throwing people in prisons for thought crimes, it’s a good and necessary thing to have and to support. I run Tor on a Linux server (Ubuntu) I rent somewhere in Florida to give back to the network I occasionally use. I don’t really use the server for much, so I don’t limit the bandwidth I give to Tor, allowing it to be one of the faster middlemen in the web of servers that make up the Tor network. I think it’s pretty cool shit.

Tor is available for Linux, Windows and Mac. The project is non-profit and is supported by the Electronic Frontier Foundation and people like you (if you’re cool) and me (I’m so totally neat). You should download Tor, in case you should ever need it. If you have some free bandwidth, consider running a Tor server. You can also help the project by donation. If all of this isn’t your bag of nuts, you might want to think about becoming a member of the EFF and supporting the fight to protect digital rights and privacy. It’s all good shit.

FireGPG - a GnuPG extension for Firefox

Wednesday, April 4th, 2007

I’ve been waiting for an extension like this for years. FireGPG lets you encrypt, decrypt, sign and verify text using GPG from the context menu. Currently, it only works with Gmail, but that’s fine since that’s what I use for most of my important email.

At some point last year, I switched from Gmail’s browser interface to using it with Thunderbird so I could make use of the Enigmail extension, as well as pull in all my other email addresses (work, domains, spam-pits) in one place. I think I’ll continue to use it, but the ability to just browse to Gmail and not have to copy, paste, fire up a terminal, and copy and paste again is absolutely great.

FireGPG currently works with Windows and Linux. OSX is out of luck, but I see on the extension’s page that the developers are actively looking for help in porting it. Awesome.

Your privacy just got punched in the balls

Friday, December 1st, 2006

I’ve got a black feeling this morning after reading that the Supreme Court is requiring all US companies to store employee email and instant messaging. It’s fucking ridiculous, not only in burden of cost for companies to store that data, but in the loss of privacy and reality of its usefulness.

Any way you look at it, it’s a punch in the balls for personal privacy. Slap a jock strap on that shit and be a man. Start using encryption. Check out GPG for encrypting email and personal files. If you use Thunderbird as an email client, there’s a real handy plugin called Enigmail that makes phasing in encryption pretty damn simple. For instant messaging, switch to GAIM (cross-platform), Adium (OSX) or Kopete (KDE Linux). All three have some form of built-in encryption or plugin available. Adium and GAIM both can run OTR, an encryption and plausible deniability plugin. Kopete uses GPG to encrypt and as far as I know, there’s not another client that does that (there’s a plugin for GAIM, but I hear it doesn’t work well with more recent versions).

All these programs are free and open source. If you’re not using anything, I’d suggest you seriously consider it. For web browsing, think about using a proxy, like Tor or if you have the skills or patience to set it up, SSH tunnel to an outside server running squid (here’s a link to how I do it). If you don’t have access to a server like I’ve got, you can run squid on your home computer and connect to it from work. If you don’t have a static IP at home, you can use a free service like No-IP to get access. ISPs don’t like customers running servers out of their home, but if you SSH tunnel it, your chances of getting noticed are pretty nil. I tunnel squid to a remote server I keep and it works very well. I also have Tor installed on all my machines and run it as a server on my remote machine to give back to the network. It’s doubtful you need a proxy for all the web browsing you do in the course of a day at the office, but the option for security and privacy is good to have (not to mention the ability to get around restrictive firewalls).

If you don’t care about all this, so be it. Maybe that’s fine for you. But, depending on who you are and what you do in your life and for a living, you might want to take heed especially if you give a damn about your personal rights and privacy.

Privacy or pancakes

Wednesday, November 29th, 2006

You know someone’s got their head up their ass when they demand you hand over a photo ID to get some pancakes. You’ve got your head shoved even farther up your own ass if you actually hand your driver’s license off just because you need some shitty breakfast.

I’ve never been to an IHOP and never plan on it. I do enjoy the occasional pancake, but asking me to hand over my identification to some minimum wage tool of a security guard will generate a clear directive to go fuck yourself with a rusty, sharp object. I noticed that in the article linked above there’s a quote that the IHOP dude had around forty IDs in his hand, which I find to be completely ridiculous. People in Quincy, Mass. are either really fucking stupid or they really, really love their IHOP.

Good security starts with getting rid of Windows

Wednesday, November 15th, 2006

I just read this article on security advice by Kevin Mitnick and I’m equal parts pissed and laughing at it. It’s a classic case of ignoring the elephant in the room and it really makes me wonder where Mitnick’s integrity is since I don’t think he’s a particularly stupid person.

He starts the article with the old “We live in dangerous times. Evil hackers can attack you with their viruses!” line and then proceeds to outline ten steps he feels will increase your safety and security. Some are common sense recommendations that I agree with:

  1. Back up everything
  2. Choose strong passwords
  3. Be diligent with applying security updates
  4. Use encryption for sensitive data
  5. Disable unused services
  6. Use a firewall/router to restrict/limit access to your machine
  7. Encrypt your wireless networks with uber-strong passwords using WPA

All these points I agree with. All are basic, simple, common sense things everyone should do, but often do not. His other recommendations are what give me pause:

  8. Use commercial antivirus products
  9. Use one or more anti-spyware applications
  10. Avoid Internet Explorer and disable scripts in your email client

This is where I completely disagree. Recommendations 8-10 can be simplified to one step:

  1. Stop fucking using Windows already


Getting ban-happy with DenyHosts

Wednesday, October 25th, 2006

Several times a day, computers somewhere in India or China (usually) launch brute force and dictionary attacks on my server to try and get SSH access. To anyone running their own server who regularly browses their SSH logs (/var/log/secure or /var/log/auth.log, depending on your distro) this is old news. Checking my logs, I’d see 80-100 failed login attempts from a single IP address trying a whole ass-load of non-existent user names and passwords.

I have SSH locked down fairly well, with remote root logins off and password authentication disabled in favor of RSA based keys. However, I opted to leave SSH on the default port 22, which undoubtedly accounts for all the attacks. Usually, I’d place the offending IP in my /etc/hosts.deny file, banning it for eternity with an “ALL:[bad IP address]”. Still, this meant that I banned them after the fact.

So, I installed DenyHosts. It’s a python script that can run as a daemon, monitoring my /var/log/auth.log for login attempts using non-valid users and/or passwords. After a few failed or invalid logins, the attacking IP is automatically added to /etc/hosts.deny, nipping a prolonged attack in the bud—just the way I like it.

DenyHosts is highly configurable, letting you specify all types of rules such as how many failed logins are allowed before banning, specifics of what services to ban and for how long (hours, years, eternity). You can have DenyHosts email reports to you and also have it synchronize against a master list of bad IPs that’s bolstered by over 4,000 users. It’s pretty damn cool. In one day, I had three separate attacks, promptly caught and banned.
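As an added illustration of what a DenyHosts-style monitor does with the log lines described above (this is example code written for this page, not DenyHosts’s own source), the script below tallies sshd failures per source address from a few constructed /var/log/auth.log lines and emits the same “ALL: address” entries the post adds to /etc/hosts.deny by hand. The separate thresholds for invalid users, valid users and root mirror DenyHosts’s approach, but the parameter names, the documentation-range IP addresses and the log lines are assumptions constructed for the example. It keys on sshd’s “Invalid user” lines, which still appear when password authentication is switched off, as in the setup described in this post.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines. The addresses are from the
# RFC 5737 documentation ranges and do not belong to real hosts.
SAMPLE_AUTH_LOG = """\
Oct 25 03:14:07 vps sshd[12345]: Invalid user oracle from 203.0.113.45
Oct 25 03:14:09 vps sshd[12345]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Oct 25 03:14:11 vps sshd[12346]: Invalid user test from 203.0.113.45
Oct 25 03:14:13 vps sshd[12346]: Failed password for invalid user test from 203.0.113.45 port 51236 ssh2
Oct 25 03:14:15 vps sshd[12347]: Invalid user admin from 203.0.113.45
Oct 25 03:14:17 vps sshd[12348]: Invalid user guest from 203.0.113.45
Oct 25 03:14:19 vps sshd[12349]: Invalid user postgres from 203.0.113.45
Oct 25 03:15:01 vps sshd[12350]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Oct 25 03:16:22 vps sshd[12352]: Failed password for bob from 198.51.100.7 port 40130 ssh2
Oct 25 03:20:40 vps sshd[12360]: Failed password for root from 192.0.2.200 port 33012 ssh2
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port")


def attempt_counts(lines):
    """Tally failed logins per source IP into three buckets: invalid user, root, valid user."""
    counts = defaultdict(lambda: {"invalid": 0, "root": 0, "valid": 0})
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            counts[m.group(2)]["invalid"] += 1
            continue
        m = FAILED_PASSWORD.search(line)
        if not m or m.group(1):
            # "Failed password for invalid user" follows an "Invalid user"
            # line for the same attempt, which was counted above already.
            continue
        user, ip = m.group(2), m.group(3)
        counts[ip]["root" if user == "root" else "valid"] += 1
    return dict(counts)


def offending_ips(lines, threshold_invalid=5, threshold_valid=10,
                  threshold_root=1, allowlist=()):
    """Addresses whose failures crossed a threshold, minus an allowlist of
    addresses you administer from (so a typo on your own side never locks you out)."""
    banned = []
    for ip, c in attempt_counts(lines).items():
        if ip in allowlist:
            continue
        if (c["invalid"] >= threshold_invalid
                or c["valid"] >= threshold_valid
                or c["root"] >= threshold_root):
            banned.append(ip)
    return sorted(banned)


def hosts_deny_entries(ips):
    """Render /etc/hosts.deny lines in the same "ALL: address" form used in the post."""
    return ["ALL: %s" % ip for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_entries(offending_ips(SAMPLE_AUTH_LOG.splitlines())):
        print(entry)
```

Run against the sample, the script bans 203.0.113.45 (five invalid-user attempts) and 192.0.2.200 (one root attempt) and leaves 198.51.100.7 alone, since one failed password for a real account is not yet evidence of an attack. Writing the entries into /etc/hosts.deny is left to a privileged daemon, as DenyHosts does; the allowlist is the check worth keeping whatever tool you use.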

Running Tor means I’m a “hacker” and a “thief”

Thursday, October 19th, 2006

[image: Tor]I’ve been running Tor, the anonymous proxy service championed by the Electronic Frontier Foundation, on a remote server I rent. I wanted to chip in to the Tor project and effort and I thought that one of the easiest ways to do it would be to run a Tor server and help strengthen the network. For a brief but detailed explanation of what Tor is, how it works and why you should use it, check this.

So, I set it up, letting Tor run as an exit node, meaning that my server was allowed to be one of the exits among the chain of servers that work together as the Tor network. To paint a picture, this means that if someone in China requests a web page through the Tor network, my server could be one of several out there that make that request at the end of the chain and delivers the page into the network and ultimately, back to the person. Hence, my server’s IP address would show in the logs of the site hosting said page as having requested it.

Over the past few months, it’s been fine. Tor runs along, does its thing and I pay it no mind. I received one polite email from a guy in Germany concerned that someone had used my server to abuse his message board. I clarified that I run Tor, that occasionally someone might abuse the proxy service, and that I keep no logs and therefore cannot be responsible, nor provide any information about who did what, when and whatnot. The likelihood of the offending person coming back to his message board for further mischief using my server was very low given the way Tor works. He replied that he checked his logs and yes, it did look like the person used Tor and further scrutiny showed that he had in fact come back a few times, using other Tor servers. I recommended that if he was concerned and didn’t want to deal with it, he could block Tor users from his site. It ended amicably and all went back to normal.

Yesterday, I came home to find a terse email from my server host, telling me my account was in jeopardy of being shut down due to abuse complaints received. Slightly alarmed, I read through and noticed that the complaints were attached.

Apparently, some guy in the UK is complaining that someone with my server’s IP address (I don’t think he realizes it’s a server and thinks it an end-user…basically me) “hacked” his website and downloaded some of the products he sells without paying. The guy demanded that I be banned immediately or “legal action will ensue”. Here, read it yourself:

EXIF, jhead and the joys of hidden thumbnails

Friday, June 30th, 2006

I was doing some reading about EXIF data and came across a quirk that I’ve been having some fun fooling around with.

Most digital cameras embed EXIF data into every image, listing such things as the type of camera, date and time the photo was taken and other details as well as a thumbnail of the image so that the file previews faster.

Most of the time, this information is lost or at least updated when an image is edited. However, sometimes the original EXIF data will carry over. Depending on the editing tool or circumstance, an image file that’s been cropped, re-sized, oriented or otherwise edited will sometimes still carry an embedded thumbnail of its original state, fresh off the digital camera.

There are a few tools out there for pulling the thumbnails out of an image’s EXIF data. I decided to use jhead with my Kubuntu laptop (there are OSX and Windows clients as well, but I’ve never used them). After installing, fire up a terminal and type:

jhead -st 'thumbnail-output-filename' 'desired-image.jpg'

If there is a thumbnail embedded in the image it will be extracted to whatever filename you specify. You can then view it with whichever program you choose.

Now understand that there may not be a thumbnail and nine out of ten photos that do have them will be exact miniatures of their parent files. Still, one out of those ten photos can yield some interesting shit. Just take a minute to think of the various and plentiful reasons why a person or organization may need to edit, obscure or otherwise change an image’s original state and you might get the point of this.

To give an example, I took this image from Wikipedia (mainly because it’s not under some restrictive copyright and is work-safe) and after saving it locally, used jhead to extract the EXIF thumbnail, giving me the image below.

[image: An example of an EXIF thumbnail.]If you compare the thumbnail below to the image linked in the paragraph above, you can clearly see that it has been rotated ninety degrees right with parts of two additional statues and a window being completely cropped out of the image.

Here’s a link to a page where someone uses a script to search the internet, checking for and displaying images with EXIF thumbnails whose dimensions are not perfectly scaled (like the file has been cropped or otherwise changed since its creation) and displays them for your amazement/boredom.
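To show what jhead -st actually digs out, and what the dimension check described in the paragraph above is looking for, here is an added example in Python that is not part of the original post and not jhead’s or the linked script’s code. It walks the JPEG marker segments, finds the APP1 “Exif” segment, follows the TIFF header to IFD1 and pulls the bytes that tags 0x0201 (JPEGInterchangeFormat) and 0x0202 (JPEGInterchangeFormatLength) point at. It goes one step past the post by comparing the thumbnail’s aspect ratio with the main image’s, the same heuristic the linked script uses to spot cropped files. Because no real photo can be embedded here, the sample “files” are constructed stubs with valid marker structure and frame headers but no picture data; everything labelled as constructed below is an assumption of the example.

```python
import struct


def _segments(data):
    """Yield (marker, payload) for each length-prefixed JPEG segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte between markers, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):   # EOI or SOS: no more header segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Parse one TIFF IFD: return ({tag: raw 4-byte value field}, offset of the next IFD)."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, _type, _n = struct.unpack(endian + "HHI", tiff[pos:pos + 8])
        entries[tag] = tiff[pos + 8:pos + 12]
        pos += 12
    (next_ifd,) = struct.unpack(endian + "I", tiff[pos:pos + 4])
    return entries, next_ifd


def extract_exif_thumbnail(jpeg):
    """Return the EXIF thumbnail referenced from IFD1 (tags 0x0201/0x0202), or None."""
    for marker, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                 # all EXIF offsets are relative to the TIFF header
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        (ifd0_offset,) = struct.unpack(endian + "I", tiff[4:8])
        _ifd0, ifd1_offset = _read_ifd(tiff, ifd0_offset, endian)
        if ifd1_offset == 0:
            return None                    # no IFD1, so no thumbnail
        ifd1, _ = _read_ifd(tiff, ifd1_offset, endian)
        if 0x0201 not in ifd1 or 0x0202 not in ifd1:
            return None
        (start,) = struct.unpack(endian + "I", ifd1[0x0201])
        (length,) = struct.unpack(endian + "I", ifd1[0x0202])
        if start + length > len(tiff):     # never trust offsets from the file blindly
            raise ValueError("thumbnail offset/length point outside the EXIF segment")
        return tiff[start:start + length]
    return None


def jpeg_dimensions(jpeg):
    """Return (width, height) from the first SOF0/SOF1/SOF2 frame header."""
    for marker, payload in _segments(jpeg):
        if marker in (0xC0, 0xC1, 0xC2):
            height, width = struct.unpack(">HH", payload[1:5])
            return width, height
    raise ValueError("no frame header found")


def aspect_ratio_mismatch(main_dims, thumb_dims, tolerance=0.05):
    """True if the thumbnail is not a scaled copy of the main image (ratio differs > tolerance)."""
    (mw, mh), (tw, th) = main_dims, thumb_dims
    main_ratio, thumb_ratio = mw / mh, tw / th
    return abs(main_ratio - thumb_ratio) / main_ratio > tolerance


# --- constructed sample files: valid marker structure and frame headers, no picture data ---

def _sof0(width, height):
    body = struct.pack(">BHHB", 8, height, width, 1) + bytes([1, 0x11, 0])
    return b"\xff\xc0" + struct.pack(">H", len(body) + 2) + body


def stub_jpeg(width, height, exif_payload=b""):
    app1 = b""
    if exif_payload:
        app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    return b"\xff\xd8" + app1 + _sof0(width, height) + b"\xff\xd9"


def exif_with_thumbnail(thumb):
    """Big-endian TIFF: IFD0 carries Orientation=6 (rotated), IFD1 points at the thumbnail."""
    ifd0_off = 8
    ifd1_off = ifd0_off + 2 + 12 + 4             # one entry in IFD0
    thumb_off = ifd1_off + 2 + 2 * 12 + 4        # two entries in IFD1
    ifd0 = (struct.pack(">H", 1) + struct.pack(">HHI", 0x0112, 3, 1)
            + struct.pack(">H", 6) + b"\x00\x00" + struct.pack(">I", ifd1_off))
    ifd1 = (struct.pack(">H", 2)
            + struct.pack(">HHII", 0x0201, 4, 1, thumb_off)
            + struct.pack(">HHII", 0x0202, 4, 1, len(thumb))
            + struct.pack(">I", 0))
    return b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + ifd1 + thumb


ORIGINAL_THUMB = stub_jpeg(100, 150)   # constructed: the camera's thumbnail of the untouched shot
EDITED_PHOTO = stub_jpeg(300, 200, exif_with_thumbnail(ORIGINAL_THUMB))  # constructed: cropped, EXIF kept


def analyse(jpeg):
    """Summarise what an auditor wants to know before publishing the file."""
    main = jpeg_dimensions(jpeg)
    thumb = extract_exif_thumbnail(jpeg)
    if thumb is None:
        return {"main": main, "thumbnail": None, "suspicious": False}
    tdims = jpeg_dimensions(thumb)
    return {"main": main, "thumbnail": tdims, "suspicious": aspect_ratio_mismatch(main, tdims)}


if __name__ == "__main__":
    print(analyse(EDITED_PHOTO))
```

On the constructed sample the main frame is 300x200 while the carried-over thumbnail is 100x150, so the ratio check fires, which is exactly the pattern behind the rotated-and-cropped Wikipedia example above. Two caveats for anyone running this over their own files before uploading them: a plain rotation also inverts the ratio without any cropping, so read the Orientation tag before drawing conclusions, and the cleanest fix for a file you intend to publish is to strip the thumbnail outright (jhead has an option for that) rather than to reason about it.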

So many wacky possibilities. Go spend some time on Flickr, Friendster, or MySpace. Try it on documents that have had sections digitally blacked out for confidential reasons. Go forth and be snoopy.