Hacked

So my wife received a spam from herself. At first I thought it was one of those spams where the “From:” was forged to be the same as the recipient, but a closer look revealed that it was actually from her hotmail to her yahoo account and to another dozen of her friends. Uh-oh.

So what happened? Was this a cross-site request forgery (CSRF) attack? She wasn’t logged into hotmail at the time that the email was sent. However, that doesn’t necessarily mean anything: there have been various CSRF attacks where the account is backdoored to send mail elsewhere, and a subsequent password reminder request could then give the attacker the goods. Or her session could have still been active even though the tab was long gone.

Was it spyware? Windows Defender didn’t find any, and we run XP apps in unprivileged user mode (which is a huge PITA, but that’s another story). It probably was not a dictionary attack, since her password is reasonably strong. It could be the case that her password was simply stolen, possibly from another site where the password was reused.

I’m late to the party, but I imagine CSRF and related attacks are still very under-appreciated at the moment, and that’s particularly worrisome with all of the Web 2.0 applications about. Hotmail should know the score, but who knows. As my mind mulls over the possibilities of such a bug in gmail, and the fact that I have three sessions open in it from various computers at the moment, I’m glad I have nothing of value in my gmail account and still use my own domain with mutt for official email. Stories like this one will only become more common. What if your confidential documents, stored on Google Docs, get surreptitiously emailed to everyone you’ve ever done business with?

So, I guess the moral is: get thee a password generator, and remember to log out of webmail!

Open, sorta

I’m glad to see that the not-so-openness of Android is finally getting some press. As someone whose code is included in the phones’ firmware (though surely compiled out, heh), I very much agree with Harald Welte in the first linked article. And that guy bluest on lifehacker sure has really smart comments.

Oh well. I’ll wait for someone to hack it.

Breakout

You haven’t played breakout until you’ve played it in all its low-resolution glory on the side of a building. Which is exactly what my wife, my brother-in-law, and I did in Toronto while we were visiting for Canadian Thanksgiving. The installation was part of project blinkenlights by the Chaos Computer Club. Every window in the city hall building had a lamp that would turn on or off to form a giant pixelated screen. You would call a number on a cell phone to start a game, then use the keypad to move the paddle around. Each game would last a minute, or in my case, the 10 secs it took to lose. Very neat!

(I think in this image, the ball is in the lower left corner and the dot above the paddle on the right is just an artifact. But I could be wrong — it could just be me losing, again.)

SYSRQ on MacBook

Lately I’ve really needed SysRq in situations where /proc/sysrq-trigger just doesn’t do the job, and my MacBook is missing lots of crusty old XT-era keys. Finally, I know how to do this!

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/input.h>   /* KEY_SYSRQ, EVIOCSKEYCODE */

#define USAGE_CODE 0x070044 /* USB HID usage: keyboard page 0x07, F11 = 0x44 */

int main(void)
{
    int codes[2];
    int fd = open("/dev/input/by-id/usb-Apple_Computer_Apple_"
                  "Internal_Keyboard_._Trackpad-event-kbd", O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    codes[0] = USAGE_CODE; /* scancode as the usbhid driver reports it */
    codes[1] = KEY_SYSRQ;  /* keycode it should produce from now on */
    if (ioctl(fd, EVIOCSKEYCODE, codes) < 0) {
        perror("EVIOCSKEYCODE");
        return 1;
    }
    close(fd);
    return 0;
}

Awesome. Supposedly, a tool called keyfuzz is also efficacious.
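Two things the snippet above leaves to the reader: the remap is only useful if the magic SysRq functions are actually enabled in `/proc/sys/kernel/sysrq`, and nothing confirms the new mapping took. The following is an added example, not code from this post: it does the same remap, reads the mapping back with `EVIOCGKEYCODE`, and checks the `kernel.sysrq` mask first. The device path is the one from the post and is assumed; like the original it needs root (or write access to the event node).

```c
/* Added example, not from the original post: remap F11 -> KEY_SYSRQ, verify
 * the mapping with EVIOCGKEYCODE, and check the kernel.sysrq mask first.
 * The device path is assumed (copied from the post); run as root. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/input.h>

/* Bits of the kernel.sysrq mask (Documentation/admin-guide/sysrq.rst).
 * 0 disables everything, 1 enables everything, any other value is a mask
 * of the function groups below. */
#define SYSRQ_BIT_LOGLEVEL  2
#define SYSRQ_BIT_KEYBOARD  4
#define SYSRQ_BIT_DUMP      8
#define SYSRQ_BIT_SYNC      16
#define SYSRQ_BIT_REMOUNT   32
#define SYSRQ_BIT_SIGNAL    64
#define SYSRQ_BIT_BOOT      128
#define SYSRQ_BIT_RTNICE    256

/* Mirrors the kernel's sysrq_on_mask(): 1 allows all, otherwise test the bit. */
int sysrq_mask_allows(int mask, int bit)
{
    return mask == 1 || (mask & bit) != 0;
}

/* Pack a HID usage page and usage id into the scancode usbhid reports:
 * page << 16 | usage. Keyboard page 0x07, F11 = 0x44 gives 0x070044. */
int hid_usage_code(int page, int usage)
{
    return (page << 16) | usage;
}

/* Read the current kernel.sysrq mask; -1 if the file cannot be read. */
int read_sysrq_mask(const char *path)
{
    FILE *f = fopen(path, "r");
    int mask;
    if (!f) return -1;
    if (fscanf(f, "%d", &mask) != 1) mask = -1;
    fclose(f);
    return mask;
}

/* Install scancode -> keycode on an evdev node, then read it back.
 * Returns the keycode the kernel now reports for scancode, or -1. */
int remap_and_verify(const char *dev, int scancode, int keycode)
{
    int codes[2];
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;

    codes[0] = scancode;
    codes[1] = keycode;
    if (ioctl(fd, EVIOCSKEYCODE, codes) < 0) { close(fd); return -1; }

    codes[0] = scancode;          /* EVIOCGKEYCODE: scancode in, keycode out */
    codes[1] = 0;
    if (ioctl(fd, EVIOCGKEYCODE, codes) < 0) { close(fd); return -1; }
    close(fd);
    return codes[1];
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] :
        "/dev/input/by-id/usb-Apple_Computer_Apple_"
        "Internal_Keyboard_._Trackpad-event-kbd";   /* assumed, from the post */
    int mask = read_sysrq_mask("/proc/sys/kernel/sysrq");
    int got;

    if (mask < 0) {
        perror("/proc/sys/kernel/sysrq");
        return 1;
    }
    if (!sysrq_mask_allows(mask, SYSRQ_BIT_SYNC))
        fprintf(stderr, "warning: kernel.sysrq=%d masks off sync; "
                "echo 1 > /proc/sys/kernel/sysrq to enable everything\n", mask);

    got = remap_and_verify(dev, hid_usage_code(0x07, 0x44), KEY_SYSRQ);
    if (got < 0) {
        fprintf(stderr, "%s: %s\n", dev, strerror(errno));
        return 1;
    }
    printf("F11 now reports keycode %d (%s)\n", got,
           got == KEY_SYSRQ ? "KEY_SYSRQ" : "unexpected");
    return got == KEY_SYSRQ ? 0 : 1;
}
```

The mapping lives in the driver's per-device keymap, so it is lost when the keyboard is re-probed (reboot, or the device being unbound and rebound); rerun it from a boot script or a udev rule if you want it to stick. A mask such as 176 (boot, remount, sync), which several distributions ship as their default, is enough for the "sync, remount, reboot" sequence but not for the debugging dumps, which is exactly the kind of thing the check above warns about.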

Guitars


[Photo: Guitars, originally uploaded by bluesterror]

To add a little space to our cozy apartment, I put up a couple of guitar wall hangers over the weekend and put the cases in storage (don’t tell our leasing office). It looks pretty cool, though I do think the guitars want 8 or 9 more friends. I just hope this isn’t the start of the inevitable transition from guitar-as-instrument to guitar-as-display-item.

Old soldiers

I had the good fortune to attend a free DC ACM-sponsored lecture by Tony Hoare last week. Hoare is the inventor of quicksort as well as the man behind two of my favorite Computing-related quotes:

Premature optimization is the root of all evil. (via Knuth)

There are two ways of constructing a software design: one way is to make it so simple there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.

He gave a fairly dry talk on the importance of program correctness and how CS-the-science hopes to eventually figure out proof methods and tools that will some day help CS-the-discipline. But, he notes, we’re still a long way off.

I’m still not a member, but good things are coming out of the local ACM chapter. This is the same series that brought Brian Kernighan earlier in the year. Next month there is a black tie affair with Bjarne Stroustrup as the keynote.

OSS, I has it

I just sat in on a conference call as a representative (by default, since no one else called in) of the Linux ath5k community, with Atheros, makers of my MacBook’s wireless ethernet card. Atheros have really done a 180 for supporting the community, first by releasing ath9k, then by releasing the source to their previously-closed HAL last week. Thanks to that, 6 patches have already gone out fixing various problems. BTW, conference calls are just as pointless in the OSS community as they are in real life. But at least I did learn that it is pronounced “uh-THERE-ose”, not “ATH-er-ose.”

Buy laptops with Atheros wireless cards!