HallmarcDotNet

Marc Elliot Hall's Blog


Welcome to Marc's Weblog

— also known as my vanity gripe page

Although I'm currently working in Anchorage, Alaska, you may be interested in my abilities for your project. If so, please view my résumé and Open Letter to Recruiters if you are looking for an experienced, senior technical manager, project manager, business analyst, team lead, software engineer, web application developer, webmaster, system administrator, technical writer, or technical editor.



Thu, 18 Feb 2010


Tripping Myself Up

Caught with My Pants Down

At about 4:15 yesterday afternoon I received an unusual phone call. The guy at the other end didn’t identify himself at first. He just asked me if I was the site admin for eldoradotech.org, which I am. He then somewhat murkily explained that he’d received a phishing email from a third party. Further, the email linked to my web site. No big deal, except that my web site was in fact serving up a page that looked just like a JPMorgan Chase login page. Not good.

After determining that there was a problem, I immediately deleted the unauthorized files from the server and then shut it down. Unfortunately, this resulted in all of my web sites, email, and other services being unavailable, which is a hassle for my millions thousands legions hundreds scores dozens of two friends and fans. However, it was necessary because whoever had put those files on my server the first time could always put them back a second, and could further exploit not only that server, but the other servers in my gleaming, high-tech ghetto basement datacenter as well as the desktops and laptops around the house.

Fortunately, my workday was largely over; so I rushed out to my car at 5:05 to get home and check things out. All the way there I considered the many possible vectors an attacker might have used to break in to my server. Some of them are difficult and unlikely, while others would simply require access to my password. I generally keep close tabs on my password, but you can never rule out some kind of a slip-up. This is why changing your password regularly is a good idea, even if it is a pain in the ass.

During transit I also thought about the varying consequences of the attack: if it was just the one system, damage could be limited. However, if the attacker had been in the system a long time before using it for nefarious purposes, he or she might have logged other passwords, confidential business information, financial records, or other valuable data. This worried me.

When I arrived at home, I first turned off all the other computers in the house. That’s three other servers, three desktops, and two laptops, currently. This was to prevent the attacker from using one of them to re-infect the first system if he or she was already loose on my network.

After this first step, I booted up the infected server from a clean Knoppix CD image and analyzed the logs. It looks like two IPs were running a dictionary attack against a weakly-passworded mythtv user account:

58.177.188.213
172.173.83.246

Neither IP is responding to ping, now.

The attacker appears to have gained access to the brand-spanking-new mythtv account (no this server wasn’t being used for MythTV, but I keep accounts synchronized across my hosts to keep things simple) and then used a privilege escalation exploit to create a new user, ‘ftpd’. Then the attacker gave the new ftpd account a UID of ‘0’ (essentially, the same access level as root). From there, it was all downhill.

Logs don’t always tell the truth, because they can be edited, deleted, or corrupted. Having something to track back through was nice, but it’s not sufficient. Because for all I know the attacker was leaving a false trail, I elected to nuke the site from orbit. It’s the only way to be sure. So, for remediation, I wiped the system and reinstalled the OS and applications from known clean sources, removed the unauthorized ftpd account, changed passwords left-and-right, then restored user data from my latest backup.
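As an added example, not part of the original post, here is a small Python check for the two traces described above: repeated failed SSH password attempts from one source followed by an accepted password login for the same account, and an account other than root carrying UID 0 in /etc/passwd. The log lines, the passwd excerpt and the addresses are all constructed here, not taken from the server in question.

```python
import re
from collections import Counter

# Constructed sshd lines in syslog format (not taken from the post); the
# addresses are RFC 5737 documentation ranges, not the attacker's.
SAMPLE_AUTH_LOG = """\
Feb 17 03:11:02 box sshd[4120]: Failed password for mythtv from 192.0.2.10 port 40112 ssh2
Feb 17 03:11:03 box sshd[4121]: Failed password for mythtv from 192.0.2.10 port 40113 ssh2
Feb 17 03:11:05 box sshd[4122]: Failed password for mythtv from 192.0.2.10 port 40114 ssh2
Feb 17 03:11:06 box sshd[4123]: Failed password for mythtv from 198.51.100.7 port 51020 ssh2
Feb 17 03:11:09 box sshd[4124]: Accepted password for mythtv from 192.0.2.10 port 40115 ssh2
Feb 17 03:40:41 box sshd[4130]: Accepted publickey for marc from 203.0.113.5 port 2200 ssh2
"""

# Constructed /etc/passwd excerpt showing the kind of account the post describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mythtv:x:1003:1003:MythTV:/home/mythtv:/bin/bash
ftpd:x:0:0::/var/ftp:/bin/sh
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")

def brute_force_sources(log_text, threshold=3):
    """Return ({ip: failures} for sources at or above threshold,
    [(user, ip)] for password logins accepted after earlier failures from that ip)."""
    failures = Counter()
    guessed = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] > 0:
            guessed.append((m.group(2), m.group(3)))
    return {ip: n for ip, n in failures.items() if n >= threshold}, guessed

def rogue_uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID field is 0 (root-equivalent)."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue
```

The passwd check is worth running from a clean boot medium, as in the post, because it does not depend on logs the intruder may have edited.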

I’m lucky that this was all it took. If my not-quite-anonymous caller hadn’t clued me in, it might’ve been several hours, or possibly several days, before I noticed a problem. And if the attacker had been more sophisticated about covering tracks, I might still not know what vector had been used to break in to my system. In other words, relatively little damage was done (at least to me; I can’t speak for people who may have been phished) and this was a relatively easy system to get back up and running. Now I just need to be more conscientious about my passwords.

posted at: 13:48


Mon, 08 Feb 2010


Money is Speech?


The Free Speech Rights of Corporations

In late January, the Supreme Court of the United States ruled in Citizens United v. Federal Election Commission that corporations have a right to free speech and that limiting their ability to spend money to publish political opinions is an infringement of that right.

The Supreme Court is divided on this issue, with a “conservative” majority of five overruling the other four justices. The five also are the youngest and (mostly) newest members of the high court. One result of this is that none of them are likely to die or retire any time soon. My expectation is that this decision, then, will stand for at least a decade and possibly much, much longer.

Despite the clearly superior legal and scholarly credentials of the majority justices, I believe they have missed three critical issues in making their ruling:

  1. Corporations are not “natural people”, whatever Santa Clara County v. Southern Pacific Railroad says. Rather, they are groups of people operating in aggregate for a common goal. The legal organization is simply a shield that prevents any individual investor from suffering a liability larger than his or her investment in the corporation. Individuals within the larger group are free, as always, to voice their opinions however they wish. Further, corporations are for all intents and purposes immortal; they can act on strategies that may take multiple human generations to execute (although, it seems, they frequently are unable to see past the next quarter’s financial results).
  2. Regardless of one’s view on corporate personhood, the right to free speech does not include a guarantee to individuals of a right to an audience. Moreover, governments are empowered, both morally and legally, to prevent speech that infringes on the public’s right to be left alone. For example, noise ordinances may prohibit amplified music from public areas, and proselytizers may be prevented from trespassing to deliver their messages.
  3. Money is not speech. Money is property, symbolically representing economic value. As such, Congress has the power to regulate it under the Commerce Clause. Although Thomas Jefferson wrote in the Declaration of Independence that we are entitled to Life and Liberty, all but the final draft (which uses the word “happiness” instead) only specified the “pursuit of property.” Pursuit, meaning a striving for, a searching for, a chase after. Not the possession of. True, the Declaration of Independence does not have the force of law; however, it is a founding document explicitly stating the principles upon which this nation was — and is — established.

The media have been in a frenzy about this decision ever since, each outlet with its own slant.

For example, Michael C. Dorf writes in Findlaw that the chief impact of the Court’s decision will be a perception that the Court itself has been corrupted.

Meanwhile, Bruce Ackerman and Ian Ayres of the Washington Post believe that Congress will still be able to regulate campaign finance.

However, other organizations are not so sanguine. The New York Sun reports that the ACLU may flip-flop on regulation of campaign spending limits.

The Daily Show’s Jon Stewart apparently believes that this decision will be disastrous.

National Public Radio reports that President Obama and the Democratic Party are very unhappy about the decision.

In all, then, this decision appears to represent a watershed moment, when the current way of funding campaigns will be entirely restructured. Time will tell.

Related Links

The Supreme Court Rejects a Limit on Corporate-Funded Campaign Speech

Despite court ruling, Congress can still limit campaign finance

A Quest to End Spending Rules for Campaigns

A bold conservative step by Supreme Court

ACLU May Reverse Course On Campaign Finance Limits After Supreme Court Ruling

Jon Stewart slams recent Supreme Court ruling giving corporations free speech rights

Court Ignores Precedent, Creates Corporate Monster

Supreme Court Lifts Campaign Spending Limits

Campaign Finance Ruling: Hard To Reverse

Democrats Follow Obama’s Lead On Finance Ruling

Supreme Court Left Donor Disclosure Rules Intact

posted at: 16:02


Tue, 19 Jan 2010


Blog Coding Updated

Although I've based the code for this blog on the Blosxom framework, and use the Tiny MCE JavaScript library to handle editing chores, the fundamentals are significantly modified from the original.

Among other things, I've custom-coded the blog to support picture uploads, automagically create thumbnails and link to the full-sized images; added an authentication mechanism; and configured custom blogs for each member of the family. 

Unfortunately, due to a misconfiguration on my part, Tiny MCE was substituting a relative path for the absolute path on each of the image includes and links. This worked just fine, until I added the ability to browse the blog by category or by date. When these features are active, it causes the blog script to generate temporary subdirectories in the URL, and in conjunction with Apache, redirects requests for the category- or calendar-based pages, breaking the images.

When I discovered this problem, I did a little research and determined that I could simply tweak the Tiny MCE configuration to eliminate the issue on all new blog posts. However, this did not fix any existing entries. 

Because Blosxom generates web pages based on the datestamp on the individual files created when a user writes a post, simply running a search-and-replace against all files to change the relative paths to absolute paths would result in all existing blog entries showing up as being new as of the time I executed the change.

Obviously, this is not good.

Further, although I could individually modify the files one at a time to restore their original datestamps, the volume of files involved made that a non-starter. 

To resolve the issue, I have written a Perl script that parses through all of the existing blog entries, corrects the paths, and then saves the file with the original datestamp. This wasn't rocket surgery; but it was a new endeavor for me. On the off-chance that you might encounter a similar problem, I am making this script available under the GPL. Feel free to use it, but be sure to make a backup copy of your data before executing it. 
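As an added illustration of the fix described above (this is Python written for this page, not the author's GPL Perl script), the function below rewrites relative src/href values in a post file to absolute ones and then puts the file's original modification time back, since Blosxom takes the entry date from that timestamp. The attribute pattern, the "/" base path and the sample post are assumptions.

```python
import os
import re
import tempfile

# Blosxom dates an entry by its file's mtime, so any rewrite must restore it.
# Assumed: relative paths live in src="..." or href="..." attributes and should
# become absolute by prefixing the site root "/".
REL_PATH_RE = re.compile(r'(src|href)="(?!/|https?:|mailto:)([^"]+)"')

def absolutize_paths(html, base="/"):
    """Prefix relative src/href values with base; return (new_html, count)."""
    return REL_PATH_RE.subn(lambda m: f'{m.group(1)}="{base}{m.group(2)}"', html)

def fix_post_preserving_mtime(path, base="/"):
    """Rewrite one post file in place, then restore its original atime/mtime.
    Returns the number of paths rewritten; the file is left alone if zero."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, count = absolutize_paths(original, base)
    if count:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # keep Blosxom's date
    return count

def demo():
    """Constructed post with relative image links and a back-dated mtime."""
    d = tempfile.mkdtemp()
    post = os.path.join(d, "example.txt")
    with open(post, "w", encoding="utf-8") as fh:
        fh.write('Title\n<a href="pics/big.jpg"><img src="pics/thumb.jpg"></a> <a href="http://x.example/">x</a>\n')
    old = 1100000000  # a 2004 timestamp, seconds since the epoch
    os.utime(post, (old, old))
    count = fix_post_preserving_mtime(post)
    with open(post, encoding="utf-8") as fh:
        text = fh.read()
    return count, int(os.stat(post).st_mtime), text
```

Run it against a copy of the entries directory first; a post whose mtime is lost will jump to the top of the blog.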

posted at: 17:43



Marc Elliot Hall St. Peters, Missouri 

Page created: 21 January 2002
Page modified: 31 December 2009

©1999 - 2009 Marc Elliot Hall