Thursday, November 27, 2008


So there I was, trying to build SPIKE in an Ubuntu 8.10 VM. GCC gave about 9,000 warnings, then said something like this:

/usr/bin/ld: (blahblahblah): hidden symbol `__stack_chk_fail_local' in /usr/lib/libc_nonshared.a(stack_chk_fail_local.oS) is referenced by DSO

Since it took me longer than 10 minutes to find the solution, I'm posting it here. The solution is to manually edit the Makefile and add "-fno-stack-protector" to the CFLAGS. Then make clean; make. The end. Happy Thanksgiving.

Friday, October 10, 2008


Saturday, August 30, 2008

libpcap 0.9.8

Because is shit, and I had to scour pages to the ends of the internet to find this, I'm putting it here in this easy-to-find location. Enjoy the fruits of my labor.

Download libpcap-0.9.8.tar.gz

Wednesday, August 13, 2008

Broadband Speed and Whiny McCryface

Every now and then one of these stories comes along saying "WAAAAAAAAAAAAH, the United States has broadband that's way slower than everyone else in the world!"

Let's ponder this for a moment. Can you think of a reason why Japan, South Korea, and France have more bandwidth on average?

Maybe it's because, compared to the United States, they're THE SIZE OF A FUCKING POSTAGE STAMP?

I mean, I have a network in my living room that has over fifteen fucking times the bandwidth Japan does. It's called a gigabit LAN, and at this rate it'll take Japan a few millennia to catch up to its "speed." The United States will never catch up, largely because the United States is a big bunch of retarded stupidheads (at least that's the implication in most of these articles). What do we even know about the internet, anyway? Like... nothing. We basically copied it from Japan.

Thursday, July 17, 2008

Slippery slope

Today, this.

Tomorrow, kids are downloading and printing handbags, TVs, and cars.

(And yes, I most certainly would steal handbags, TVs, and cars, if they cost 100 times what they should and if I could download them for free with a trivially small chance of getting caught.)

Saturday, July 12, 2008

Failing Windows Updates

After installing Service Pack 3 on a Windows XP Pro machine, I needed to download some security updates. After downloading the updates, Windows Update informs me that it cannot install them. I've had this problem before and just reformatted every time it happened, but this time it was personal. It ends up being a simple fix:

Go to Start/Run/cmd.exe

run the following commands:

net stop wuauserv

regsvr32 C:WINDOWS\system32\wups2.dll

net start wuauserv

Finally, run Windows update again.

Wednesday, June 11, 2008

Have faith in humanity?

Then read this rant at Attrition. They should know what they're talking about; after all, they keep better tabs on data loss than anyone else I've heard of.

I kinda wish one of those incidents would happen to the credit bureaus ("Experian accidentally posts complete credit history of everyone in the world to the Pirate Bay"), and then maybe we could get this silly outdated shit behind us.

Monday, June 9, 2008

A Lighter Ubuntu

To display all of the installed packages in Ubuntu (installed via apt) by size, use the following command:

dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -nr | less

To uninstall packages completely as if you were making a live-cd, use:

apt-get remove --purge package name

There is a new package called remastersys in the repositories that make creating a live-cd simple.
The howto can be found at:

Sunday, May 25, 2008

Verified By Idiots

Yesterday I was helping a friend order something online. It was the first time she'd used her Visa card to purchase something on the internet, so she had to go through the steps to create a Verified By Visa password. Verified By Visa is a service that Visa performs that basically creates an out-of-band authentication whenever you make a purchase with participating retailers. So basically, it adds another bit of authentication to your purchase - not only do you need the credit card details and CVV, but also this password you set up with Visa.

So far, so good. I really can't complain about that. Problem was, when my friend tried to enter her usual password, which is a decent password (non-dictionary, both letters and numbers), a Javascript alert box popped up saying her password did not meet the Password Policy, please try again. It didn't say why.

So she and I started trying all kinds of things to make her password better, introducing more characters, mixed case, more numerals, special characters, all over the place but to no avail. Same message every time. At this point, I was already annoyed that they do this checking client-side (hence the Javascript alert box) and I considered bypassing the script and forcing it through anyway. But, just to be a good sport, I decided to look at their code to find out what the damn Password Policy requires.

Let me back up: I had to look at the code because I looked at the "Verified By Visa" FAQ pages about password requirements and they said that the password policies are set by the card issuer. Well then.

So I viewed the source of the frame containing the Verified By Visa password entry form. I didn't see the code for the alert box there, so I looked for includes that might contain it. "pwdbase.js" looked promising, and sure enough, there it was. The javascript file is currently here . (Yes, the card was issued by Wells Fargo.)

So I looked through the code, found the alerts about the password policy, and finally found the offending code:

else if( (/\W/).test(document.passwdForm.pin1.value) || (document.passwdForm.pin1.value.length < 6) || (document.passwdForm.pin1.value.length > 8) )
alert("Your password does not conform to the Password Policy. Please try again.");
return false;
I almost couldn't believe it, but I know people are idiots. The reason it wouldn't accept the password is that PASSWORDS CANNOT BE LONGER THAN EIGHT CHARACTERS, and hers is longer.

Un-fucking-believable. Let alone the fact that they do their checking client-side, which at best is unnecessary (if they're not brain-dead and do checking server-side too), and at worst allows any password to be sent, even a blank one. Let alone their popup boxes that tell you nothing (browsing the code, you can see one that helpfully says "isbad " and then the password you entered). This extra bit of security, that involves your name, address, SSN, and PIN (they have to verify that you're you when you set your password, after all), cannot be longer than eight characters. And I'm pretty sure, looking at the rest of the code, that it can only contain letters and numbers.

I wish this weren't so commonplace, but the fact is, I have to have a dumbed-down password that I can use for online shit like this. I had to make it exactly eight characters, and remove the special characters from it. But to see this from a BANK? In a measure that's supposed to IMPROVE security?

So I went to the website for the Wells Fargo Verified By Visa thing and I used their little contact form to send them an email. The gist of it was "Are you INSANE? I'm glad I'm not a Wells Fargo customer, and with this I'll probably never be one, since I don't know if I can trust my data with a company that does this." They emailed me back:
I understand your concern about the Verified by Visa program. This program is run by Visa directly.

For information about Verified by Visa, please contact them directly at 1-800-318-9617 for enrollments with check cards or 1-877-262-8636 for credit card enrollments. Bankers are available to assist you 24 hours a day, 7 days a week.

Chris Cataldo
Wells Fargo Online Customer Services
No, idiot. Fuck. I know it's not Chris's fault he doesn't understand the problem. But at least he could have asked his manager about it or something.

And what about these Arcot jackasses? Apparently they run all the "Verified By" programs. Maybe they could enforce a little password common fucking sense of their own? But then, their banner graphic says it all: "Strong authentication so simple, even a child can use it." Well, sorry, but I don't think credit card authentication should be so simple a child can use it. Grownups should be able to do more to protect themselves than children can. Of course, experience would suggest they can't, since everyone's inclined to type "password" into every box asking them to set a password. Maybe Wells Fargo is onto something after all, and the world isn't ready for passwords longer than eight characters. (Although if their shitty Javascript is any example, maybe someone has already snatched their client database, and if they want passwords, they only need to generate tables for six- to eight-character alphanumeric strings. Have fun!)

So here we have a team effort to produce crappy security: Arcot, not putting an ounce of effort into guaranteeing protection in the systems they set up; Wells Fargo, having client-side Javascript checking to enforce their retarded password policy; and people in general, doing the best they can to make sure it's easy to steal their data. As someone who's supposed to go forth and protect the people in general, I know I need to get used to the idea that they're trying to be bigger idiots than idiot-proof systems can handle. Fine. But it's just really disappointing to see such negligence and stupidity on the part of a bank and a credit card protection system, who should fucking know better.

Wednesday, May 21, 2008

mod_security on Debian Etch

For licensing reasons, mod_security is no longer in the Debian repositories. To add it there, add the following to /etc/apt/sources.list:

deb ./

Then add the gpg keys with the following commands:

gpg --keyserver --recv-keys C514AF8E4BA401C3

gpg --export -a C514AF8E4BA401C3 | sudo apt-key add -

sudo apt-get update

You can now install mod_security to Apache2 through apt:

apt-get install libapache2-mod-security2

Wednesday, April 30, 2008


Here is Brad and I's Anti-Forensics presentation given at the Nebraska Cyber Security Conference on April 22, 2008.


Tuesday, April 15, 2008

anyway, this cake is great

it's so delicious and moist

Thursday, April 10, 2008


Here is something you can drag up to your bookmark toolbar in Opera, Firefox, and IE to clean up annoying web pages.

Simply drag the link to the bookmark toolbar.
To clear CSS: ClearCSS

Tuesday, March 25, 2008