Wednesday, February 29, 2012

Whoops!

My home server is configured to send me daily e-mails with any security events. Typically this means SSH brute force login attempts, and I occasionally take the opportunity to notify people that their servers were breached and are being used for attacks.

Today I found something amusing in the logs. Apparently some idiot hacker mixed up their username and password files for their attack:
Feb 28 02:32:53 buddha sshd[57691]: Invalid user QFhGj8kE7D3Vs from 223.4.115.46
Feb 28 02:32:55 buddha sshd[57693]: Invalid user aMb0lgX8umqqQGpFRjiGiP from 223.4.115.46
Feb 28 02:32:58 buddha sshd[57695]: Invalid user crinalove from 223.4.115.46
Feb 28 02:33:00 buddha sshd[57697]: Invalid user xyzsun123 from 223.4.115.46
Feb 28 02:33:02 buddha sshd[57699]: Invalid user 20090924 from 223.4.115.46
Feb 28 02:33:05 buddha sshd[57713]: Invalid user aicumine from 223.4.115.46
Feb 28 02:33:07 buddha sshd[57715]: Invalid user Router#32SOS from 223.4.115.46
Feb 28 02:33:10 buddha sshd[57717]: Invalid user cotinga from 223.4.115.46
Feb 28 02:33:13 buddha sshd[57719]: Invalid user cornalito from 223.4.115.46
Feb 28 02:33:15 buddha sshd[57721]: Invalid user l0p33os from 223.4.115.46
Feb 28 02:33:18 buddha sshd[57723]: Invalid user !mir@nine from 223.4.115.46
Feb 28 02:33:20 buddha sshd[57725]: Invalid user mucleus.caca.root from 223.4.115.46
Feb 28 02:33:23 buddha sshd[57727]: Invalid user !@#$%^ from 223.4.115.46
Feb 28 02:33:25 buddha sshd[57729]: Invalid user easy2use from 223.4.115.46
Feb 28 02:33:28 buddha sshd[57731]: Invalid user diana4ever from 223.4.115.46
Feb 28 02:33:33 buddha sshd[57733]: Invalid user pw2009inx from 223.4.115.46
Feb 28 02:33:36 buddha sshd[57735]: Invalid user eth0eth1254 from 223.4.115.46
Feb 28 02:33:38 buddha sshd[57737]: Invalid user eth0eth0 from 223.4.115.46
Feb 28 02:33:40 buddha sshd[57739]: Invalid user 1q2w3e4r5t6y7u8i9o0p from 223.4.115.46
Feb 28 02:33:43 buddha sshd[57741]: Invalid user kentlung from 223.4.115.46
Feb 28 02:33:45 buddha sshd[57743]: Invalid user 1q2w3e4r5t6y from 223.4.115.46
Feb 28 02:33:48 buddha sshd[57745]: Invalid user kta1234 from 223.4.115.46
Feb 28 02:33:50 buddha sshd[57747]: Invalid user Kt@1234 from 223.4.115.46
Feb 28 02:33:53 buddha sshd[57749]: Invalid user !mi$ from 223.4.115.46
Feb 28 02:33:55 buddha sshd[57751]: Invalid user perfectpassword from 223.4.115.46
Feb 28 02:33:58 buddha sshd[57753]: Invalid user !mir@ninie from 223.4.115.46
Feb 28 02:34:00 buddha sshd[57755]: Invalid user !mir@Ninie from 223.4.115.46
Feb 28 02:34:03 buddha sshd[57757]: Invalid user !Mir@nine from 223.4.115.46
Feb 28 02:34:05 buddha sshd[57759]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:08 buddha sshd[57761]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:10 buddha sshd[57763]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:13 buddha sshd[57765]: Invalid user vkvadaclasa from 223.4.115.46
Feb 28 02:34:15 buddha sshd[57767]: Invalid user d3v__3f__j3b0n from 223.4.115.46
Feb 28 02:34:17 buddha sshd[57769]: Invalid user kany123kany from 223.4.115.46
Feb 28 02:34:20 buddha sshd[57771]: Invalid user gywjddl!@!* from 223.4.115.46
Feb 28 02:34:22 buddha sshd[57773]: Invalid user aprkvkldf!!! from 223.4.115.46
Feb 28 02:34:25 buddha sshd[57775]: Invalid user dnjao123! from 223.4.115.46
Feb 28 02:34:28 buddha sshd[57777]: Invalid user eltmzm!!! from 223.4.115.46
Feb 28 02:34:31 buddha sshd[57779]: Invalid user #7364! from 223.4.115.46
Feb 28 02:34:34 buddha sshd[57781]: Invalid user disk!!! from 223.4.115.46
Feb 28 02:34:36 buddha sshd[57783]: Invalid user @#Rq92u8fjewRweqf45y43tgh3 from 223.4.115.46
Feb 28 02:34:39 buddha sshd[57785]: Invalid user @n!md@mP#$@&#3141$&#@!#mTadm!n$@ from 223.4.115.46
Feb 28 02:34:41 buddha sshd[57787]: Invalid user BUNdAS@#$RT%GQ~EQW#%^QW from 223.4.115.46
Feb 28 02:34:44 buddha sshd[57789]: Invalid user 163typist from 223.4.115.46
Feb 28 02:34:46 buddha sshd[57791]: Invalid user dudejr5542 from 223.4.115.46
Feb 28 02:34:48 buddha sshd[57793]: Invalid user E1T1RDs7 from 223.4.115.46
Feb 28 02:34:51 buddha sshd[57795]: Invalid user 198287 from 223.4.115.46
Feb 28 02:34:54 buddha sshd[57797]: Invalid user r9A6YOFYEh from 223.4.115.46
Feb 28 02:34:56 buddha sshd[57799]: Invalid user 9swL2k5Cp7 from 223.4.115.46
Feb 28 02:34:59 buddha sshd[57801]: Invalid user oxbow@852 from 223.4.115.46
Feb 28 02:35:01 buddha sshd[57803]: Invalid user frigfurg from 223.4.115.46
Feb 28 02:35:03 buddha sshd[57805]: Invalid user xew4upjg from 223.4.115.46
Feb 28 02:35:06 buddha sshd[57809]: Invalid user K4tp0ng from 223.4.115.46
Feb 28 02:35:08 buddha sshd[57811]: Invalid user dkagh!@#$ from 223.4.115.46
Feb 28 02:35:11 buddha sshd[57813]: Invalid user rhg0704 from 223.4.115.46
Feb 28 02:35:13 buddha sshd[57815]: Invalid user 654312 from 223.4.115.46
Feb 28 02:35:16 buddha sshd[57817]: Invalid user glaemsp!!! from 223.4.115.46
Feb 28 02:35:18 buddha sshd[57819]: Invalid user whznskwhdk from 223.4.115.46
Feb 28 02:35:21 buddha sshd[57821]: Invalid user globalpass from 223.4.115.46
Feb 28 02:35:23 buddha sshd[57823]: Invalid user punglor21 from 223.4.115.46
Feb 28 02:35:26 buddha sshd[57825]: Invalid user nic#!@ruc148 from 223.4.115.46
Feb 28 02:35:29 buddha sshd[57827]: Invalid user dudejrqwer!@#$ from 223.4.115.46
There are a LOT more in the log, but you get the picture.
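As an added illustration (not the blog's own monitoring script), here is a small Python parser that pulls the `Invalid user` lines out of an sshd log, groups them by source address, and flags sources whose "usernames" do not look like login names, which is exactly the pattern in the log above. The sample lines are constructed, using documentation IP ranges rather than the real source; the year, the attempt threshold and the ratio are assumptions you would tune for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the sshd lines above; the addresses
# are RFC 5737 documentation ranges, not the source seen in the post.
SAMPLE_LOG = """\
Feb 28 02:32:53 buddha sshd[57691]: Invalid user QFhGj8kE7D3Vs from 203.0.113.5
Feb 28 02:32:55 buddha sshd[57693]: Invalid user crinalove from 203.0.113.5
Feb 28 02:32:58 buddha sshd[57695]: Invalid user !mir@nine from 203.0.113.5
Feb 28 02:33:00 buddha sshd[57697]: Invalid user 1q2w3e4r5t6y from 203.0.113.5
Feb 28 02:33:02 buddha sshd[57699]: Invalid user backup from 203.0.113.5
Feb 28 03:10:12 buddha sshd[58001]: Invalid user admin from 198.51.100.7
Feb 28 03:10:13 buddha sshd[58002]: Accepted publickey for alice from 192.0.2.9 port 4022 ssh2
"""

# sshd logs "Invalid user" when the name does not exist locally. The name is
# attacker-supplied text, so it is captured lazily and must not be trusted
# (escape it before dropping it into an HTML digest, for instance).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.+?) from (?P<src>\S+)$"
)
# Shape of a name that useradd would normally accept on Linux.
LOGIN_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_invalid_users(log_text):
    """Return one dict per 'Invalid user' line; other sshd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "user": m.group("user"), "src": m.group("src")})
    return events


def summarize_by_source(events, year=2012, min_attempts=3, odd_ratio=0.5):
    """Group attempts per source IP and flag password-list-style username sprays.

    syslog timestamps carry no year, so the caller supplies one for the time span.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        times = [datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S") for e in evs]
        odd = sum(1 for e in evs if not LOGIN_NAME_RE.match(e["user"]))
        report[src] = {
            "attempts": len(evs),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "unusual_usernames": odd,
            # Mostly non-login-shaped names from one host in a short burst: a
            # password list being fed into the username field, as in the post.
            "password_list_suspected": len(evs) >= min_attempts and odd / len(evs) >= odd_ratio,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize_by_source(parse_invalid_users(SAMPLE_LOG)).items():
        print(src, info)
```

The per-source report is what a daily digest would be built from; the `span_seconds` value separates a scripted burst from a handful of genuine typos spread over the day.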

Tuesday, October 25, 2011

Getting political for a moment

With all that's going on in the world these days, I've been doing a lot of thinking about my own personal political philosophy and where exactly I lie. I'm definitely liberal on the social side of things, but I had often agreed with the stated beliefs of the Republican party or libertarians (small federal government staying out of the way). I tend to vote Democrat though due to disliking the actual ACTIONS of Republicans and their insistence on bringing religion into government.

In light of the Occupy Wall Street movement, I've been trying to consider what I think it would take to actually improve society. Not necessarily specifics of individual items, but more of a higher level political philosophy. In the past few days I think I've figured it out. Note that I do not necessarily believe that any of this would ever happen, and I'm certainly open to the likelihood that I've missed something which renders my opinions a load of horse shit. I'd be curious to hear what people think.

Corporations

Before I start, I should take a moment to step back and talk about businesses. Corporations tend to fall into two basic classes: public and private. Public companies are companies which have stock available for sale to the general public in various stock markets around the world. Private companies may or may not have stock, but any shares which exist are privately held by individuals. This could be a single company owner, partners, or it could be in the hands of a number of parties (venture capitalists for example).

General Electric (GE), Google and McDonalds are all examples of public companies. Facebook and the plumber down the street are both examples of private companies, although Facebook is eventually planning to go public. Who knows, maybe Joe the Plumber is as well.

One of the guiding principles of public companies is the concept of maximizing shareholder value. Companies are LEGALLY required to maximize profits. Private companies are also typically motivated to increase profits as much as possible, although they do have more flexibility if they were motivated to exchange profit margins for improving the community, sharing the wealth, or other purposes.

You can sort of think of a company as a machine designed to funnel the maximum amount of money (profits) from customers to shareholders. More customers, more profit. Lower expenses, more profit. Fewer shareholders, more profit per shareholder. The perfect company would have as few employees as possible and would siphon all money to a single pocket.

Luckily there are inefficiencies in these business machines:

* People aren't going to hand over money without something in return, so there is a need to develop and provide a product or service of some sort. This requires employees to design, build and maintain these products/services and support the customer base. These employees get jobs, benefits and their salaries, taking away from the profit margin. For the employees it means the ability to buy food, clothing, shelter and plenty of non-essentials (like maybe the company's products).

* If you have a high margin product, you can expect to see competitors. These other companies are like sharks in the water who smell blood and come swimming. Probably a bad analogy though, since the more competitors there are, the lower prices will be due to increased competition. I certainly wouldn't consider myself "saved" from a shark attack when I see more sharks coming.

* Any profit a company receives gets taxed at federal, state and probably city levels. Companies pay taxes on their profit in addition to things like payroll tax. The company executives pay income tax on any salary they are provided. Shareholders pay taxes on any dividends that the stock pays and capital gains tax if they were to sell the stock. These taxes then are used to pay for government expenses, including money to support the community (schools, roads, welfare, etc).

Companies try to decrease these inefficiencies as much as possible. They shift hiring to geographical locations which are cheaper to operate out of. They use patents, copyright law and mergers & acquisitions to decrease the impact of competitors. They use tax loopholes to shift tax liability to cheaper locations or avoid paying it outright. In some cases they even leverage our government to do these things for them. Trade agreements open up new customer bases for companies and also open up new cheap labor for them to exploit. New tax breaks or loopholes are created which allow them to keep more of their profits. New regulations are written under the guise of protecting the public which can often raise the cost of doing business for smaller companies, decreasing competition. Computers and other forms of automation have also had a MAJOR impact on decreasing inefficiencies.

Here's the thing though. The rest of us, the "99%", live our lives as a result of those inefficiencies in business. The closer they can get to their ideal, the less of us that will have jobs. No jobs, no money, no food. Ironically, also no ability to buy their damn products, so I guess we'd eventually have the last posthumous laugh.

Back to Politics

Just to be clear for readers out there, I'm not against capitalism as an economic system. Corporations SHOULD be expected to act as I've described. Suggesting that business owners shouldn't try to make as much money as possible is absurd and would just be ignoring human nature.

What I am against is capitalism as a political system.

I believe the role of government should be to protect and ensure the prosperity of the population. Measuring this by the income of business while ignoring the income of the majority of the population doesn't achieve this goal.

Since the majority of the country survives by the inefficiencies of business, it should be the role of government to make businesses LESS efficient.

* Increase the cost of outsourcing jobs or importing products to make building at home the best financial option.

* Increase the minimum wage to something people could actually live off of.

* High progressive taxes on income for businesses in order to remove the incentive for industries to merge into a handful of mega corporations (two companies making $1b in profits in a 30% tax bracket would lose money by merging into a single company making $2b in profits in a 40% tax bracket for example). Progressive taxes on corporate income would also give an advantage to newcomers, increasing the amount of competition.

* Neuter patent and copyright law. Having a patent to allow a research company to recoup their expenses makes sense, but 20 years for inventions in technology is an absurdly long time period. Life of the artist + 70 years, or 95 years for work for hire is absurd for copyright. How does paying an artist's GRANDCHILDREN promote the arts? I'm thinking 5 years for patents and 10-15 for copyright.

* Kill any other de-facto monopolies. If a monopoly is necessary, perhaps it should be public works. For example, the last mile of internet access should be a public works project, funded by tax money. The internet access over those lines could then be run by corporations with a more level playing field for competition.

Basically, screw "incentive" programs. Penalize the undesired behavior, or just make it impossible to start with.

Health Care

When it comes to certain "industries", I'm not sure I see how they could run in a way that benefits mankind in a for profit manner. Health care is a big one, as well as education. Perhaps banking as well (yay credit unions). With hospitals, insurance companies and pharmaceutical companies all trying to maximize profit, the current ballooning cost of health care should be expected. Same with the costs of colleges. Education and health are just too important to treat people as "consumers".

TL;DR

I'm apparently a damn Socialist, or something.

So what am I missing? Other than the fact that the people currently in control would all be grievously injured by making these sorts of changes and would fight it tooth and nail, and the public would all say "NO SOCIALISM!!!"

Wednesday, April 21, 2010

Python Tivo Library

I've decided it's about time I start really learning to code, so I've picked a project and I'm working to see how much I can actually implement.

The long term goal of the project is to create a way to archive TV shows off of your Tivo and provide a mechanism to transfer the shows back on demand for showing. I'm working on creating it in Python, and as a starting point I've begun work on a general Python library for interacting with them. Right now, provided an IP address and your media access code, it can connect to your Tivo and give you a listing of all of your shows.

My eventual goal is to provide it both a web interface and an interface that the Tivo can use as well as add autodiscovery of tivo devices. I'd like to also tie it into pytivo for the show playback. One nice thing is that would allow you to compress the shows for better storage.

If anyone is interested in taking a look I'm hosting it at Sourceforge as a way to do revision control as well as learn Subversion a bit better (I'm more familiar with Perforce right now).

http://tivoarchive.sf.net

Wednesday, October 14, 2009

New blog available

Electr0n has set up a new blog for the ##security channel on Freenode, and has asked me to help with some content. I just posted there on Pastebin hacking in light of the recent Hotmail password fiasco.

Check it out.

Monday, August 17, 2009

Career "Advancement"

About 2 years back I left my job in an InfoSec group. That particular position wasn't the right fit for me anymore, and somehow I didn't think I would be a good fit for a security role in most other organizations. I don't have the pen testing experience needed for most security companies, and the thought of maintaining firewall rules at some retail house would bore the crap out of me.

Since then I've been struggling to find myself career wise. I spent some time in an IT role, and I'm now trying a more customer facing role. Still I find myself happiest in ##security on Freenode, answering people's security questions.

So, what now? Maybe someday I'll figure that out.

Thursday, March 05, 2009

The Wrong Tool for the Job

These days anti-virus and anti-spam are two very crucial components of a well run e-mail system. Due to how often spammers change their techniques, my company outsources this function to a vendor which provides both services. Both functions are designed and work fairly well.

Anti-Virus

For Anti-Virus they seem to run messages through multiple commercial anti-virus scanners on their servers. Messages that trigger positive are quarantined, and a notification will be sent to the site admin and/or the intended recipient of the message notifying them of what happened.

The site admin can report false positives to the vendor who will investigate and release a message if they can confirm that it was in fact a false positive. They also take an action to reduce future false positives based on what they find. These investigations tend to take 24 hours or so.

Anti-Spam

Spam tends to be a bit more subjective, so false positives tend to be higher than with viruses. Due to this, their anti-spam offering makes it a lot easier to both prevent and deal with these situations.

Spam messages can either be tagged for users to filter on their own, or they can be actively filtered and put into a quarantine on their servers. Unlike quarantined virus mail, quarantined spam can be accessed and released by users directly.

In order to prevent false positives, site admins are able to whitelist domains, e-mail addresses or IP addresses for specific mail relays. Whitelisting a domain is typically not a great idea in these days of e-mail address spoofing, but whitelisting individual e-mail addresses and relays works fairly well.

Where it falls apart

Sounds good so far, right?

Well, here's where it all goes wrong. It appears that anti-virus vendors have discovered that they can use their scanning engines to pick up certain types of phishing and scam e-mails, essentially adding anti-spam into their anti-virus product.

A phishing or a scam mail is SPAM, not a VIRUS. The difference here causes a big problem when you get spam levels of false positives while removing the user's ability to release their own messages and the site admin's ability to implement any sort of whitelisting.

That's when you start getting end user reports of mail threads with customers going missing. Add in a 24-hour turnaround time for releasing the messages when the problem is discovered and you start to consider deep-sixing your vendor.

Tuesday, March 03, 2009

Wooo.. Kindle

Being a big reader and a tech gear junkie, I was rather tempted when Amazon announced the Kindle back in 2007. Somehow I managed to hold out on buying it until they announced the 2.0 version in early February. I pre-ordered it right away, and got my hands on it just last week.

So far, I like it. It's thinner than I expected. Definitely very easy to use. I can hold it in one hand and access most of the controls that I need to read a book. The left side has the "Previous Page" and "Next Page" buttons, while on the right side the "Previous Page" button is replaced by a "Home" button. Since I tend to read books in one direction, this seems to work fine.

The free built-in wireless is great for getting books, and occasionally pulling up text-only web sites. Due to the rather slow refresh on screen changes, using it as a regular web browser is a bit tough.

My biggest complaint is the DRM for files through the Kindle store. After being bitten by DRM from the iTunes Music store, I definitely have a bad taste in my mouth over DRM. Luckily there are other options out there.

The first for me is Many Books. They offer a lot of free content in quite a few eBook formats, including both the native Kindle format and Mobibook which the Kindle also supports. They even have a Mobile Interface which works well from the Kindle itself. Most of the content has elapsed copyrights (older books), but there are occasionally newer books either available with sample chapters or content that was published under a Creative Commons License.

Next was O'Reilly. Being a big tech book reader, I have a lot of O'Reilly books.

O'Reilly offers a number of their books in DRM-free E-Book formats, including the Kindle supported Mobibook format. They're not free, but I don't have any objection to paying for content, just having its usage limited by DRM. They even provide free updates to the books as new revisions are published. I just wish they made it a bit easier to get a list of just their books available in E-Book format.

While I definitely like the Kindle, the only thing I'm not sure about at this point is if it was worth the cost or not. The Kindle costs $360. Sony's offering is quite a bit cheaper, although I have no idea how it compares feature wise.