<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8402228841467920387</id><updated>2011-11-27T16:51:58.338-08:00</updated><category term='TDSS'/><category term='hack'/><category term='pirates'/><category term='wired'/><category term='myspace spam hacking ebay exploit'/><category term='9.10'/><category term='slax'/><category term='comcast'/><category term='mount'/><category term='blackhat'/><category term='malware'/><category term='truecrypt'/><category term='buisness'/><category term='how to'/><category term='FBI'/><category term='09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0'/><category term='censorship'/><category term='hackers'/><category term='Schmoocon'/><category term='freedom'/><category term='DEM digital rights magagement windows vista'/><category term='goverment'/><category term='VMware'/><category term='internet riot'/><category term='spam'/><category term='whitehat'/><category term='spyware'/><category term='TDSS rootkit'/><category term='craigslist'/><category term='windows'/><category term='CIPAV'/><category term='Ubuntu'/><category term='fail'/><category term='dirty'/><category term='Directory Traversal'/><title type='text'>The MonKey juNGle</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/'/><link rel='hub' 
href='http://pubsubhubbub.appspot.com/'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>26</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-5672853066621805237</id><published>2010-02-12T13:06:00.000-08:00</published><updated>2010-02-12T13:25:06.678-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VMware'/><category scheme='http://www.blogger.com/atom/ns#' term='Directory Traversal'/><category scheme='http://www.blogger.com/atom/ns#' term='Schmoocon'/><title type='text'>Directory Traversal Fun</title><content type='html'>I came across a few interesting posts on this topic today and I thought I would share. 
The first one I landed on was an interesting read about a poorly secured malicious server from Russ McRee at HolisticInfoSec.com.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://holisticinfosec.blogspot.com/2010/02/directory-traversal-as-reconnaisance.html"&gt;http://holisticinfosec.blogspot.com/2010/02/directory-traversal-as-reconnaisance.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Next, I ended up on the OWASP page on testing for these kinds of vulnerabilities:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.owasp.org/index.php/Testing_for_Path_Traversal"&gt;http://www.owasp.org/index.php/Testing_for_Path_Traversal&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Then finally, a nice Nmap script for the VMware directory traversal vulnerability (&lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733"&gt;CVE-2009-3733&lt;/a&gt;) recently discussed at Shmoocon:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.skullsecurity.org/blog/?p=436"&gt;http://www.skullsecurity.org/blog/?p=436&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;good times.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-5672853066621805237?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/5672853066621805237/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=5672853066621805237' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5672853066621805237'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5672853066621805237'/><link rel='alternate' type='text/html' 
href='http://bias9.blogspot.com/2010/02/directory-traversal-fun.html' title='Directory Traversal Fun'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-1843898837997200578</id><published>2010-02-05T09:00:00.000-08:00</published><updated>2010-02-05T09:02:40.166-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='9.10'/><category scheme='http://www.blogger.com/atom/ns#' term='truecrypt'/><category scheme='http://www.blogger.com/atom/ns#' term='how to'/><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><title type='text'>TrueCrypt Ubuntu 9.10</title><content type='html'>http://www.truecrypt.org/downloads&lt;br /&gt;&lt;br /&gt;get deb package&lt;br /&gt;&lt;br /&gt;untar file&lt;br /&gt;&lt;br /&gt;sudo sh ./truecrypt-6.3a-setup-ubuntu-x64&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-1843898837997200578?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/1843898837997200578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=1843898837997200578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/1843898837997200578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/1843898837997200578'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2010/02/truecrypt-ubuntu-910.html' 
title='TrueCrypt Ubuntu 9.10'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-7762721032125810060</id><published>2009-12-29T20:17:00.001-08:00</published><updated>2010-01-02T10:05:36.467-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='buisness'/><category scheme='http://www.blogger.com/atom/ns#' term='comcast'/><category scheme='http://www.blogger.com/atom/ns#' term='fail'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>two calls to comcast</title><content type='html'>one of our accounts got shut off. I called comcast business support to make a payment.&lt;br /&gt;&lt;br /&gt;800-391-3000&lt;br /&gt;&lt;br /&gt;1st prompt: new or existing crusty&lt;br /&gt;&lt;br /&gt;2nd prompt: Zip Code&lt;br /&gt;&lt;br /&gt;3rd prompt: tech support, billing....&lt;br /&gt;&lt;br /&gt;4th prompt: account details menu&lt;br /&gt;&lt;br /&gt;so comcast takes your ph&lt;span style="color: rgb(51, 204, 255);"&gt;o&lt;/span&gt;ne number and z&lt;span style="color: rgb(51, 255, 255);"&gt;i&lt;/span&gt;p code, then authenticates you into an account.&lt;br /&gt;&lt;br /&gt;In this particular case it happened to not be my account. Before I realized what was happening, I heard info on the last payment date/amount and total balance due. 
hung up.&lt;br /&gt;&lt;br /&gt;call #2&lt;br /&gt;&lt;br /&gt;existing crust&lt;br /&gt;zip&lt;br /&gt;tech support --&gt; Hu&lt;span style="color: rgb(51, 51, 255);"&gt;m&lt;/span&gt;an&lt;br /&gt;&lt;br /&gt;    name, address, phone number&lt;br /&gt;&lt;br /&gt;three accounts pop (account from 1st call was not one of them).&lt;br /&gt;&lt;br /&gt;tech support explanation was that phone number links accounts across all comcast boards (biz/residential).&lt;br /&gt;&lt;br /&gt;busted.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-7762721032125810060?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/7762721032125810060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=7762721032125810060' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7762721032125810060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7762721032125810060'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/12/two-calls-to-comcast.html' title='two calls to comcast'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-7057978907908986494</id><published>2009-12-27T19:25:00.000-08:00</published><updated>2009-12-27T19:34:41.891-08:00</updated><title type='text'>new gmail privacy feature</title><content type='html'>Hey, this is important: 
We don't have a password recovery email address or phone number for your account. If you lose access, we may not be able to help you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-7057978907908986494?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/7057978907908986494/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=7057978907908986494' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7057978907908986494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7057978907908986494'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/12/new-gmail-privacy-feature.html' title='new gmail privacy feature'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-7413400977635006236</id><published>2009-12-23T15:03:00.000-08:00</published><updated>2010-01-02T11:31:26.575-08:00</updated><title type='text'>ubuntu security</title><content type='html'>this is not a guide.&lt;br /&gt;&lt;br /&gt;1. automated sniffing: Snort&lt;br /&gt;&lt;br /&gt;2. view log files:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo gedit /var/log/XXX&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3. manual sniffing: tcpdump &amp;amp; Wireshark&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo tcpdump -vvi eth1&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;installing Wireshark on Ubuntu:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo apt-get install wireshark&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4. vulnerability scanner: Nessus&lt;br /&gt;&lt;br /&gt;http://ubuntuforums.org/showthread.php?t=27674&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo apt-get install nessusd nessus nessus-plugins&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo /etc/init.d/nessusd restart&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;register nessus.&lt;br /&gt;&lt;br /&gt;use this path if you used apt-get:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo /bin/nessus-fetch XXXXXXX&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo update-nessus-plugins&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;not sure of your path?&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;dpkg -L nessus&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bias9.blogspot.com/"&gt;scan result break down&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;check for rootkits: chkrootkit&lt;br /&gt;&lt;br /&gt;http://www.chkrootkit.org/&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;./chkrootkit -x | more&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;examine suspicious strings in the binary programs that may indicate a trojan&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Rootkit Hunter:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo apt-get install rkhunter&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo rkhunter --propupd&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;then:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo rkhunter --check&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;5. AV&lt;br /&gt;&lt;br /&gt;http://www.itsecurity.com/features/ubuntu-secure-install-resource/&lt;br /&gt;&lt;h3&gt;Antivirus&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a target="_blank" href="http://www.clamav.net/"&gt;Clam AntiVirus&lt;/a&gt; - One of the most popular UNIX based antivirus solutions. Works well with email gateways.&lt;/li&gt;&lt;li&gt;&lt;a target="_blank" href="http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-virus-free"&gt;AVG Anti-Virus&lt;/a&gt; - Free version of a popular commercial virus scanner.&lt;/li&gt;&lt;li&gt;&lt;a href="https://help.ubuntu.com/community/BitDefender"&gt;BitDefender&lt;/a&gt; - On demand command line/shell script scanner.&lt;/li&gt;&lt;li&gt;&lt;a target="_blank" href="http://www.pandasoftware.com/download/linux/linux.asp"&gt;Panda Antivirus&lt;/a&gt; - Uses sophisticated software to remove viruses from workstations connected to a Linux server.&lt;/li&gt;&lt;/ul&gt;6. fine tune the os&lt;br /&gt;&lt;br /&gt;turn off bonjour --&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo /etc/init.d/avahi-daemon stop&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo nano /etc/default/avahi-daemon&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;AVAHI_DAEMON_START=0&lt;/pre&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;sudo /etc/init.d/cups stop&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;http://www.zolved.com/synapse/view_content/27995/Top_Ten_basic_things_to_know_about_securing_Ubuntu&lt;br /&gt;&lt;br /&gt;http://ubuntuforums.org/showthread.php?t=7353&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-7413400977635006236?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/7413400977635006236/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=7413400977635006236' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7413400977635006236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7413400977635006236'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/12/ubuntu-security.html' title='ubuntu security'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-1729638877161051668</id><published>2009-12-22T21:56:00.000-08:00</published><updated>2009-12-23T10:01:30.777-08:00</updated><title type='text'>youtube's Privacy Options</title><content type='html'>&lt;p&gt;I noticed today that there is a flag for "privacy mode" in the "customize" options menu for embedding a YouTube video.  According to Google this feature is designed to give users more control:&lt;br /&gt;&lt;/p&gt;&lt;blockquote&gt;We've been working to give our users more options and control over these cookies. One such option is the privacy-enhanced mode for our embed player. 
This mode restricts YouTube's ability to set cookies for a user who views a web page that contains a privacy-enhanced YouTube embed video player, but does not click on the video to begin playback. YouTube may still set cookies on the user's computer once the visitor clicks on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode.&lt;/blockquote&gt;&lt;br /&gt;Awesome, thanks for the option. But hey, wait.  If privacy mode &lt;span style="color: rgb(204, 102, 204);"&gt;"on"&lt;/span&gt; means that cookies are not set when a "user" merely views the page (only when they actually click play), then the past, and often current, method, privacy mode &lt;span style="color: rgb(204, 102, 204);"&gt;"off"&lt;/span&gt;, is that cookies are set on a "user" machine every time someone views a web page with a YouTube video embedded (regardless of whether or not they actually click play).&lt;br /&gt;&lt;br /&gt;Ok, so tracking cookies, no big deal, right? Old news. 
Just wanted to point that out.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-1729638877161051668?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/1729638877161051668/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=1729638877161051668' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/1729638877161051668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/1729638877161051668'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/12/youtubes-privacy-options.html' title='youtube&apos;s Privacy Options'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-6654572469389451257</id><published>2009-12-07T19:47:00.000-08:00</published><updated>2009-12-07T20:16:43.177-08:00</updated><title type='text'>chess.com + meebo</title><content type='html'>noticed today that chess.com (who I recently paid for a membership to) slipped a meebo on me when I saw a small but crafty ad on the bottom left-hand corner of my browser. 
some of those lowKey pop-up toolbars work great, like on the hype machine, but in this case, because I was not expecting it, it put me off.&lt;br /&gt;&lt;br /&gt;I told her many stories about how the world could be, and she listened calmly. She knew right when I was going to finish my sentences, and saw my words in a clear and distant vision. We stood on the deck looking out into the valley. The cold mountain air was no match for our combined warmth. I held her close to me and felt the future from many years away. Before I could see it up close, my attention snapped and I was tugged back to the evening. Maybe I wasn't supposed to get that close?  We stepped back inside, having seen something beautiful, strange and frightening.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-6654572469389451257?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/6654572469389451257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=6654572469389451257' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6654572469389451257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6654572469389451257'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/12/chesscom-meebo.html' title='chess.com + meebo'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-250594185452182460</id><published>2009-05-07T09:11:00.000-07:00</published><updated>2009-05-07T09:13:19.325-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dirty'/><category scheme='http://www.blogger.com/atom/ns#' term='windows'/><category scheme='http://www.blogger.com/atom/ns#' term='mount'/><category scheme='http://www.blogger.com/atom/ns#' term='slax'/><title type='text'>mount dirty windows drive in slax</title><content type='html'>mount -t ntfs-3g -o force /dev/xxx /mnt/xxx&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-250594185452182460?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/250594185452182460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=250594185452182460' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/250594185452182460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/250594185452182460'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/05/mount-dirty-windows-drive-in-slax.html' title='mount dirty windows drive in slax'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-5888175439401203480</id><published>2009-04-18T20:57:00.000-07:00</published><updated>2009-04-18T20:58:25.101-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CIPAV'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='goverment'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><title type='text'>random text from CIPAV PDF</title><content type='html'>3 b o r t e d that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515&lt;br /&gt;    received Comcast Internet services for the following subscriber:&lt;br /&gt;14&lt;br /&gt;            Sam Spiering&lt;br /&gt;:IS&lt;br /&gt;            6133 W i w o o d Loop SE, Lacey, WA 98513&lt;br /&gt;            Telephdne (360) 455-0569&lt;br /&gt;17&lt;br /&gt;            Dynamically Assigned Active Account&lt;br /&gt;            Account Number: 8498380070269681&lt;br /&gt;19&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;                    On June 4.2007. Cioogle provided subscriber, registration. 
and IF Address&lt;br /&gt;25&lt;br /&gt;     log history for e-mail address "douebriggS11236email.corn"with the following results:&lt;br /&gt;26&lt;br /&gt;                    E a l d (user deleted account)&lt;br /&gt;                     nbe&lt;br /&gt;27          Status:&lt;br /&gt;            Setvims: Talk, Search History, Gmail&lt;br /&gt;28&lt;br /&gt;   *&lt;br /&gt;&lt;br /&gt;                 On June 7,2007, a request to MySpace for subscriber and IP&lt;br /&gt;           b.&lt;br /&gt;            )&lt;br /&gt;ddress l&amp;amp;s for Myspace user "Timberlinebombinfo"provided the foilowing results:&lt;br /&gt;    User I :&lt;br /&gt;           D           199219316&lt;br /&gt;    Fs Name:&lt;br /&gt;     it&lt;br /&gt;      r                Doug&lt;br /&gt;    last Name: ,       Briggs&lt;br /&gt;                       Male&lt;br /&gt;     Gender;                    .&lt;br /&gt;     Dt of B r h&lt;br /&gt;      ae i t :         12110J1992&lt;br /&gt;     Age;              14&lt;br /&gt;"&lt;br /&gt;                       US&lt;br /&gt;     couq:&lt;br /&gt;                       Law&lt;br /&gt;    City:&lt;br /&gt;&lt;br /&gt;   stal Code:      985003&lt;br /&gt;                   Western Australia&lt;br /&gt;Region:&lt;br /&gt;Email'Address:'   tirnberljne.sucksB~mai1&lt;br /&gt;                                        .corn&lt;br /&gt;User Name:         timberlinebambinfo&lt;br /&gt;Sign up I Address:&lt;br /&gt;          P              80.76.80.103&lt;br /&gt;Sign up Date:     Juae 7,2007 7:49PM&lt;br /&gt;                   NIA&lt;br /&gt;Delete Date:&lt;br /&gt;                  June 7,20077:49:32:247 PM I Address 80.76.80.103&lt;br /&gt;                                              P&lt;br /&gt;Login Date&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;:page 76:&lt;br /&gt;&lt;br /&gt;15.   The C P A V will be deployed through an electronic messaging program&lt;br /&gt;    ,&lt;br /&gt;          conaolled by the FBI. 
The computers sending and receiving the CIPAV will be machines controlled by the FBI. The electronic message deploying the CIPAV will be directed to the administrator(s) of the "Timberlinebombinfo"&lt;br /&gt;&lt;br /&gt;a). Electronic messaging accounts commonly require a unique user name and password.&lt;br /&gt;&lt;br /&gt;b). Once the CIPAV is successfully deployed, it will conduct a one-time search of the activating computer and capture the information described in paragraph seven.&lt;br /&gt;&lt;br /&gt;c). The captured information will be forwarded to a computer controlled by the FBI located within the Eastern District of Virginia.&lt;br /&gt;&lt;br /&gt;d). After the one-time search, the CIPAV will function as a pen register device and record the routing and destination addressing information for electronic communications originating from the activating computer.&lt;br /&gt;&lt;br /&gt;e). The pen register will record IP address, dates, and times of the electronic communications, but not the contents of such communications or the contents contained on the computer, and forward the address data to a computer controlled by the FBI, for a period of (60) days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-5888175439401203480?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://bias9.blogspot.com/feeds/5888175439401203480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=5888175439401203480' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5888175439401203480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5888175439401203480'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/04/random-text-from-cipav-pdf.html' title='random text from CIPAV PDF'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-3526984842908898909</id><published>2009-04-18T18:11:00.000-07:00</published><updated>2009-12-23T21:19:36.985-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CIPAV'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='wired'/><category scheme='http://www.blogger.com/atom/ns#' term='goverment'/><category scheme='http://www.blogger.com/atom/ns#' term='FBI'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><title type='text'>more info released on FBI's home brewed malware, CIPAV</title><content type='html'>Recently, the &lt;a href="http://en.wikipedia.org/wiki/Freedom_of_Information_Act_%28United_States%29"&gt;Freedom of Information Act&lt;/a&gt; was invoked by the EFF, CNET and Wired to declassify documents relating to the FBI's home brewed malware,  CIPAV.&lt;br /&gt;&lt;br /&gt;The newly released PDF weighs in 
at a healthy 150 pages, with info on various requests and cases where CIPAV was used.&lt;br /&gt;&lt;br /&gt;At this time it does not seem to be public knowledge exactly what the software does and more importantly, how it gets on the "victims" machine.&lt;br /&gt;&lt;br /&gt;After a 2007 affidavit some of the security community's finest had put together a pretty good profile of what the software was likely doing:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News. &lt;/p&gt;  &lt;ul&gt;&lt;li&gt;IP address  &lt;/li&gt;&lt;li&gt;MAC address of ethernet cards  &lt;/li&gt;&lt;li&gt;A list of open TCP and UDP ports  &lt;/li&gt;&lt;li&gt;A list of running programs  &lt;/li&gt;&lt;li&gt;The operating system type, version and serial number  &lt;/li&gt;&lt;li&gt;The default internet browser and version  &lt;/li&gt;&lt;li&gt;The registered user of the operating system, and registered company name, if any  &lt;/li&gt;&lt;li&gt;The current logged-in user name &lt;/li&gt;&lt;li&gt;The last visited URL &lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.schneier.com/blog/archives/2007/07/federal_agents_1.html"&gt;http://www.schneier.com/blog/archives/2007/07/federal_agents_1.html&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;More clues are likely to emerge from the recently released documents, but my guess is that it will still remain a guessing game as to what exactly the software does.&lt;br /&gt;&lt;br /&gt;Regardless of what information the malware collects, the new documents shed some interesting light on the complicated and precise environment that the malware is supposed to run in on &lt;a 
href="http://news.cnet.com/8301-10784_3-9746451-7.html"&gt;one&lt;/a&gt; particular case. On page 78 of the PDF it is noted that the software should only be &lt;span style="font-weight: bold;"&gt;deployed&lt;/span&gt; between the hours of 6AM and 10PM PST. Once deployed, messages coming from the infected machine can be &lt;span style="font-weight: bold;"&gt;read&lt;/span&gt; at any time. Interesting for sure, perhaps even a bit strange. My guess is that the deployment hours correlate to previous bomb threats, and thus the regulated window, but that's purely speculation.&lt;br /&gt;&lt;br /&gt;On the following page of the PDF, 79, it is noted that if the CIPAV does not activate on the victim's machine, they will attempt to deploy and activate until successful, within the 10-day window allotted for deployment. This seems to be a key factor in understanding how this malware works. An application to collect the above-mentioned data could be written in any number of languages and hidden on the machine in an overwhelming number of ways. When you consider the infection from the FBI's point of view, it would probably make the most sense to send a Windows-based app first, but maybe it's all universal now anyway. The first thing it does after activation is open an SSL connection and phone home with the IP, MAC, last URL and so on. Now, if activation does not occur right away, they act quickly while the MySpace vulnerability is still active and send over a totally different app, wait for the phone-home and repeat.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://blog.wired.com/27bstroke6/2007/07/fbi-spyware-how.html"&gt;Wired&lt;/a&gt; article does a great job of looking at the attack vector.&lt;br /&gt;&lt;br /&gt;Lots more interesting info is coming out of that PDF. 
I'm looking forward to the next few days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-3526984842908898909?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/3526984842908898909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=3526984842908898909' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3526984842908898909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3526984842908898909'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/04/more-info-released-on-fbis-home-brewed.html' title='more info released on FBI&apos;s home brewed malware, CIPAV'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-3171423862088989401</id><published>2009-04-14T15:54:00.000-07:00</published><updated>2009-04-14T19:43:51.768-07:00</updated><title type='text'>Malware String Analysis Part 1 - Getting the Strings</title><content type='html'>String analysis can be very useful when it comes to researching and gathering information on suspicious or unknown files. All kinds of information can be gathered from the strings of a file, and there are of course any number of ways to obtain and process it. 
In this "part 1" I'm going to go over some of the more common ways to extract the strings from a file.&lt;br /&gt;&lt;br /&gt;If you are doing your research on a Windows machine, one of the easiest ways to extract the strings of a file is to use the Sysinternals tool &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx"&gt;Strings&lt;/a&gt;. I like to run the application against files with a batch file in the "Send To" folder. This allows me to simply right-click on the file in question, click "Send To", then "Strings". As instructed by my batch file, the app pushes the extracted strings into a txt file for me. You can set your research box up in a similar fashion by doing the following:&lt;br /&gt;&lt;br /&gt;Click Start, Run, then type "sendto"&lt;br /&gt;&lt;br /&gt;This will open the SendTo folder. Right-click, "New", "Text Document". Here's what I use, but you could of course modify it as you like:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;strings -a %1 &gt;"C:\strings.txt"&lt;br /&gt;"C:\strings.txt"&lt;br /&gt;exit&lt;br /&gt;&lt;/blockquote&gt;One caveat: the -a switch scans for ASCII only, so this batch file silently drops the UTF-16 strings (file paths, registry keys, URLs, messages) that Windows binaries carry; leave -a off (Strings scans both encodings by default) or add a second run with -u if you want those too. Make sure you save the file with the extension .bat, and not .txt. 
Strings.bat is a pretty good name.&lt;br /&gt;&lt;br /&gt;As stated on the page linked above, there are various options you can use with the Strings command:&lt;br /&gt;&lt;br /&gt;Using Strings&lt;p&gt;&lt;strong&gt;Usage: strings.exe [-a] [-b bytes] [-n length] [-o] [-q] [-s] [-u] &amp;lt;file&amp;gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Strings takes wild-card expressions for file names, and the additional command line parameters are defined as follows:&lt;/p&gt;&lt;table width="100%" border="0" cellpadding="1" cellspacing="2"&gt;&lt;tbody&gt;&lt;tr valign="top" align="left"&gt;&lt;td width="30"&gt;&lt;strong&gt;-s&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Recurse subdirectories.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-o&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Print offset in file string is located.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-a&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Scan for ASCII only.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-u&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Scan for UNICODE only.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-b bytes&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Bytes of file to scan.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-n X&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Strings must be a minimum of X characters in length.&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="top" align="left"&gt;&lt;td&gt;&lt;strong&gt;-q&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;Quiet (no banner).&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;To search one or more files for a particular string, use a command like this:&lt;/p&gt;&lt;p&gt;&lt;strong&gt;strings * | findstr /i TextToSearchFor&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;Using the above method you should be able to extract the strings of a file pretty quickly without much hassle.&lt;br /&gt;&lt;br /&gt;If you want to do the same on Linux, chances are that you already have the necessary tool. 
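Added example (not code from the original post): a small Python equivalent of the strings.exe switches discussed above (-a, -u, -n, -o) plus the findstr /i filter, run here against a constructed byte blob standing in for a suspicious executable rather than a real sample. The sample bytes, the string names in it and the minimum length of 4 are assumptions made for the demo.

```python
import re

# Constructed sample "binary": a few ASCII strings, one UTF-16LE string and
# some junk bytes, standing in for a suspicious executable. Not a real file.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00"                      # "MZ" header bytes
    b"kernel32.dll\x00"
    b"\x01\x02\xff"
    b"http://example.invalid/gate.php\x00"
    b"ab\x00\x01"                                    # too short to report at -n 4
    + "CreateRemoteThread".encode("utf-16-le")       # what a -a only scan would miss
    + b"\x00\x00\x7f\x00"
)

ASCII_RUN = rb"[\x20-\x7e]{%d,}"                  # printable ASCII, min_len or longer
UNICODE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"        # the same characters as UTF-16LE


def extract_strings(data, min_len=4, want_ascii=True, want_unicode=True, offsets=False):
    """Return printable strings from data, like Sysinternals strings.exe.

    want_ascii / want_unicode mirror -a / -u, min_len mirrors -n, and
    offsets=True mirrors -o by returning (offset, string) pairs in file order.
    """
    found = []
    if want_ascii:
        for m in re.finditer(ASCII_RUN % min_len, data):
            found.append((m.start(), m.group().decode("ascii")))
    if want_unicode:
        for m in re.finditer(UNICODE_RUN % min_len, data):
            found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()                      # file order regardless of encoding
    return found if offsets else [s for _, s in found]


def grep_strings(data, needle, min_len=4):
    """Case-insensitive filter over the strings, like strings * | findstr /i needle."""
    needle = needle.lower()
    return [s for s in extract_strings(data, min_len) if needle in s.lower()]


if __name__ == "__main__":
    import sys
    # Pass a file path to scan a real file; with no argument the demo blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, s in extract_strings(blob, offsets=True):
        print(f"{off:08x}  {s}")
```

The UTF-16LE pass is the one a batch file with -a skips; scan both encodings and keep the offsets, since an offset tells you which section of the file (and so which part of the code or data) a string lives in. On Linux, GNU strings covers the same ground with -a -n 4 -t x, and -e l for the UTF-16LE pass.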
If you type "strings" at the command prompt you'll know pretty quickly. In order to get this working the same as the Sysinternals tool you will need to add some extra arguments, as its default output is pretty raw. I'm not entirely sure what those are as I usually just rip the strings off my Windows research box, but if anyone knows the equivalent command please post it up.&lt;br /&gt;&lt;br /&gt;Really basic stuff, but all kinds of interesting things can come from those strings. Next time we'll look at some output files and a cool tool called &lt;a href="http://code.google.com/p/yara-project/"&gt;Yara&lt;/a&gt; that helps parse the strings all quick like.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-3171423862088989401?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/3171423862088989401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=3171423862088989401' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3171423862088989401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3171423862088989401'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/04/malware-string-analysis-part-1-getting.html' title='Malware String Analysis Part 1 - Getting the 
Strings'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-6157442190969252139</id><published>2009-01-08T11:37:00.000-08:00</published><updated>2009-01-08T11:45:26.832-08:00</updated><title type='text'>Virtual box w/Ubuntu 8.10 x64</title><content type='html'>Started here:http://www.howtoforge.com/installing-virtualbox-2.0.0-on-ubuntu-8.10-desktop&lt;br /&gt;&lt;br /&gt;Ok, well that was so easy and worked exactly as expected that there is no need to write anything up. awesome.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-6157442190969252139?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/6157442190969252139/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=6157442190969252139' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6157442190969252139'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6157442190969252139'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2009/01/virtual-box-wubuntu-810-x64.html' title='Virtual box w/Ubuntu 8.10 x64'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-7017061937491480002</id><published>2008-11-27T09:25:00.000-08:00</published><updated>2008-11-27T10:22:31.598-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TDSS rootkit'/><category scheme='http://www.blogger.com/atom/ns#' term='TDSS'/><title type='text'>TDSS Rootkit Removal</title><content type='html'>I got a call the other day from a friend asking if I could take a look at his computer. Based on what he described, it sounded like a pretty standard combo infection of Antivirus 2009 and FakeAlert. He gave me the box, and a few days later I took a look.&lt;br /&gt;&lt;br /&gt;The box would only boot into Windows successfully about one out of every four times. Once into Windows, I found Antivirus 2009 and FakeAlert. As always, I tried the easiest things first: install Spy Sweeper and/or HijackThis. Neither would install normally, so I changed the HJT folder name and .exe name; it still would not run. Although Spy Sweeper would install, upon reboot it would say that the install was corrupt or something. At this point I should have realized there was a rootkit.&lt;br /&gt;&lt;br /&gt;I booted the box into a Slax live CD and went about removing Antivirus 2009 manually. Slax doesn't mount NTFS drives with write privileges by default; to get that I ran the following commands:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;umount /dev/hda2&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;ntfsmount /dev/hda2  /mnt/hda2&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now, had I known there was a rootkit and known a little about TDSS, I could probably have killed it this time around. As I didn't, the process ended up taking quite a bit longer. 
Instead of simply removing Antivirus 2009, I should have tried something like:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;cd /mnt/hda2/windows/system32/drivers&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;ls tdss*&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;rm tdss*&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;cd ..&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;ls&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;and deleted all .exe and .dll files with 2009 dates on them (they are future-dated, since this was written in November 2008; the trick stops working once 2009 actually arrives!)&lt;br /&gt;&lt;br /&gt;Since I didn't realize there was a rootkit I simply removed Antivirus 2009 and rebooted.&lt;br /&gt;&lt;br /&gt;Once I booted back into Windows I saw that FakeAlert was still there (and re-installing Antivirus 2009), so I decided to run RootkitRevealer and see what it came up with. Sure enough there were a few entries for TDSSserv.sys and TDSSdata, and then two errors where it said it couldn't mount the C and D drives. Did a little research on TDSS and realized that the box was most definitely rootkitted.&lt;br /&gt;&lt;br /&gt;I played with the registry through regedit, but guess what, the only TDSS entries that were showing up were legacy data that would not stop the rootkit. No surprise. I searched the intewebs, read a variety of posts, and grabbed a bunch of tools (GMER, IceSword, and a bunch of others that I didn't end up using). I also created a UBCD4Win boot disk based on this excellent post: &lt;a href="http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/"&gt;http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, since I removed Antivirus 2009 manually through Slax, I had created some discrepancies or problems with the disk. 
It still booted into Windows, but would not run a scheduled CHKDSK, and I could no longer mount the volume in Slax because it gave an error saying the volume was dirty and needed a chkdsk run.&lt;br /&gt;&lt;br /&gt;I guess I really didn't need the UBCD4Win disk: after about 15 minutes it still hadn't booted, and because I'm impatient I just killed it and used it to boot into the Recovery Console instead. Still, it seems like something I will most definitely be using in the future.&lt;br /&gt;&lt;br /&gt;After booting into the Recovery Console, I did what I should have done through Slax the first time around: went to system32 and removed all .exe's and .dll's with 2009 timestamps on them (at the time of this writing that worked great, but it probably won't soon, as it's almost 2009), and then into system32\drivers and got rid of all the TDSSxxxx.sys files (where x = random characters). There were also some .ini files with 2009 dates on them that I probably could have removed, but didn't.&lt;br /&gt;&lt;br /&gt;Rebooted into Windows to find that FakeAlert was still there. Opened IceSword (which is a seriously cool app) and killed the FakeAlert .exe manually (bratsk.exe or something). Since I couldn't find a way to search the registry through IceSword, I just used regedit to search for "tdss", then navigated to those locations in IceSword (it takes care of permissions, so deleting keys is far easier than in regedit) and deleted anything TDSS. The most interesting by far was the disallow section of TDSSDATA (I think that was it). It contained all the hooks that kept SS, GMER, and all those other apps from running. I was able to delete all TDSS entries. Rebooted.&lt;br /&gt;&lt;br /&gt;Still had FakeAlert. Searched the registry for TDSS. TDSSDATA was still there, but it looked like it hadn't fully set up, as the keys were not there. Deleted it. 
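Added example, not from the original post: a Python triage script that performs the two checks described above (drivers named tdss*, and executables, drivers and .ini files whose timestamps are later than the date the box was examined) against a mounted system32 tree, and reports rather than deletes. The directory layout, file names and dates in build_demo_tree are constructed for the demo; bratsk.exe and the tdss* naming are taken from the post, the specific tdss file names are made up.

```python
import os
import fnmatch
import tempfile
from datetime import datetime, timezone

# When the post was written (Nov 2008); anything stamped later is "from the future".
REFERENCE = datetime(2008, 11, 27, tzinfo=timezone.utc)
SUSPECT_EXT = (".exe", ".dll", ".sys", ".ini")
NAME_PATTERNS = ("tdss*",)          # the TDSSxxxx.sys driver family from the post


def triage_system32(root, reference=REFERENCE, patterns=NAME_PATTERNS, exts=SUSPECT_EXT):
    """Walk a mounted system32 tree and return sorted (relative path, reason) pairs.

    Two checks, mirroring what was done by hand from the Recovery Console: a
    name matching a known-bad pattern, or an executable/driver/ini whose
    modification time lies after ``reference`` (i.e. is future-dated).
    Only mtime is used: on Linux st_ctime is inode change time, not NTFS creation time.
    """
    ref_ts = reference.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = name.lower()
            matched = [p for p in patterns if fnmatch.fnmatch(low, p)]
            if matched:
                hits.append((rel, "name matches " + matched[0]))
                continue
            if low.endswith(exts):
                mtime = os.stat(full).st_mtime
                if mtime > ref_ts:
                    stamp = datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d")
                    hits.append((rel, "mtime " + stamp + " is after the reference date"))
    return sorted(hits)


def build_demo_tree():
    """Constructed stand-in for /mnt/hda2/windows/system32; not a real infection."""
    root = tempfile.mkdtemp(prefix="sys32_")
    os.mkdir(os.path.join(root, "drivers"))
    past = datetime(2008, 4, 14, tzinfo=timezone.utc).timestamp()
    future = datetime(2009, 3, 1, tzinfo=timezone.utc).timestamp()
    layout = [
        ("kernel32.dll", past),
        ("calc.exe", past),
        ("bratsk.exe", future),           # the FakeAlert binary the post names, future-dated
        ("drivers/atapi.sys", past),
        ("drivers/tdssserv.sys", past),   # TDSS driver: caught by name even with an old stamp
        ("drivers/tdssqwer.sys", future), # made-up TDSSxxxx.sys name
    ]
    for rel, ts in layout:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"MZ")               # placeholder bytes, not real PE content
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    import sys
    # Pass the mount point (e.g. /mnt/hda2/windows/system32); no argument runs the demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rel, why in triage_system32(target):
        print(f"{rel:32s} {why}")
```

A hit on a timestamp alone is a lead, not a verdict: a legitimate update installed with a wrong clock produces the same signal, so confirm against a known-good copy or a hash lookup before removing anything, and remove from the offline boot (Slax or the Recovery Console) as the post does, since the rootkit hides these files from a running Windows.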
At this point I was able to successfully install my preferred malware removal app (and inserted the newest def set manually because I work for them), and when I rebooted, the CHKDSK that I had scheduled many boot cycles earlier actually kicked off.&lt;br /&gt;The malware removal app install went through this time and I ran a full scan. Still waiting to see what all it found and removed, but at this point I'm pretty confident that the TDSS rootkit is dead. Big ups to the TDSS guy though, that's a pretty nice rootkit, and I know for a fact that you have at least one major malware vendor re-working their engine to accommodate removal (even if you hit after the engine was installed).&lt;br /&gt;&lt;br /&gt;So, for the first time after getting the box, I feel safe connecting it up to the intewebs to get some likely much-needed updates, which is my guess as to where this came from.&lt;br /&gt;&lt;br /&gt;Also, I heard that Microsoft released an update this week that removed over 1 million copies of rogue antivirus apps? 
very interesting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-7017061937491480002?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/7017061937491480002/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=7017061937491480002' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7017061937491480002'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7017061937491480002'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/11/tdss-rootkit-removal.html' title='TDSS Rootkit Removal'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-568182129446009871</id><published>2008-11-11T09:50:00.000-08:00</published><updated>2008-11-11T09:52:05.498-08:00</updated><title type='text'>Enabling VNC in Ubuntu Intrepid</title><content type='html'>If you want to use the VNC viewer client in Ubuntu Intrepid but its greyed out, simply run:&lt;br /&gt;&lt;pre&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;sudo apt-get install xtightvncviewer&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;and you should be all set.&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-568182129446009871?l=bias9.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/568182129446009871/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=568182129446009871' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/568182129446009871'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/568182129446009871'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/11/enabling-vnc-in-ubuntu-intrepid.html' title='Enabling VNC in Ubuntu Intrepid'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-2300286379646011322</id><published>2008-11-08T09:43:00.000-08:00</published><updated>2008-11-08T10:30:50.258-08:00</updated><title type='text'>DarkIce with Darksnow Debian Etch</title><content type='html'>Ugh. 
This was a slightly painful process; here's what I ended up doing:&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);" class="postbody"&gt; apt-get source darkice&lt;br /&gt;apt-get install liblame-dev&lt;br /&gt;apt-get build-dep darkice&lt;br /&gt;cd darkice*&lt;br /&gt;vi debian/rules&lt;br /&gt;# remove --without-lame&lt;br /&gt;dpkg-buildpackage&lt;br /&gt;cd ../&lt;br /&gt;dpkg -i darkice*.deb&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;apt-get install libgtk2.0-dev&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Find and download Darksnow; as of this writing, I was able to get the latest deb release here: http://www.twiki.ufba.br/twiki/pub/RadioFACED/ComoFunciona/darksnow_0.5.2-1_i386.deb&lt;br /&gt;&lt;span style="color: rgb(0, 0, 255);font-family:courier new,courier,monospace;" &gt;&lt;br /&gt;unzip&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;cd darksnow-0.X.X&lt;/span&gt;&lt;/span&gt;&lt;span style="color: rgb(0, 0, 255);font-family:courier new,courier,monospace;" &gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;./configure&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;make&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;make install&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;Added these to /etc/apt/sources.list&lt;span style="color: rgb(0, 0, 255);font-family:courier new,courier,monospace;" &gt;&lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;deb http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse&lt;br /&gt;deb-src http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;sudo apt-get install lame liblame0&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 0, 255);font-family:courier new,courier,monospace;" &gt;&lt;span style="color: rgb(51, 
255, 51);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;This will need some updating, still tweaking...use at your own risk.&lt;span style="color: rgb(0, 0, 255);font-family:courier new,courier,monospace;" &gt;&lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-2300286379646011322?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/2300286379646011322/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=2300286379646011322' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/2300286379646011322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/2300286379646011322'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/11/darkice-with-darksnow-debian-etch.html' title='DarkIce with Darksnow Debian Etch'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-277626708692030395</id><published>2008-11-05T16:08:00.000-08:00</published><updated>2008-11-06T08:38:04.709-08:00</updated><title type='text'>Upgrading Snort Schema from 1.06 to 1.07</title><content type='html'>Use this if you need to update you snort DB Schema from 1.06 to 1.07: &lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;&lt;br /&gt;USE snort;&lt;/span&gt;&lt;br 
/&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;ALTER TABLE signature ADD sig_gid INT UNSIGNED;&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;INSERT INTO `schema` (vseq, ctime) VALUES ('107', now()); &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;DELETE FROM `schema` where vseq = '106';&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;The only change to the tables comes from the second line. The last two lines are just for updating the version number. &lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-277626708692030395?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/277626708692030395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=277626708692030395' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/277626708692030395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/277626708692030395'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/11/upgrading-snort-schema-from-106-to-107.html' title='Upgrading Snort Schema from 1.06 to 1.07'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-4143891304445149345</id><published>2008-11-05T08:27:00.000-08:00</published><updated>2008-11-05T09:45:07.802-08:00</updated><title type='text'>Install Base and Apache2 Ubuntu 8.10 Intrepid</title><content type='html'>&lt;span style="font-weight: bold; color: rgb(51, 255, 51);"&gt;sudo apt-get install apache2 php5-mysql libphp-adodb &lt;/span&gt;&lt;br /&gt;&lt;span&gt;&lt;br /&gt;If you get a message about the path to adodb changing, take note of what the new path is. &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;cd /var/www&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;sudo wget http://downloads.sourceforge.net/secureideas/base-1.4.1.tar.gz?modtime=1217804205&amp;amp;big_mirror=0&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;You might not want to copy and paste the above command as it could be outdated. 
Just download the newest version, drop it in /var/www and unpack it.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;&lt;br /&gt;sudo tar -xvzf base-1.4.1.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(51, 255, 51);"&gt;sudo rm base-1.4.1.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 255, 51);"&gt;sudo mv base-php4 base&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Change "base" to whatever you want your path to BASE to be, i.e. http://mywebserver/base&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;sudo apt-get install php-pear php5-gd&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 255, 51);"&gt;sudo pear install Mail Mail_Mime Image_Color Image_Canvas-alpha    Image_Graph-alpha&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Open a web browser and navigate to your website, http://localhost/base/, which should take you to http://localhost/base/setup/setup1.php&lt;br /&gt;&lt;br /&gt;Make sure it says that your config file is writable. If not, the quick-and-dirty fix is:&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 255, 51);"&gt;&lt;br /&gt;sudo chmod -R 777 base&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;but that makes every file under your web root writable by every account on the box, so only do it on a throwaway system. The narrower fix is to make the web server's account (www-data on Ubuntu) the owner of base_conf.php for the duration of the wizard, and to put the permissions back once it has written the config.&lt;br /&gt;&lt;br /&gt;The next screen will ask you for the path to adodb&lt;span style="font-weight: bold;"&gt;. &lt;/span&gt;If you are not sure what that is, you could try something like:&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 255, 51);"&gt;&lt;br /&gt;sudo find / -name adodb&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;The next screen will ask for your DB connection information. Since this guide does not cover getting Snort set up, I will assume you already have Snort set up and know your database information. &lt;/span&gt;&lt;span&gt;Add information as necessary. 
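Added example, not from the original post: a Python replacement for the chmod -R 777 step above that gives the BASE tree the minimum the setup wizard needs and includes a check for anything left world-writable. The file names, directory layout and modes are assumptions for the demo; the chown to the web server's account that a real install also needs is not performed here because it requires root.

```python
import os
import stat
import tempfile

CONFIG = "base_conf.php"          # the file the BASE setup wizard writes


def lock_down_webroot(app_dir, config_name=CONFIG, setup=True):
    """Apply the minimum the BASE setup wizard needs instead of chmod -R 777.

    Directories become 0750 and files 0640, readable by the owner and the
    web server's group. Only the config file in the top directory is group
    writable (0660), and only while setup=True; call again with setup=False
    once the wizard has written it. Ownership (chown to www-data on Ubuntu)
    needs root and is left to the operator. Returns the number of paths set.
    """
    touched = 0
    for dirpath, _dirs, files in os.walk(app_dir):
        os.chmod(dirpath, 0o750)
        touched += 1
        for name in files:
            writable = setup and dirpath == app_dir and name == config_name
            os.chmod(os.path.join(dirpath, name), 0o660 if writable else 0o640)
            touched += 1
    return touched


def world_writable(app_dir):
    """Audit check: every path under app_dir that any local account may modify."""
    bad = []
    for dirpath, _dirs, files in os.walk(app_dir):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            other = stat.S_IMODE(os.stat(path).st_mode) % 8   # the "other" octal digit
            if other // 2 % 2 == 1:                            # 0o002 is the other-write bit
                bad.append(os.path.relpath(path, app_dir))
    return sorted(bad)


def config_mode(app_dir, config_name=CONFIG):
    """Permission bits of the config file, e.g. 0o660 during setup."""
    return stat.S_IMODE(os.stat(os.path.join(app_dir, config_name)).st_mode)


def build_demo_webroot():
    """Constructed stand-in for /var/www/base after 'sudo chmod -R 777 base'."""
    root = tempfile.mkdtemp(prefix="base_")
    os.mkdir(os.path.join(root, "setup"))
    for rel in (CONFIG, "base_main.php", os.path.join("setup", "setup1.php")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("// placeholder, not the real BASE source\n")
    for dirpath, _dirs, files in os.walk(root):          # reproduce the weak state
        os.chmod(dirpath, 0o777)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o777)
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    print("world-writable before:", world_writable(root))
    lock_down_webroot(root)
    print("world-writable after: ", world_writable(root))
    print("config mode during setup:", oct(config_mode(root)))
    lock_down_webroot(root, setup=False)
    print("config mode after setup: ", oct(config_mode(root)))
```

Run world_writable against the real web root after the wizard finishes; an empty list is what you want, since a world-writable PHP file under the web root lets any local account, including one obtained through some other hole, plant code that Apache will execute.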
&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;The final screen will ask if you want would like to require authentication to access the BASE website. I highly recommend setting up a user. &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Should be all set up after that. Depending on how many snort alerts are in your DB and various other hardware related factors, it could take some time for BASE to query the data in the database, so be patient if it doesn't come up right away!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-4143891304445149345?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/4143891304445149345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=4143891304445149345' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/4143891304445149345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/4143891304445149345'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/11/install-base-and-apache2-ubuntu-810.html' title='Install Base and Apache2 Ubuntu 8.10 interpid'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-6434395931920044436</id><published>2008-10-30T12:40:00.000-07:00</published><updated>2008-10-30T12:44:37.980-07:00</updated><title type='text'>Keys not working In VMware</title><content type='html'>I'm posting this primarily as a reminder to me, but perhaps it will help someone else as well. I just upgraded to Ubuntu 8.10 beta 64-bit, installed VMware 6.5 and my up and down arrows were not working (one was opening the Windows menu and some other crazy stuff). A co-worker of mine pointed me towards this handy little fix:&lt;br /&gt;&lt;h3&gt; &lt;span class="mw-headline"&gt;Function/arrow keys, etc. not working&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;&lt;b&gt;This is an upstream bug in VMware’s code.&lt;/b&gt;  If your keyboard is not functioning correctly in VMware, add this line to &lt;code&gt;~/.vmware/config&lt;/code&gt; (create file if necessary): &lt;/p&gt; &lt;pre&gt;xkeymap.nokeycodeMap = true&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.ultimalinux.com/wiki/VMware"&gt;http://www.ultimalinux.com/wiki/VMware&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Worked like a charm. 
Awesome.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-6434395931920044436?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/6434395931920044436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=6434395931920044436' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6434395931920044436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/6434395931920044436'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2008/10/keys-not-working-in-vmware.html' title='Keys not working In VMware'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-7437787803966889146</id><published>2008-10-23T09:08:00.000-07:00</published><updated>2008-10-23T09:10:22.677-07:00</updated><title type='text'>Microsoft Emergency Patch</title><content type='html'>&lt;div id="body"&gt; &lt;p&gt;"Microsoft is about to issue an emergency security update to plug a vulnerability which could allow an internet worm to be spread via a computer without the user doing anything.&lt;/p&gt;  &lt;p&gt;The update is rated as critical for users of Windows 2000, XP and Server 2003 and the less severe rating of "important" for users of Windows Server 2008 and Windows Vista. 
The patch is scheduled for 10.00am Pacific Time (6pm BST).&lt;/p&gt;  &lt;p&gt;There will be &lt;a href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032393978&amp;amp;EventCategory=4&amp;amp;culture=en-US&amp;amp;CountryCode=US" target="_blank"&gt;a webcast&lt;/a&gt; at 1.00pm Pacific Time (9pm BST) explaining the issue in more detail.&lt;/p&gt;  &lt;p&gt;The exploit potentially allows remote code to be executed.&lt;/p&gt;  &lt;p&gt;The Advance Notification is &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx" target="_blank"&gt;here.&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Microsoft tries to make life easier for administrators by bundling its updates into one monthly slot, known as Patch Tuesday, in the second week of every month. It has broken this cycle &lt;a href="http://www.theregister.co.uk/2004/02/03/ms_plugs_ie_phishing_bug/"&gt;before&lt;/a&gt;, but it is unusual. "&lt;br /&gt;&lt;/p&gt; &lt;/div&gt;&lt;br /&gt;&lt;a href="http://www.theregister.co.uk/2008/10/23/windows_emergency_update/"&gt;&lt;br /&gt;http://www.theregister.co.uk/2008/10/23/windows_emergency_update/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-7437787803966889146?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/7437787803966889146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=7437787803966889146' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7437787803966889146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/7437787803966889146'/><link rel='alternate' type='text/html' 
href='http://bias9.blogspot.com/2008/10/microsoft-emergency-patch.html' title='Microsoft Emergency Patch'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-4263743297596298145</id><published>2007-10-01T19:47:00.000-07:00</published><updated>2007-10-01T21:42:51.918-07:00</updated><title type='text'>I'm Not Allowed In Canada</title><content type='html'>As a kid, I always wanted to travel for business. The lure of distant cities and strange adventures has always had a mysterious glowing appeal to me. A month or so ago I was promoted, and with the promotion came the opportunity to do just that. Now I would get to travel, and I'd be getting paid to do it.&lt;br /&gt;&lt;br /&gt;My first trip was to a relatively small island northwest of Seattle. Not bad for getting my feet wet. Throw a ferry in there, a cool rental car, a nice little hotel, and it was a pretty nice trip overall.&lt;br /&gt;&lt;br /&gt;The thing is though, when I think of travel, be it business or leisure, I'm looking for some action. I don't mean that like A-Team style action either, just a little good old fashioned excitement. Upon making my way up to the small city of Regina, in the Canadian province of Saskatchewan, I got a little more than I bargained for.&lt;br /&gt;&lt;br /&gt;I walked out of my front door at the brisk hour of 5 AM. 
I began the 10-minute walk to the airport bus in style, nodding my head un-rhythmically to Tool's epic 46 and 2.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt; I wanna feel the change consume me,&lt;br /&gt;Feel the outside turning in.&lt;br /&gt;I wanna feel the metamorphosis and&lt;br /&gt;Cleansing I've endured within&lt;/blockquote&gt;&lt;br /&gt;My timing was bad as I approached the intersection where I would catch the elusive AB bus to DIA. As I began to cross the street, going over a list of items in my head, it struck me sharply and painfully. My passport was still sitting on my desk at home. This seemed to set the tone of the day. If only I knew what I was in for.&lt;br /&gt;&lt;br /&gt;I angrily walked home, grabbed my passport and caught the next bus. This put me at the airport about 60 minutes before departure. Not ideal for an international flight, but it would do. As I snaked through the rapidly moving and dreadfully long lines of security I recalled an unfortunate event that had landed me in a Denver court a little over a year before. How I had forgotten to remove a knife from my book bag I can't say. Why I had an illegal switchblade in the first place is easy. It was a gift from a friend a few years ago who was leaving town on a plane and knew better than to take it to the airport. As I put my shoes back on and headed for the terminal I felt a sigh of relief move through my body; no arguing with the TSA goons about what constitutes an illegal knife this time. Things were looking up.&lt;br /&gt;&lt;br /&gt;Upon arriving in Calgary, I quickly made my way to customs and started in on the rat race. Upon reflection, this is the one place I could have strategically avoided the mess I was about to be in. "I'm just visiting a friend" is all I would have had to say. Instead I said I was on business, which then led to the inevitable "what kind of business?" and catastrophically to "you ever been arrested?". 
At this point I did what I have done for the past 9 years when asked that question, or at least some situational variation thereof. I thought of course he was looking at my conviction for bringing an illegal switchblade into the airport. I threw it out there, being truthful: "I accidentally brought a knife to the airport". He pried, "what kind of knife?" I dropped the bomb. "A switchblade". A tense silence gripped the air. "Ever been arrested for anything else?" he dropped nonchalantly. "Uhh, yeah," I stumbled, quickly catching pace. "Once in Ohio, for disturbing the peace." "And what happened there?" he quickly questioned. I knew I could leave out the details on this one. There was no need for me to dip into the gritty details. What good would it do for him to know about how we were snaked from the back and chased down that icy river bank by an unknown number of cops with laser-guided tasers. "Oh you know, me and a buddy drank a little too much, just outside causing a ruckus." I thought about sitting in that cop car on Christmas Eve, as the cops tried to mad-dog me. "We know what you did, if you admit it we'll let you go." There wasn't a chance I was going to fess up. Apparently my buddy already had, and even though I refused to break, they let us go with a pay-out ticket. It was then that the real bomb dropped. "What about 99, you get in any trouble then?" I knew right away this was a problem. Confused and shaken, I answered with a question, "in 99?", in the same way that Ron Burgundy might if someone were to throw a question mark on his teleprompter. "Yeah, it uhh says here you have a felony, trafficking a controlled substance, marijuana". The last time I had heard or seen a word about this case was just over 9 years ago, and I was signing away some plea that apparently I did not read closely enough. 
For the last 9 years I was under the impression that, as my lawyer told me, the charge was dropped to some minuscule offense, "attempting to bring prescription pills into interstate commerce without a prescription." This apparently was not the case. I pushed the confusion aside to deal with the matter at hand. If I was denied entry into Canada it could potentially have a relatively unsavory effect on my job. I was not prepared to let this happen. I was searched and questioned relentlessly. Every credit card was removed from my wallet, the bottoms of my pockets searched for residue. I realized how bad things could really get if they were to run some swabs on my ID or probably half the cards in my wallet. I stared coldly into the air as the woman sifted through my underwear. I was taken back to the customs officer and asked to wait while they discussed what was to happen next. I pondered the Canadian law that kept felons from entering the country. I pondered the idea that I had been a felon for the last 9 years and not known it. I was called to the desk by the customs official. I was convinced I was going home. He engaged me in some conversation about the quantity of marijuana I had in my possession at the time. "Funny thing is," I told him, "we didn't even have any", which is entirely true. (We did have hash but they didn't even know what it was.) He looked at me blankly. I thought about explaining to him what had actually happened on that cool Nevada night. I thought about the cute blonde girl back home that I had a crush on, and couldn't stop thinking about. "Two grams," I corrected. "That's it?" he said. "Yeah, Nevada is a no-tolerance state, there is no such thing as a 'personal amount'," I said. "Really?" he said, "well in Canada there is, and there is also a thing up here that we practice called balance. I'm going to seize your passport and let you go do your business, but I'm not actually admitting you into Canada". 
For that moment, I had a small amount of faith in humanity temporarily restored. I signed a few papers, he took my passport, I headed to the nearest airport bar, gulped down two large Heinekens just in time to jump on my connecting flight to Regina.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-4263743297596298145?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/4263743297596298145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=4263743297596298145' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/4263743297596298145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/4263743297596298145'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/10/im-not-allowed-in-canada.html' title='I&apos;m Not Allowed In Canada'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-8052321247482588347</id><published>2007-07-19T20:50:00.001-07:00</published><updated>2007-07-19T21:50:02.274-07:00</updated><title type='text'>I hate Myspace</title><content type='html'>Yes I did have a profile or two for some time, but for the love of all things holy. Now that my job requires me to work on the internet all day, I don't get the same pleasure out of surfing the web. 
It's no secret the way these things work; it's fun until it becomes your job and then no more, right? Well, maybe not. These days I am permitted to flow as I please across networks across the world. For the most part I am confined to the States, but on special occasions I make connections abroad. Dealing with IT folks is for the most part a pleasure. I guess that part of it is really relative to who you are though, right? Back to the subject at hand though. I am convinced that the internet is by far the most amazing and strange change we will ever see in our lifetime, or I should say has the greatest impact on the largest number of people that we have ever seen. What that impact is or whether it is good or bad is not my place to say. I am a participant, along for the ride so to speak. So where does Myspace fit into this? And when I say Myspace, I don't mean literally "my", "space" on the web. Funny thing is, I know that anyone and everyone who reads this knows what I am talking about. There are catchy buzzwords to categorize this concept of the interactive web, shedding light for the masses on the transition of life and culture. But does it really matter where you lie in the whole spectrum of these things? At a company meeting/party today (yeah, my work kicks ass) the president discussed with us Microsoft's four positions one can take on software in respect to age: cutting edge, not cutting edge, slow but steady, and 1980. Well, at least that's what I remember from it. Where do you stand? Does it really matter? Does it change? Myspace is so 2000 and I hate it. Perhaps I should make a list.&lt;br /&gt;&lt;br /&gt;I hate Myspace because:&lt;br /&gt;&lt;br /&gt;1. I did not come up with the idea.&lt;br /&gt;2. I wasn't friends with the person that did. &lt;br /&gt;3. If I add all my real friends I will be taken to court and my child support will go up.&lt;br /&gt;4. Advertisements.&lt;br /&gt;
5. I thought I was bleeding edge because I made a fake profile to sell VoIP service.&lt;br /&gt;6. It further complicates strange social circles that I never understood in the first place.&lt;br /&gt;7. They sold out.&lt;br /&gt;8. It introduced HTML to the masses. &lt;br /&gt;&lt;br /&gt;Well, that's about all I can come up with. Can anybody help me out with some of the finer points that I have missed?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-8052321247482588347?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/8052321247482588347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=8052321247482588347' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/8052321247482588347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/8052321247482588347'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/07/i-hate-myspace.html' title='I hate Myspace'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-9123026222356912315</id><published>2007-05-02T10:41:00.000-07:00</published><updated>2007-05-02T12:10:07.626-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='internet riot'/><category scheme='http://www.blogger.com/atom/ns#' term='censorship'/>
<category scheme='http://www.blogger.com/atom/ns#' term='09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0'/><category scheme='http://www.blogger.com/atom/ns#' term='freedom'/><title type='text'>Aftermath</title><content type='html'>I have to say I am incredibly disappointed with the direction, or lack thereof, that the user revolt has taken. Kevin Rose posted this,&lt;br /&gt;&lt;blockquote&gt;"But now, after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be." &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Everyone dugg it, then Kevin himself posted the numbers, and now all I see is a bunch of whiny ass people babbling out shit like this,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;...&lt;br /&gt;I truly cannot believe how many people decided they were going to stand up (while sitting down mind you) for a cause that 50% of them were not going to actively participate in anyway. If "protesting" or "sticking it to the man" as they call it, is in fact possible by simply clicking your mouse a few hundred times then I for one welcome our new carpal-tunnel ridden overlords.&lt;br /&gt;&lt;br /&gt;IF we're all done acting like 5 year olds, I'm sure someone's got a great picture of a cute kitten in a computer to submit.&lt;br /&gt;&lt;br /&gt;That's REAL Digg frontpage news... :) &lt;/blockquote&gt;&lt;br /&gt;For the love of all things holy. It was obvious that diggers DID recognize the importance of the issue at hand, but less than 24hrs later comments like the one above are getting dugg hand over foot. I just don't get it. And for the record, let me be clear on one thing: "protesting" and "sticking it to the man" can ABSOLUTELY, without a doubt, be accomplished with a few hundred clicks.
A few million people clicking something a few hundred times... hmm, that sounds like a political botnet of sorts. Why wait for someone to create a botnet that actually stands behind a real cause or idea, not just extortion and greed, when we could do it without all the zombie boxes? (Although I must say, zombie boxes are cool with me as long as they are not spamming and extorting.) &lt;br /&gt;&lt;br /&gt;Then there is this comment in direct response to Kevin's story, which it would seem by the number of Diggs clearly represents the overall attitude of the Digg community. &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Well said.  Can we move on now?"&lt;/blockquote&gt;This to me is what is really sad. Maybe the guy was right in the first comment above? Most of the people who were out there digging like mad last night were just a bunch of coffee shop revolutionaries, attention spans no longer than a few hours, who have already moved on to the newest iPhone pictures, but I refuse to adopt that attitude (even though it may very well be true) simply because I am stubborn and I have faith in both political and conscious movement. &lt;br /&gt;Really, if you sit back and look at it for a few minutes, what happened on Digg on May 1st, 2007 has some pretty interesting implications in the grand scheme of things. 
I encourage those of you who have yet to see it to take a closer look.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-9123026222356912315?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/9123026222356912315/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=9123026222356912315' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/9123026222356912315'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/9123026222356912315'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/05/aftermath.html' title='Aftermath'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-26946479938456069</id><published>2007-05-01T21:10:00.000-07:00</published><updated>2008-12-10T16:14:09.128-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pirates'/><category scheme='http://www.blogger.com/atom/ns#' term='internet riot'/><category scheme='http://www.blogger.com/atom/ns#' term='censorship'/><category scheme='http://www.blogger.com/atom/ns#' term='09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0'/><category scheme='http://www.blogger.com/atom/ns#' term='hackers'/><category scheme='http://www.blogger.com/atom/ns#' term='freedom'/><title type='text'>Internet Riot! 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0</title><content type='html'>I am proposing to take this thing beyond Digg and have a full-blown Internet Riot! If you don't know what's going on yet, I'm not going to explain the numbers, 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0, but you can head over to digg.com and read up on it. Let's really open our vocal cords and yell this time. Go to every blog you can find (including this one) and post the numbers! Hit forums, and fill out contact forms loaded with the numbers. Don't forget to be crafty and throw in the MD5 of the numbers for good form. Let's make sure that we make ourselves clear this time! You cannot stop us! Your censorship is useless!&lt;br /&gt;&lt;br /&gt;What a beautiful screenshot of Digg.com's infamous front page:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_0HdptvMZpuE/RjgP0wJ_vJI/AAAAAAAAAB4/S6n7iGD4lAM/s1600-h/diggriot.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_0HdptvMZpuE/RjgP0wJ_vJI/AAAAAAAAAB4/S6n7iGD4lAM/s320/diggriot.jpg" alt="" id="BLOGGER_PHOTO_ID_5059811580305194130" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-26946479938456069?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/26946479938456069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=26946479938456069' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/26946479938456069'/>
<link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/26946479938456069'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/05/internet-riot-09-f9-11-02-9d-74-e3-5b_01.html' title='Internet Riot! 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_0HdptvMZpuE/RjgP0wJ_vJI/AAAAAAAAAB4/S6n7iGD4lAM/s72-c/diggriot.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-3906625074564983145</id><published>2007-03-20T08:22:00.000-07:00</published><updated>2007-03-22T07:40:11.530-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='whitehat'/><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><category scheme='http://www.blogger.com/atom/ns#' term='craigslist'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>Bust a Spammer In The Grill</title><content type='html'>Here's a good post from Craigslist that a friend of mine made some time ago. The success rate of this method is not 100%, but it will work a good amount of the time. 
This is written with the average end internet user in mind, but if you read past the part about how to identify spam it gets into the good stuff.&lt;br /&gt;&lt;br /&gt;"I have not been on here for a while, and I am amazed to see how much spam is flooding this section.&lt;br /&gt;&lt;br /&gt;Just a quick heads up for those that don't know:&lt;br /&gt;&lt;br /&gt;If a posting takes you to a link that has nowhere to click except for on advertisements then it is spam!&lt;br /&gt;&lt;br /&gt;For example this site,&lt;br /&gt;&lt;a class="user" href="http://www.lowincomebostonapartments.com/portland.htm"&gt;http://www.lowincomebostonapartments.com/portland.htm&lt;/a&gt;&lt;br /&gt;which was posted earlier today on Portland Craigslist IS SPAM!!&lt;br /&gt;There are no apartments at all for rent, what they are trying to do is trick you into clicking on the Google advertisement, which in turn earns them money for each click you make. Also, try swapping the /portland.htm to any major city, for example /denver.htm, and look what happens! These people are making good money off abusing CL!!&lt;br /&gt;&lt;br /&gt;(white hat method)&lt;br /&gt;CL is a great service, and the best way to keep it that way and stop greedy spammers (who are too lazy to make a decent living) is being informed about what you are clicking on, AND recognizing and flagging these posts as SPAM.&lt;br /&gt;&lt;br /&gt;(black hat method)&lt;br /&gt;Now, if you are like me, and you don't have any problems fighting fire with fire, there is another way to cripple these spammers and render their scam useless. Now, a little heads up. IF you choose to undertake this, I warn you now that this may or may not be legal, and it IS NOT the most up and up way to stop this particular kind of spam. 
Also if you get in trouble, don't blame me because you are on your own with this!!!&lt;br /&gt;&lt;br /&gt;Now on to the good stuff:&lt;br /&gt;According to wiki, click fraud is defined as the following,&lt;br /&gt;&lt;br /&gt;"Click fraud occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link. Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud whether they like it or not."&lt;br /&gt;&lt;br /&gt;So, what you do is take about five minutes of your day, and click on the SAME ad over and over and over again on one of these sites (make SURE it IS a spamming site) and then just wait. It may take some time, upwards of a day, for anything to happen, so be patient.&lt;br /&gt;Now, what happens is that this sets off red flags with the Google people, and the person who owns that account (spammer) will have their Google AdSense account frozen. Now for the good part, all the money that they have made and not been paid for up until this point (which could be a whole lot) will be frozen as well. These AdSense accounts are bound to and confirmed by social security # and other things that are not easily scammed. So, although they may be able to set up another account and get back at it, it will not be easy and it will probably take time. 
"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-3906625074564983145?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/3906625074564983145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=3906625074564983145' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3906625074564983145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/3906625074564983145'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/03/bust-spammer-in-grill.html' title='Bust a Spammer In The Grill'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-2719370971759666944</id><published>2007-02-14T10:49:00.000-08:00</published><updated>2008-12-10T16:14:09.835-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myspace spam hacking ebay exploit'/><title type='text'>Exposing a Script Kiddie</title><content type='html'>I'm not a huge myspace fan. I had a profile for awhile, but recently bailed on the whole thing. 
A few days ago I was checking out the Myspace page for &lt;a href="http://radiodiscon.com/"&gt;Radio Discon&lt;/a&gt; and I noticed that a comment had just been made from a friend of the station that obviously was not real.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Oh, my fault I must have gave you the wrong link then. The people I use to&lt;br /&gt;make make money should be &lt;a href="http://bias9.blogspot.com/"&gt;just go here (click here)&lt;/a&gt;.&lt;br /&gt;Well I hope it works for you this time, remember that&lt;br /&gt;if the site is not up they are not excepting anyone else. I told you I'm making&lt;br /&gt;about $900 a week and it's consistent. Just make sure that you take taxes into&lt;br /&gt;consideration, it's a little different than that job your always complaining&lt;br /&gt;about.LOL anyways that is funny about Laura, what else did&lt;br /&gt;she say about it? I'm not even going to worry about it ya know? Oh well,&lt;br /&gt;call me later or I'll catch you on here, see ya. "&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;My curiosity set in and I decided to do a little research on the nature of this beast. The "click here" link directed you to &lt;a href="http://bais9.blogspot.com/"&gt;game-blast.net/paidetc.php&lt;/a&gt;. Before clicking on the link I headed over to the root of the domain, game-blast.net/. 
It was an Apache server directory listing:&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;img id="BLOGGER_PHOTO_ID_5031472127750855746" style="margin: 0px auto 10px; display: block; text-align: center;" alt="" src="http://2.bp.blogspot.com/_0HdptvMZpuE/RdNhPgfeXEI/AAAAAAAAAAM/KZBUrXUqFwA/s320/gameblast.JPG" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;By navigating to the admin folder, game-blast.net/admin, you end up at a jumbled web page that will happily generate errors for you when you click on some of the links. At this point I went ahead and clicked on one of the PHP pages, game-blast.net/scout2.php. The page redirects you to some online money-making scam. Not bad, considering it does not appear to be infecting you with malware or anything of the sort. I checked out a couple of the other pages from the directory listing, including the original link that came in the myspace comment. What really got this scavenger hunt going was when I noticed the affiliate account name being passed in plain text in the address bar of the scout2.php redirect.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_0HdptvMZpuE/RdRsdgfeXGI/AAAAAAAAAAg/egTomwbmQB4/s1600-h/Clipboard03.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5031765937873640546" style="margin: 0px auto 10px; display: block; width: 400px; cursor: pointer; height: 300px; text-align: center;" alt="" src="http://3.bp.blogspot.com/_0HdptvMZpuE/RdRsdgfeXGI/AAAAAAAAAAg/egTomwbmQB4/s400/Clipboard03.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now I had someone to look for: Ksruckman. I started off with a simple Google search. Within 20 minutes I felt like I knew ksruckman, or Ralph Ruckman as he's known to Uncle Sam. 
After seeing that his PHP scripts were nothing but redirects to cheesy money-making sites, I began the profile of ksruckman as a low-end Internet scammer, or, to be nice, marketeer. Most of my initial information came from forum posts. For example, on one site in the fall of 2006 he had some serious issues with permissions on his WordPress blog. Someone kindly explained the chmod command to him and he was back on track. This led me to believe that he likely knows very little about the back ends of websites, HTML, and/or FTP. At this point I had pretty much pinned him as a script kiddie. As I read through various forum posts and searched popular photo sharing sites my profile became more in-depth. On one set of forums he boasted about recent earnings from a Craigslist scam and then about his earning mantra of three dollars per site within the first five days. It really makes me wonder how different the Internet would be without all the junk sites. Who's to judge though, I guess? Moving along, just a few pages into the Google search I stumbled across another huge piece of the puzzle: Ralph's eBay profile. For the most part he was purchasing Xbox Live cards and the like. One auction in particular brought the search full circle:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_0HdptvMZpuE/RdRwUQfeXHI/AAAAAAAAAAs/p9gO53YggAA/s1600-h/Clipboard01.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5031770177006361714" style="margin: 0px auto 10px; display: block; cursor: pointer; text-align: center;" alt="" src="http://2.bp.blogspot.com/_0HdptvMZpuE/RdRwUQfeXHI/AAAAAAAAAAs/p9gO53YggAA/s400/Clipboard01.jpg" border="0" /&gt;&lt;/a&gt; &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Yes, that's right, he bought the script off eBay. For less than $20, no less. I'd imagine that he probably made a pretty good little stash of cash off the exploit. 
At this point, I'm feeling pretty satisfied, although I do still have a few questions about the specific exploit. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;p align="center"&gt;&lt;a href="http://2.bp.blogspot.com/_0HdptvMZpuE/RdSPCQfeXII/AAAAAAAAAA4/m6uZ4bec8FU/s1600-h/ralph.gif"&gt;&lt;/a&gt;&lt;/p&gt;&lt;div align="center"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div align="center"&gt;&lt;/div&gt;&lt;div align="center"&gt;!EDIT!&lt;br /&gt;I decided enough was enough, your name has been removed.  Google should be clear of it soon.&lt;br /&gt;Sorry Bro It Had to Be Done.   &lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-2719370971759666944?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/2719370971759666944/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=2719370971759666944' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/2719370971759666944'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/2719370971759666944'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/02/my-space.html' title='Exposing a Script Kiddie'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_0HdptvMZpuE/RdNhPgfeXEI/AAAAAAAAAAM/KZBUrXUqFwA/s72-c/gameblast.JPG' height='72' width='72'/><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8402228841467920387.post-5521015754719812248</id><published>2007-01-30T13:01:00.000-08:00</published><updated>2007-02-15T07:14:24.855-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DEM digital rights magagement windows vista'/><title type='text'>DRM and the new world order.</title><content type='html'>As a tech support representative I have been asked quite a few times in the past few months what I think about Windows Vista. As a side note, the average caller in my support center tends to know about as much about computers as a squirrel does about toasters. I have no problem with this, as it pays my bills and I have a reasonably good time doing it. In the past my responses to this dreaded question have remained trivial and far from honest. I have found it much easier to respond with a simple "I'm curious to see" than to dig deeper into my philosophy on operating systems, open source, pirates and end users. Truth be told, aside from an episode of &lt;a href="http://www.grc.com/securitynow.htm"&gt;Security Now&lt;/a&gt; and a few articles here and there, I don't know much about Vista other than that it supports IPv6 and 64-bit processors.&lt;br /&gt;What little faith I did have in Windows took a serious blow today when I read this article I found on Digg: &lt;a href="http://polishlinux.com/gnu/drm-vista-and-your-rights/"&gt;http://polishlinux.com/gnu/drm-vista-and-your-rights/&lt;/a&gt;. I strongly recommend reading over this article. 
I used to think of DRM like the barking dog that never shuts up in your neighbor's yard: yes, it's annoying, but if the music is turned up loud enough you won't hear it anyway. I am now realizing that this is not the case. The serious implementation of DRM into operating systems is a huge problem and will likely mark a whole new era of hell and headaches for the average end user. While companies like Microsoft and Sony struggle, kicking and screaming, to hang on to old ways of doing business, it becomes more and more clear that the model of taking advantage of people who don't know any better is not all that cool. What I don't understand is how these companies really think that by implementing DRM they will be able to protect their products. The fact of the matter remains: no matter how hard they try, or how stiff the punishment, there will always be crackers and pirates. The end result to me really seems like Windows is polarizing the internet universe like never before. While typing this up at work, I received my first call on a Vista machine. It was unable to connect to the internet, and I sent him off to the OEM for support. 
I only have one more day of work here and as far as I'm concerned I have no desire to learn about Vista unless I really have to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8402228841467920387-5521015754719812248?l=bias9.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bias9.blogspot.com/feeds/5521015754719812248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8402228841467920387&amp;postID=5521015754719812248' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5521015754719812248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8402228841467920387/posts/default/5521015754719812248'/><link rel='alternate' type='text/html' href='http://bias9.blogspot.com/2007/01/drm-and-new-world-order.html' title='DRM and the new world order.'/><author><name>projektd</name><uri>http://www.blogger.com/profile/05553474253725975104</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
