A Contemporary Technology Catches Up With Ancient Rome

It’s generally accepted that the contemporary world is more technologically advanced than the ancient one. The Etruscans may have dreamed of space travel, but they were unable to transport themselves to Schenectady, New York, let alone the moon. Yet we can’t be too smug. Sure, we carry the Internets in our pockets and heat our meals in seconds, but we can’t touch ancient Rome when it comes to concrete.

Throughout the Mediterranean basin, there are ancient harbors constructed with 2000-year-old Roman concrete that remain more or less in perfect functioning condition. And as we gaze about the remnants of the ancient world, we see aqueducts, roads and buildings that have survived remarkably well over time. When we compare these structures with our own, we find contemporary concrete sadly lacking.

Roman concrete was superior to our own and now scientists understand why:

The secret to Roman concrete lies in its unique mineral formulation and production technique. As the researchers explain in a press release outlining their findings, “The Romans made concrete by mixing lime and volcanic rock. For underwater structures, lime and volcanic ash were mixed to form mortar, and this mortar and volcanic tuff were packed into wooden forms. The seawater instantly triggered a hot chemical reaction. The lime was hydrated — incorporating water molecules into its structure — and reacted with the ash to cement the whole mixture together.”

The Portland cement formula crucially lacks the lime and volcanic ash mixture. As a result, it doesn’t bind quite as well when compared with the Roman concrete, researchers found. It is this inferior binding property that explains why structures made of Portland cement tend to weaken and crack after a few decades of use, Jackson says.

 

Posted in Technology | Leave a comment



How To Stop A WordPress Dictionary Attack

You guys! Lest we forget, Your Joe Dog was under attack!

Apparently there’s a widespread dictionary attack that uses tens of thousands of malwared computers to attack WordPress sites. Your Joe Dog uses WordPress as a CMS. Your Joe Dog was attacked!

The extent of the attack was not initially clear. I was alerted by sluggish performance. I noticed a lot of POSTs to wp-login.php. Those POSTs appeared in the access log like this:

92.47.65.37 - - [17/Jun/2013:09:06:42 -0400] "POST /wp-login.php HTTP/1.0" 
200 3444 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/2010 Firefox/19.0"

I have a script that allows me to quickly block IP addresses with iptables. So I started harvesting addresses and blocking them. Done and done.

Except the attacker seemed to have an endless supply of IP addresses. The attack persisted no matter how many addresses I blocked.

Take a look at the log entry above. The referer field is empty. A Joe Dog Fellow suggested I block all POSTs that don’t include a referer. After all, you don’t POST out of the blue – you submit a form in your browser. I blocked those types of requests with a simple mod_rewrite rule:

 RewriteCond %{REQUEST_METHOD} =POST
 RewriteCond %{HTTP_REFERER} ^-?$
 RewriteRule ^/(wp-login.php|wp-admin) - [F,NS,L]

Done and done. Amiright? Sadly, no….
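
To see why address blocking could not keep up while the request signature stayed constant, the access log can be tallied by that signature. This is an added example, not code from the original post; the sample lines are constructed, and the function and variable names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Same targets and the same empty-referer test as the mod_rewrite rule above.
TARGET_RE = re.compile(r'^/(wp-login\.php|wp-admin)')
EMPTY_REFERER_RE = re.compile(r'^-?$')

# Constructed sample lines (documentation address ranges), not taken from the real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2013:09:06:42 -0400] "POST /wp-login.php HTTP/1.0" 200 3444 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [17/Jun/2013:09:06:43 -0400] "POST /wp-login.php HTTP/1.0" 200 3444 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jun/2013:09:06:43 -0400] "POST /wp-login.php HTTP/1.0" 200 3444 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Jun/2013:09:06:44 -0400] "POST /wp-login.php HTTP/1.0" 200 3444 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [17/Jun/2013:09:06:45 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.99 - - [17/Jun/2013:09:06:46 -0400] "GET /wp-login.php HTTP/1.1" 200 3444 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

def summarize(lines):
    """Tally login POSTs by whether the empty-referer rule would deny them."""
    per_ip = Counter()            # POSTs the rule matches, keyed by source address
    with_referer = unparsed = 0   # login POSTs the rule lets through / unreadable lines
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1
        elif m["method"] == "POST" and TARGET_RE.match(m["path"]):
            if EMPTY_REFERER_RE.match(m["referer"]):
                per_ip[m["ip"]] += 1
            else:
                with_referer += 1
    return {
        "rule_matches": sum(per_ip.values()),
        "sources": len(per_ip),
        "busiest": per_ip.most_common(1),
        "with_referer": with_referer,
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high `sources` count with a low per-address total in `busiest` is the distributed pattern described above: each address sends too few requests for per-IP blocking to matter, while one signature rule covers them all.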

Continue reading “How To Stop A WordPress Dictionary Attack” »

Posted in Security, Wordpress | 5 Comments



Quick Trivia

Q: Who are the highest paid employees on the Pentagon budget?
A: The football coaches at Army, Navy and Air Force.

Posted in Uncategorized | Leave a comment



Your Joe Dog Is Under Attack

This site has been under attack for several weeks now. The attacker is using an unthrottled brute force dictionary attack. He seems to have an unlimited supply of IP addresses. After examining some of the source addresses, I’ve concluded that we’re on the wrong end of a botnet.

I’ve been harvesting IP addresses and blocking them as fast as I can. I’ve also added Rewrite rules to deny these attempts based on his request signature. Those rules reduce overhead since his requests won’t generate database transactions. Yet no matter how many timeouts he gets and no matter how many Access Denied responses he endures, the attacks persist.

Because this dictionary attack is unthrottled, the effect is, at times, not unlike a DoS attack. Your Joe Dog is a public service with shallow pockets. We simply don’t have the resources to eat these attacks and provide you with snappy service. Bear with us as we deal with this asshole.

UPDATE: While it provides additional inconvenience, I applied an access control to the page he’s attacking. You can protect a single file inside a FilesMatch block like this:

 <FilesMatch "wp-login.php">
   AuthType Basic
   AuthName "Kiss my fscking ass"
   AuthUserFile /path/to/my/file
   Require user franklindelanoroosevelt
 </FilesMatch>

Obviously, some of that information was obfuscated but “Kiss my fscking ass” really is the realm I’m using.

The benefit to this approach is two-fold: 1. Apache doesn’t expend much effort to say, “401 gimme a password!” 2. If this layer is cracked, he still has to bust the next one before I reset the password on the first one….

 

Posted in Security, Wordpress | 1 Comment



Digging His Grave

“He’s digging his own grave with a very large spade.”

– Kevin Egan, an extradition attorney, on the revelation that Edward Snowden divulged NSA hacking activity inside China.

Posted in Security | Leave a comment



Mountains of NSA Data

Last week the Guardian broke the news about Prism, an NSA data mining project in which the security agency harvests transaction records with the cooperation of private telecoms and internet companies. While it’s illegal to eavesdrop without a warrant, the NSA is harvesting conversational meta-data: calling records, email transactions and credit card swipes. This is basically the stuff you’d find in server logs.

The news was greeted with simultaneous outrage and indifference. Some were tremendously bothered by the news while others shrugged and said “meh.” Your Joe Dog’s congressman emailed to say he was greatly bothered by the news. Really? Then why didn’t you email constituents after any one of the thirteen briefings you had on the subject?

Five years ago, the NSA was probably incapable of doing much with all the data it collected. Just managing its information would have been a full time job. Since it began its surveillance programs, the NSA has brought up a series of large data centers to warehouse its records. The biggest, its Death Star, was constructed at Camp Williams, Utah.

The agency also improved its ability to effectively use this information. As the New York Times reports, NSA is working with Silicon Valley big data experts to efficiently sift through its transaction records. Its algorithms search for patterns and alert human agents when they match the hallmarks of terrorist activity.

And this is where it gets eerie.

From a study published in Nature, we learn that just four points of phone data are necessary to pinpoint the caller’s location with 95% accuracy. The average person leaves many breadcrumbs that reveal his whereabouts: cell phone data, EZ-Pass transactions, credit card purchases, ATM transactions, etc. Using information from cell towers, the agency can pinpoint your altitude right to the floor you’re sitting on at this moment. (I’ll save you some trouble: I’m currently on the third).

If you’d prefer to keep your location a secret, then, yes, this program is a concern. Unfortunately, it appears to be perfectly legal. You can have modern conveniences like cell phones, EZ-Pass, credit and debit cards or privacy. Pick one.

 

 

Posted in Security | Leave a comment



Siege and the Single Cookie

An emailer wondered if siege could be configured to refuse cookies. I had a vague recollection on the matter. My brain cells were all, “Yeah, sure, you can disable cookies.”

The best place to look for more esoteric features is inside $HOME/.siegerc. If you don’t have one, you can generate a new one with this command: siege.config. That command will place a new one inside your home directory. ‘siege.config’ is designed to build a resource file which is compatible with your version of the program.

I checked the latest version of that file and I found nothing to disable cookies. Really? That seems like a no-brainer. Why wouldn’t we allow users to disable that? “Sorry,” I replied. “Siege can’t disable cookies.”

Yet my own response was bothersome. I was certain you could turn that off so I checked the code with ‘egrep cooki *.c’. Sure enough, siege parses siegerc for ‘cookie’ which accepts true or false. The latter disables cookie support.

Documentation for this feature has been added to siege-3.0.1-beta4. The feature itself is available in just about every contemporary version of siege that’s floating around the Internets. Just add ‘cookies = false’ to your siegerc file to disable their support.

Posted in Applications, Siege | 2 Comments



The Chinese Military Is Hacking US Infrastructure


The New York Times reports that a large percentage of Chinese cyber attacks on American targets originate from inside the same small neighborhood that features a Chinese army headquarters building. The headquarters, a large white office tower in Shanghai, is surrounded by restaurants, massage parlors and a wine importer. It is the only structure in the neighborhood capable of housing a large number of sophisticated cyber attackers. This all but confirms the Chinese army is behind the American attacks.

The hackers, known in the US as the Comment Crew, were traced to Shanghai by Mandiant, a US security firm hired by the NY Times. The New York paper hired Mandiant to end infiltration of its network last year. The Virginia firm traced that attack and hundreds like it to the Shanghai neighborhood that houses the base, known as P.L.A. Unit 61398.

The firm was not able to confirm the attacks originated inside the building, but the probability is very high.

“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”

Sure, it’s possible that an enterprise scale hacking effort led by mainland Chinese with direct access to Shanghai telecom infrastructure has set up shop inside one of the restaurants by Unit 61398. Now that they’ve been exposed we’ll just wait for the Chinese government to shut them down. That should happen any minute now. Yep … any … minute … now. Who are we kidding? The Chinese are attacking us!!

Posted in Security | Leave a comment



We’re Number One!

nixCraft selected siege as the Number One Greatest Open Source Terminal Application of 2012. We’re not sure what that means other than AWESOME! It’s been a long road to 2012 greatness. The project began in late 1999 and was released into the wild in early 2000. Since then, it has been developed and shaped by countless people from all corners of the globe.

Even though siege is a very esoteric program, its source code is downloaded around 50,000 times a year. Binaries are distributed by most major Linux vendors. One day a co-worker wanted to run a test from a new server so he asked if I could get him some binaries. Before I could react to the request, he said, “Nevermind.” He ran ‘apt-get install siege’ and got it from the vendor. That was a pretty cool moment for reasons other than the fact that it saved me some work.

Let’s be clear. This isn’t my recognition. It’s our recognition. For twelve years siege has been a community project and its direction will continue to be shaped by the people who use it. “Now let’s eat a god damn snack.” — Rex Ryan to the siege community.

Posted in Applications, Siege | 1 Comment



Apple’s New Locking Screws

As residents in the Information Age, we consider ourselves clever sorts. We no longer waste hours on bar stools arguing about the year of Joe DiMaggio’s 56 game hitting streak. Before someone rebuts with his second “nuh-uh” we’ve smart-phoned the answer: 1941

But are we right?

I just got the answer by Googling. Like most people, I clicked the first link of the search results. In many cases, that link goes to Wikipedia and this was no exception. The free encyclopedia is an excellent source of information but like all sources, it’s prone to error. So unless our bar bet is substantial, we probably won’t cross reference the findings. “I guess the next round is on me…”


Was this new Apple proprietary locking screw designed to keep customers from opening their phones? (© 2012 Imgur, LLC)

That was certainly the case when a Swedish firm broke the news about Apple’s new iPhone screws. They were designed specifically to prevent its owner from opening the phone. Given Apple’s penchant for limiting access to the owners of its products, the story struck a nerve. It was picked up by MacWorld, Wired and Yahoo and spread across the Internets.

There was just one problem: the story wasn’t true. Oh, it was truthy. It struck most readers as the type of thing Apple would do but it was a hoax all the same.

The locking screws were fabricated by a Swedish company named Day4. Their intent was to see how easily they could spread disinformation. They designed a peculiar screw and posted it to Reddit along with the following message: “A friend took a photo a while ago at that fruit company, they are obviously even creating their own screws.”

That’s it. Neither Apple nor its phone were mentioned in the message. But Day4’s timing was excellent. iPhone 5 is expected to be announced in September and tech media outlets are jonesing for information. If those outlets had cross-referenced their information, they would have discovered it was all from a single source. That should have raised red flags. Would those flags have halted publication? I don’t know. Everyone wants to be first with a scoop.

In the Information Age, it is too frequently consumers – not distributors – who must perform integrity checks. When a politician stone-cold misrepresents information, the media rarely corrects his inaccuracies. Instead it notes that the other side disagrees. Instead of a debate in which we’ve established the facts, we tend to argue with two separate sets of “facts.”

On this site, I’m not driven to publish scoops. The Day4 prank is already several days old. All the code and configurations you’ll find here were tested before publication. My facts are generally double-checked. And with regard to the event that accompanies this story, you can confidently assert that Joe DiMaggio batted safely in 56 straight games back in 1941. That information is confirmed by multiple sources….

Posted in Tech Media | Leave a comment


