Swedish home electronics chain “TeknikMagasinet” sells trojan-infected USB memory sticks

According to the Swedish IDG news service, Swedish home electronics chain “TeknikMagasinet” is selling USB memory sticks (ZAP Slider USB 8G) that are/were infected with a trojan.

An angry reader of IDG’s daily IT newspaper “Computer Sweden” contacted them and shared his story. The reader had bought 3 USB memory sticks and all of them were in unbroken casings. All 3 USB memory sticks had 60 megabytes used, and when plugged into a Microsoft Windows Vista computer, the anti-virus application reacted and warned that a trojan was present on the memory stick. Microsoft Windows XP was also used as a test subject, and the anti-virus application reacted on this platform as well.

The reader claimed to have contacted TeknikMagasinet, asking for an explanation, but allegedly nobody at the home electronics chain got back to him.

Christian Ekstrand at TeknikMagasinet says that only a small number in a particular batch of USB memory sticks that TeknikMagasinet manufactures itself in Taiwan were infected and that “only 50 usb memory sticks were infected” (as far as he knows). Mr Ekstrand says, however, that he cannot speak about how many, if any, of the TeknikMagasinet customers who bought the particular products were affected by the incident. He also says that this is the first incident in the 4-5 years that TeknikMagasinet has co-operated with the particular plant in Taiwan. He also said that the reason why the Computer Sweden reader didn’t hear from TeknikMagasinet was that they weren’t able to reach him, and that they are in no way trying to tone down the incident.

Mr Ekstrand continues to say that “the virus is pretty harmless and for example only tries to steal World of Warcraft login information” and that “the customer should not be at risk if they have an anti virus program installed” (translating / paraphrasing).

A personal reflection here is that I don’t know if I agree with calling a keylogger that tries to steal information and installs itself automatically something minor. Who knows what other information the keylogger can harvest if deployed on a customer’s computer? Would it still be a “minor issue” if the customer ends up losing financial information such as his/her credit card number?

UPDATE: Christian Ekstrand comments in the article’s comment section that the virus came in through a control computer that was used by an employee of the plant to surf privately. Private surfing is prohibited at the plant, Christian says. Check this link for information about the trojan.



The mystery of electricity – or “when wall-sockets attack”

The other night the power went off at my parents’ house, where I was staying for the night. This didn’t turn out to be the vanilla power outage where your electricity flickers off and on again; no, this one created poltergeist-like effects.

So, the short story is that the power went out at 4 in the morning, nothing odd with that – it happens. Then one hour later, at 5 o’clock, the power flickers on and then goes off again. A couple of minutes later the power comes on again, but something doesn’t seem right. I check the lights, and they are shining presumably weaker. I try to go online, as my DSL modem with attached Linksys access point should have automagically gone online – no go. I check the DSL modem and it looks to be dead. (I swear silently to myself, thinking that I have to get a new modem = more hassle.)

Seconds later I hear a loud humming noise coming out of the speakers next to the office area. Hmm, I start to think to myself (besides hearing sounds “from the other side”) that something must be messed up with the quality of electricity coming into the house, and I quickly unplug all electronics, fridges and other appliances that might be in danger. (One of the freezers was standing and clicking on its own, and I was actually expecting Pinhead and his cenobites to enter at any moment.)

Next step was to see what actually is coming out of the sockets in the wall, and what do you know?! The voltage is ~110V instead of the regular ~230V as is standard.

While I am lounging around, my dad wakes up (the most alert 70-year-old you’ll see – ever) and we start to check the fuses inside the house – all of which are functioning. In order to find the source of the fault, we go outside to the main fuse box to check the fuses there – all are alright.

The natural next step is to see what kind of voltage there is on the phases. *woopsie* Only 1 phase out of 3 is working, and the one that is working shows half of what it should; yes, you guessed right: 110V.

As we have gone through all the steps at the local facilities, we then call the energy company, where a perky young lady tells my (not so perky) father on the other end that she will notify the electrician on call. (I was trying to hide my laughter hearing him grunting, newly awake ;-) ) A couple of minutes later, the electrician calls my father and they discuss the problem. Knowing the area, my father tells the workers what have been sources of error in the past and awaits their arrival.

When this is done, I go to sleep as I know that there is not much I can do by then. (The time is now around 6.30 in the morning.)

I wake up a couple of hours later, and find out that the error was quite a transient one. A “line fault”, for sure, but that was only a partial cable-break to a cable that was running under the creek close to my parents’ house. This partial error was transient in nature, to the degree that it didn’t go completely off and the broken cable served as a giant resistor. Thus, the low voltage levels and malfunctioning phases at the end-point of the consumer’s facility – aka, the border fuse box.

When awake, I put on the DSL modem again; it worked just fine. It was just a cheap (OEM) AC adapter that only handled ~230V. The Linksys access point worked like a charm, however, as its AC adapter could take both ~110V and ~230V.

Lesson to be learned from all of this: never take electricity for granted – it is actually quite a complex process to manufacture and bring into your home. (Plus of course to watch out for Pinhead when opening the freezer :-) )

Until the next time… keep your fingers out of the sockets.



1994 job posting – Jeff Bezos is looking for staff for his start-up Amazon.com

Check out this job posting made by Jeff Bezos in 1994:

Well-capitalized start-up seeks extremely talented C/C++/Unix
developers to help pioneer commerce on the Internet.  You must have
experience designing and building large and complex (yet maintainable)
systems, and you should be able to do so in about one-third the time
that most competent people think possible.  You should have a BS, MS,
or PhD in Computer Science or the equivalent.  Top-notch communication
skills are essential.  Familiarity with web servers and HTML would be
helpful but is not necessary.

Expect talented, motivated, intense, and interesting co-workers.  Must
be willing to relocate to the Seattle area (we will help cover moving
costs).

Your compensation will include meaningful equity ownership.

Send resume and cover letter to Jeff Bezos:

mail:    be…@netcom.com
fax:     206/828-0951
US mail: Cadabra, Inc.
10704 N.E. 28th St.
Bellevue, WA  98004

We are an equal opportunity employer.

——————————————————————-
“It’s easier to invent the future than to predict it.”  — Alan Kay
——————————————————————-

[Link]



Critical Wordpress vulnerability, UPDATE NOW!

It is possible for a malicious site visitor to register a special username and gain administrative privileges on your Wordpress Blog. (Described below)

It is recommended to update now!

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.

This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.

If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME:    The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
             from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
“admin”. The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select “Anyone can register” in the Membership section of
General Settings to disable account creation.

References:

[1] Dos and Don’ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified
Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
Vulnerability notice published

Reference: [Link]
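The missing delimiter described in the advisory above, shown as an added example (not part of the advisory and not WordPress's code): the same cookie check is run with the undelimited MAC input and with a length-prefixed one. The secret, the key-derivation step, the sample username and expiry, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; stands in for the site secret


def _mac(msg: bytes) -> str:
    # Assumed key derivation: the advisory only says the key is derived
    # from a secret and USERNAME . EXPIRY_TIME.
    key = hmac.new(SECRET, msg, hashlib.md5).digest()
    return hmac.new(key, msg, hashlib.md5).hexdigest()


def weak_msg(username: str, expiry: str) -> bytes:
    # Scheme from the advisory: fields concatenated with no delimiter.
    return (username + expiry).encode()


def framed_msg(username: str, expiry: str) -> bytes:
    # Hardened: each field is length-prefixed, so the field boundary is
    # covered by the MAC as well.
    return b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode() for f in (username, expiry)
    )


def issue(username: str, expiry: str, encode) -> str:
    return f"{username}|{expiry}|{_mac(encode(username, expiry))}"


def verify(cookie: str, encode) -> bool:
    username, expiry, mac = cookie.split("|")
    return hmac.compare_digest(mac, _mac(encode(username, expiry)))


def move_boundary(cookie: str, n: int) -> str:
    # Test helper: shift the last n characters of USERNAME into EXPIRY_TIME,
    # leaving the MAC field untouched.
    username, expiry, mac = cookie.split("|")
    return f"{username[:-n]}|{username[-n:]}{expiry}|{mac}"


if __name__ == "__main__":
    for name, enc in (("undelimited", weak_msg), ("length-prefixed", framed_msg)):
        original = issue("admin1", "1209600000", enc)  # constructed values
        altered = move_boundary(original, 1)           # admin | 11209600000
        print(name, verify(original, enc), verify(altered, enc))
```

With the undelimited input both cookies verify; with the length-prefixed input only the original does, which is the property a regression test for this class of bug should assert.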



Ubuntu Hardy Heron (8.04) – a first look at the… software distribution model of Canonical

Part of my day has been dedicated to creating backup routines and gathering enough space to mirror saved data and to download and later burn the Ubuntu Hardy Heron disc image.

The problem here is… The software distribution system that Canonical (the company behind Ubuntu) uses just doesn’t work very well in times of a new release. You see, Canonical have local mirrors – and that is all fine, but then when you want to access and download the actual ISO image or perhaps (like myself) get access to a torrent file in order to actually save Canonical bandwidth, then they rely on local universities out there – universities that just don’t have the infrastructure to even serve the download requests coming in.

So, in the middle of the day I sit and try to get access to the .torrent-file in order to start my download and even help distribute Canonical’s software, but… I can’t!

Canonical need to decide to either switch their distribution model to rely mainly on distributed data models such as bittorrent, or to invest more in the physical infrastructure behind their software distribution to the end-user.

As it is now, it just does not work very well.

Enough complaints for one day, I am now in the process of installing Ubuntu 8.04 (“fresh upgrade”) on one of my laptops, as this machine is really in need of new and improved acpi drivers/settings etc.
(Yes, you guessed correctly – it is a Dell Inspiron that you can’t close the lid on and/or switch off or it freezes up.)

I will give impressions of Ubuntu Hardy Heron in an upcoming post after I have used the system a bit.

See you soon! :)



Wordpress 2.5 = flawless update (but remember to disable your plugins kids)

Before updating from Wordpress 2.3.3 to Wordpress 2.5 I did a backup within my control panel (Interworx), and after that I followed the instructions per the update page on Wordpress.org.

What did dawn on me was that I didn’t disable my plugins before I went ahead and updated the software; however, this sweat was only momentary, as the process went without any issues even so.

In any case, don’t hesitate to take the plunge – it is one great piece of kit, this Wordpress. Besides the improved internal cache-handling, the backend is a real treat: fast and easy to use. The auto-update of your installed plugins is another nifty feature.



Swedish division of IDG news starts its own blog service

IDG.se’s blog service has gone public, accompanied by three “professional bloggers” (Elisabeth Stjernstoft, Per Hellqvist and Niklas Andersson) and user-generated content on the side.

The site isn’t exactly a wonder of design or refinement, but it does its job and is pretty spot on when it comes to basic functionality.

Whether this will be a success or not is too early to say; however, I am wondering if surfers – especially the IT-savvy segment – are interested in becoming an integral part of IDG’s traffic generation and ultimately ad sales.

[Link]



Facebook oxymoron of the day – plus staggering user numbers and traffic, or not

The other day I got a “No More Invites” invitation from a friend on Facebook. I found it really funny, especially as the same person is sending me everything from “Vampires” invitations to “Annoy your friends” dittos.

But to be a bit more serious for a second: the above is one of the weaknesses of Facebook – it is just too cluttered with information, and by opting out of certain feeds, you risk missing information that might be vital to your e-social life.

There is a buzz about “Facebook’s user numbers are dropping”, however I believe this to be highly exaggerated. The leveling out of visitors, users and overall traffic is just natural after a period of rapid growth. If this didn’t happen, it would be like saying that these MLM-schemes actually work for everyone.



New webhost for the blog

I’ve moved the blog to a server of mine located in the Steadfast Networks Datacenter. This was done to get better load times and such :)

‘Ta!



Hypocrisy.nu used as a return-domain by spammers

Hello, this is a short note to let you know that Hypocrisy.nu is being used as a return-domain by spammers. Hypocrisy.nu does not condone this type of action, and every email going out from Hypocrisy.nu should have an SPF-pass note added to it.

Thank you for your understanding.
