Jul 25, 2024
 

I heard a rumor: Russia was significantly less affected by the CrowdStrike cyberoutage. Could it be that they were behind it?

Of course not. Never attribute to evil that which you can explain by stupidity. But in this case, backwardness was also on Russia’s side. You might have seen memes about Southwest Airlines, largely unaffected on account of the fact that many of their systems still run on Windows 3.1. Well, in Russia it’s… like that, even more so. As an example, here’s a CrowdStrike-affected display panel from a few days ago at JFK airport in New York City:

In contrast, here’s a departures board from a small Russian airport:

Kind of hard to hack, that one.

 Posted by at 12:29 am
Jul 19, 2024
 

So everyone is talking about the major IT outage today (which actually turned out to be two unrelated outages, the second due to a since-remedied issue with the Microsoft Azure platform), namely the fact that millions of physical computers and virtual machines around the world are crashing due to a driver failure in what is known as CrowdStrike Falcon.

I admit I have not heard of CrowdStrike Falcon before. I had to look it up. So I went to the most authoritative source: the company’s Web site.

“Cybersecurity’s AI-native platform for the XDR era,” it tells me, and “We stop breaches”. XDR is supposedly “extended detection and response”. Wikipedia tells me that “the system works by collecting and correlating data across various network points such as servers, email, cloud workloads, and endpoints”. Microsoft tells me that XDR “is a holistic security solution that utilizes automation and AI to reduce response time across multiple workloads”.

Going back to CrowdStrike, I learn that it yields $6 of return for every $1 invested. (How?) That it identifies 96% more potential threats. (More than what? More dentists use…) It tells me that it leads to security teams that are 2x as effective, with 66% faster investigations… compared to what?

Okay, scrolling down… it’s “cloud-native”, “single-platform” and an “open and extensible ecosystem”. It is “data-centric” and “AI-native” with “workflow automation”.

So far there is one thing I have not yet learned: What the bleepety-bleep does it do?

Of course I can guess. I know what security solutions are supposed to do, and I have no doubt that CrowdStrike delivers… more or less, probably not any better than its major competitors. But they certainly have good marketing, with all the right buzzwords!

Unfortunately, behind these buzzwords there is a flawed mentality: the implication that all it takes is a fancy software solution to protect your enterprise. Never mind that a good chunk of the threats (I was going to say, “vast majority”, but I have no data to back that up) are not in the form of malware. If I communicate with a senior manager at a bank and convince them to initiate an important transfer that later turns out to be fraudulent, no cybersecurity software is going to prevent that.

And as today’s example shows, protection from malware and other technological threats is just one element of a successful cybersecurity policy. A comprehensive policy must be based not just on prevention but also the recognition that sometimes, despite your best efforts, excrement can hit the ventilator. How do you detect it? What do you do?

That leaves us with these main points that must be on everyone’s cybersecurity checklist, whether you are a small company or a major international enterprise. Here they are, in no particular order, and I am sure I left some things out:

  • Threat prevention (technological prevention, such as antivirus software, network firewalls, real-time monitoring)
  • Data collection (comprehensive logs that may be used for threat detection, forensic analysis, mitigation)
  • Compartmentalization (user privileges, user access management, network architectures)
  • User relationships (user education, user management — treating users as partners not as threats)
  • Backup and recovery procedures and policies, tested (!) and validated
  • Intrusion detection
  • Intrusion response (emergency operations, fallback operations including manual operations if needed, notification policy)
  • Mitigation, self and third-party impact
  • Recovery
  • Forensic analysis and prevention
  • Auditing and risk analysis (including third party dependence)

I mean, come on, CrowdStrike’s graphic is eye-catching but I swear I drew much more informative diagrams well over a decade ago when educating customers about the need for comprehensive security. Like these, for instance.

Sure, comprehensive cybersecurity technology can help with some of these points. But not all. For instance, no cybersecurity solution will help you if broad dependence on a third-party component in your enterprise suddenly causes a widespread outage. That dependence can be anywhere, could be a simple messaging app or a complex cybersecurity suite. If it causes systems to crash, and you have no proven, tested policies and practices to detect, mitigate, and recover from an event like that, you’re in deep doo-doo.

Oh wait. That’s exactly what happened to far too many companies today.

 Posted by at 6:33 pm
Jun 21, 2024
 

This consumed far too much of my time.

I had to update my server systems, both “on-premises” (meaning my home office) and “in the cloud” (my small cloud VM hosted by Amazon). They’ve been running CentOS 7 since 2016, and CentOS 7 reached its end-of-life. Back then, I of course anticipated that by this time, I’d have long ago upgraded my systems to CentOS 8. But that was before Red Hat decided to play hardball with all of us, turning CentOS from a robust open version of Red Hat Enterprise Linux into a bleeding edge, more or less experimental/test version.

So I had to switch. And it wasn’t easy.

I eventually opted for Oracle Linux (itself an RHEL derivative), after seriously considering both AlmaLinux and Rocky Linux. It seemed like the best compromise. I wanted an RHEL-compatible distribution to minimize the pain of the upgrade, and I wanted to pick the distribution that was the most likely to have robust long term support. Considering how Red Hat continues to play hardball with others, Oracle seemed the safest choice: They have the requisite in-house resources to “go it alone” if needed, and their cloud infrastructure alone appears to guarantee a long-term commitment. We shall see if I chose wisely.

And yes, it’s OL8 for now, though this time around, I plan an upgrade long before this product line reaches EOL. But first, stability.

I think everything works on my servers, and things are settling down nicely. But some other machines that I am responsible for still need some gentle care and feeding. It was an educational experience. I dare not share my detailed notes here as they contain information that probably should not be publicly disclosed about details of my configuration, but I have dozens of pages of notes detailing the quirks that I encountered.

All is well that ends well. But why do I have the feeling that this forced upgrade represents many days of my life that were lost for no good reason, days that I’ll never get back? Oh well.

 Posted by at 1:19 am
Dec 14, 2023
 

I wanted to check something on IMDB. I looked up the film. I was confronted by an unfamiliar user interface. Now unfamiliar is okay, but the UI I saw is badly organized, key information (e.g., year of release, country of origin) difficult to find, with oversized images at the expense of useful content. And no, I don’t mean the ads; I am comfortable with relevant, respectful ads. It’s the fact that a lot less information is presented, taking up a lot more space.

Fortunately, in the case of IMDB I was able to restore a much more useful design by logging in to my IMDB account, going to account settings, and making sure that the Contributors checkbox was checked. Phew. So much more (SO MUCH MORE) readable, digestible at a glance. Yes, it’s smaller print. Of course. But the information is much better organized, the appearance is more consistent (no widely different font sizes) and the page is dominated by information, not entertainment in the form of images.

IMDB is not the only example. Recently, after I gave it a valiant try, I purposefully downgraded my favorite Android e-mail software as its new user interface was such a letdown. At least I had the foresight to save the APK of the old version, so I was able to install it and then make sure in the Play Store settings that it would not be upgraded. Not that I am comfortable not upgrading software but in this case, it was worth the risk.

All this reminds me of a recent discussion with a friend who works as a software professional himself: he is fed up to his eyeballs with the pervasive “Agile” fad at his workplace, with its mandatory “Scrum” meetings and whatnot. Oh, the blessings of being an independent developer: I could tell him that if a client mentioned “Agile” more than once, it’d be time for me to “Scrum” the hell out of there…

OK, I hope it’s not just grumpy ole’ complaining on my part. But seriously, these trendy fads are not helping. Software becomes less useful. Project management culture reinvents the wheel (I have an almost 50-year-old Hungarian-language book on my shelf on project management that discusses iterative management in depth) with buzzwords that no doubt bring shady consultants a lot more money than I ever made actually building things. (Not complaining. I purposefully abandoned that direction in my life 30 years ago when I quietly walked out of a meeting, not having the stomach anymore to wear a $1000 suit and nod wisely while listening to eloquent BS.) The result is all too often a badly managed project, with a management culture that is no less rigid than the old culture (no fads can overcome management incompetence) but with less documentation, less control, less consistent system behavior, more undocumented dependencies, and compromised security. UI design has fads that change with the seasons, united only by results that are about as practical as a Paris fashion designer’s latest collection of “work attire”.

OK, I would be lying if I said that only bad things come out of change. Now that I use AI in software development, not a day goes by without the AI teaching me something I did not know, including tools, language features and whatnot that can help improve the user experience. But it would be so nice if we didn’t take three steps back for every four steps forward.

 Posted by at 10:21 am
Aug 08, 2023
 

For the longest time as developers, we were taught not to reinvent the wheel. “There is a library for that,” we were told, so instead of implementing our own solutions for common, recurring tasks, we just imported and linked the library in question.

And sure, it made a lot of sense. Countless hours of development time were saved. Projects were completed on time, within budget. And once the system worked, it, well, worked. So long as there was a need to maintain the software, we just kept the old development tools around for the occasional bug fix and recompile. I remember keeping a Visual Studio 6.0 configuration alive well into the 2010s, to make sure that I could offer support to a long-time customer.

But then… then came the Internet. Which implied several monumental paradigm shifts. One of the most fundamental among them is that a lot of software development no longer targeted cooperating users in a closed environment. Rather, the software was exposed to the public and, well, let’s face it, not all members of the public have the best intentions in mind when they interact with our systems.

Which means that third-party code turned from an asset into a substantial liability. Why? Because of potential security issues. Using old versions of third-party libraries in public-facing systems is an invitation for disaster. Those third-party components must be kept up-to-date. Except…

  • Updating a component may break other things. There is a need for extensive regression testing, especially in complex systems, to ensure that an upgrade does not result in unintended consequences.
  • Updates are not always available. The third-party code may no longer be supported. Source code availability can mitigate this to some extent, but it can still result in a disproportionate level of effort to keep the code secure and functional.
  • Long-term reliance on third-party code implies long-term reliance on the integrity and reliability of the vendor. Code ownership can change, and the new owners may have different objectives. In extreme cases, once reliable third-party code can end up being used as Trojan code in planned cyberattacks.

For a while, there was a great need for third-party code in Web development. HTML4 had limitations, and browser implementations varied wildly. Widely used third-party libraries like jQuery made it possible to prepare code that ran well on all major platforms. But this really is not the case anymore. “Out of the box” HTML5, CSS3 and modern JavaScript are tremendously capable tools and the implementation across major browsers is quite consistent these days, with only minor idiosyncrasies that can be easily dealt with after a modest amount of testing.

So really, my advice these days to anyone developing a new Web application is to avoid third-party libraries when possible. Especially if the application is intended to have a long life-cycle. Third-party code may cut down development time slightly, but the long-term costs may far exceed those savings. And there will still be more than enough to do just to keep up with other changes: witness the changes over time that occurred in browser security models, breaking once functioning Web applications, or the changes between, say, PHP5 and PHP7.

And of course there are still valid, legitimate use cases for specialized third-party libraries. For instance, in a recent project I used both MathJax (for rendering mathematical formulas) and markdown (for rendering displayed code). Developing something like that from scratch is just not an option.

Why am I harping on all this? I am currently facing a minor crisis of sorts (OK, that may be too strong a word) as I am trying to upgrade my Web sites from Joomla 3 to Joomla 4. Serves me right, using a third-party content management system instead of writing my own HTML! Worse yet, I used some once popular extensions with Joomla, extensions that are no longer supported, and which are wholly incompatible with Joomla 4. Dealing with this is difficult and time-consuming.

It would be a lot more time-consuming were it not for the help I get from our LLM AI friends. Thankfully, these tools, GPT-4 in particular, are immensely helpful. E.g., one third-party Joomla extension I used offered a nice way to present images as clickable thumbnails. This extension is now badly broken. However, GPT-4 already helped me write a clean, functional alternative that I’ll be able to use, and thus avoid having to redesign some important pages on my site.

 Posted by at 2:16 am
Sep 28, 2021
 

I began to see this recently. Web sites of dubious lineage, making you wait a few seconds before popping up a request to confirm that you are not a robot, by clicking “Allow”:

Please don’t.

By clicking “allow”, you are simply confirming that you are a gullible, innocent victim who just allowed a scamster to spam you with bogus notifications (and I wouldn’t be surprised if at least some of those notifications were designed to entice you to install software you shouldn’t have or otherwise do something to get yourself scammed.)

Bloody crooks. Yes, I stand by my observation that the overwhelming majority of human beings are decent. But those who aren’t are no longer separated from the rest of us by physical distance. Thanks to the Internet, all the world’s crooks are at your virtual doorstep, aided by their tireless ‘bots.

 Posted by at 2:59 pm
Apr 17, 2021
 

Yesterday it was hardware, today it was software.

An e-mail that I sent to a bell.ca address was rejected.

Perhaps I am mistaken but I believe that these Bell/Sympatico mailboxes are managed, handled by Yahoo!. And Yahoo! occasionally made my life difficult by either rejecting mail from my server or dropping it in the recipient’s spam folder. I tried to contact them once, but it was hopeless. Never mind that my domain, vttoth.com, is actually a few months older (July 1, 1994 as opposed to January 18, 1995) than Yahoo!’s and has been continuously owned by a single owner. Never mind that my domain was never used to send spam. Never mind that I get plenty of spam from Yahoo! accounts.

Of course you can’t fight city hall. One thing I can do, instead, is to implement one of the protocols Yahoo wants, the DKIM protocol, to authenticate outgoing e-mail, improving its chances of getting accepted.

But setting it up was a bloody nuisance. So many little traps! In the end, I succeeded, but not before resorting to some rather colorful language.

This little tutorial proved immensely helpful, so helpful in fact that I am going to save its contents, just in case:

https://www.web-workers.ch/index.php/2019/10/21/how-to-configure-dkim-spf-dmarc-on-sendmail-for-multiple-domains-on-centos-7/
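As an added illustration of what DKIM actually contributes to a message (this is example code written for this page, not code from the post or from the tutorial above), here is a minimal signer and verifier in PHP. In a real deployment the signing is done in the MTA by a milter such as opendkim, and the public key is published as a DNS TXT record at <selector>._domainkey.<domain>; here the key pair is generated on the fly and the “DNS” is a local array. The domain, selector and sample message are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not code from the post or the linked tutorial): a minimal DKIM
// signer/verifier. The MTA-side milter (opendkim with sendmail, per the tutorial)
// normally does the signing; the verifier on the receiving side fetches the public
// key from <selector>._domainkey.<domain>. Domain, selector, key pair and the
// sample message below are all constructed for this example.

const DKIM_DOMAIN    = 'example.com';
const DKIM_SELECTOR  = 's2021';
const SIGNED_HEADERS = ['from', 'to', 'subject', 'date'];

/** RFC 6376 "relaxed" header canonicalization: lowercase name, unfold, squeeze whitespace. */
function relaxedHeader(string $name, string $value): string
{
    $value = preg_replace('/\r?\n[ \t]+/', ' ', $value);    // unfold continuation lines
    $value = preg_replace('/[ \t]+/', ' ', trim($value));   // collapse runs of whitespace
    return strtolower($name) . ':' . $value . "\r\n";
}

/** Relaxed body canonicalization: trim trailing WSP, squeeze WSP, drop trailing empty lines. */
function relaxedBody(string $body): string
{
    $lines = explode("\n", str_replace("\r\n", "\n", $body));
    $lines = array_map(fn(string $l) => preg_replace('/[ \t]+/', ' ', rtrim($l, " \t")), $lines);
    $canon = rtrim(implode("\r\n", $lines), "\r\n");
    return $canon === '' ? '' : $canon . "\r\n";
}

/** Data that gets signed: the listed headers plus the DKIM-Signature header with an empty b=. */
function signedData(array $headers, array $names, string $dkimWithoutSig): string
{
    $data = '';
    foreach ($names as $h) {
        $data .= relaxedHeader($h, $headers[$h] ?? '');
    }
    return $data . rtrim(relaxedHeader('DKIM-Signature', $dkimWithoutSig), "\r\n");
}

/** Produce the DKIM-Signature header value for a message (headers keyed by lowercase name). */
function dkimSign(array $headers, string $body, string $privateKeyPem): string
{
    $bh  = base64_encode(hash('sha256', relaxedBody($body), true));
    $tag = sprintf('v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=',
        DKIM_DOMAIN, DKIM_SELECTOR, implode(':', SIGNED_HEADERS), $bh);
    openssl_sign(signedData($headers, SIGNED_HEADERS, $tag), $sig, $privateKeyPem, OPENSSL_ALGO_SHA256);
    return $tag . base64_encode($sig);
}

/** Verify a message against the key "published" in $dns (selector._domainkey.domain => TXT record). */
function dkimVerify(array $headers, string $body, string $dkimHeader, array $dns): bool
{
    $tags = [];
    foreach (explode(';', $dkimHeader) as $kv) {
        [$k, $v] = array_map('trim', explode('=', $kv, 2) + [1 => '']);
        $tags[$k] = $v;
    }
    $txt = $dns[($tags['s'] ?? '') . '._domainkey.' . ($tags['d'] ?? '')] ?? '';
    if (($tags['a'] ?? '') !== 'rsa-sha256' || !preg_match('/p=([^;\s]+)/', $txt, $m)) {
        return false;                                 // unknown algorithm or no key in DNS
    }
    if (base64_encode(hash('sha256', relaxedBody($body), true)) !== ($tags['bh'] ?? '')) {
        return false;                                 // body changed after signing
    }
    $pubPem   = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($m[1], 64, "\n") . "-----END PUBLIC KEY-----\n";
    $unsigned = preg_replace('/;\s*b=[^;]*$/', '; b=', $dkimHeader);   // blank only the b= value
    $data     = signedData($headers, explode(':', $tags['h'] ?? ''), $unsigned);
    return openssl_verify($data, base64_decode($tags['b'] ?? ''), $pubPem, OPENSSL_ALGO_SHA256) === 1;
}

// Key pair standing in for the selector's private key file and its DNS TXT record.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privPem);
$pubDer = preg_replace('/-----[^-]+-----|\s+/', '', openssl_pkey_get_details($key)['key']);
$dns = [DKIM_SELECTOR . '._domainkey.' . DKIM_DOMAIN => 'v=DKIM1; k=rsa; p=' . $pubDer];

$headers = ['from' => 'sender@example.com', 'to' => 'recipient@example.net',
            'subject' => 'Test   message', 'date' => 'Sat, 17 Apr 2021 14:57:00 +0000'];
$body = "Hello,\r\n\r\nthis is a signed message.  \r\n\r\n\r\n";
$dkim = dkimSign($headers, $body, $privPem);

var_dump(dkimVerify($headers, $body, $dkim, $dns));                                    // true
var_dump(dkimVerify($headers, $body . "Added in transit.\r\n", $dkim, $dns));           // false (bh= mismatch)
var_dump(dkimVerify(['from' => 'someone@example.org'] + $headers, $body, $dkim, $dns)); // false (From was signed)
```

The three checks at the end are the point: a receiver such as Yahoo! can confirm that the headers it cares about and the body hash were produced by whoever holds the private key for that selector, and any change to a signed header or the body after signing fails verification. DKIM says nothing about whether the content is spam; it only ties the message to the signing domain, which is why it has to be paired with SPF and DMARC as the tutorial describes.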

Very well. It is time to return to more glamorous activities. It’s not like I don’t have things to do.

 Posted by at 2:57 pm
Sep 16, 2019
 

Very well, I’ve been had. I lost all my bitcoin savings.

Don’t worry, it was not much. Approximately 0.0113 bitcoins. Just over a hundred US dollars at current exchange rates. And it’s not like I didn’t know from the onset that something fishy was going on. Of course I was not planning to hand over my hundred bucks to a scam artist, but I figured the learning experience was worth the risk. I had no idea how things would play out, except for one thing: I knew I was not going to get richer, but my risk was limited to my meager bitcoin holdings.

Here is how it began. I became acquainted with a Neale H. Spark* on Quora. At first, we exchanged some private messages, in part about some of the answers I wrote. But soon, he started talking about the business he is in, cryptocurrency. He seemed legit: I looked him up. A cryptocurrency expert, member of a listed cryptocurrency company’s advisory board. He asked if I wanted to invest some bitcoins into cloud mining, because supposedly, I can make “8% a day”.

OK, red flags are up. Nobody, and I mean nobody, is paying you 8% daily interest. That this was a scam, of that I had no doubt, but I just couldn’t resist: I had to understand how the scheme worked.

It so happened that I actually had some bitcoins, those 0.0113 BTC, in a bitcoin wallet. So what the heck… let’s play along.

As soon as I agreed to become his victim (not that he called me that, mind you), this Mr. Spark kindly set up a “mining enabled” bitcoin account for me at blockchain.com. He provided me with all necessary details and soon enough, I was able to manage the account. I then transferred my bitcoin holdings from my other wallet to this one.

And within 24 hours, I received about 0.0008 bitcoins. And again, 24, 48, 72 hours later. I was told by Mr. Spark that this money is not completely free money: that there will be a “mining fee”, which sounded odd because how can they charge any fee to my bitcoin account? But you know what, let’s see what happens. Indeed, after about a week of regular, daily payments, four days ago I actually got charged about 0.0008 bitcoins. But the payments continued: after two more payments, my bitcoin holdings were getting close to double my initial investment.

Meanwhile, Mr. Spark called me several times on the phone. It was always a bad connection, suggesting to me that he was using a VoIP phone, but for what it’s worth, his calls came from a California number consistent with his place of residence. He was advising me that I should invest a lot more; that investors who put in a full bitcoin or more (that would be $10,000 US) are doing much better. I told him that I’d think about it. He asked when I might make my decision. I said he’d be the first to know. He did not sound happy.

Indeed, the phone calls stopped and for the past two days, I received no e-mail notification of payments in my bitcoin wallet either. So earlier today, I went to check the wallet, and whoops: all my bitcoins are gone. The wallet has been zeroed out two days ago.

I sent this Mr. Spark a Quora message but I am not expecting a reply. On the other hand, I think I can reconstruct what actually happened, so my bitcoins were, after all, well spent: I did learn some intriguing details.

For starters, I am pretty certain that the Quora account doesn’t actually belong to the real Neale H. Spark. I tried to find information online about Mr. Spark but I was unable to locate a valid e-mail address or social media account. The person is undoubtedly real, mentioned in a 201█ press release by G█████ T███████████ as a newly minted member of their advisory board. But Mr. Spark seems like a rather private person with little visible online presence.

The Quora account was only created about a month ago. It has very low activity.

The aggressive sales tactics seemed odd from a noted expert, and represented another indication of fraud. But how exactly was the fraud committed?

Here is how. It all started when “Mr. Spark” kindly set up that “mining-enabled” Bitcoin wallet for me on blockchain.com. I knew something was not kosher (what exactly is a “mining enabled” account, pray tell?) but in my ignorance of the technical details of cryptocurrency wallets, I could not quite put my finger on it. When I received the account info, everything checked out and I was able to secure the account, restricting transactions with two-factor authentication and even by IP address.

However, unbeknownst to me, “Mr. Spark” must have copied down the blockchain.com wallet backup phrase: twelve words. The company warns me: Anyone with access to my backup phrase can access my funds. What I didn’t know is that the backup phrase can be used anywhere. They need not access the wallet through blockchain.com; with the appropriate cryptocurrency software, they can recreate the wallet and empty it.

Which means that my entire blockchain.com wallet was compromised from the onset. Never mind the steps that I took, setting up two-factor authentication and all… It was never really my wallet to begin with.

The big warning sign was when the crook first processed a “mining fee”. I did not understand the details, but I knew that something was wrong. No third party can take money from your bitcoin wallet, “mining enabled” or otherwise. Yet at the same time, I continued to receive small payments, so I was still waiting for the other shoe to drop.

I guess eventually “Mr. Spark” decided that I am unlikely to invest more into his scheme, but more likely, I was not his only or biggest victim. You don’t set up an elaborate scam like this, with a fake social media account, fake phone number and all to just steal a hundred bucks from someone. (That would be a less effective, and certainly more risky, way of making money than working at minimum wage.)

There is the usual, “if it’s too good to be true” lesson here: Nobody is going to pay you 8% interest a day. OK, I knew that. I also knew that cloud mining is a very risky proposition, the returns are not spectacular and fraud is rampant. I didn’t have to spend a hundred bucks to learn this.

But there is also a valuable technical lesson. I had zero experience with cryptocurrency wallets in the past, and thus I did not realize that anyone setting up the wallet basically has a permanent, irrevocable key to that wallet. And when a sum, however small, goes missing from your bitcoin wallet, it is a guaranteed indicator that the wallet is compromised.
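To make the technical lesson concrete, here is an added example (my own illustration for this page, not code from the post) of what a twelve-word backup phrase actually is. It assumes the phrase follows BIP-39, the standard behind twelve-word phrases in most wallets: the words are fed through PBKDF2-HMAC-SHA512 with 2048 rounds and the salt “mnemonic” (plus an optional passphrase), and the 64-byte result is the master seed from which every key in the wallet is derived. The check against a reference vector is the first entry of the published BIP-39 test set; the demo phrase is that same all-zero-entropy phrase.

```php
<?php
declare(strict_types=1);
// Added example, not from the post: how a twelve-word backup phrase becomes the
// wallet's master seed under BIP-39 (assumed here to be the scheme behind the
// blockchain.com phrase, as it is for most wallets). No login, 2FA code or IP
// allow-list enters this computation: anyone holding the words can run it anywhere.

function normalizePhrase(string $mnemonic): string
{
    // BIP-39: words separated by single spaces, Unicode NFKD (a no-op for English words).
    $joined = implode(' ', preg_split('/\s+/u', trim($mnemonic)));
    return class_exists('Normalizer') ? (Normalizer::normalize($joined, Normalizer::FORM_KD) ?: $joined) : $joined;
}

/** Derive the 64-byte BIP-39 seed as a hex string: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase. */
function mnemonicToSeedHex(string $mnemonic, string $passphrase = ''): string
{
    $seed = hash_pbkdf2('sha512', normalizePhrase($mnemonic), 'mnemonic' . $passphrase, 2048, 64, true);
    return bin2hex($seed);
}

/** Check the derivation against the first vector of the BIP-39 reference test set. */
function seedMatchesReferenceVector(): bool
{
    $words    = str_repeat('abandon ', 11) . 'about';
    $expected = 'c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553'
              . '1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04';
    return mnemonicToSeedHex($words, 'TREZOR') === $expected;
}

$phrase = str_repeat('abandon ', 11) . 'about';   // demo phrase (the all-zero entropy reference vector)
var_dump(seedMatchesReferenceVector());            // true
echo mnemonicToSeedHex($phrase), "\n";             // the seed every wallet would derive from these words

// The same words give the same seed on every machine. Only a passphrase the other
// party never saw would change it, and a wallet set up for you by someone else
// offers no such protection: the words themselves are the key.
echo mnemonicToSeedHex($phrase, 'TREZOR') === mnemonicToSeedHex($phrase) ? "same\n" : "different\n";  // different
```

Note what is absent from that computation: the service that displayed the words. The two-factor authentication and IP restrictions described above protect the blockchain.com login, not the seed, which is why a wallet whose phrase someone else has seen is compromised from the moment it is created.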

There is also another thing that I did not realize until today. Namely that the Spark account on Quora is almost certainly a fake, an impersonation. In fact, it was not until I actually asked myself, “how can this chap commit such fraud under his own name?” that I came up instantly with the obvious answer: he didn’t. Rather, a scamster used the name and credentials of a respectable but social media shy expert to set up shop and rip off his victims. That I did not think of this possibility earlier is a consequence of my prejudice. I had very low expectations to begin with, when it comes to people in the speculative cryptocurrency business. So neither the cheap VoIP line nor the pushy behavior raised additional red flags: I was wondering what scam the real Neale Spark was dragging me into; I did not expect to be dealing with an impostor.


*Name altered to protect the privacy and reputation of the person who was impersonated.

 Posted by at 7:49 pm
Aug 21, 2019
 

I am reading an article in The Register about a major Internet outage that occurred last December, when a handful of rogue packets managed to clog up a backbone network for more than a day and a half, blocking even VoIP 911 calls.

There are two rather frightening aspects of this fiasco. Both rather horrifying, as a matter of fact.

First, that in this day and age, in late 2018, a backbone service provider can still be brought to its knees by something as simple as a malformed packet. What on Earth are you doing, people? Have you heard of penetration testing? Fault tree analysis? Auditing your equipment and system software? Or have these essential steps been dropped just so that you can report some cost savings to your shareholders?

But it really is the second point that I find particularly upsetting. To quote, “the nodes along the fiber network were so flooded, they could not be reached by their administrators”.

Say what? Are you telling me that you had no alternate means to access your nodes? Like, you know, something as crude and simple as a dial-up port with a command-line based management interface? I mean, this is something even my little home office network used to have, and when I dropped it last year, reacting to rising landline costs and the fact that I no longer used that data/Fax phone line at all, I did so because I have dual network connections. To learn that a major backbone provider doesn’t have the kind of redundancy that I take for granted for my own little network is disconcerting, to say the least.

I suppose I should stop rambling now, though. Truth to tell, I am ignorant as to how CenturyLink’s actual network is configured, and I certainly never managed a fiber optic backbone network. I am simply reacting to the main points of The Register’s article even though I cannot independently confirm its veracity. In my defense, The Register’s articles tend to be well written and accurate. Even so, criticizing from a position of ignorance is never a smart thing to do.

Nonetheless, if The Register is correct, this really is not how a transcontinental data network should be configured and managed. This also seems to be the FCC’s conclusion.

 Posted by at 5:04 pm
Jun 13, 2019
 

The news this morning is that former PM Jean Chrétien suggested that Canada should stop the extradition proceedings against Huawei CFO Meng Wanzhou, as a means to win back the freedom of the two Canadian hostages in China, Michael Kovrig and Michael Spavor. (Yes, I called them hostages.)

The case against Huawei runs a lot deeper, however, than the financial fraud Ms. Meng is alleged by US authorities to have committed.

There is also the question of espionage, including the possibility that Huawei’s 5G equipment cannot be trusted because of firmware or hardware level backdoors.

I repeatedly encountered the suggestion that this issue can be trivially remedied by using end-to-end encryption. Unfortunately, end-to-end encryption, even if properly implemented (ignoring for the moment our own Western governments’ recurrent pleas to have built-in backdoors in any such encryption algorithms), solves only part of the problem.

It still allows Huawei to steal metadata, such as where calls are routed or the amount and nature of data traffic between specific endpoints. Worse yet, no encryption prevents Huawei from potentially sabotaging the network when called upon to do so by the Chinese government.

For this reason, I reluctantly came to the conclusion that the US ban against Huawei is justified and appropriate. It must, of course, be accompanied by a suitable increase in spending on researching 5G communications technologies, because otherwise, we risk shooting ourselves in the foot by banning the use of equipment that is technologically superior to the available alternatives. This is a new situation for the West: The last time the West faced a great power adversary that matched Western scientific and technological capabilities was in the 1930s, with Nazi Germany.

As for Ms. Meng, I think the suggestion to suspend the extradition process is wholly inappropriate. It would signal to the world that Canada is willing to suspend the rule of law for the sake of hostages. However strongly I feel about Messrs. Kovrig and Spavor, however strongly I desire to see them released, this is not a price Canada should be willing to pay.

 Posted by at 5:56 pm
Mar 30, 2019
 

The content management software that I use, Joomla! and WordPress in particular, has been complaining for a while now that the PHP version that runs on my servers is outdated and potentially insecure. Not exactly true, as PHP 5.4 remains part of the official Red Hat/CentOS release, but it would certainly be prudent for me to attempt an upgrade.

I tried to do just that last night, on a test server. And it was a miserable failure, a waste of many hours that I will never get back, to make no mention of the heightened risk of cardiovascular disease due to my elevated blood pressure caused by all that frustration.

The relatively easy part? PHP 7 complaining that its just-in-time compilation feature ran out of memory. Easy-peasy, I can disable JIT. Check.

But then: several of my Joomla! sites refused to run, with a cryptic and ultimately meaningless error message and nothing in the logs. And at least one Joomla! site just got itself into an infinite redirect loop. But why?

I tried many things. I kept looking for answers on Google. Nothing worked. Eventually I took two of my Joomla! sites that are very similar in nature, and began comparing their settings, side-by-side. One worked, the other didn’t. Why?

I then stumbled upon a custom Joomla! module, one that I wrote to support some ads that appear on my sites. This module was installed on the site that failed, but not used on the other. I disabled the module and, presto, the site was working with PHP 7. I re-enabled the module and the site was dead again. So… why?

Well, the module contains some PHP code. Which, after some preamble that allows it to connect to the internal data structures of Joomla!, begins the real work by accessing the MySQL database that contains the actual ads:

$conn = mysql_connect("localhost");
mysql_select_db("www");
$res = mysql_query("SELECT PAGEID,ADTEXT FROM ...

Oops.

You see, mysql_ calls have been deprecated and REMOVED from PHP starting with version 7.

And I have hundreds, if not thousands of lines of legacy code* (including, e.g., my calculator museum at rskey.org) that rely on this old library.

So I guess that PHP 7 upgrade will have to wait a while longer. Looks like I have no choice but to rewrite the affected pieces of code everywhere, as there is no other long-term solution. (Even if I find a third-party PHP plugin that re-enables mysql_ codes, how long will that continue to work? How reliable will it be?)
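For the record, here is what the rewrite looks like; this is an added example for this page, not the module code from the post. It moves the removed mysql_ pattern onto PDO, which PHP 7 ships with, and so that it runs offline it uses an in-memory SQLite database in place of the MySQL “www” database (against the real server the DSN would be of the form mysql:host=localhost;dbname=www, with credentials). The table layout follows the PAGEID/ADTEXT columns in the query above; the rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not the module code from the post: the removed mysql_ pattern
// rewritten on top of PDO. In-memory SQLite is used so the script runs anywhere;
// the real module would use a MySQL DSN. Table rows below are constructed.

function openAdsDatabase(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the client library, does the parameter binding.
    ]);
    $pdo->exec('CREATE TABLE IF NOT EXISTS ads (PAGEID TEXT NOT NULL, ADTEXT TEXT NOT NULL)');
    return $pdo;
}

/** Load a few constructed rows standing in for the real ads table. */
function seedSampleAds(PDO $pdo): void
{
    $stmt = $pdo->prepare('INSERT INTO ads (PAGEID, ADTEXT) VALUES (:page, :text)');
    $rows = [['home', 'Visit the calculator museum'], ['home', 'Read the blog'], ['about', 'Get in touch']];
    foreach ($rows as [$page, $text]) {
        $stmt->execute([':page' => $page, ':text' => $text]);
    }
}

// The post's legacy version opened with mysql_connect("localhost"), mysql_select_db("www")
// and a hand-built mysql_query("SELECT PAGEID,ADTEXT FROM ..."). Code of that era typically
// spliced values straight into the SQL string; with a prepared statement the page id
// travels as a bound parameter and is never parsed as SQL.

/** Return the ad texts for one page. */
function adsForPage(PDO $pdo, string $page): array
{
    $stmt = $pdo->prepare('SELECT PAGEID, ADTEXT FROM ads WHERE PAGEID = :page');
    $stmt->execute([':page' => $page]);
    return array_column($stmt->fetchAll(), 'ADTEXT');
}

$pdo = openAdsDatabase();
seedSampleAds($pdo);
print_r(adsForPage($pdo, 'home'));              // the two "home" ads
print_r(adsForPage($pdo, "home' OR '1'='1"));   // empty array: the quote is data, not SQL
```

The last call is the reason to prefer this shape over a drop-in mysql_ compatibility shim: besides surviving the PHP 7 upgrade, a bound parameter cannot change the meaning of the query, whatever the page id contains.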

What a muckup. Grumble. And I do have other work to do.

 Posted by at 10:40 am
Mar 28, 2019
 

Even as Facebook is battling white supremacism and fighting accusations of racial profiling, there is more nonsense going on.

In the past few days, I received several Facebook requests from accounts purportedly owned by young women, whose profiles contain sexually explicit, rather pornographic images and videos.

Here is one of the mildest ones (the majority of the images in this and other accounts from which I received friend requests were far, far more explicit in nature, including images depicting intercourse):

I do not wish to be a prude here; I am, after all, a middle aged male in relatively good health, and certainly not immune to, ahem, shall we say, visually stimulating images (though I admit I was never a fan of hard-core pornography. Not my cup of tea.)

But these Facebook accounts are obviously not accounts owned by bona fide young women trying to seduce older, happily married males like myself. They are probably overweight middle-aged male scam artists doing their shady business from their parents’ basements. Or worse yet, organized crime operating out of shady boiler rooms somewhere in Eastern Europe or Asia.

Thanks but no thanks. I have presently no desire to break my marital vow, but even if I did, there are better, safer ways.

As for these friend requests, I just block them and report the accounts to Facebook.

 Posted by at 2:08 pm
Jun 16 2018
 

When I was a teenager, the classic novel, The Count of Monte Cristo by Alexandre Dumas, was one of my favorites.

And one of my favorite chapters in that book was a chapter with an uncanny (not to mention unusually long) title: “How a Gardener May Get Rid of the Dormice that Eat His Peaches”. In it, Dumas describes a classic hack: exploiting the human in the system. By bribing an operator of France’s early optical telegraph network, the book’s protagonist is able to plant a false message, which ultimately contributes to the downfall of one of his mortal enemies. In short: a targeted cyberattack on a telecommunications network.

What I did not know, however, is that this chapter may have been inspired by real life events. About ten years before Dumas published his novel, the brothers François and Louis* Blanc managed to hack the telegraph network in a manner even more sophisticated than the hack described in Dumas’s book. Yes, the real-life hack relied on bribing operators, too, but it also involved a case of steganography: inserting a coded message that would piggyback on the original telegraph transmission. Not only did the scheme succeed; like any good hack, it remained in place and undetected for two years. And when it was finally detected, the Blanc brothers were charged but never convicted; there were, after all, no laws on the books back in the 1830s against misuse of data networks.


*Well, that’s what Wikipedia tells me. It appears that the twins are misidentified as Francois and Joseph in several English-language publications. Francois was later known as The Magician of Monte Carlo, a casino that he owned and where he first introduced the single-0 style roulette wheel.
 
 Posted by at 7:52 pm
Nov 10 2017
 

I’ve seen several news reports commenting on the fact that Donald Trump was using Twitter while visiting China. That despite the fact that Twitter is one of those Western services that are blocked by China’s “Great Firewall”. Some even speculated that Trump was using a military communications network or some other exotic technology to circumvent Chinese restrictions. (As if the US military was foolish enough to let this idiot of a president’s unsecure smartphone access their network.)

But reality is much more mundane, as I know quite well from personal experience in China.

When you are traveling with a phone registered to a foreign service provider, your Internet connection initiates from that provider’s network. So insofar as the Internet is concerned, you are not even in China. Your connection initiates from your home country. In my case, whenever I used my phone in China for Internet access, I accessed the Internet from an IP address registered with my Canadian cellular service provider, Rogers. I had unrestricted access to Google, Facebook, CNN and other news sites, with no Chinese restrictions.

Trump probably did exactly what I did, except that he probably worried about international data roaming charges and data caps a little less than I. He grabbed his phone, turned it on, and used it without a second thought. (OK, that’s not exactly like me. Trump was probably not surprised to see Twitter work on his phone in China, because he probably knows very little about the Great Firewall. I was mildly surprised myself, especially as I went there prepared for the worst, with multiple overt and covert VPN options prepared just in case I needed them. Which I did… but only when I was using the hotel Wi-Fi instead of the cellular network.)

 Posted by at 9:21 am
May 29 2017
 

Is your mother proud of you being a crook?

I have asked this question many times in recent months; basically, every time I receive a call from the “computer support department”, trying to tell me how my computer is full of viruses or whatever.

I usually don’t expect an answer; as a matter of fact, I usually just hang up, although more often than not, the other party hangs up first before I get a chance. Understandable… that’s what they are trained to do by their criminal masters.

Today, for some reason, I chose not to hang up. And the gentleman on the other end of the line asked me to repeat myself instead of hanging up on me. I obliged. After a moment of silence, I actually got an answer.

“Well, sir, I need the money.”

That was an unexpectedly candid admission, not that I was not aware of this basic truth. These callers, usually in boiler rooms somewhere in India or Pakistan, do this because they need to earn a living.

But it’s one thing to earn a living, it’s another to defraud vulnerable people, old ladies and whatnot. I told that much to this agent. He just repeated himself, defensively: “But I need the money.”

So I told him that I understand. That I, too, was a refugee once 30 years ago. (True.) But even when I had no money, I did not start defrauding people. I asked him to think about this, please; then thanked him and hung up.

Did I accomplish anything? I don’t know. Is it valid to compare my situation 30 years ago: granted, a refugee, but a refugee in a first world country (Austria) with no family to worry about and with guaranteed shelter and food at the Traiskirchen refugee camp, which I declined to take advantage of only because I found work (no fraud involved, but it’s true that I had no work permit) and I was able to afford better accommodations?

Yes, I read Les Misérables. No, I do not want the poor to be disproportionately punished, with no grace or mercy.

Still, I think there is an ethical line to be drawn here. No matter how great your need is, I still don’t think this moral justification applies when you work for a criminal enterprise, earning a living from defrauding vulnerable people halfway around the world.

 Posted by at 2:21 pm
May 06 2017
 

One of the major events during last year’s presidential campaign was the hacking of e-mails of the Democratic National Congress. In particular, the hacking of the e-mails of campaign chairman John Podesta.

How it happened is simple. Podesta received a bogus e-mail, purportedly from Google, that there was an unauthorized attempt to log in to his account, and that he should change his password. A helpful link in the form of a button was provided.

Podesta’s assistant was suspicious and asked for expert help. The expert inadvertently described the e-mail as “legitimate” (presumably, he meant to write “not legitimate” or “illegitimate”) but advised that Podesta should change his password, and provided the correct (Google) link for password changes.

The assistant forwarded the e-mail to Podesta, adding in her own words that “The gmail one is REAL”. This prompted Podesta to change his password… using the fraudulent link provided to him in the original message. By doing so, Podesta inadvertently disclosed his e-mail password to Russian hackers.

How do we know that they are Russian? There are many reasons to believe this to be the case, but I just noticed another peculiarity. (It is possible that I am not the first to notice this, of course.) Look at the subject line of the Podesta e-mails:

Subject: Sоmeоne has your passwоrd

Now try searching for the word “Someone” on this page using your Web browser’s built-in search feature (hitting Control-F activates this feature in most browsers). Can you see (or rather not see) how nothing in this Subject line is highlighted?

That is because several of the o’s in this subject line were typed on a Cyrillic keyboard, and they are Cyrillic characters. A Cyrillic ‘о’ appears very much the same as a Latin ‘o’, but it has a different code (hexadecimal 043e as opposed to 006f):
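The check a mail filter or a security analyst would run on such a subject line, as an added example that is not part of the original post: classify each letter by its Unicode script and flag any letter whose script differs from the dominant one. The sample subject is constructed here with explicit escapes (\u043e is CYRILLIC SMALL LETTER O) so that the homoglyphs survive copy-and-paste; the report format is my own.

```python
# Added example (not from the original post): detect mixed-script
# homoglyphs of the kind found in the Podesta phishing subject line.
import unicodedata

# Constructed sample: three of the o's are Cyrillic U+043E, the rest Latin.
SAMPLE_SUBJECT = "S\u043eme\u043ene has your passw\u043erd"


def script_of(ch: str) -> str:
    """Script name taken from the Unicode character name ('LATIN',
    'CYRILLIC', ...); empty string for anything that is not a letter."""
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else ""


def mixed_script_report(text: str) -> dict:
    """Find letters whose script differs from the text's dominant script.

    Returns {'scripts': set of scripts seen,
             'suspicious': [(index, char, 'U+XXXX', unicode name), ...]}.
    """
    counts: dict = {}
    for ch in text:
        s = script_of(ch)
        if s:
            counts[s] = counts.get(s, 0) + 1
    if not counts:
        return {"scripts": set(), "suspicious": []}
    dominant = max(counts, key=counts.get)
    suspicious = [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(text)
        if script_of(ch) and script_of(ch) != dominant
    ]
    return {"scripts": set(counts), "suspicious": suspicious}


def is_mixed_script(text: str) -> bool:
    """True when letters from more than one script are present."""
    return len(mixed_script_report(text)["scripts"]) > 1


def contains_plain(text: str, needle: str) -> bool:
    """Mimic a browser's Ctrl-F: a literal substring search, which is
    exactly why 'Someone' is not found in the spoofed subject."""
    return needle in text


if __name__ == "__main__":
    rep = mixed_script_report(SAMPLE_SUBJECT)
    print("scripts seen:", sorted(rep["scripts"]))
    for idx, ch, cp, name in rep["suspicious"]:
        print(f"  offset {idx}: {ch!r} {cp} {name}")
    print("Ctrl-F for 'Someone' finds it:", contains_plain(SAMPLE_SUBJECT, "Someone"))
```

Note that Unicode normalisation does not help here: NFKC leaves U+043E as it is, because it is a distinct letter rather than a compatibility variant of Latin o, so a script-level check like the one above (or a confusables table) is what actually catches the substitution.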

Funny thing is… I got this subject line straight from Wikileaks. You know, the same Wikileaks who are protesting high and low that the e-mail dump is not from Russia. Yet on their very own Web site, the e-mails that resulted in the Podesta hack contain Cyrillic characters. Go figure.

 Posted by at 8:34 pm
Feb 02 2017
 

“After a second notices he ran it on db1 instead of db2”… This sentence (somewhat shortened, to make a fitting title) describes the beginning of a colossally effed up night at GitLab.com.

In response to a spike in system load, which resulted in lag on a replication server, the operator thought that maybe restarting the replication server with a clean slate is a good idea. So he decided to wipe the replication server’s data directory.

Unfortunately, he entered the command in the wrong window.

I feel his pain. I did make similar mistakes before, albeit on a much smaller scale, and the memories still hurt me, years later.

I have to commend GitLab for their exceptional openness about this incident, offering us all a valuable lesson. I note that others also responded positively, offering sympathy, assistance, and useful advice.

I read their post-mortem with great interest. In reaction, I already implemented something that I should have done years ago: changing the background color of some of the xterm windows that I regularly open to my Linux servers, to distinguish them visually. (“Create issue to change terminal PS1 format/colours to make it clear whether you’re using production or staging”).

Of course similar incidents and near misses also changed my habits over the years. I rarely delete anything these days without making a backup first. I always pause before hitting Enter on a command that is not (easily) reversible. I have multiple backups, and tested procedures for recovery.
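Both habits above, the visually distinct production window and the pause before an irreversible command, as an added POSIX shell example that is neither from the original post nor from GitLab's own setup: the prompt colour and a role label are derived from the hostname, and a guard function refuses to proceed on a production host unless an exact confirmation phrase was typed. The hostname patterns (db1, db2, prod, staging), the colours and the confirmation phrase are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or GitLab): colour the prompt
# by host role and guard destructive actions on production hosts.
# Hostname patterns, colours and the confirmation phrase are assumptions.

# Classify a hostname into a role. The patterns are hypothetical.
host_role() {
    case "$1" in
        db1*|*prod*)    echo production ;;
        db2*|*staging*) echo staging ;;
        *)              echo other ;;
    esac
}

# ANSI SGR parameters per role: white on red for production, black on
# yellow for staging, terminal default for everything else.
role_color() {
    case "$1" in
        production) echo '97;41' ;;
        staging)    echo '30;43' ;;
        *)          echo '0' ;;
    esac
}

# Build a bash PS1 string for the given hostname. The \[ \] markers tell
# bash that the escape sequences take no columns; \u \h \w are expanded
# by bash at prompt time. Usage: PS1=$(build_ps1 "$(hostname)")
build_ps1() {
    _role=$(host_role "$1")
    _color=$(role_color "$_role")
    printf '\\[\\e[%sm\\][%s]\\[\\e[0m\\] \\u@\\h:\\w\\$ ' "$_color" "$_role"
}

# Returns 0 when an action may proceed: always on non-production hosts,
# on production only when the confirmation phrase was typed exactly.
# $1 = hostname, $2 = what the operator typed at the confirmation prompt.
confirm_on_production() {
    _host=$1
    _answer=$2
    if [ "$(host_role "$_host")" = production ] && [ "$_answer" != "yes, production" ]; then
        echo "refusing to continue on production host $_host without confirmation" >&2
        return 1
    fi
    return 0
}
```

A wrapper around a data-directory wipe would read the operator's answer and call confirm_on_production before doing anything, so that typing the command in the wrong window costs a few seconds of embarrassment rather than a replication server.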

Even so… as Forrest Gump says, shit happens. And every little bit helps, especially when we can learn from the valuable lessons of others without having to go through their pain.

 Posted by at 10:13 am
Dec 13 2016
 

This morning, when I woke up, the regular status e-mails that my servers greet me with told me that there is a major CentOS update (version 7.3). Cool. Unfortunately, it meant that I needed to upgrade as many as five servers. This includes my main server, its physical backup, my backup server in NYC, another “in cloud” backup, and yet another server that I help administer. I began this process shortly after 8 in the morning, after I finished breakfast.

And as usual, a major upgrade like this brings to the surface little problems, little annoyances such as folders that had incorrectly configured SELinux permissions. No big deal, to be sure, but several such little things can consume hours of your time.

And then, it was also Microsoft Patch Tuesday, the second Tuesday of the month when Microsoft releases scheduled updates to Windows and other products. As soon as I was done with CentOS, my attention turned to my Windows machines, including my main workstation, its backup (actually, the same physical machine that also acts as my server’s backup in a dual-boot configuration), my wife’s desktop computer, two laptops, and last but not least, my old desktop that I still keep around as a backup/test computer.

Moreover, I also decided to update three virtual machines (one running Windows 7, the other two, Windows XP) that I keep around both for test purposes and to have older software, older configurations available if needed.

Furthermore, when I update Windows, I tend to check and see if any other software packages need updating. On some computers, I run Secunia PSI, which keeps track of many applications. But even on other systems, I had to update Java (if installed), Adobe Flash, Chrome and Firefox.

And on older hardware, the process can be painfully slow.

To make a long story short, by the time I finished the bulk of this work, it was 7:30 in the evening. And one computer (a really low powered old netbook) is still doing its thing, even though it’s well past 11 PM now.

No wonder I didn’t accomplish much today.

Of course all of this needed to be done. Since I am a one-man band, I don’t have an IT department to rely on, but it is still important for me to keep my systems secure and well-maintained.

Nonetheless, it feels like one hell of a waste of a day.

 Posted by at 11:22 pm
Nov 23 2016
 

This was a potential nightmare scenario. Imagine if we found out that the swing state results of the Nov. 8 election were altered by hackers. Imagine if an investigation found that Hillary Clinton won these states after all, and hence, won the electoral college.

Remember the hanging chads of the 2000 election?

Why is it a nightmare? Because it would likely lead to a constitutional crisis with unpredictable consequences. Donald Trump would be unlikely to concede. But even if he did, tens of millions of his supporters would likely find the results unacceptable. Even the predictable disaster of a Trump presidency is preferable to a crisis of such magnitude.

And last night, the specter of just such a crisis was raised, in the form of a New York Magazine article (which was soon echoed by other news outlets), reporting on the doubts and suspicions of prominent scientists who noted a bias in the county-by-county results, more likely to favor Trump in counties where votes were counted electronically.

But not so fast, says fivethirtyeight.com. You cannot just compare the raw results without accounting for demographics. And once you take demographics into account, the apparent bias disappears. And while fivethirtyeight notes that it is difficult to validate the integrity of the voting system in the United States, nonetheless the burden of proof is on those who claim electoral fraud, and so far, the burden of proof has not been met.

I no more welcome a Trump presidency today than I did two weeks ago, but an orderly transition is still preferable to the chaos of a constitutional crisis.

Meanwhile, Clinton’s lead in the popular vote count increased to over two million votes (yes, they are still counting the votes in some states, including mighty California). This in itself is unprecedented: never in the history of the United States did a candidate win the popular vote with such a wide margin, yet lose the electoral college.

 Posted by at 6:31 pm
Nov 17 2016
 

It is rare these days that a piece of spam makes me laugh, but today was an exception. After all, it is not every day that I receive an e-mail notice, pretending (kind of) to be from UPS, informing me that my “crap” has been shipped:

Still trying to figure out though if the language was intentional, or simply a mistake made by a non-native English speaker unfamiliar with certain, ahem, idioms.

 Posted by at 1:16 pm