Archive for February, 2005

Make Spam [sorta] Useful

Sunday, February 27th, 2005

I get a lot of spam. Huge amounts. Fortunately, Mail is quite good at filtering it into a mailbox that I periodically delete. But, still, if the damned stuff is going to pass through my system, it might as well do something useful along the way.

So I wrote a little AppleScript that can be used as an action in a filter rule. It sucks out the first 2084 characters of each message filtered into Junk Mail and writes those characters to /dev/random, thus contributing to the entropy– the randomness– of the system’s pseudo-random number generator. Lots of things use random numbers, including various encryption mechanisms, so increasing the quality of the random numbers generated by the system should also increase system security.

In practice, it is just a silly hack that won’t make much of a difference.

You can grab the script and install it by adding it as an action on any filter, including the junk mail filter rules.

Update: Peatey asks if this script is subject to Benford’s Law.

Actually, the first few bytes of every message will generally be identical, in that every message will almost always start with “Return-Path: “.

But that shouldn’t actually matter.

First, a little over 2K of data will be written to /dev/random every time a piece of mail is processed via the script. While the first few bytes are likely going to be identical, the rest of the data is pretty random, except that it is all ASCII and generally all printable data.

More importantly, the data– both the quantity arriving at once and the exact time of arrival– will arrive at fairly random intervals. In my case, whenever I hit shift-cmd-N or Mail decides to go check for new messages on the various servers.

This matters because /dev/random, using the Yarrow algorithm, generates a single random number stream that is shared by all processes on the system. The data written to /dev/random effectively perturbs that stream by smudging the internal state of the random number generator.

As such, both the time of the arrival of the data and the values themselves matter. Since the arrival time of the spam is fairly inconsistent– bursty even– that fact alone will contribute to the entropy of the random number generator fairly significantly.
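The same filter action in Python, as an added example rather than the AppleScript from the post: it takes the first 2084 bytes of a raw message (from stdin, or a constructed sample message when run interactively), estimates how much entropy those bytes actually carry, and writes them to /dev/random. The entropy estimate is an empirical Shannon measure added here to make the “all ASCII, generally printable” point visible; the device path is the one the post names, and the sample message is constructed.

```python
import math
import sys
from collections import Counter

# Added example, not the script from the original post.  It mimics the filter
# action described above: take the first CHUNK_SIZE bytes of a raw message and
# write them to the entropy device.  DEVICE follows the post; the sample
# message below is constructed.
CHUNK_SIZE = 2084
DEVICE = "/dev/random"


def message_chunk(raw_message: bytes, size: int = CHUNK_SIZE) -> bytes:
    """Return the leading bytes of a raw message (headers come first, so the
    chunk always opens with the same "Return-Path:" header)."""
    return raw_message[:size]


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in 0..8 bits/byte.

    Truly random bytes approach 8; printable ASCII text with repeated header
    names sits well below that, which is why a 2K chunk of mail contributes
    far fewer than 2K * 8 bits of unpredictability."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def feed_entropy_device(chunk: bytes, device: str = DEVICE) -> int:
    """Write the chunk to the device and return the number of bytes written.

    The kernel mixes written bytes into its pool; on Linux the write is not
    credited as entropy, so this can only stir the pool, never hurt it."""
    with open(device, "wb") as dev:
        return dev.write(chunk)


# Constructed sample message, shaped like what a mail filter would hand over.
SAMPLE_MESSAGE = b"""Return-Path: <sender@example.invalid>
Received: from mail.example.invalid (constructed sample)
From: "Pharmacy" <sender@example.invalid>
Subject: cheap meds!!!

Buy now and save.
"""

if __name__ == "__main__":
    raw = SAMPLE_MESSAGE if sys.stdin.isatty() else sys.stdin.buffer.read()
    chunk = message_chunk(raw)
    print(f"{len(chunk)} bytes, ~{shannon_entropy_bits_per_byte(chunk):.2f} bits/byte")
    print(f"wrote {feed_entropy_device(chunk)} bytes to {DEVICE}")
```

Piping a saved spam message through the script typically reports somewhere around four to five bits per byte, against the eight that genuinely random bytes would give, which quantifies the “silly hack” caveat above: the bytes are mixed in, but they are worth far less than their count suggests.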

RIP: Jef Raskin (1943-2005)

Sunday, February 27th, 2005

Jef Raskin passed away on February 26th, 2005.

Sad now.

Tinkerbell, Social Engineering & Fred Durst

Friday, February 25th, 2005

Now, Fred Durst of Limp Bizkit has had his T-Mobile account hacked. Someone claiming to be the T-Mobile Terrorist ripped down a 3-minute hardcore porn-style video/audio clip of Durst having sex with an unidentified female.

Update: Nope. Didn’t have anything to do with T-Mobile. Fred claims that someone grabbed the clip from his hard drive when he took his busted PC in for service. Gotta appreciate his optimism — he hopes that the whole experience will raise awareness of security related issues.

OK. Whatever. I have no doubt that the female will be identified, will likely do a stint on Howard Stern’s show or the like, and will rake in some serious $$s for being in the right place at the right time or the wrong place/wrong time, depending on your culturethink. For those looking for the actual video, Gawker has the goods.

The interesting bit is that the site with the video claims: The previous information was obtained using social engineering tactics.

It wouldn’t surprise me if the social engineering tactics involved the “forgot my password” feature. T-Mobile, like many e-commerce sites, has a question/answer challenge if you lose your password. That is, if you don’t remember your password, you just need your phone number and the answer to one of five questions to access your account.

The questions are:

  • What is your mother’s maiden name?
  • What is your favorite pet’s name?
  • On what street did you grow up?
  • In what city did you grow up?
  • What is your favourite movie?

In other words, T-Mobile is relying entirely upon security through obscurity to protect their users’ accounts.

And, of course, what is the one thing every famous person completely lacks (unless their career has already circled the bowl and left the building)?


I would bet that a handful of Google searches would turn up answers to most of those questions for just about any Pop Star given that the sanitized interviews that show up on MTV and through other media channels focus on nothing but trivialities.

All it takes is for someone to get a hold of just one phone number of a non-obscure person. Once compromised, the contact list of that person is most likely going to reveal other phone numbers of other vulnerable accounts. Given the ‘star bling’ power of the SideKick, it is likely that at least some of those numbers will lead to T-Mobile accounts with even more information.


As a matter of fact, it would not surprise me at all to learn that Paris Hilton’s question/answer pair were What is your favorite pet’s name? and Tinkerbell. Tinkerbell & Ms. Hilton have been in the press frequently and it is clear that she has a bit of an attachment to the dog, given that the dog is a published “author” and all.

Security through obscurity only works for as long as the veil of obscurity is not penetrated. If you happen to be the focus of the public eye, obscurity is already gone.

In other words: If you are famous, nothing is secret. Do not trust your secrets to be protected by answers to questions that are common knowledge!

RIP: Hunter S. Thompson

Wednesday, February 23rd, 2005

Hunter S. Thompson took himself out rather violently over the weekend.

If you haven’t read Fear and Loathing in Las Vegas, you should. Even if you don’t like the book– and many people don’t– consider it for the thought provoking, wild, rebellious ride that it is.

Hunter always challenged the norms and expectations of those he encountered. Clearly, boredom was his worst enemy and he quite successfully fended off any signs of boredom throughout the prime of his life.

Maybe boredom is what pushed him over the edge in the end.

Or maybe it was the current political climate. Hunter was quite outspoken about his opinions of modern politics.

Or maybe he was just sick and tired of the current state of journalism. What with 37 news channels to choose from and every channel vying for eyeballs by sensationalizing dumbass stories that do not actually have any impact on our lives.

We had the summer of shark attacks (the actual number of attacks was down from previous years). The summer of child kidnappings (again, the number of incidents was down from the previous year). The Peterson trial? Yeah, like that actually changes any of our lives. All stories shoved down our throats by profit driven news reporting. End result? Millions of your tax dollars at work to protect you from risks that don’t exist all the while the real stories are largely ignored.

For example, how about the Paris Hilton Phoneplosion? Yes, that again. How many of the people with their empty little brains glued to MTV/ETV/People remember that just a few months before a cracker broke into the same network and ripped off a bunch of national security related documents? … or that the agents were stupid enough to put classified materials into an un-approved, insecure, unprotected network? Once again, your tax dollars at “work”.

Yeah, I could see how a man who changed the face of journalism could be sick of the shit they are currently passing as “in depth” reporting on “important” news stories.

Suicide? Seems a bit extreme. But Gonzo Thompson was a very extreme person.

In any case, I raise this glass of Chivas Regal in your honor, Mr. Thompson. You will be missed. I sincerely hope that this generation can find the strength to challenge the status quo as effectively as you did.

Paris Hilton redux

Tuesday, February 22nd, 2005

In the comments to the original posting, there was this:

I have the Address book email me

I haven’t redacted the email address for a couple of reasons. First, it is in the original comments and, secondly, it isn’t hard to find this information without either paying for it or dealing with some random person’s email.

If anything, the Paris Hilton Phoneplosion seems to have confirmed that information wants to be free. That link is actually very interesting in that it delves into the history of the phrase and concept.

It would seem that the economy works something like this:

  • A piece of marketable information is obtained. Ethically or not is irrelevant. Hell, whether or not it really happened may not be relevant, either.
  • The person obtaining it brags about it in a relatively public forum. This used to often be solely to news agencies of one ilk or another. Now, it is often on any of a number of cracking/phreaking related community sites.
  • The information is eventually revealed as either proof of the crack or pursuit of the story, depending on forum. Around this time, money exchanges hands — either someone packages the information and offers “girls gone wild” style “see celebrity X in compromising position” products (as happened in this case) or a news agency pays money to “own” the story.
  • If it is widely considered “newsworthy”, the story breaks through channels like DrudgeReport as a “developing story”. This creates a frenzy of online interest. For more niche stories, there are other channels of disclosure such as SlashDot, various rumor sites, celebrity oriented sites like gawker, and — of course — porn sites.
  • If there was any previous event– such as the Paris Porn Tape– that could be associated with this event, it is repackaged and sold and/or displayed along with the new event. What is old is new again.
  • Now, about 24 hours into the new economy, Google’s indexing engine starts producing useful hits. So does Google News, if the story is hitting the press. Once this happens, much wider coverage is sure to follow.
  • At this point, the folks in step #3 that are selling the product are likely making some serious cash. It would be interesting to see a graph of sales over time correlated to various disclosure events. At the same time, the content starts popping up in the mainstream; monologues on late night TV, Fark style story repositories, etc…
  • People continue to pay for the content, yet– at the same time– the content becomes more easily found through free channels. Sales decline, views decline, interest declines.
  • ….
  • Weeks or months later, the legal system actually starts to make noise in regards to suing for damages, claims against ownership or applying criminal charges. By this time, the event has largely been forgotten within the cultural hive mind and most of the initial events surrounding disclosure– the pieces of information most important to the legal action– are now buried in log files, hazy memories or otherwise obscured by the weeks of ‘fast culture’ events that have occurred since.

So, it appears that an entire economic niche comes into being and fully matures within about 72 hours. Once the market has been established, there is so little cost to keeping the product– pure information– on the market that the “buy a snap of Paris’s Private life” sites will be with us until taken down simply through someone forgetting to migrate it to a new server.

Getting started with Python on Mac OS X

Tuesday, February 22nd, 2005

A friend asked me what he should install onto his Mac OS X system to most effectively learn Python. This particular person is a very experienced Objective-C and Java developer, with loads of Mac OS X specific adventures.

This post is targeted to that kind of developer.

Mac OS X ships with a perfectly usable build of Python included in the system (as long as you install the BSD package, which is enabled by default).

First, install the most recent production release of the Subversion client. That link leads to some very convenient to install packages. Alternatively, installation via Fink or DarwinPorts will also work quite nicely. Or you can build it from the source.

Next, grab a pre-compiled copy of the readline module. Decompress it, then copy it into the appropriate place within /Library/Python/2.3/. Interactive Python without readline is miserable.

Then grab the top-of-tree of the PyObjC repository via Subversion. The top-of-tree is almost always very stable as a result of the relatively large and high quality unit testing suite and the focus-on-quality of the developers. Once installed, the benefits are two fold. First, it will install PyObjC, including all examples, the Xcode templates, and the runtime itself. Secondly, it will install py2app which will allow one to easily package Python modules and applications, including creating Installer packages out of any standard Python module.

svn co

And build/install it:

python setup.py bdist_mpkg --open

The above will build a .mpkg that contains PyObjC, py2app, and related resources, then open it in the Installer application.

From there, it is a matter of choosing your favorite editor. Xcode, SubEthaEdit and Emacs can all edit Python quite effectively. The key is to turn off tabs. Never, ever, insert tabs into Python source — always use spaces.

There are other editors available. I pretty much stick to a mix of Emacs with a custom setup (you’ll want to grab the latest python-mode, at the least) and Xcode, with the occasional bout of SubEthaEdit, depending on mood.

For learning Python, I would start with Dive Into Python and then– because this is aimed at Mac OS X developers– move on to ripping into the PyObjC examples. Also, ReSTedit is a fairly decent sized Cocoa-Python application that is under active development, tends to track the latest changes in PyObjC, and has a couple of relatively complex third-party Objective-C classes integrated into the project.

That should provide a pretty decent foundation for both generic and Mac OS X specific Python development. Certainly, there are any number of other tools that one might install, varying in size and complexity.

Recommendations, corrections, and suggestions welcome.

USB Flash Drives

Tuesday, February 22nd, 2005

Since giving away my iPod Shuffle to my wife a few weeks ago, I have had need of a portable storage device. Never before, but now I do. Go figure.

I have a firewire hard drive but it was either in use or largely unavailable and, even if available, I have to screw around with firewire cabling to hook it up and then switch machines. A Shuffle would work, but iTunes is always going to fire up and ask to take over the device (if the machine doesn’t already own it).

Today, I finally got completely fed up with the situation after about the fourth time I needed to move a handful of files between two machines that were otherwise isolated.

So, I headed down to the on-campus Apple store to pick up a flash drive only to discover that they were out of stock. Now, that wouldn’t be that big of deal if I hadn’t been in the store earlier in the day and saw three 512MB units in stock at that time. So, apparently, I’m not the only person needing this kind of convenience.

On the way home, I stopped at Office Max to pick up a random cable. They had the Lexar 1 GB JumpDrive Secure on sale for $85 with an on the spot discount of $10 and a mail-in rebate for $15 — bringing the price to $60 (yup– math sucked the first time around). Not bad for a 1GB USB 2.0 (the high-speed 2.0) drive.

I’m ignoring the “secure” feature. Instead, I created a sparse encrypted disk image on the device that is the same size as the device. Sparse disk images start out minimally sized and will automatically grow, as needed, up to the size of the media they reside upon.

You can create the disk image from within Disk Utility or the command line. The command line will look like (this is a single command):

hdiutil create -size 1g -fs 'Journaled HFS+' -type SPARSE \
-encryption -volname Name-Of-Volume /Volumes/FlashDrive/Name-Of-Volume

I would recommend not placing the disk image password in your keychain. The end result is a convenient, cable-less, tiny portable storage device with unencrypted and encrypted storage areas that automatically grow/shrink as your needs change. No third party drivers or software needed.

Update #1: As Eric noted, the resulting image will start out at 34MB for an empty image. That appears to be overhead related to creating the disk image. As the size of the image drops, the amount of overhead drops along with it — to a point. To answer another question of Eric’s, hdiutil compact <path-to-image> will recover disk space no longer used by the sparse image and return it to the underlying file system.

Update #2: Bob Ippolito suggests that journaling an encrypted disk image is largely pointless. He claims that it will increase the potential for corruption and the additional duplication of information necessary to journal the filesystem will necessarily imply less security.

Honestly, I don’t really have enough information to form an opinion in regards to the likelihood of corruption with or without journaling. As for security, it is true that any repetition of data within an encrypted stream decreases security. In this case, the decrease in security is likely extremely minuscule.

But there is another reason to turn off journaling and it gets back to Eric’s point about the overhead. Turning off journaling reduces the “out of the box” size of a 1GB sparse, encrypted, disk image from 34M to 26M. A significant savings.

Some more data:

FS Type          1g empty image size
HFS+ Journaled   34M
HFS+             26M

Interesting and not terribly surprising. For now, I think I’ll stick with HFS+ as I have plenty of space. hdiutil can always be used to convert the image from one format to another later.

Paris Hilton’s T-Mobile SideKick compromised.

Sunday, February 20th, 2005

Apparently, Paris Hilton’s T-Mobile SideKick has been compromised and the contents have been posted to the Internet. As a result, many famous folk’s phone numbers have also been posted. If this were the personal info of any random John Doe, it wouldn’t have made the news. But it wasn’t just anyone and the list of numbers includes all kinds of people the rabid celebrity worshippers and tabloid press obsess over. I bet there are a lot of personal assistants stressing out as they try and grab a new device and transfer all the data.

This raises a more serious concern. That T-Mobile’s network is vulnerable has been known for some time. Personal photos of various celebrities had been ripped off along with some other personal information.

In this case, it sounds like the contents of Paris’s phone were ripped down and posted. The story specifically mentions personal notes and other non-phone number information that one might keep on a SideKick.

The simplest explanation is that T-Mobile offers an automatic service via which the contents of the phone are backed up to their systems. But I couldn’t find anything like that mentioned as a service.

If not that, then what happened?

If the phone was compromised and the data was downloaded directly from it, that would imply that a powered down cell phone is the only way to keep data secure (making it rather useless). I can’t imagine T-Mobile storing data without customer permission, but sillier things have been known to happen.

Google news for T-Mobile. Paris Hilton google news.

Of course, this is still very early in the Drudge “exclusive report” cycle. So, there is always a chance that this isn’t a real story or it is just a case of Paris misplacing her SideKick such that the wrong person found it and posted the contents.

Update #1: Banner ads and the like are already starting to show up for Paris Hilton Phone Pic Packs. Apparently, there were about 35 pictures on the phone and you can now pay for the privilege of downloading and viewing said pics. Let’s see — less than 24 hours between the alleged hack and the “productization” of the results. The window of revenue generation is likely so short that the individuals and companies involved in the distribution will simply disappear before the law can even start to properly investigate this. I would bet that the porn-conomy is all abuzz with renewed interest in the original Sex Tape about now.

Update #2: Through very useful comments (Thanks!), I have learned two things. First, the SideKick uses Danger as the information service that drives the SideKick’s data storage and handling service. Apparently, the SideKick constantly syncs the Address Book, Notes, and other data to the central server. Secondly, T-Mobile controls the authentication process and authentication with T-Mobile is also counted as authentication with Danger’s service.

As documented at Security Focus, T-Mobile’s service had been compromised almost a year ago.

I wonder if the recent high profile compromise exploited the same security hole or a new hole has been found. Or, to rephrase the question: Is T-Mobile completely incompetent at managing their security or are they simply feeling the pains that many companies experience as they grow over time?

Configuring Subversion & Apache2 as installed by DarwinPorts

Friday, February 18th, 2005

Once you have Subversion & Apache2 installed, the next step is to configure them. I have been through this exercise before — probably even blogged it. I figured I would document it again with a focus on trying to make the commands copy/paste-able. That, and the step after this is to try to configure SSL based authentication to the repository.

The first step is to create a Subversion repository and set the ownership:

sudo mkdir /svn
sudo svnadmin create --fs-type fsfs /svn/master
sudo chown -R www /svn

As I have some scars resulting from corrupt Berkeley DB data stores, I chose to use the filesystem– fsfs– based backing store for Subversion.

The next step is to configure Apache2.

cd /opt/local/apache2/conf/
cp httpd-std.conf httpd.conf

I created a patch file that can be applied to httpd.conf. In order, the chunks of the patch make the following changes:

  • Configures Apache2 to listen on port 8000
  • Loads the dav_svn_module
  • Eliminates the standard document root. When done, the server will only respond to Subversion and icon requests.
  • Adds a <Location /svn> block at the end that configures subversion for the previously configured repository located at /svn/master. Requires an authorized user.
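The patch file itself is not reproduced here, so the following httpd.conf fragment is an added reconstruction of the four changes listed above, not the author’s patch. The module file paths (modules/mod_dav.so, modules/mod_dav_svn.so under /opt/local/apache2) are assumptions about where DarwinPorts put them; the AuthUserFile location /svn/master-auth matches the htpasswd commands further down; and “eliminating the document root” is expressed here as a deny rule on htdocs, which is what produces the “client denied by server configuration” 403 seen in the error log at the end of this page.

```apache
# Added example: httpd.conf fragment reproducing the four patch chunks.
# Module file paths are assumptions; adjust to where your install put them.

# 1. Listen on port 8000 instead of the default 80
Listen 8000

# 2. Load mod_dav (mod_dav_svn depends on it) and the Subversion module
LoadModule dav_module     modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so

# 3. Refuse everything under the standard document root.  The /icons/
#    Alias and its <Directory> block from httpd-std.conf are left alone,
#    so icon requests still work.
<Directory "/opt/local/apache2/htdocs">
    Order deny,allow
    Deny from all
</Directory>

# 4. Expose /svn/master at /svn and require a user from the htpasswd file
<Location /svn>
    DAV svn
    SVNPath /svn/master
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /svn/master-auth
    Require valid-user
</Location>
```

Run apachectl configtest after applying it, as the session below does. Note that Basic authentication over plain HTTP on port 8000 sends the username and password base64-encoded, i.e. effectively in the clear, on every request; the SSL step mentioned at the top of this post is what closes that gap, so until it is done the port is best kept reachable only from a trusted network.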

At this point, everything is configured. Now it is time to create a user or two. Note that the ‘sudo’ below (or above) may prompt for “Password:”. Keep track of whether you are entering your password or the new user’s password.

cd /svn/
sudo -u www htpasswd -c master-auth <user>
New password:
Re-type new password:
sudo -u www htpasswd master-auth <user2>
New password:
Re-type new password:
/opt/local/apache2/bin/apachectl configtest
Syntax OK
sudo /opt/local/apache2/bin/apachectl restart
httpd not running, trying to start

Also, if you have a user or two that you want to add but don’t want to deal with typing their password, have them create an htpasswd file and simply send it to you. The file is of the format “user:hash”. Just append the “user:hash” to the end of master-auth and restart apache.

At this point, visiting the URL http://svnhost:8000/svn/ should reveal an empty Subversion repository at revision 0.

Thanks to Adam Swift for the excellent article on setting up Subversion. Helped a lot.

multitail — useful tool for dealing with apache

Friday, February 18th, 2005

While configuring apache2 and subversion, I ran across the age old problem of needing to monitor both the access and error logs of apache.

A quick check of darwinports shows two promising entries:

% port list | grep tail
multitail sysutils/multitail 3.0.6 Tail multiple files in one terminal at once
xtail sysutils/xtail 2.1 like 'tail -f' on a bunch of files at once

Google reveals that multitail would be more useful. Unfortunately, 3.0.6 is way out of date and doesn’t build via darwinports (or standalone). xtail works, though. No color which leads to a bit of verbosity, but works fine and is more convenient than backgrounding a couple of tail -f processes.

% xtail /opt/local/apache2/logs/*log

*** /opt/local/apache2/logs/access_log *** - - [17/Feb/2005:23:41:46 -0800] "GET /foobarbazasdfasdf HTTP/1.1" 403 315

*** /opt/local/apache2/logs/error_log ***
[Thu Feb 17 23:41:46 2005] [error] [client] client denied by server
   configuration: /opt/local/apache2/htdocs/foobarbazasdfasdf

*** /opt/local/apache2/logs/access_log *** - bbum [17/Feb/2005:23:41:52 -0800] "GET /svn/ HTTP/1.1" 200 271
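A minimal xtail-style follower in Python, added here as an example (not code from the post or from the xtail project) so the behaviour shown above can be reproduced without the DarwinPorts package: it follows several files at once and prints a “*** path ***” header whenever output switches from one file to another, exactly the layout of the session above. The log paths and lines a caller hands it are the caller’s own.

```python
import os
import sys
import time

# Added example, not code from the original post: a small xtail-style
# follower for several log files, written in plain Python.


def follow(paths, from_start=False, poll_interval=0.2, max_idle_polls=None):
    """Return a generator of (path, line) for every new line in any file.

    from_start=False mimics `tail -f`: each file is opened and positioned at
    its current end right here, not lazily on the first next() call, so a
    line appended after follow() returns is never missed.
    max_idle_polls bounds how many consecutive empty polls are tolerated
    before the generator stops (None means follow forever); a finite value
    makes the function usable from a deterministic test."""
    handles = {}
    for path in paths:
        fh = open(path, "r", errors="replace")
        if not from_start:
            fh.seek(0, os.SEEK_END)
        handles[path] = fh
    return _pump(handles, poll_interval, max_idle_polls)


def _pump(handles, poll_interval, max_idle_polls):
    idle = 0
    try:
        while True:
            produced = False
            for path, fh in handles.items():
                # readline() returns "" at end of file; once the writer has
                # appended more, the next call returns the new line.
                for line in iter(fh.readline, ""):
                    produced = True
                    yield path, line.rstrip("\n")
            if produced:
                idle = 0
                continue
            idle += 1
            if max_idle_polls is not None and idle >= max_idle_polls:
                return
            time.sleep(poll_interval)
    finally:
        for fh in handles.values():
            fh.close()


def render(events):
    """Format (path, line) events the way xtail prints them: a
    "*** path ***" header each time output switches to another file."""
    out = []
    current = None
    for path, line in events:
        if path != current:
            out.append(f"*** {path} ***")
            current = path
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python xtail.py /opt/local/apache2/logs/*log
    current = None
    for path, line in follow(sys.argv[1:]):
        if path != current:
            print(f"*** {path} ***")
            current = path
        print(line, flush=True)
```

Unlike xtail, this version does not notice files that are created after it starts or rotated out from under it; for a pair of apache logs that stay in place it behaves the same way, and readline() returning a partial line is only possible if the writer is mid-line at the instant of the poll.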