Evading security logging when logging into DigitalOcean (Fixed)

I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.

However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.

Security history page with IP address conspicuously missing

User.login event with IP address conspicuously missing

I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.

Just a reminder that not all vulnerabilities are obvious, and you can’t find them all with Burp.

Using GNTP for remote notifications? I wouldn’t

Earlier today I wanted to explore using Growl / GNTP to listen for notifications from a remote server. I checked out the Growl developer bindings page, found the Python implementation, and started working on a simple app to send me notifications about various things.

I was planning on running this on my server so I could also interface with Twilio and accept callbacks, without having to expose a webserver on my local machine to the internet. To do this, I was going to accept remote notifications in Growl using a password. I realized pretty quickly this was a worse idea.

I started poking around in the source code, and found that the password is hashed using MD5 by default. In fact, it’s quite a pain to change from the default, since there is no configuration option to change the algorithm within the basic helper methods that are actually documented. This appears to be the case for all the other language bindings as well. This isn’t necessarily the end of the world, but it’s definitely not great.

More poking revealed that the packet contents are not encrypted with the password, but the password is merely used to determine whether the listening Growl instance will accept notifications from the remote source. A notification will actually come across the wire looking like this:

19:32:20.244428 IP (tos 0x0, ttl 64, id 53700, offset 0, flags [DF], proto TCP (6), length 13716, bad cksum 0 (->359d)!)
 localhost.60465 > localhost.23053: Flags [P.], cksum 0x3389 (incorrect -> 0xe50a), seq 1:13665, ack 1, win 12759, options [nop,nop,TS val 266111329 ecr 266111329], length 13664
x.L$......1.3........1Z
...a...aGNTP/1.0 NOTIFY NONE MD5:B80803CFA6C2F303266DC99501ED837D.D89A5B677CDA639FDF3305D233FA0487
Application-Name: poke
Origin-Software-Name: gntp.py
Notification-Sticky: True
Notification-Name: Timer
Notification-Text: Derp?
Origin-Platform-Version: ...
Origin-Software-Version: ...
Origin-Machine-Name: ...
Notification-Icon: x-growl-resource://fcaeca33ea9ee6fa902f79aa47f980f0
Notification-Title: Timer Alert
Origin-Platform-Name: Darwin

...

As you can see, the name of the application, the name of the notification, the actual contents of that notification, and the title of the notification (the Application-Name, Notification-Name, Notification-Text and Notification-Title headers above) are sent in cleartext and easily readable.

What about that weird string starting with “MD5” on the request line?

The meat of the password hashing algorithm can be seen here. Basically, they use a hash of the system’s time as a salt (which they call a “seed”), and include it with messages sent to the server (D89A…0487 above). The other component of the string is a hash of the concatenation of the password and the salt’s hash (B808…837D above).

To see if it was really as easy as it appeared to crack these hashes, I wrote a quick script called Growl Crack that will first bruteforce the “seed” (timestamp/salt), then the “secret” (password + salt). Obviously the difficulty of cracking the password is dependent on its complexity, but the seed is usually cracked pretty much instantly.
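To make the scheme concrete, here is an added Python example of my own (not gntp.py’s or Growl’s code) that models the key derivation as described above: salt = H(seed), key = H(password + salt), keyHash = H(key), with the seed a time.ctime()-style string and H defaulting to MD5. The exact byte layout is my reading of that description and is an assumption. The request line it parses is the one from the capture above; the password and timestamp used in the demo are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample: the request line from the tcpdump excerpt above. The key
# hash and salt are the values that appeared on the wire; the password and
# timestamp that produced them are not known.
SAMPLE_REQUEST_LINE = (
    "GNTP/1.0 NOTIFY NONE "
    "MD5:B80803CFA6C2F303266DC99501ED837D.D89A5B677CDA639FDF3305D233FA0487"
)

# Request line layout: GNTP/<version> <type> <encryption>[ <hashAlgo>:<keyHash>.<salt>]
REQUEST_LINE_RE = re.compile(
    r"^GNTP/(?P<version>[\d.]+) (?P<type>\w+) (?P<enc>\w+)"
    r"(?: (?P<algo>\w+):(?P<key_hash>[0-9A-Fa-f]+)\.(?P<salt>[0-9A-Fa-f]+))?$"
)


def parse_request_line(line):
    """Split a GNTP request line into its fields; hex values are upper-cased.
    Raises ValueError for anything that is not a GNTP request line."""
    m = REQUEST_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a GNTP request line: %r" % line)
    fields = m.groupdict()
    for name in ("key_hash", "salt"):
        if fields[name]:
            fields[name] = fields[name].upper()
    return fields


def derive_auth(password, seed, algo="md5"):
    """Sender side (assumed layout, modelled on the description of gntp.py):
    salt = H(seed), key = H(password + salt), keyHash = H(key).
    Returns (keyHash_hex, salt_hex), the two halves of the wire string."""
    def h(data):
        return hashlib.new(algo, data)

    salt = h(seed.encode("utf-8")).digest()          # seed is a ctime() string, not random
    key = h(password.encode("utf-8") + salt).digest()
    key_hash = h(key).hexdigest().upper()
    return key_hash, salt.hex().upper()


def verify_auth(password, key_hash_hex, salt_hex, algo="md5"):
    """Receiver side: recompute keyHash from the configured password and the
    salt that arrived on the wire. The receiver never needs the seed itself,
    which is why the seed only has to be predictable, not shared."""
    def h(data):
        return hashlib.new(algo, data)

    salt = bytes.fromhex(salt_hex)
    expected = h(h(password.encode("utf-8") + salt).digest()).hexdigest().upper()
    return hmac.compare_digest(expected, key_hash_hex.upper())


def demo():
    """Round trip with constructed inputs; returns (accepted, rejected, wire_algo)."""
    password = "correct horse"                 # constructed
    seed = "Mon Jun  2 19:32:20 2014"          # constructed, time.ctime() format
    key_hash, salt = derive_auth(password, seed)
    accepted = verify_auth(password, key_hash, salt)
    rejected = verify_auth("wrong password", key_hash, salt)
    wire = parse_request_line(SAMPLE_REQUEST_LINE)
    return accepted, rejected, wire["algo"]


if __name__ == "__main__":
    print(demo())
```

Two properties of the scheme fall out of the code: the salt half of the wire string depends only on the seed, so it can be confirmed without knowing the password, and nothing in the request line covers the notification body, so the key hash authenticates the sender but gives no confidentiality or integrity for the headers that follow it. GNTP itself allows SHA256 and SHA512 in place of MD5 (the `algo` parameter above), but as the post notes the bindings’ documented helpers default to MD5 and make it awkward to change.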

In short, if you’re using Growl remotely, you should probably stop unless you want all your notifications being read, or want to expose your password for easy cracking to anyone listening to your communications.

Are we ready for the next 3 scientific revolutions?

Innovation is accelerating and entropy is increasing (as always). Several huge scientific revolutions are peeking at us from the horizon of the future. Looking at how we’ve dealt with the Internet revolution, I’m not sure we’re ready for them.

What 3 revolutions am I talking about? When are they going to happen? It’s impossible to predict which of these revolutions will happen first, or exactly when, but I suspect that it is safe to assume that all of them will come to pass in the next 100 years. I won’t focus on providing every tiny piece of evidence and analysis of these phenomena in this post, but I will examine them in much greater detail in the future.


25 Node.js Nuggets


My last Nuggets post, “50 Linux Resources for Developers”, was pretty well-received, so I figured I’d try to do the same thing I did there for Node.js. Hopefully something here gives you some inspiration to make the next great JavaScript app. It’s not meant to be an all-inclusive guide to learning Node, but more of a look at my journey with Node and some things I’ve found useful which you might find useful as well.

For a little background, here’s the synopsis of Node.js from their website:

Node.js is a platform built on Chrome’s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.


7 Small Reasons to Love Vim

These are some cool things you can do with Vim that save time and can help prevent mistakes from mouse selection. They’re mostly little things, but altogether they make up an editing environment that I simply love.

1. NERDTree (Docs) file deletion

<Ctrl-L> to open NERDTree, hjkl to move, mdy to delete

2. Easymotion (Docs). Check out their example GIFs, and you’ll never see movement with the keyboard the same again.

3. Executing shell commands without changing windows

:!ls ~  :!rm -rf ~/old.txt

4. Deleting everything inside quotation marks, function blocks, parameters lists, or tags

di" di' di` di{  di(  di[  di< (Delete text within first matched pair)
dit   (Delete text inside first matched "tag" e.g.: <div>TEXT</div>)

5. Selecting/deleting large blocks of text

Selecting: V <Ctrl-F> (page by page)
           V 500j (select 500 lines)
Deleting: d500d (delete 500 lines)

6. Searching Dash (paid app, but worth it) using dash.vim (Docs)

:Dash each underscore  :Dash Vim

7. Deleting only blank lines on either side of the cursor

In ~/.vimrc:
" Ctrl-up/down deletes blank line below/above, and Ctrl-k/j inserts.
nnoremap <silent><C-Down> m`:silent +g/\m^\s*$/d<CR>``:noh<CR>
nnoremap <silent><C-Up> m`:silent -g/\m^\s*$/d<CR>``:noh<CR>
nnoremap <silent><C-j> :set paste<CR>m`o<Esc>``:set nopaste<CR>
nnoremap <silent><C-k> :set paste<CR>m`O<Esc>``:set nopaste<CR>

If you have more awesome Vim tricks, shoot them to me in the comments!

You wouldn’t have a maximum account balance, would you?

I recently paid for something online using what I considered a secure online payments processor, and they asked that I provide a password to create an account to complete the transaction. You will understand in a second (if you don’t already) why I was so angry when, a few seconds later, I got this:

NOOOOOOOOO (image via random-ness.wikia.com)

I couldn’t believe it. Please enter a shorter password.


Is the FCC purposely making their comments section unavailable?

Tonight on the program “Last Week Tonight” on HBO, John Oliver exhorted his audience to go file comments on the FCC website to address their proposed rules that many believe will destroy Net Neutrality. In visiting the page, it is clear that people are interested in commenting on this particular item.


A few more comments than usual. I suspect this didn’t happen in the 5 minutes between when John Oliver made his comments and when I visited the site. What if we look back in time? Did this all happen very quickly and overwhelm their servers?

Screen Shot 2014-06-01 at 10.40.06 PM


No.

So then why are they down? Try posting a comment right now. You can’t. Try pinging the server it’s on, apps.fcc.gov. You can’t. It’s hard to imagine that they couldn’t have seen that this might be something that needed some load balancing to allow comments from the huge number of people who obviously want to make their voices heard.

Is the FCC using the same tactics the cable companies are – creating artificial “scarcity”? I don’t know, but I’m very curious. A neutral content policy is what has made the Internet great. If bullies like the worst company in America can just congest sites they don’t like, they can control speech. I can’t prove that the FCC is doing this here, but this is A PERFECT EXAMPLE of what would be possible if the cable companies get their way. “Sorry, we couldn’t possibly build more capacity to deliver the stuff you want. That would cost money, and we’re too busy swimming in a pool of ours.”

No thanks.

Edit 6/2 – The site still isn’t allowing comments, and appears to have actually lost a number of them! 1,162 to be exact.

Screen Shot 2014-06-02 at 8.06.49 PM


If you care about Net Neutrality and want to voice your concerns, first go complain on the FCC bug tracker about not being able to.

50 Linux Resources For Developers

I try to always bookmark interesting things I find as I bumble around the internet. I’ve collected thousands of bookmarks over the years, and I want to share some of the cool stuff I’ve found. I call these Nuggets.

Today, I want to bring you a list of links that might help you on your path to understanding and appreciating Linux. I don’t consider myself some wizened Linux guru, but I have spent many, many hours looking for guides and tools to make my life easier while using it.

If you’ve ever struggled to find information about Linux basics, or you just want to polish up your skills, there’s probably something here for you. This guide will be particularly focused on developers, but there will be information here that’s applicable to many other Linux users. Some of it is specific to Ubuntu users, but much of it is applicable across the board.

I’ve by no means covered everything, so comment or tweet to me if you have any you think I should include.


Killing patents, part 2

If you’re like at least a quarter of the people who read my original article, “Am I evil, or is killing patents just plain fun?” a few days ago, you probably read the title of this post as “Killing parents part 2” or “Killing patients part 2.” I have to wonder how many people originally clicked it simply for that reason.

This is but one of the many responses I got, however. Overwhelmingly, people who responded to the article were in favor of at least reforming software patents, and many favored getting rid of software patents altogether. I expected at least a few responses to my challenge, but so far the only patent posted is one that hasn’t yet been granted, and I suspect won’t be.

This may be sampling bias, as there are relatively few people producing software patents, and even fewer who actually want to be. Most people don’t have any real motivation to go find them, unless they want to win the prize of forcing me to write a post about how great patents are. Regardless, the fact that not a single one of the nearly 40 thousand people (almost all software developers, and smartasses too, if I had to guess) who saw this article pointed to one good patent is fairly telling, at least to me.

Several people were skeptical that submitting prior art to Ask Patents would have any effect at all. Well, while it isn’t a landslide victory for patent reformers, there’s a tag for rejected patents that suggests that 24 patents have been denied so far, with several drawing at least partially on answers from Ask Patents. Here’s one example from 2010:

A computerized method of analyzing weather data to improve the selection of contextually relevant communication, the method comprising:
 1. Automatically receiving geolocation information of a viewer's location;
 2. Receiving weather data relevant to the viewer's location;
 3. Analyzing the weather data to identify a weather condition;
 4. Accessing a database containing multiple available advertisements assigned to weather conditions; and
 5. Selecting a communication associated with the identified weather condition based on a viewer's preference.

In English? Sending ads based on the weather. Sounds boring. Also sounds an awful lot like Weatherbug, an application which has been around since at least 2000, and about a million other weather sites. And, thankfully, the patent office agreed.

24 patents doesn’t sound like a lot, but that represents tens or hundreds of thousands of dollars likely wasted by these companies. That makes me happy! Why? Because the biggest thing I want out of all this is for companies to stop treating patents as weapons to use against competitors, and status symbols for managers with no direct involvement.

Right now, it’s a gamble, not dissimilar to the VC industry: Apply for a patent and spend a little money upfront, for the potential to make a boatload down the road. It’s a moonshot, but every once in a while they hit the jackpot. The problem is that money is made via dubiously ethical behavior like waiting for lots of people to infringe and then suing when they get successful, instead of actually creating value. At least their lawyers make a lot of money. Direct costs to U.S. businesses have been estimated at $29 billion a year, indirect costs as much as $83 billion. This is grade-A sleazeball material.

So, will my humble daily search for prior art on relatively few patents help? Maybe, maybe not.

Either way, I’d rather do something than nothing.