2008
Dream: An Alternate World
I had an interesting dream a few weeks ago but haven't had a chance to write about it until now (I jotted down the main points to remind me of the details). I don't dream often, but when I do the dreams are vivid and full of detail.
I was somehow thrown into an alternate dimension where Earth's history had taken a different path (must have come from FMA!). When I came to, I found myself in a forest at the edge of a dirt road. Suddenly, I heard the sound of horses approaching and hid behind a thick bush. The horses were mounted by these creatures, wearing all black and sitting very rigid; very little movement. As they passed, I noticed blue lights on the side of their heads but couldn't figure out what they were (cyborgs perhaps?). I followed the road for a bit and it eventually led to a tunnel in the side of a mountain. Just as I entered, I heard something behind me and before I could turn around, I felt a sharp pain on the back of my head.
When I woke up, my head hurt like hell. I looked around to find myself in a dimly lit prison-like room, with wet stone walls and big metal doors. I was a bit surprised to see a girl in the room with me (she looked very much like a girl that works at the register in the Whole Foods near my workplace). Apparently, she was the one who knocked me out. She explained the tunnel was crawling with guards and that she was trying to save me from being caught by them -- she seemed to know that I came from an alternate world. When I asked about the lack of technology she laughed and said there was tons of technology. She explained the blue lights I saw on the horsemen were from the bluetooth headsets they were wearing!
Then I woke up (for real) and realized that was a cool dream. So I went back to sleep to see if I could continue it...
The next thing I knew, I found myself in a giant mall. It looked a lot like today's malls except that it was the size of a small town. I was being chased by a group of government agents who knew I was from an alternate world and didn't want me to disrupt their control over the citizens. The girl who "saved" me in the tunnel was apparently part of a resistance of sorts. She was undercover and was trying to help me escape from the "men in black" (while maintaining her cover).
I found myself running up gigantic 5-story escalators, hiding inside random stores that seemed to always have a front and back entrance, avoiding random people in the mall who thought I was crazy, and looking for differences in technology between that world and my own (I couldn't find any differences!).
Then I woke up again and realized that imaginary dreams, no matter how adventurous, were still dreams and that real life work is more important.
Could this be the future of touchpads?
A multi-touch color screen touchpad using the same touchscreen as the iPhone? It could replace the OS X dock and provide a whole new method of interacting with your computer! Fingerprint security device, electronic signature pad, an electronic sketch pad for better photo editing accuracy... the possibilities are endless!
Fixing Boot-Time Dialog Display Issues
Dialog is a really useful utility for creating professional looking dialog boxes and menus within a shell script. I'm working on a boot-time script that allows the user to make system-level changes before the system has fully booted.
When testing my script from the command line, the dialog menu looked fine. However, whenever I set the script to start during boot (update-rc.d myscript.sh defaults, on Debian-based systems) here is what the menu looked like:

UGH! It was barely usable. At first, I thought this would be an endlessly difficult problem to solve given my limited in-depth knowledge of Linux (I'm getting there!), but then I realized the main difference between the script running during boot and the script running after I had logged in was that my environment variables had not been loaded: init runs the script with an almost empty environment, before any login shell has set up the locale.
From the command line, I ran the env command to display all my current environment variables:
debian_vm:~# env
TERM=xterm-color
SHELL=/bin/bash
SSH_CLIENT=172.16.168.1 61315 22
SSH_TTY=/dev/pts/0
USER=root
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
PWD=/root
LANG=en_US.UTF-8
PS1=\h:\w\$
SHLVL=1
HOME=/root
LANGUAGE=en_US:en_GB:en
LOGNAME=root
SSH_CONNECTION=172.16.168.1 61315 172.16.168.132 22
_=/usr/bin/env
The three variables that caught my eye were TERM, SHELL, and LANG. After a little trial and error, I discovered setting the LANG variable fixed the display issues with dialog! I added the following near the top of my script:
export LANG=en_US.UTF-8
Now when my script loads during boot, everything looks correct:

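The fix above works, but a boot-time script should not rely on any of the login environment. As an added example (this is not the script from the post), here is the shape I would give such a script: a function that fills in the locale, terminal type and PATH only when they are missing, and a menu wrapper that captures dialog's selection and exit status. The menu entries, the default values and the script name in the guard at the bottom are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's script: prepare the environment a
# dialog-based boot-time script needs before it draws anything.
# At boot, init runs scripts with an almost empty environment: no LANG,
# often no TERM, and a minimal PATH. Each value below is only a default;
# a setting already present in the environment wins.

ensure_console_env() {
    # UTF-8 locale: without it ncurses falls back to a different character
    # set for line drawing and dialog's borders come out garbled.
    export LANG="${LANG:-en_US.UTF-8}"
    # The console at boot is the Linux virtual terminal, not an xterm.
    export TERM="${TERM:-linux}"
    # Make sure dialog can be found even with init's minimal PATH.
    export PATH="${PATH:-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}"
}

# Show a menu and print the chosen tag on stdout.
# dialog writes the selection to stderr, so fds 1 and 2 are swapped inside
# the command substitution to capture it. Returns dialog's exit status
# (0 = OK, 1 = Cancel, 255 = Esc) or 127 if dialog is not installed.
ask_menu() {
    ensure_console_env
    command -v dialog >/dev/null 2>&1 || { echo "dialog not installed" >&2; return 127; }
    choice=$(dialog --clear --title "Boot-time setup" \
        --menu "Select an action:" 15 50 3 \
        net  "Configure networking" \
        disk "Repartition disks" \
        skip "Continue booting" \
        3>&1 1>&2 2>&3)
    rc=$?
    printf '%s\n' "$choice"
    return $rc
}

# Example use, only when this file is run directly as menu-example.sh
# (hypothetical name); sourcing it for checks skips the menu.
case "$0" in
    */menu-example.sh|menu-example.sh)
        if action=$(ask_menu); then
            echo "Selected: $action"
        fi
        ;;
esac
```

Because the defaults use `${VAR:-default}`, the same script still honours a real locale when run from a logged-in shell, so you can test it interactively and deploy it with update-rc.d unchanged.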
The Last HOPE; not the last one
I just watched The Last HOPE Closing Ceremonies (which I missed because I had to leave early to catch the bus) and I'm so glad I was one of the people who misunderstood the meaning of the word "last" in "The Last HOPE". For 2010, I'm going to make sure I pre-register and book a hotel room early!
X-Men Origins: Wolverine; leak…
X-Men Origins: Wolverine; leaked Comic Con footage! Part 1 http://tinyurl.com/66k244 and part 2 http://tinyurl.com/5ccfeg Looks awesome!
I Killed a Bird Yesterday
I killed a bird yesterday. He was dancing around on the road in front of me, trying to catch a bug in mid-air. He was so preoccupied by the bug he didn't see my big Chevy heading straight for him at 40 MPH. BAM! I glanced in my rearview mirror to see him lying motionless on the ground. I thought about his last few seconds; he was probably hungry.
Using CURL to Upload Files via POST to Amazon S3
A few months ago I wrote a post about creating Amazon S3 HMAC Signatures without PEAR or PHP5. One of the things I was using that PHP script for was to feed the necessary information to a bash script hosted on a remote machine. The bash script was to upload a file via POST to Amazon S3 using the information provided.
Since CURL was already installed on the remote machine, I wanted to use that to do the actual uploading. I found very little help on the net regarding how to do this with CURL so here you go:
eris:~ raam$ curl \
  -F "key=screenshots/current_screenshot.jpg" \
  -F "acl=public-read" \
  -F "AWSAccessKeyId=2EO6H8MX1X8YWEA0V432" \
  -F "Policy=eyAiZXhwaXshdGlvbpI6ICIyMDA4LTErLTAxVDtyOjAwOjAwLjAsMFoiLAogICJjb25kaXRpb25zPjogWwoJeyJidWNrZXQiOiAiczNwaG90b3MubW9hcHAubmV0IiB9LAogICAgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgIkxpdmVTaG90cy8iXSwKICAgIHsiYWNsIjogInB1YmxpYy1yZWFkIiB9LAoJWyJlcSIsICIkQ29udGVudC1UeXBlIiwgImltYWdlL2pwZWciXSwKICBdCn0K" \
  -F "Signature=20uh08kU75ADHL49NyhYRgZW8BY=" \
  -F "Content-Type=image/jpeg" \
  -F "file=@current_screenshot.jpg" \
  http://screenshots.ekarma.net
Keep in mind this assumes the current_screenshot.jpg file is in your current directory (the @ tells curl to read that form field's value from the file). The trailing backslashes are line continuations; the whole thing is a single curl command.
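To make clear what the Policy and Signature fields contain, here is an added example (not the post's PHP script or bash script) that builds the policy document, base64-encodes it, signs it with HMAC-SHA1 and emits a curl command like the one above. The bucket, key prefix, expiration, credentials and bucket URL below are made-up placeholders, and the script assumes openssl is installed. Two points worth keeping in mind: every form field sent to S3 other than file, Policy, Signature and AWSAccessKeyId has to be matched by a condition in the policy, or S3 rejects the upload; and only the access key id, the encoded policy and the signature need to reach the remote machine, so the secret key can stay on the host that does the signing.

```shell
#!/bin/sh
# Added example, not the post's own scripts. Requires openssl.
# All credentials, bucket names and URLs below are placeholders.

# Build the S3 POST policy document. Every form field sent to S3 other than
# file, Policy, Signature and AWSAccessKeyId must be matched by a condition
# here, or S3 rejects the upload with "Invalid according to Policy".
# $3 is the expiration as ISO 8601 UTC, e.g. 2008-11-01T12:00:00.000Z;
# S3 refuses uploads after that time, so keep it short-lived.
make_policy() {
    bucket=$1; key_prefix=$2; expires=$3
    printf '{ "expiration": "%s",\n  "conditions": [\n' "$expires"
    printf '    {"bucket": "%s"},\n' "$bucket"
    printf '    ["starts-with", "$key", "%s"],\n' "$key_prefix"
    printf '    {"acl": "public-read"},\n'
    printf '    ["eq", "$Content-Type", "image/jpeg"]\n  ]\n}\n'
}

# Base64 of the policy on a single line. This exact string is both what the
# form carries and what gets signed, so never re-encode or reformat it.
encode_policy() {
    openssl base64 -A
}

# Signature = base64(HMAC-SHA1(secret_key, base64_policy)).
# $1 is the secret key (stays on the signing host), $2 the encoded policy.
sign_policy() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | openssl base64 -A
}

# Emit the curl command the remote machine runs. Only the access key id,
# encoded policy and signature appear in it; the secret key does not.
build_curl_cmd() {
    bucket_url=$1; key=$2; access_key=$3; policy_b64=$4; signature=$5; file=$6
    cat <<EOF
curl \\
  -F "key=$key" \\
  -F "acl=public-read" \\
  -F "AWSAccessKeyId=$access_key" \\
  -F "Policy=$policy_b64" \\
  -F "Signature=$signature" \\
  -F "Content-Type=image/jpeg" \\
  -F "file=@$file" \\
  "$bucket_url"
EOF
}

# Demonstration with placeholder values; prints the finished command.
demo() {
    policy_b64=$(make_policy "example-bucket" "screenshots/" "2008-11-01T12:00:00.000Z" | encode_policy)
    sig=$(sign_policy "EXAMPLESECRETKEY0123456789abcdefghijklmn" "$policy_b64")
    build_curl_cmd "http://example-bucket.s3.amazonaws.com" \
        "screenshots/current_screenshot.jpg" "AKIAEXAMPLE00000000" \
        "$policy_b64" "$sig" "current_screenshot.jpg"
}
```

The key field in the command must satisfy the starts-with condition and the Content-Type field must equal the value in the eq condition, since S3 checks each submitted field against the policy before it checks the signature.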
I just accidentally dropped my…
I just accidentally dropped my iPhone from 4ft onto hard floor. It still works! First test: passed.
Leaving Send2Fax and Switching to FaxPipe
I canceled my Send2Fax account after a visitor to this blog recommended I take a look at FaxPipe and I realized I could be saving some money. When I started using Send2Fax back in 2006 I believe I was paying around $3 a month. Since I signed up, they have increased the price to $12 a month.
I don't send or receive faxes very often (maybe once or twice a month) but it's nice to have such a service. At the same time, it's not something I depend on so if I can save money by switching then I should.
After signing up for FaxPipe I sent in a request to cancel my Send2Fax account. Within 48 hours, I got a response that included this:
Did you know that you can keep your Send2Fax number for just $2.95 per month? This is a great way for you to keep your fax number and it costs less than a cup of coffee! For just $2.95 per month you get to keep your assigned fax number AND get 20 FREE pages each month, while overage pages are just $0.25 per page*.
That's $1.00 a month less than FaxPipe and about the same amount it was costing me when I signed up 2 years ago. This pissed me off because it seemed like they intentionally increased the price over time hoping I wouldn't notice and then offered to lower the price again when I was ready to cancel. I sent them a reply saying I still want to cancel and then along with the confirmation I received this:
Before you go, though, we wanted to let you know about an easy way to get an unlimited FREE online fax service through one of our partners, eFax. You can sign up for an eFax Free account and pay nothing at all to receive up to 20 fax pages a month with your own personal eFax fax number.
I looked into this "free" service and not only is it meant to be used as a trial, but the fax number they give you will be outside your local calling area.
If Send2Fax had left the monthly price low in the first place, I would have stayed with them.
If you're going to give your S…
If you're going to give your SSN over the phone in a public area (stupid), don't start by saying "my social security number is..."
My Notes from The Last HOPE
Here are my notes from The Last HOPE. I started taking notes late, so unfortunately I don't have notes from all the talks I attended.
Ghetto IDS and Honeypots
* An Evening with Berferd
* Low interaction honeypots: Nepenthes, honeyd, Honeytrap
* Monitor both Honeyd and Nepenthes with Prelude IDS
Monitoring Snort
* SGUIL
* BASE
* SnortSnarf
Remember, tcpdump (a common packet sniffer) writes data in pcap format which ngrep, Wireshark, or Snort can process.
Kevin Mitnick - Featured Speaker
* Flowroute + Asterisk can be used to unmask Caller ID (I tested Mitnick's setup by calling his phone... my blocked number showed up!)
PenTest Labs Using LiveCDs by Thomas Wilhelm
* de-ice.net
* BackTrack, Slax
PenTesting from Firefox URLs:
* isecom.org/osstmm/
* owasp.org/index.php/Main_Page/
* csrc.nist.gov/publications/PubsSPs.html
* vulnerabilityassessment.co.uk/Penetration Test.html
* centralops.net
* nmap-online.com
* hackerwhacker.com (similar to GRC)
Remember, use Tor when doing active tests!
More useful URLs:
* gdataonline.com/seekhash.php
* passcracking.com
* hash.insidepro.com
* md5this.com
* gdataonline.com
* us.md5.crysm.net
* md5.rednoize.com
* milw0rm.com
* freerainbowtables.com
* netcraft.com
Pen Testing the Web with Firefox
Firefox Extensions:
* FireCat
* ExploitMe (XSS-Me, SQL Inject-Me, Access-Me)
* Tamper Data
* Passive Recon
* Add N Edit Cookies
* Firebug
* HackBar
* Web Developer
* xssed.com
Using Firefox as a Front-End: Proxies
* Tor Button
* Paros Proxy
* SPIKE Proxy
* Burp Proxy
Web Frontends
* Metasploit
* FastTrack
* Inprotect (web interface for Nessus and Nmap)
* BASE (web front-end for Snort)
Use Firefox profile manager to install different selections of extensions to help with memory concerns.
FEBE (Firefox Environment Backup Extension)
CLEO (Compact Library Extension Organizer)
OPIE (Import/Export extension preferences)
Places/Things to hack "safely"
* OWASP WebGoat Project
* PwnOS (VMware image, requires forum login)
* Your own VMware lab
Identification Card Security: Past, Present, Future
The Complete Amateur - ID Making Operating Guide by Doug Farre
* Epson Stylus R800 photo printer
* Laminator
* Die cutter
* Magnetic stripe encoder
* Custom rubber stamp (simonstamp.com)
* Black light
* Scanner
* Signature pad
* Photoshop
* Brainstorm ID Supply
Minimal needed materials:
* Teslin Paper
* Pearl-Ex pigment powders
* Ultraviolet pigment powder
* Transparent base
(Get these from practicingperfection.7p.com. That site is down as of right now, so you need the guy's email address to contact him.)
Documentation on ID security can be found at idsysgroup.com.
Books to Read
* 1491: New Revelations of the Americas Before Columbus
* Hackers: Heroes of the Computer Revolution
* The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers
Random URLs:
* foodhacking.com
* hackerspaces.org
* telephreak.org
Manhole Cover Made in India; Why?

This manhole cover was made in India and is covering a manhole in the United States. No wonder we're running out of natural resources and destroying the Earth with pollution.
Yoda iPhone
Apple's iPhone credit check mu…
Apple's iPhone credit check must only be used to confirm information: My credit score is so bad (less than 500), but I still got an iPhone!
Girl behind me
The girl behind me on the bus was telling her friend a story; suddenly I was visualizing her words & dreaming while partially still conscious; my brain was being fed dream food!
I'm starting to feel
I'm starting to feel the effects of being awake for the past 31 hours. It's becoming hard to concentrate; good thing I'm taking the bus home.
Listening to Adam Savage
Listening to Adam Savage (guy from MythBusters). He is an awesome speaker (hilarious!); this place is probably way packed beyond fire code.
The guy who paid $200 to get a…
The guy who paid $200 to get ahead in the iPhone line just stormed out of the Apple store without any iPhones in his possession. Greed.
Calling Kevin Mitnick
During Kevin Mitnick's talk, he demonstrated how to unblock CallerID. He announced his phone number, put his iPhone on the big screen, and asked the audience to call him with a blocked number. Being a hacker conference, not many were willing to risk disclosing their number on the big screen to the 800+ people watching. After a long 20 seconds one guy called and sure enough his number showed up.
After some really quick mental risk assessment, I decided to call too, since my number is also blocked and I was curious. Sure enough, my number also showed up on the big screen. (I quickly hung up hoping to prevent anyone from writing it down. No prank calls yet, *knock on wood*.) I added Kevin Mitnick to my phone's contacts list and it's really weird seeing his name in my call history.