Category Archives: Tech

Kiva Country Collector – Now storing loan IDs.

I had to archive everyone’s cached data, because I’ve made a major change to the data model and it wasn’t fully backwards compatible.

The upside is that it’ll be less API intensive about pulling in updated data and won’t start from scratch each time.

The downside, though, is that I’m storing loan IDs now. So, that’s something you should consider if you want to use the app. If you don’t select the “Privacy Mode”, then I’ll be storing your lender id, loan IDs and countries you’ve loaned to in a file that looks like this:

$ head lenders/bswopes.csv
"DO","[519186, 453620, 414509, 253513]"
"BF","[561459, 455699, 406311, 346733]"
"KH","[271711, 295024, 238144, 265943]"
"XK","[508414, 518939, 482881, 443775]"
"BO","[518671, 290774, 232177, 196661]"
"YE","[510083, 412907, 425078, 391416]"
"LR","[434516, 404925, 297545, 203097]"
"BJ","[561715, 404260, 361734, 227187]"
"JO","[480732, 443313, 380336, 310151]"
"AZ","[483852, 337269, 355439, 295106, 234743]"

Here’s what it had looked like before:

$ head old-format/bswopes.csv
"DO",4
"BF",4
"KH",4
"XK",4
"BO",4
"YE",4
"BI",4
"BJ",4
"JO",4
"HN",4

EDIT 20130921: I’ve converted to json format and also include the total lender_count to clean up the re-import.
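As an added illustration of the two storage modes described above (this is not the app’s own code): it parses rows in the new per-country CSV format and builds the cached record either with full loan IDs or, in Privacy Mode, with only the per-country counts the old format held. The JSON field names and the meaning of lender_count as “total loans cached” are assumptions here.

```python
import csv
import io
import json

# Constructed sample in the new CSV format: a country code followed by a
# bracketed list of loan IDs (two rows taken from the post).
NEW_FORMAT_CSV = '''"DO","[519186, 453620, 414509, 253513]"
"AZ","[483852, 337269, 355439, 295106, 234743]"
'''


def parse_country_loans(csv_text):
    """Parse the new-format CSV into {country_code: [loan_id, ...]}."""
    loans = {}
    for country, id_list in csv.reader(io.StringIO(csv_text)):
        # The second column is a bracketed list literal; it is valid JSON.
        loans[country] = [int(x) for x in json.loads(id_list)]
    return loans


def build_cache_record(lender_id, loans, privacy_mode):
    """Build the record that would be cached to disk (field names assumed).

    In Privacy Mode the record keeps only a count per country, so neither the
    lender id nor any loan ID is written; otherwise both are stored.
    """
    record = {
        # Assumed meaning of the post's lender_count: total loans cached.
        "lender_count": sum(len(ids) for ids in loans.values()),
        "countries": {},
    }
    if privacy_mode:
        for country, ids in loans.items():
            record["countries"][country] = len(ids)
    else:
        record["lender_id"] = lender_id
        for country, ids in loans.items():
            record["countries"][country] = sorted(ids)
    return record


def cache_json(lender_id, loans, privacy_mode):
    """Serialise the record the way it would be written to the JSON cache."""
    return json.dumps(build_cache_record(lender_id, loans, privacy_mode),
                      sort_keys=True)
```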

Running some tor nodes.

I’ve been running some tor relays for a while now. One runs on my linode box with a reduced exit policy and has been basically trouble-free. The second runs on a machine in my kitchen and has produced some issues.

I recently rebuilt that system as an ubuntu box to run tor, boinc, squid > apache > mod_pagespeed. Overall, I’ve been happy with it, but it seems like my network just dies out at times. It could just need some tuning love, but I’m about out of weekend.

So, I’m just going to switch it over to acting as a tor bridge for now. Should be safer from complaints by my ISP, at least.

iTunes Repeated Password Prompts

I’ve recently been struggling with an issue where iTunes repeatedly prompts for the iTunes store password. There are some forum threads out there that address the issue, but in my case it went beyond the common solutions. I wanted to call out the steps to look for.

This was particularly troubling to me, since I have arthritis; typing any more than I need to can be very painful at times. Also, secure passwords can be a bit awkward to type, since they aren’t normal words.

  • Cookies
  • Keychain
  • Multiple Accounts

So, one of the first things to check is your cookie preferences in Safari. iTunes shares the same cookie storage as Safari and the same restrictions, so if you don’t accept cookies, then you’re going to have trouble. Open up Preferences > Privacy and make sure that your cookie preferences are set to anything other than Always.

Your keychain could be corrupt. Open up Keychain Access, then bring up preferences and “Reset my default keychain”. This will blow away a bunch of saved passwords, so you might want to think about this one first.

Finally, the issue that was causing my trouble: I had purchases under multiple iTunes accounts. I used Doug’s “Track Down Purchases” AppleScript to identify what was under my old account and see if it was really worth hanging on to. In my case, it wasn’t, so I purged the files from my old account. Depending on what you have, you can also look at using iTunes Match to switch files you own over to your other account. Get iTunes Match under your current account, make sure the files from your old account are matched, delete them, then download them from iCloud. The bonus is that you’ll probably get better quality copies without DRM.

Good luck!

BA-2005-01 Cursory Analysis of a System Compromise (due to poor password selection)

Cursory analysis of a system compromise (due to poor password choice)

On March 9 at 0856 the installation of a Fedora Core 3 system was completed.
System was then set up on a NAT network and patched using updates provided by
the Fedora project. The root password, for convenience, was temporarily set to
‘password’ as an outside contractor would be setting up some software.

Continue reading BA-2005-01 Cursory Analysis of a System Compromise (due to poor password selection)

BA-2003-01 Debian: Unsafe directory ownership, default paths may lead to privilege escalation


Original release date: December 6, 2003
Last revised: December 06, 2003

A complete revision history is at the end of this file.

Systems Affected

Debian 3.0 with group ‘staff’ ownership of /usr/local/* and the default path setting in /root/.profile

Severity

Low/Medium (Requires access to a local ‘staff’ account)

Overview

The default path setting for Debian 3.0 sets priority to /usr/local before its /usr counterpart. Combined with the loose access controls on /usr/local, this could lead to a privilege escalation attack that might yield root access to an attacker.
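A defensive check for the condition described in this advisory, added here as an example (not part of the advisory): it walks a PATH string in order and reports entries that precede a system bin directory while being group- or world-writable or owned by an untrusted uid, since such an entry can shadow system binaries for anyone with that write access. The helper that builds a demo PATH from temp directories is constructed for a stand-alone run.

```python
import os
import stat
import tempfile

# Directories whose binaries a writable earlier PATH entry could shadow.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def is_loosely_controlled(path_entry, trusted_uids):
    """True if the directory is writable by someone other than a trusted owner.

    A group- or world-writable directory (Debian's staff-owned /usr/local/bin
    is the case in the advisory) lets any member drop a lookalike binary.
    Missing entries are skipped here rather than reported.
    """
    try:
        st = os.lstat(path_entry)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_path(path_value, trusted_uids=None):
    """Return [(entry, [shadowed system dirs])] for risky entries in PATH order."""
    if trusted_uids is None:
        trusted_uids = (0, os.getuid())
    entries = path_value.split(":")
    findings = []
    for i, entry in enumerate(entries):
        if not entry or entry in SYSTEM_BIN_DIRS:
            continue
        shadowed = [d for d in entries[i + 1:] if d in SYSTEM_BIN_DIRS]
        if shadowed and is_loosely_controlled(entry, trusted_uids):
            findings.append((entry, shadowed))
    return findings


def make_demo_path():
    """Constructed demo: one group-writable dir (setgid, like /usr/local/bin
    under 'staff') and one tightly-permissioned dir, both ahead of /usr/bin."""
    loose = tempfile.mkdtemp()
    os.chmod(loose, 0o2775)
    tight = tempfile.mkdtemp()
    os.chmod(tight, 0o755)
    return f"{loose}:{tight}:/usr/bin:/bin", loose, tight
```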

Continue reading BA-2003-01 Debian: Unsafe directory ownership, default paths may lead to privilege escalation

BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm

From: Golden_Eternity [[email protected]]
Sent: Friday, June 28, 2002 2:15 PM
Subject: RE: Apache worm in the wild

Just based on the strings in the .a file, this is my best guess as to what its
doing. I haven't tried running it, yet, so my observations are very limited.
Hopefully someone will find this interesting.

Continue reading BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm

BA-2001-03 Multiple Problems with the Implementation of SSH ChRootGroups/ChRootUsers


Original release date: July 22, 2001
Last revised: July 22, 2001

A complete revision history is at the end of this file.

Systems Affected

A) Systems running SSH Communications, Inc’s SSH 2 implementation, using the built-in features for user login security.

B-C) Those same systems using SSH 1 compatibility.

Continue reading BA-2001-03 Multiple Problems with the Implementation of SSH ChRootGroups/ChRootUsers

CA-2001-01 Viscosity Breakdown in Common Password Storage Devices

Original release date: June 3, 2001

A complete revision history is at the end of this file.

Systems Affected

  • Any password storage device that relies on viscous material.

Overview

Password storage devices that rely on viscous material may experience viscosity breakdown over time, rendering these devices less effective. In some cases, passwords may be lost completely.

Continue reading CA-2001-01 Viscosity Breakdown in Common Password Storage Devices

BA-2001-02 Firewall rule exposure on ACK based filters


Original release date: May 26, 2001
Last revised: May 27, 2001

A complete revision history is at the end of this file.

Systems Affected

Any firewall configured to block inbound packets without the ACK bit set.

Severity

Low – Enumeration

Overview

Any firewall system configured to block (not respond to) inbound packets without the ACK bit set may be vulnerable to an information gathering attack that could reveal a portion of the firewall ruleset and suggest the presence of listening daemons.

Continue reading BA-2001-02 Firewall rule exposure on ACK based filters