Stealing Passwords
All of the recent stories about high-profile sites storing passwords in plain text make me feel a little bad for picking on people using unsalted MD5 hashes. At least they tried!
The Dangers of Shared Hosting
Web hosting is a pretty saturated market. Software like cPanel and WHM make it easy to rent a server and sell space on it to others, who can then even go on to resell it themselves. Promises of "unlimited bandwidth and disk space" can be had for less than the cost of a nice lunch. Commodity servers end up hosting thousands of disparate websites for thousands of different people all over the world, and nobody involved even needs to know what "shell access" means.
UNIX-like systems were designed for multiple, simultaneous users. Their roots are in an era when computers were too expensive for people to have one of their own, and decades of effort have gone into ensuring that the users of the system are safe from one another. Think of it like having a thousand different housemates. Maybe you trust them, but do you trust everyone they have over? Do you even know who they have over? After enough conflicts and theft, you end up with something like an apartment building, with strong locks, alarm systems, security guards, and so on.
That's how shared hosting environments are today. Some are better than others: most of them have locks, but only a few have alarms, and even fewer have actual security personnel. The less it costs to live there, the less they'll have in the way of security. But they all have the same problem: the weakest link is somebody else.
In this article, I'll walk you through a real attack on a real website on a real shared web host. Using various common vulnerabilities, we'll find somebody else to let us in the building, find an abandoned unit, steal someone's keys — and then we'll walk out with everything. It won't be anything new to an experienced hacker or penetration tester, but you might find it interesting if you develop web applications, have a site on a shared hosting service, or have ever wanted an inside look at what "real hacking" in a web2.0 world is like.
Hi WordPress
WordPress is way better than Blogger in pretty much every aspect, especially posting code, so I will post here instead.
edit: Except that it costs more to use a custom domain than it costs to just host the whole stupid thing myself. That's pretty stupid.
Word Games and Slot Machines
I have this thing with games.
For many simple games, especially word games, there is a pretty straightforward strategy to follow to play a "perfect" game. Scrabble is a particularly good example. The simplest strategy is to play the best word you can, which is easily quantifiable by points. Refinements are obvious: try to save high scoring letters for bonus squares, try to make the board worse for your opponent.
Once you've figured the basics out, the most effective way to improve your game is to expand your vocabulary. At first, this seems like a pretty "human" endeavor. However, anyone who's played Scrabble online or competitively is probably familiar with the nonsense Scrabble words you have to memorize to play effectively. Especially important are the ones that help you use Q, X, and Z, and the two-letter words that let you attach to another word: qi, za, qats, mbaqanga. Your spell-checker doesn't have those words, and your dictionary probably doesn't either. You will never use them in a sentence, and you probably won't ever encounter anyone else using them either - unless you're playing or talking about Scrabble.
Memorizing and searching through lists of arbitrary, otherwise meaningless items isn't something humans are very good at. Performing precise calculations isn't something humans are very good at either. They are, however, tasks that computers are particularly good at.
This drives me crazy.
I've been programming for most of my life, so for many games, coding something that can play is more interesting than actually playing myself. I've written bots for Scrabble, Boggle, Sudoku, Poker, and all manner of word/card/number games - many for money.
Lexis

Lexis game machine
Recently, a friend introduced me to a word game on Second Life called Lexis. Lexis is basically 10 rounds of single-word Scrabble. You get 7 letters, and 7 spots to place them in, with the familiar bonus tiles: double word, triple word, double letter, triple letter. Your word must start in the left-most spot, so there is no strategy in how you place the word. The only thing to do is choose the highest-scoring word, taking into account the bonus squares, and input it as fast as possible.
Definitely a game for computers.
With a cash prize.
On one machine, the jackpot was over L$10,000 - which is about USD$35.
SQL Injection and You
A few months ago, I was approached by Pixeleen Mistral, managing editor for The Alphaville Herald (NWS). She had gotten a reputable tip about a security problem on the website of a popular third-party service for Second Life, and asked if I knew anything about it. The service in question was BanLink, which provides a way for groups in Second Life to share their ban lists. Since the whole point of the service is ostensibly to hinder griefers, it seemed like a pretty hot target for exploitation, and a security vulnerability was potentially big news.
The problem ended up being SQL injection: the ability to modify the queries the website makes to the back-end database. SQL injection is among the most prevalent and most dangerous security problems in web applications. OWASP's top ten list placed injection flaws at 6th place in 2004, 2nd place in 2007, and they're going to be 1st place in 2010. This particular application was vulnerable to injection in pretty much every single parameter on every single page, and any errors from the database were reported in full. As far as these things go, it was a gold mine.
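To make the mechanism concrete, here is an added example (not BanLink's code; the table and names are constructed) contrasting a lookup that splices user input into the SQL text with one that binds it as a parameter. A plain apostrophe in a name is enough to break the first version, and echoing the raw database error back to the caller is exactly the "errors reported in full" behaviour described above.

```python
import sqlite3

# Constructed sample data standing in for a shared ban list (hypothetical schema).
ROWS = [("Alice Resident", "griefing"), ("O'Brien Resident", "spam")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bans (name TEXT, reason TEXT)")
    con.executemany("INSERT INTO bans VALUES (?, ?)", ROWS)
    return con


def lookup_vulnerable(con, name):
    # User input is pasted straight into the statement, so any quote in the
    # input changes the query's structure instead of being treated as data.
    # Returning str(e) leaks the engine's full error text to the client.
    try:
        cur = con.execute(f"SELECT reason FROM bans WHERE name = '{name}'")
        return {"ok": True, "rows": [r[0] for r in cur.fetchall()]}
    except sqlite3.Error as e:
        return {"ok": False, "error": str(e)}


def lookup_hardened(con, name):
    # A bound parameter is sent as a value, never parsed as SQL, so quotes in
    # the input cannot alter the statement. Database errors are reduced to a
    # generic message; the detail belongs in a server-side log, not the response.
    try:
        cur = con.execute("SELECT reason FROM bans WHERE name = ?", (name,))
        return {"ok": True, "rows": [r[0] for r in cur.fetchall()]}
    except sqlite3.Error:
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    for who in ("Alice Resident", "O'Brien Resident"):
        print(who, "->", lookup_vulnerable(db, who), lookup_hardened(db, who))
```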
Custom xmonad Terminal Layout
I've been using xmonad as my window manager at work for a while now. xmonad is a minimal tiling window manager written in and configured using Haskell. The main stated advantage of using a tiling wm is that all your windows automatically expand to fill up your screen. What I like most about it is actually the ability to change workspaces (or virtual desktops) on each screen individually, without having to use separate X screens.
Previously, I had used xfce4 and compiz-fusion with all sorts of flashy eye candy, like the rotating cube. I wanted to be able to rotate each monitor separately, which wasn't possible if you had your desktop stretched across multiple monitors. You had to use separate X screens for each monitor, so windows had to stay on the monitor they were started on.
xmonad works exactly the way I want it to: I have one big desktop, I can move windows back and forth between monitors, and I can switch an entire workspace from one monitor to the other without having to do any kind of rearranging myself. Even if they use different resolutions. It's a big step down in terms of eye-candy and ease of configuration, but a big step up in productivity and efficiency.
One thing that always bothered me is that I didn't really use the tiling capabilities of xmonad at all. Most things I just use full screen: browser, email, editor, etc. I do use a handful of terminals, and those are usually what you see the most of in screenshots of tiling wms. Unfortunately, my screen is too wide for a single terminal but too narrow for two, so I just used a floating layout and manually scrambled them all over the place. There just isn't a way to make tiling work for me without having terminals overlapping or squished.
I tried several layouts, but nothing really fit and I always ended up reverting to the pure floating layout. Eventually, I noticed a pattern in the way I was arranging my floating terminals. I've always been impressed with how simple and short most of the xmonad source code is, so I decided I'd just write my own layout and be done with it.
How hard could it be?
