Hackers Have Your Ashley-Madison Account Information

It’s a bad time for cheaters. Two months after Adult Friend Finder was compromised, Ashley-Madison was also hacked. The online infidelity broker was breached by a group known as “The Impact Team.” They now have account information for all of Ashley-Madison’s thirty-seven million users. Unless the website is permanently shut down, the “group” plans to release this information to the public:

Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.

How many members do you think comprise “The Impact Team”? Their demand sounds like the work of a nerd scorned. It sounds like a guy whose woman hooked-up with help from Ashley-Madison. He’s bitter and he wants the site removed. Your JoeDog will answer that question with his guess: it’s a team of one.

Ashley-Madison is a multi-million dollar industry. There’s no chance that Avid Life Media shuts down the site. The Impact Team will soon release that data and we’ll be treated to a lively news cycle. The list probably includes a sitting Senator or two….

Note: You can find the Adult Friend Finder database information here.

[Krebs: Online Cheating Site Ashley-Madison Hacked]



There’s Room For One More

Daying Sead SeaThe Daying Dead Sea is a man-made pool beneath a very large dome in Sichuan, China. The pool was constructed at the same latitude as the Middle Eastern dead sea. Its water is treated so matches its natural counterpart. With forty-three different minerals and microelements and twenty-two percent salinity, bathers float freely on the surface much like they do in the Middle East.

On July 11th, over 8000 people from all parts of China flocked to the pool for relief from this summer’s punishing heat. As far as we can tell, the pool’s motto is “There’s always room for one more.” Enjoy.

[The Economist]



Siege and NTLM Authentication

Sorry about the radio silence. Your JoeDog has been turning caffeine into code again. We’ve applied some patches to siege. Thanks to Rob, we fixed a potential segfault. Thanks to Kaspar, you guys can post from files that contain null bytes.

We’re also working on NTLM authentication. That’s the stuff Microsofties like to use when they configure IIS. At the moment, support is next to worthless. You can successfully authenticate but it doesn’t maintain session. So it works great for -g/–get requests but don’t expect to lay siege with it.

Your JoeDog wanted this code in the main branch so it was available to other developers. It does no harm to include this partially broken implementation. NTLM Authentication didn’t before today. Now it partially works. Baby steps, people. Baby steps.

Much of the implementation was stolen from wget-1.16. Their implementation was stolen from libcurl. The first rule of open source is this: never reinvent the wheel. Our problem does not involve hashing passwords into something IIS understands. The wget/libcurl code performs just fine. We’re having trouble maintaining session after authentication.

There’s a chance we’ll bundle a source distribution soon but in the meantime, siege-3.1.1 is available on GitHub:  JoeDog / Siege



New York City Skyline During Easter 1956

The NYC skyline during Easter of 1956.
The NYC skyline during Easter of 1956. There would probably be an uproar today. ‪ #‎HeIsRisen‬.

See that photograph at the top of this here blog entry? It’s currently making the rounds through social media along with the caption below it. A fellow Dogger brought it to our attention. There was something about the image that didn’t sit well with him. We agree.

First things first. Yes, there would be some uproar if this happened today. The US is more diverse now than it was sixty years ago. There might be fewer gripes if they celebrated all religious holidays along with Easter. Although that might be even messier. If contemporary uproar is your concern, imagine what would happen if they displayed a crescent during Ramadan.

Second things second. It’s entirely possible that something like this did occur in 1950s New York. Your JoeDog used to live in Manhattan and he’s seen a wide array of light-oriented messages. It wouldn’t surprise him at all if Easter was crossy then.

New York City skyline 1950s postcard

Still, something doesn’t sit right. The tall building in the middle no longer exists but Your JoeDog found it in a contemporary postcard for sale on eBay.

We can see that structure here on the right. Of the three tallest buildings depicted here, the Chrysler Building is in the foreground and the Empire State Building (ESB) is to the rear. This means we’re looking at Manhattan over the East River from Brooklyn. Therefore the third tallest building in this group sits to the south.

In the photo with the Easter crosses, we find ESB on the left and Chrysler on the right. That means the crosses are north of us. Now consider the middle building. It’s north of both ESB and Chrysler. How is that possible? In the postcard it’s clearly to the south. Was the photo reversed? That’s possible but then buildings get taller as you near the river. That may have been accurate in 1956 but it’s not now.

So Your JoeDog isn’t sure what to make of this viral photograph. If the thought of a crossy New York puts a spring in your step, then who is he to harsh your mellow? At the same time, he wishes we would apply a little more scrutiny to items we pass through social media. It’s jungle of misinformation out there.



Leap Seconds And Siege

If you’re the kind of person who likes to close a bar on a Tuesday night, then good news for you! There are discrepancies between the amount of time it takes us to round the sun and the clocks we use to measure it. In order to correct those discrepancies, we add a second every once-in-a-while. That once-in-a-while is now! We add a second at midnight.

If this was a normal night, the sequence to midnight would look like this:

  2015-06-30 23.59.57
  2015-06-30 23.59.58
  2015-06-30 23.59.59
  2015-07-01 00.00.00
  2015-07-01 00.00.01

But this ain’t no normal night, mister. Tonight we add an additional second. That sequence looks like this:

  2015-06-30 23.59.57
  2015-06-30 23.59.58
  2015-06-30 23.59.59
  2015-06-30 23.59.60 <-- leap second
  2015-07-01 00.00.00
  2015-07-01 00.00.01

So if closing time arrives at Midnight, you can say to the bartender, “Not so fast, Jeeves! I’ve got another second!”

But let’s say — and why the hell not? — that instead of drinking beer, you like testing servers into the wee hours of the morning. What is siege going to do at 23:59:60? To be honest, I have no idea. Chances are your server won’t leap until its next NTP update. All transactions that occur during the adjustment will probably be skewed a second too long. (It might be a good idea to run the update manually)

NOTE: So how do you sync your Linux laptop with one of the government’s atomic clocks? Just use the time server at the National Institute of Standards. You can do that with the ntpdate command like this:

Bully # ntpdate time.nist.gov 
30 Jun 17:34:36 ntpdate[3977]: adjust time server 128.138.141.172 offset -0.026286 sec


Did The St. Louis Cardinals Hack Into Another Team’s Database?

Get A Brain! Morans - Did St. Louis Hack the Astro's databaseYour JoeDog roots for the Pittsburgh Pirates. They are a major league baseball team in the same division as the St. Louis Cardinals. On June 16, the New York Times broke a bombshell story about the Cardinals. They were under investigation by the FBI for breaking into a Houston Astros database.

That seems like an odd choice, right? At the time of the 2013 breach, the Astros weren’t particularly good. They weren’t even in the same division as the Cardinals. Yet they did have something with which St. Louis was familiar, a General Manager named Jeff Luhnow. He worked with the Cardinals before he was hired by Houston in 2011.

When Luhnow was with the Cardinals, he built a computer system known as Redbird. It was a large database filled with scouting information and player analysis. In Houston, he built a similar system called Ground Control. It was basically Redbird under a different name. So St. Louis was familiar with the system but by 2013 they didn’t have Luhnow’s updated information. Did they breach Houston’s computers in order to obtain it? The FBI thinks that’s possible.

One of FBI’s supoenas sought information on the IP addresses from which the attackers logged into Ground Control. It is believed those addresses point directly to the Cardinals or Cardinals’ personnel. The breach itself wasn’t particularly sophisticated. The attacker just stone cold logged in with a password. Again, this takes us back to St. Louis.

Remember, Luhnow used to work with the Cardinals. He brought several Cardinals’ employees with him to Houston. There’s a pretty good chance they had dormant accounts back in St. Louis. Those accounts had login credentials. If any of those former Cardinals employees reused their credentials in Houston, St. Louis had everything it needed to break in.

In the worst case for computer security, St. Louis stored its passwords in the clear (or an employee left a sticky note on his desk). With this information, all they needed to do was log in. If passwords were stored in a secure hash, then St. Louis could have downloaded a password cracker like John The Ripper to get the goods.

This goes beyond anything Tom Brady did. This is no Deflategate. If the accusations hold, then people in St. Louis committed wire fraud, computer hacking, corporate espionage and theft of trade secrets. Those crimes are punishable with incarceration. The guilty won’t find a low level equipment manager to take the fall for this one. The stakes are way too high for that.



We’re Here, We’re Rainbowy. Get Used To It.

GitHub prideIf you’re the sort of person who gets fifty kinds of upset over boys marryin’ boys, then Your JoeDog has a helpful tip: don’t visit GitHub.com today. The company changed its logo background so it would be all rainbowy — OMG, that’s the queer color!!1! You have to be logged in to see it. The main page still contains a boring grey background.

The Pridetocat image — which appears in the upper left corner of this post — actually pre-dates Friday’s ruling. In early June, GitHub began selling Pridetocat t-shirts. All proceeds from the sales of those shirts go to Lesbians Who Tech, Maven, and Trans*H4CK (pronounced “transhack”). According to GitHub, those organizations help educate, connect and empower LGBTQ people in tech.

Now Your JoeDog is generally on top of contemporary anagrams but he never saw a Q in LGBT before. What does that stand for? According to a The USA Today article it can be either Queer or Questioning. At JoeDog Industries, we feel it’s not our place to decide which Q applies to any particular person. And who cares, really? We’re busy turning coffee into code. So back to hacking….



A YouTube Algorithm Can Award Your Channel To Others

Matthew Lush lost his youtube channel to an algorithmYour JoeDog doesn’t have a YouTube channel but he certainly wastes enough time on there. He loves tennis instruction videos, Ramones shows and old George Carlin specials. It’s an amazing repository of video archives.

Matthew Lush, on the other hand, does have a YouTube channel. He’s a UK video blogger who’s been distributing content on that website since 2005. In that year, he registered a channel under his last name. To his fans, he was /lush as in youtube.com/lush. Easy to find, easy to remember.

Matthew Lush makes a living from advertisements associated with his channel. In order to drive traffic to it, he embeds the address in all his videos. He sold bracelets and other merchandise with the URL on it. For Matthew Lush the URL was everything.

A few weeks ago, a UK company named Lush Cosmetics set up its own YouTube channel. They requested and received /lush for their channel name. The decision to transfer Matthew Lush’s URL to Lush Cosmetics was made by an algorithm.

Google told the BBC that a program awarded Lush Cosmetics the URL based on data from YouTube, Google+, its search engine and other sources.

Matthew Lush wants the URL back but his options are limited. To begin with, it was never his property. YouTube’s namespace belongs to YouTube. They can manage it as they please. His fans have petitioned Lush Cosmetics to return it to him but that relies on the benevolence of a board of directors.

YouTube considers Matthew Lush a valued creator and they’ve agreed to help pay marketing costs associated with the move. On some level that seems pretty generous we don’t have enough detail to make a fair assessment.

There really are no good options for this type of namespace distribution. If you award URLs on a first come, first serve basis, then you invite squatters to sit on namespace for ransom. If you award them by other means then you risk this type of situation.

Your JoeDog suggests you don’t rely on the kindness corporations. If namespace is important, then make sure you own it. Matthew Lush could have bought a domain and redirected it to his YouTube channel. You should do the same.



How Much Is Your Site Worth?

joedog.org is worth $23.5KAccording to Site Price, Your JoeDog is worth $23,503.00 Awesome! They arrived at this price based on a variety of factors: Google PageRank, Daily Visitors, Facebook Shares and Ad Revenues. According to Site Price, Your JoeDog makes $9.00 a day in ad revenue. Double awesome!

Hey, wait a minute!!! This site makes considerably less than that. Who’s siphoning Your JoeDog’s ad revenues?? Could it be: GOOOOO-GLE??!!

To discover how many bazillions of dollars your site is worth, just enter it’s main URL at siteprice.org



Parse The Version Number With Ant

“The best programmers are all alike; every shitty programmer is shitty in his own special way.” –Anna Karenina

Earlier Your JoeDog mentioned a trait of good programmers. They model data so each element is stored in only one location. This principle is known as a Single Source of Truth. To illustrate that principle, he pointed to siege’s version numbering. The number had to be available in both the program and its helper scripts. In order to uphold SSoT, he stored the number in version.c and parsed that file with a helper script.

Here’s an astonishing fact: not everyone loves the C programming language. Some of you are Java weenies! Fear not, weenies, for you we have another example.

Same problem, different language. We want to store the version number in one location but it must be available for two mechanisms. The first mechanism is the program itself. That’s important, right? It helps answer the question “Which fscking version am I running?” The other mechanism is ant. When we build our jar file we’d like to add the version number to its name, i.e., pinochle-1.0.7.jar.

Let’s examine this is closer detail after the jump.

Continue reading Parse The Version Number With Ant