
Joe Dog Software

Proudly serving the Internets since 1999

Al Qaeda’s Porn

In 2011, an al Qaeda operative named Maksud Lodin was arrested in Berlin. Among his possessions was a memory card that contained, among other things, a porn video called KickAss. While that may have raised eyebrows — “a religious holy warrior is carrying beat-off material?” — it wasn’t what authorities were after. To them the “good stuff” is actionable intelligence. According to die Zeit, they found it. Federal police recovered al Qaeda documents that were hidden on the card. Where? They were embedded in the film.

In total, the Germans recovered 141 separate text documents hidden within a .mov file. The discovery confirmed a long-standing hunch that al Qaeda used steganography to hide its information in plain sight. The public was outraged and horrified. “OMG! Al Qaeda is embedding shit inside our porn!!11!1!!”

Your JoeDog was reminded of al Qaeda’s porn when he stumbled across timeshifter. It’s a small utility that lets you embed messages in regular network traffic. How does it work? By modifying the time intervals between packets, @anfractuosus is able to hide messages in plain sight. The system relies on binary encoding. A short delay means 0 and a long delay means 1. By sending messages in this manner, the transmission is unlikely to arouse suspicion.

To implement this system, you’ll need the libnetfilter_queue library and the ability to set iptables rules. All the code is available along with detailed instructions. Check it out.
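To make the short-delay/long-delay scheme concrete, here is an added example (my own code, not part of the Timeshifter project) that simulates the channel and then runs the crude check a defender could apply to packet inter-arrival times. The delay values and the “natural” traffic are constructed, not measured.

```python
# Added example (my own code, not part of the Timeshifter project): a
# simulation of the two-delay timing channel described above, plus a crude
# check a defender could run over packet inter-arrival times. All delays
# are constructed values in seconds, not measurements of real traffic.
from collections import Counter

SHORT, LONG = 0.05, 0.30   # assumed gap for a 0 bit and a 1 bit

def gaps_from_message(msg: str) -> list[float]:
    """Sender side: one inter-packet gap per bit of the message."""
    bits = "".join(f"{b:08b}" for b in msg.encode())
    return [LONG if bit == "1" else SHORT for bit in bits]

def message_from_gaps(gaps: list[float]) -> str:
    """Receiver side: classify each gap against the midpoint threshold."""
    threshold = (SHORT + LONG) / 2
    bits = "".join("1" if g > threshold else "0" for g in gaps)
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    return data.decode(errors="replace")

def two_level_score(gaps: list[float]) -> float:
    """Defender side: fraction of gaps within 10% of the two most common
    gap values (rounded to 10 ms). Real traffic jitters across many values;
    a channel that only ever waits SHORT or LONG scores close to 1.0."""
    counts = Counter(round(g, 2) for g in gaps)
    modes = [m for m, _ in counts.most_common(2)]
    near = sum(1 for g in gaps if any(abs(g - m) <= 0.1 * m for m in modes))
    return near / len(gaps)

# Constructed "natural" gaps: spread evenly between 50 ms and 570 ms.
NATURAL_GAPS = [0.05 + 0.01 * ((i * 7) % 53) for i in range(100)]

if __name__ == "__main__":
    covert = gaps_from_message("hi")
    print(message_from_gaps(covert))          # hi
    print(two_level_score(covert))            # 1.0
    print(two_level_score(NATURAL_GAPS))      # well below 1.0
```

A real sender would add jitter to blur the two levels, so the score is a starting point for a hunt, not a verdict.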

[anfractuosity: Timeshifter]



The Security State

So imagine — because why the hell not — you returned to your vehicle after a concert in Washington D.C. Police are everywhere. Your windows are bashed in and your new cookware is exploded into little tiny pieces. That would be odd, huh? Well, that’s what happened to an Alexandria man this week. He returned to his car and found his shit was destroyed by local law enforcement.

Huh?

Your JoeDog read many accounts of this incident. As best as he can tell this is what happened: Around 5:00 p.m. on Sunday, officers on foot noticed a vehicle that they characterized as “suspicious in nature.” It was parked along a public street. What made it suspicious? The vehicle contained a pressure cooker and other “items of concern.”

What’s not clear is how those items were stored. Were they in bags or out in the open? Was this the result of a shopping trip or something more nefarious? The investigation continued and officers became more suspicious. An “odor of gasoline was detected.” Interesting. A vehicle with an internal combustion engine emitted an odor of gasoline. So then what happened?

The bomb squad arrived and police broke into the vehicle and blew up all the shit inside. Catastrophe averted! The country remains safe and sound. So what did they protect us from? After destroying everything in the car, police conducted a thorough investigation to determine exactly what they saved us from. They conducted a thorough “hand search” of the vehicle and concluded their investigation “with negative results and nothing hazardous found.”

In other words, they saved us from a shopping trip.



Nice Computer – Shame If Something Happened To It

LabMD is a cancer testing center in Atlanta, GA. In 2010, someone compromised its security and pulled its medical records. Soon after the break-in, LabMD was contacted by Tiversa, a cyber security firm who offered to sell them emergency incident response services. LabMD refused. Tiversa told the firm they’d notify the FTC unless the company hired its services. Again, LabMD refused.

Tiversa made good on its promise and contacted the FTC. The government agency pursued the measure to its fullest. LabMD was sucked into a lengthy legal battle which eventually bankrupted the company. There’s just one problem with this story: the hack never happened. Tiversa made the whole thing up….



Cyber Threats Against Surgical Robots


Things that would suck for one thousand, please, Alex.

Imagine — and why the hell not? — that you need an emergency appendectomy. Yours is about to explode because why-do-we-even-have-those-things? You are rushed into the operating room and placed on a table beneath a curious apparatus. “Get me a nerd, stat!” Somebody shouts.

A man in surgical clothing greets you. “Relax,” he says. “I’ve done a million of these.” He pushes a button and a mask drops and smothers your face. The man’s credentials don’t match what your parents expected from their emergency room staff. The “doctor” is a computer operator, a Microsoft Certified Surgeon from ITT Tech. Your procedure begins when he selects “Appendectomy” from a drop-down menu. It is performed by a robot that immediately goes to work, carving into your body in search of an inflamed appendix.

Suddenly the robot orders silicon. Unexpected noises fill the room as the augmentation unit fires up. “WTF?” the operator types into his IRC session. “This thing’s going haywire.” Everyone in the channel responds in a similar manner: “LOL!” they type back. “This is serious shit!!!1!1!”, he anger-types. “ROTFLMAO!” they reply.

The robotic knives withdraw from your abdomen. The apparatus glides on tracks as it works its way towards your chest. It starts to make cuts around your nipples. The operator is agog; his jaw drops and he’s unsure what to do. The augmentation unit descends and attaches to your chest. Silicon starts flowing. The operator starts smashing his keyboard. “Why does this shit always happen on a Friday afternoon??!!” he screams. “LOL!” the IRC channel says.

So what happened? The hospital didn’t keep its goddam software up-to-date. The surgical robot was hacked. And now you have lady tits because 4Chan was in need of some afternoon LOLz.

Sound far-fetched? A team of researchers at the University of Washington in Seattle just hijacked a teleoperated surgical robot and documented its security vulnerabilities in a new white paper. Great! As if surgery wasn’t stressful enough, here’s one more thing to think about.

At least the guys at 4Chan gave you big ones. (They’re a little obsessed with breasts over there…)



HTTPS Happy Nice Time

As you may have noticed, here at JoeDog Enterprises Incorporated Ltd ESQ Inc., we switched from http to https last weekend. Exciting!

We warned you that such a move could be accompanied by unintended consequences. But keep in mind, not all side effects are bad. Just like painkillers can provide a little glow along with relief, some changes can provide unintentional benefits. Here’s the story of one of them.

This morning we noticed skiddie activity. That’s not unusual. Every morning we notice skiddie activity. Some asshole from 192.210.220.2 in Williamsville, NY is running an attack right now. Our http logs are filling with this activity:

192.210.220.2 - - [20/Apr/2015:08:32:35 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

See that 302? That means our http virtual host is issuing a redirect to https. Here’s the thing: He doesn’t appear in the https logs. That means his stupid skiddie script is too dumb to follow the redirect. For the past hour he’s done nothing but cause meaningless redirects …

… and now he’s blocked.
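The “redirected on http, absent on https” pattern is easy to turn into a log check. Here is an added example (my own code, not the site’s own setup) that parses combined-format lines from both virtual hosts and lists clients that keep POSTing to xmlrpc.php, get a 301 or 302, and never turn up on the https side. The log lines and IP addresses below are constructed placeholders.

```python
# Added example (my own code, not from the site's own setup): flag clients
# that keep POSTing to xmlrpc.php on the http host and get redirected, yet
# never show up in the https log, i.e. scripts that do not follow the
# redirect. Log lines below are constructed in combined-log format; the
# IP addresses are documentation-range placeholders.
import re
from collections import Counter

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

HTTP_LOG = """\
203.0.113.7 - - [20/Apr/2015:08:32:35 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2015:08:32:36 -0400] "POST /xmlrpc.php HTTP/1.1" 302 213 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Apr/2015:08:32:37 -0400] "POST /xmlrpc.php HTTP/1.1" 301 213 "-" "Mozilla/4.0"
198.51.100.4 - - [20/Apr/2015:08:40:01 -0400] "GET /index.html HTTP/1.1" 302 213 "-" "Mozilla/5.0"
"""
HTTPS_LOG = """\
198.51.100.4 - - [20/Apr/2015:08:40:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(log: str):
    """Yield one dict per parseable combined-log line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def redirect_ignorers(http_log: str, https_log: str,
                      path: str = "/xmlrpc.php", min_hits: int = 3) -> dict:
    """IPs with at least min_hits redirected requests for `path` on the
    http host and no request at all on the https host."""
    redirected = Counter(r["ip"] for r in parse(http_log)
                         if r["path"] == path and r["status"] in ("301", "302"))
    seen_on_https = {r["ip"] for r in parse(https_log)}
    return {ip: n for ip, n in redirected.items()
            if n >= min_hits and ip not in seen_on_https}

if __name__ == "__main__":
    print(redirect_ignorers(HTTP_LOG, HTTPS_LOG))   # {'203.0.113.7': 3}
```

Feed it real access logs with open() and the result is a ready-made block list; a legitimate client that follows the redirect lands in the https log and is left alone.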

UPDATE: Those 302s are now 301s as per Tim Funk’s recommendation. If skiddie can’t follow 302, he can’t follow 301 either….

UPDATE: That’s weird. My linky text is recommendation — as in “Tim Funk’s recommendation” — but magic is turning it into “Tim Funk’s 1 comment.”



Which Side Are You On?

During the First World War, the Ottoman government systematically killed 1.5 million Armenians. If you ever want to anger a large number of Turkish people, refer to that event as “genocide.”

On Sunday, New Pope did exactly that.

“In the past century, our human family has lived through three massive and unprecedented tragedies,” the Pope said at a mass to commemorate the 100th anniversary of the Armenian massacres. “The first, which is widely considered ‘the first genocide of the 20th century,’ struck your own Armenian people.”

It was a sentiment that didn’t sit well with a Turkish “hacker” known on twitter as @THTHerakles. On Monday, he brought down New Pope’s website. Writing in the first-person plural, he explained that it will remain down until New Pope apologizes.

“Taking sides and calling what happened with the Armenians genocide is not true. We want Pope to apologise for his words or we will make sure the website remains offline,” he said.

I suppose there are two sides to every issue — even genocide. The pope’s against it. Which side are you on, @THTHerakles?

As of this writing, the Pope’s website remains unreachable.

UPDATE: As of 10:38 EDT, New Pope is back online. It looks like he scaled vertically. There are now four A records for www.vatican.va. On each he has an apache server which is forwarding requests back to Oracle iPlanet. It’s just like New Pope to straddle the worlds of open source and corporate opulence.



The Number of the Beast

On April 24, 1980 the Maragos Brothers, Peter and Jack, walked into a Philadelphia bar with a platinum-blonde and a fistful of dollars. While Peter wagered large sums of money on the Pennsylvania lottery, Jack spoke loudly in a foreign language on a pay phone near the bar. At one point, he turned the phone toward his brother so it could capture the sound of the lottery machine as it printed daily number tickets.

This struck the bartender as odd.

That night Nick Perry was working the Pennsylvania lottery as an on-camera announcer. The first drawing was the daily number. “Six,” Perry said as a ball was selected on the first machine. And now the second number: “Six,” he said. Finally the third number matched the other two. Six-six-six was one of the numbers the Maragos Brothers wagered a lot of money on.

Nick Perry was born Nicholas Pericles Katsafanas, a son of Greek immigrants. He spoke the language fluently. So did Jack Maragos. It was the language he used on the pay phone in that Philadelphia bar. The bartender started to put two-and-two together and alerted authorities. Nick Perry and the Maragos brothers had rigged the Pennsylvania lottery.

Perry enlisted the help of WTAE art director Joseph Bock who created weighted ping-pong balls to use in the drawing. Bock weighted all the balls except four and six. In Philadelphia, the Maragos Brothers bet every combination of those numbers: 444, 446, 464, 466, 644, 646, 664, and 666. It was the devil’s own number that delivered that day.

Now Eddie Raymond Tipton appears to be walking in Nick Perry’s footsteps. The former information-security director of the Multi-State Lottery Association is accused of tampering with the lottery. As a condition of employment, Tipton was not allowed to play the lottery, but on Dec. 23, 2010 he appears to have done exactly that. Tipton was filmed buying a ticket at a QuikTrip convenience store. That night, his number hit. The ticket was suddenly worth $14.3 million.

Iowa authorities accused Tipton of using his privileged position to tamper with the machine. According to them, he inserted a thumb drive that altered the random number generator and allowed him to control the outcome. Good stuff.

His trial is now under way….



ISIS Unleashes Its Skiddies

The FBI released a Public Service Announcement, you guys. According to the bulletin, ISIS skiddies have started attacking WordPress installations. They’re trying to exploit known vulnerabilities in an attempt to grab your personal and financial information.

Well, tell them to join the fscking club.

This site has been attacked so many times, that we’ve applied for Veterans’ benefits. Without checking the logs, we can confidently say that some asshole’s attacking it now. Why can we confidently say that? Because some asshole’s always attacking it!

The most frequent assault is a dictionary login attack. They pound the login page with an endless stream of login attempts. Here’s how we thwarted that one.

Your best defense against these dicks is to keep your software up-to-date. If you operate in a specific region, you could always firewall off large parts of the globe. If we blocked Asia, we’d reduce attacks by over 50%. Don’t worry, Asia. We love you. But please get your software up-to-date.



Enter Sandman

Let’s face it. Online appliances are designed for the lowest common denominator. Consider an average person’s intelligence. Half of a manufacturer’s customers are dumber than that. If they lock down a device too securely, they’re just setting themselves up for a lot of service calls. We all know how manufacturers feel about service calls.

Last week a Minnesota couple got a lesson in device security. One night they were lying in bed and music started wafting into their bedroom. It appeared to come from the nursery where their infant slept. That’s odd, right? When an infant gets its hands on music it’s more likely to eat the CD than put it in a player and hit “start.”

It turns out the music was coming from the Netherlands. Wait a second – you said they lived in Minnesota! Here’s what happened: The couple entered the room to investigate. The music stopped when they opened the door. Suspecting a speaker associated with their Foscam nanny-cam, they used its software to check for web sessions. They found one associated with an IP address registered in Amsterdam. Someone from that city had attached themselves to their nanny-cam and was watching them inside their house. Creepy!

This couple wasn’t alone. They discovered private interior scenes from inside homes throughout the world. “There’s at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens,” she told KTTC. “Every place that people think is sacred and private in their home is being accessed.”

It’s not clear how the camera was compromised. Foscam recommends your firmware be upgraded to the latest version so it could have been a bug. But they also recommend you change the default username and password so it could have been user negligence. Beyond that, they recommend placing the daemon on an alternative port and checking your logs at regular intervals. Sounds like these things were pretty insecure….

[KTTC: Nanny-cam Hacked For World To See]

[Foscam: How To Secure Your Device]




You Cannot Be Serious??!!

NQ Vault is an extremely popular app. It has more than 30 million users worldwide and it’s the recipient of many great reviews on Google Play. It’s a free download and the pro upgrade costs $19.99.

The app is supposed to help secure your personal data. NQ’s website refers to the mechanism that protects those files as “strong encryption.” Is it? That depends. Do you consider XOR strong encryption?

XOR is a pretty common component in complex ciphers. By itself, XOR is easy to implement and requires little processing power. With a constant repeating key, it can be a quaint hack with which to hide files. As a security hacker recently discovered, this is how NQ implements its file protection.

ninjadoge24 encrypted a small png image using NQ Vault. He then examined the file in a hex editor. To his surprise it was only partially encrypted. It struck him as a substitution pattern. A thought quickly entered his head: “What if it’s just XOR? Like just fuckin’ XOR?”

To test his hunch, he entered the hex value of the unencrypted file into a hex calculator and applied XOR to it. Guess what? It matched the NQ Vault’s “encrypted” values.

Decrypting XOR is trivial. If you visit ninjadoge24’s blog, he’ll show you how to brute force your way through it.
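Here is why it is trivial, as an added example (my own code, not NQ’s and not ninjadoge24’s). Every PNG begins with the same eight signature bytes, so anyone holding an XOR-“encrypted” image already knows the plaintext for the start of the file, and XOR undoes itself: ciphertext XOR known plaintext is the key. The “vault” routine and the key below are constructed stand-ins.

```python
# Added example (my own code, not NQ's or ninjadoge24's): why a constant
# repeating-key XOR is not encryption. The "vault" below is a constructed
# stand-in; the key is made up. Because every PNG starts with the same
# 8-byte signature, the key falls out of the first bytes of the ciphertext.
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The scheme under discussion: byte-wise XOR with a cycling key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: c ^ p == k wherever the plaintext is known.
    Needs key_len <= len(known_prefix)."""
    if key_len > len(known_prefix):
        raise ValueError("not enough known plaintext for that key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))

def find_key(ciphertext: bytes, known_prefix: bytes, max_len: int = 8) -> bytes:
    """Try every key length; the right one reproduces the known prefix."""
    for n in range(1, max_len + 1):
        k = recover_key(ciphertext, known_prefix, n)
        if xor_repeating(ciphertext[:len(known_prefix)], k) == known_prefix:
            return k
    raise ValueError("no repeating key up to max_len explains the prefix")

# Constructed "image": the real PNG signature followed by filler bytes.
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\rIHDR" + bytes(range(32))
SECRET_KEY = b"\x3c\xa7\x19"          # made-up 3-byte key

if __name__ == "__main__":
    vault_file = xor_repeating(SAMPLE_PNG, SECRET_KEY)
    key = find_key(vault_file, PNG_SIG)
    print(key == SECRET_KEY)                                      # True
    print(xor_repeating(vault_file, key) == SAMPLE_PNG)           # True
```

No brute force is even needed for keys no longer than the signature; longer keys just need a longer known prefix, and the fixed IHDR chunk header that follows the signature supplies a few more bytes.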

Honestly, this should be considered a mother fscking crime. NQ claimed this app used “strong encryption” but you could bust it with all the computing power that’s generated by a hamster wheel.