Wednesday, 30 October 2013

What is known about the Adobe breach now and what is in store

If you have ever used Adobe's services in your lifetime, reset your password there, whether you know you signed up for an account or simply cannot remember. It doesn't matter whether Adobe themselves have reached out to you or not: reports of 38 million accounts being at risk were incorrect; the real figure is 153 million. This was mentioned in Krebs's article, but news reports other than his are throwing around erroneous figures.

The source of the aptly named "users.tar.gz" was a Russian website that I had been monitoring for a few days. A user eventually re-shared it when the link went dead, and a kind fellow worked out a safe way to download it in a reasonable period of time, since the person who reposted it used an ad-supported file sharing website. In the end, it cost 2 EUR to download the file.

It's now in the hands of many researchers including myself.

Here are some facts that a number of us looking at the leaked user data have established so far:

  • The exact count of the leaked credentials is at most 153,004,874. This has yet to be confirmed, but in conversations with a friend who is also looking at the data, it worked out to about 50 duplicate accounts for every 10,000.

  • Passwords are stored encrypted with DES. There is one global key as opposed to a unique one for each user.

  • It should also be kept in mind that not every user account has a password listed in this file. That is not to say that no password was leaked for any of those accounts, but don't take it as any kind of assurance.

  • Users range from businesses, to governments, to NGOs, and to people like you and I.

  • The most commonly used passwords were "123456", "password", "123456789", "12345678", and "qwerty". This was determined not by breaking the passwords but from the hints that users stored in the password recovery details.

The leaked data is also stored in this format (with user details removed):
103251644-|--|-[...]|-7ZANzFDeVNU=-|-only password|--
103251834-|--|-[...]|-L8qbAD3jl3jioxG6CatHBw==-|-? password|--
103252332-|--|-[...]|-N/Bo4qtibWs=-|-where is my password?|--
103252463-|--|-[...]|-//mMaopP+fE=-|-habbo password|--
103252538-|--|-[...]|-8rGaJa+8UUSY41q03G/5+A==-|-real password|--
103252720-|--|-[...]|-YQR6szpR2NTioxG6CatHBw==-|-gmail password|--

One excerpt from an e-mail I had received earlier should be taken into account as well:

Actually, I think it's double DES for the longer ones. Just two DES
concatenated, one for first 8 char and one for second. You can see
that a lot of the longer passwords have the same ending. This happens
because many second halves of passwords longer than 8 char will be the
same. For instance, a 9 char password will only have 1 char and 7
blank spaces in its hash. Also, this is terrible. You should be able
to easily figure out the salt as well.

If you think that Rock You was bad, Adobe will make it look like it was just a passing fart.

Again, I do suggest that if you think you might have given your details to Adobe that you just reset your passwords if you have not already.

Edit: Adobe clarified that the passwords are all DES as I suspected (or 3DES to be exact). I did make an erroneous assumption about it being another hashing function but that has been proven to be otherwise.
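As an added example (my own code, not from this post and not Adobe's), the script below reproduces the point made in the e-mail above and shows how an auditor would spot it in a dump. It uses a toy 8-byte Feistel cipher built on HMAC-SHA256 as a stand-in for 3DES (the Python standard library has no DES), applies it in ECB mode with one global key and zero padding as the e-mail describes, parses the record format shown above using the six sample lines, and counts repeated ciphertext blocks: the two 24-character (16-byte) values in the sample share their second block. The global key, the padding scheme, the toy cipher and the record regex are assumptions; the salted PBKDF2 hash at the end shows what a password store should hold instead.

```python
import base64
import hashlib
import hmac
import os
import re
from collections import Counter

BLOCK = 8  # DES/3DES block size in bytes

# Toy 8-byte block cipher: a 4-round Feistel network with an HMAC-SHA256 round
# function. A stand-in (assumption) for 3DES so the example runs offline; the
# ECB property only needs a deterministic per-block cipher under one key.
def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def ecb_encrypt_password(key: bytes, password: str) -> bytes:
    """ECB with one global key and zero padding (assumed, as the e-mail describes):
    each 8-byte plaintext block maps to one ciphertext block regardless of which
    account it belongs to, so a shared tail gives a shared final block."""
    data = password.encode()
    data += b"\x00" * (-len(data) % BLOCK)
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

# Record format from the excerpt above: ...|-<base64 password>-|-<hint>|--
RECORD_RE = re.compile(r"\|-([A-Za-z0-9+/]+=*)-\|-(.*?)\|--$")

def parse_record(line: str):
    """Return (ciphertext bytes, hint) for one dump line, or None if it does not match."""
    m = RECORD_RE.search(line.strip())
    if not m:
        return None
    return base64.b64decode(m.group(1)), m.group(2)

def repeated_blocks(ciphertexts) -> dict:
    """Hex of every 8-byte ciphertext block that occurs more than once, with its count.
    Under ECB and a global key, a repeat means the same 8 plaintext bytes."""
    counts = Counter(ct[i:i + BLOCK] for ct in ciphertexts
                     for i in range(0, len(ct), BLOCK))
    return {blk.hex(): n for blk, n in counts.items() if n > 1}

def audit_dump(text: str) -> dict:
    parsed = [p for p in map(parse_record, text.splitlines()) if p]
    return repeated_blocks(ct for ct, _ in parsed)

def salted_hash(password: str, salt: bytes) -> bytes:
    """What a password store should hold instead: a per-user salt and a slow hash,
    so equal passwords give unrelated outputs and there is nothing to decrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Sample records copied from the excerpt above (user details already removed).
SAMPLE_DUMP = """\
103251644-|--|-[...]|-7ZANzFDeVNU=-|-only password|--
103251834-|--|-[...]|-L8qbAD3jl3jioxG6CatHBw==-|-? password|--
103252332-|--|-[...]|-N/Bo4qtibWs=-|-where is my password?|--
103252463-|--|-[...]|-//mMaopP+fE=-|-habbo password|--
103252538-|--|-[...]|-8rGaJa+8UUSY41q03G/5+A==-|-real password|--
103252720-|--|-[...]|-YQR6szpR2NTioxG6CatHBw==-|-gmail password|--
"""

if __name__ == "__main__":
    key = b"one-key-for-everyone"  # constructed; a single key, as in the leak
    a = ecb_encrypt_password(key, "password1")
    b = ecb_encrypt_password(key, "letmein!1")
    print("shared second block:", a[8:] == b[8:])   # both end in "1" + 7 zero bytes
    print("repeated blocks in sample dump:", audit_dump(SAMPLE_DUMP))
    s1, s2 = os.urandom(16), os.urandom(16)
    print("same password, different salts, different hashes:",
          salted_hash("password1", s1) != salted_hash("password1", s2))
```

The audit works on any dump in this layout and needs no key: a repeated block count is itself the finding, because with a hash or with a per-record salt or IV no two records would ever share ciphertext.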

Tuesday, 29 October 2013

Using a Bitcoin ATM

Today I was one of the first people in the whole world to use an in-service ATM built specifically to purchase and sell Bitcoins as one was put into service today here in Vancouver. I've never really been too big into Bitcoin (or "BTC") in the past although I did at one point have 4 BTC (which at its peak would have been worth something like $1,000 CAD), but I had lost the wallet file associated with it. I did also briefly mine Litecoins, an alternative to Bitcoin, but I lost interest in the idea very quickly.

The number of people who were at the coffee shop was minimal, maybe a dozen or so even though it was lunchtime. Admittedly the coffee shop is a bit away from the central business district of downtown Vancouver, but there were plenty of offices and businesses around, so I found it surprising that there were not many people about. Nonetheless, there were people who did not appear to be tech-centric who did in fact take a sip of the BTC Kool-Aid and throw some money at it. Surprisingly, the one individual who qualified in this category threw $100 CAD into the machine. She appeared to be visiting from rural British Columbia too, as she was wearing a badge for a conference, representing a real estate agency from outside of the Lower Mainland.

The machine itself is more kiosk-like than ATM and I do have some criticisms about how you are to use it. For example, if you wish to purchase Bitcoins, you have to enter bills at the bottom of the machine, requiring you to bend down to do so. This isn't the end of the world of course, but people would complain if those horrid self-checkouts required you to do so or if an actual bank-issued ATM required you to put the card on the side.

To comply with Canadian money laundering laws, you are required to use a palm scanner to verify your identity. This makes sense except for one problem: the people behind the ATM's operations must approve your palm.

For this visit, the approval of my palm was instantaneous as they had staff on hand to monitor the machine and verify that it wasn't mixed up with anyone else. However, in conversations with one of the ATM's owners, I was informed that approval would otherwise take upwards of an hour (possibly more I guess) as they must do the approvals manually. This seems awfully silly as why would I use a machine that requires me to spend an hour to wait for approval? It is things like this that will limit acceptance of BTC if acceptance is at all possible.

I did decide to take the plunge and purchase some BTC. I only had a $20 note on me so I decided to just use that for the purposes of the experiment. As evident in the above image, you can only purchase Bitcoins in $20 or $100 increments, up to $1,000 CAD. The $20 note ended up equating to 0.092 BTC at the time, but I didn't get the opportunity to ask if it was a fixed rate for the day or if it was a live conversion. The going rate for 1 BTC was $218.26 CAD.

I did not have a wallet at the time either so the machine provided me with one and also gave me a private key in the form of a QR code printed on a receipt. I later went and enabled the wallet on my laptop at the office and do now see my BTC inside. I also got a receipt for the purchase of the coins I had made too.

Processing of the transaction took about an hour before it showed up on Blockchain. I have to admit, even with all of its quirks and delays, it actually is rather painless to use once you've gotten used to the awkward palm scanner.

Now one thing I will be honest about: I am still not convinced about Bitcoin. It's neat, I can see people making a lot of money from it, but overall I am just not a "Bitcoiniac" so to speak. If people want to send me BTC, I am cool with that, but I just don't have as much excitement over it.

And yes, please send me some Bitcoin if you desire!

Also if you're reading this, do give Canary a look see as that is my main project.

Wednesday, 16 October 2013

Compass card: a review

I was one of the lucky recipients of a Compass card that is due to be launched in the next half-year.

Due to my being away in Europe for a good chunk of the testing programme and having Canary to work on, I haven't had the time to play around with the card as much as I want to so what you're getting here is pretty much the raw data. I can gladly answer any questions if you e-mail me.

I do have friends in the local Vancouver information security scene that are poking at the system themselves.

Tapping in and out and flaws

The system in place works no different than other systems such as San Francisco's Clipper card. Boarding a bus or entering a station takes one simple firm tap on the reader (needs to be held down for a half-second) and that will be enough to transmit a signal to and from the card and the reader. It could be a bit slow for a bus, but with enough gates, it won't be an issue at any station.

However, due to the zone system that is currently in place, it is quite easy to board a bus and then once at the back, you can tap out. As you can see in the image above, tapping out too fast will present that above message. Yet if you wait just a few seconds after the bus has started to move, you can immediately tap out.

You can repeat this on the bus at least twice in a row, but the system does lock you out if you attempt to tap more than four times in one trip. I haven't tried this more than once, but my fifth and subsequent taps resulted in the same error as above being shown. The card did work, however, when I entered a SkyTrain station at the bus' terminus.

This flaw was publicised earlier this week and the response from TransLink was nothing more than how much life will be better with the new Compass card system. Needless to say, I am almost certain that they were aware of this issue from the get go and to be honest, it's not much of a flaw to begin with seeing that there aren't that many bus routes that require multi-zone fare and if they do, they generally require you to tap into a gate at some point since they connect to a SkyTrain station.

The loophole so far doesn't exist within the SkyTrain system as you do need to tap out to physically leave the station. This issue will be more apparent when TransLink eventually adopts a distance-based system, but I imagine that the buses will be taken into account.

Contents of the card itself

So for those who are curious about it from a technical stance, the Compass system uses a Cubic implementation of MIFARE DESFire EV1. At this time, the proprietary standard does not have any known vulnerabilities, but I have included the raw details about it below.

# IC manufacturer:
NXP Semiconductors

# IC type:

# DESFire Applications:
1 unknown application

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes

-- EXTRA ------------------------------

# Memory information:
Size: 4 kB
Available: 4.0 kB

# IC detailed information:
Capacitance: 17 pF

# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA3417AE30
Production date: week 08, 2012

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [,,]
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 309 ms
* Extended length APDUs not supported
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
MIFARE Classic support present in Android

# Detailed protocol information:
ID: 04:48:0B:F2:59:22:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x067577810280
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|

# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration:
- AES key
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
- PICC key version: 129

Application ID 0x000001
* Key configuration:
- 14 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Key itself required for changing a key
* 1 file present

- File ID 0x00: Standard data, 384 bytes
~ Communication: with MAC
~ Read key: key #1
~ Write key: key #2
~ Read/Write key: key #2
~ Change key: master key
~ (No access)

I do suggest that you look into Adam Laurie's RFIDIOt site if you're interested in looking at the card for yourself.
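As an added worked example, not part of the original post and not from any Cubic or NXP tooling, here is a small Python parser for the ISO/IEC 14443-4 ATS printed in the dump above (0x067577810280). It decodes TL, T0 and the optional TA(1), TB(1) and TC(1) interface bytes and derives the same values the reader displayed: FSCI 5 gives a 64-byte frame, FWI 8 gives 77.33 ms, SFGI 1 gives 604.1 us, NAD unsupported, CID supported, historical byte 0x80. The bit layout follows ISO/IEC 14443-4; the SAK and UID helpers are my additions for the other two values in the dump.

```python
FC_HZ = 13_560_000  # ISO/IEC 14443 carrier frequency
FSCI_TO_BYTES = [16, 24, 32, 40, 48, 64, 96, 128] + [256] * 8  # FSCI 0..15

def parse_ats(ats: bytes) -> dict:
    """Decode an ISO/IEC 14443-4 Answer To Select: TL, T0, optional TA(1)/TB(1)/TC(1),
    then historical bytes. Bit positions follow the standard's interface byte layout."""
    if not ats or ats[0] != len(ats):
        raise ValueError("TL must equal the ATS length")
    info = {"tl": ats[0]}
    if len(ats) == 1:            # T0 absent: protocol defaults apply
        info["historical_bytes"] = b""
        return info
    t0, pos = ats[1], 2
    info["fsc_bytes"] = FSCI_TO_BYTES[t0 & 0x0F]
    if t0 & 0x10:                # TA(1): bit rate capabilities
        ta1, pos = ats[pos], pos + 1
        info["different_rates_allowed"] = not ta1 & 0x80
        info["ds_kbit"] = [106] + [r for bit, r in ((0x10, 212), (0x20, 424), (0x40, 848)) if ta1 & bit]
        info["dr_kbit"] = [106] + [r for bit, r in ((0x01, 212), (0x02, 424), (0x04, 848)) if ta1 & bit]
    if t0 & 0x20:                # TB(1): frame waiting time / start-up frame guard time
        tb1, pos = ats[pos], pos + 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        info.update(fwi=fwi, sfgi=sfgi,
                    fwt_ms=round(4096 / FC_HZ * (1 << fwi) * 1e3, 2),
                    sfgt_us=round(4096 / FC_HZ * (1 << sfgi) * 1e6, 1))
    if t0 & 0x40:                # TC(1): protocol options
        tc1, pos = ats[pos], pos + 1
        info["nad_supported"] = bool(tc1 & 0x01)
        info["cid_supported"] = bool(tc1 & 0x02)
    info["historical_bytes"] = ats[pos:]
    return info

def sak_iso14443_4(sak: int) -> bool:
    """SAK bit 6 (0x20) set means the PICC speaks ISO/IEC 14443-4 (needed for DESFire APDUs)."""
    return bool(sak & 0x20)

def uid_manufacturer(uid: bytes) -> str:
    """The first UID byte is the IC manufacturer code; 0x04 is NXP Semiconductors."""
    return {0x04: "NXP Semiconductors"}.get(uid[0], f"unknown (0x{uid[0]:02X})")

if __name__ == "__main__":
    # Values copied from the dump above
    print(parse_ats(bytes.fromhex("067577810280")))
    print(sak_iso14443_4(0x20), uid_manufacturer(bytes.fromhex("04480BF2592280")))
```

Both timing values come from the same base unit, 4096 carrier periods (about 302 us), scaled by 2^FWI and 2^SFGI respectively, which is why a one-nibble change moves the frame waiting time from microseconds to tens of milliseconds.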

Monday, 29 July 2013

Have you read your own privacy policy?

I recently came across Aetna's privacy policy and found this curious paragraph:

Please note that your e-mail, like most, if not all, non-encrypted Internet e-mail communications, may be accessed and viewed by other Internet users, without your knowledge and permission, while in transit to us. For that reason, to protect your privacy, please do not use e-mail to communicate information to us that you consider confidential. If you wish, you may contact us instead by telephone at the numbers provided at various locations on our sites or, in the case of our health plan members, at the Member Services toll-free number that appears on your ID card.

The part in bold is the interesting part. It's a pretty basic "contact us with details provided on your health card" statement, but the request in itself is not what got my attention.

In fact, the whole privacy policy itself is fine at least from a non-lawyer perspective. It was written to protect Aetna's assets and is there to provide you with your rights and responsibilities should you have questions about how data is being gathered.

Why am I writing about this then? Let's search Google for the last part of that bold statement: we'll find a lot of sites using it. I am fairly certain that the original is the one from Aetna above. All in all, we have over 12,000 results for that particular statement, with the privacy policy tweaked to whatever the author desires. This originally stemmed from a conversation on Full Disclosure.

We have emergency locksmiths, Taiwanese electronics companies, CNC instructors, Indian schools, insurance brokers, and even a law office all using this generic statement.

So who owns this particular policy and why are people seemingly copying it and then just making slight changes? Based on the context, I would gather that this is Aetna's privacy policy but is it really theirs? I have no proof but being that they're a health insurance provider, it would make sense for them to refer to this ID card.

My guess for everyone else is that with exception to the law office, the reason for having done so is a lack of readily available lawyers and the desire to have a boilerplate document for anyone to read. I can at least tell you for one that this marketing firm lifted theirs from Aetna as the name still appears in it.

I'd imagine that there is copyright violation here too, but again I am not a lawyer so I cannot say this is for certain.

It might be time for these site owners to review their privacy policy.

Thursday, 25 July 2013

Do not filter my Internet

I don't care about your opinion on pornography as it is irrelevant to what I am about to say: we do not need to have "opt-out" options for what content we want to see on the Internet.

Winnipeg MP Joy Smith has suggested that we follow the lead of the United Kingdom and make it so that if you want to have access to pornography, you must opt out of a filter that is on by default. What Smith is proposing is having a list of people who look at pornography.

If you think that the opt-out idea is a good one, read ahead and think about this.

Here's a quote from her via the CBC:

"We’re talking about protecting children. We’re not talking about adults. Adults can log onto their ISP computers, check on the box and turn off the filter," she said.

And then her interview with CTV:

"Child exploitation, human trafficking is a worldwide issue," Smith told CTV's Canada AM. "The Internet is being used to harm children and I think this is just a common sense approach, another tool that parents can have to protect their children."


"It doesn't censor an adult at all, because all the adult has to do in his home or her home is walk over to their computer, log on and check a little box that shuts the filter down. But it does protect the children," she said.

We see a common theme here: "children". What is Smith going on about here? Are children actively searching for pornography or is she concerned that not having a porn filter will lead to these children being exploited? If the former, then parents need to be involved in how their kids use the Internet and if it is the latter, then we already have legislation to deal with that problem. Does Smith understand what she is talking about or is she instead trying to make a name for herself? I'd argue it is the latter and to be honest, she doesn't come off as very intelligent in the process.

This isn't the first time that Internet-centred legislation from Smith's party has been turned into a crusade to protect the children. Last year, former Public Safety Minister Vic Toews tried to force through legislation that would allow police to monitor Internet activity without a warrant. During the uproar over it, Toews in his infinite wisdom accused those who were against the bill of being either with the Tories or with the child pornographers. He later took a step back and the bill failed to pass.

What is the fascination with the Tories and drafting Internet legislation that is archaic?

Now back to the content here: pornography. If we permitted this opt-out feature, what is to stop us then being required to opt out of filters that prevent us from viewing sites belonging to governments or non-profits that the sitting government of the day doesn't like? How would you like to have all of your Internet activity monitored to ensure that you meet the requirements of the government? You may not like the David Suzuki Foundation (the Tories certainly do not), but perhaps your neighbour does and is a regular donor? What if you're actively involved with a group like the Fraser Institute and say a left-leaning government is in power? What if you decide to apply for a job at the city and based on your browsing behaviour they determine that your political ideals do not match theirs and as a result you're not hireable?

Or let's go a step further: what if you're a citizen of Iran and want to renew your passport? The sitting government right now doesn't have much love for the Iranian government so would you like to end up on some watchlist because of your browsing behaviour on Iranian websites?

Going back to protecting children briefly, what are we trying to do with such legislation? If we're trying to prevent child pornography for example, then this law isn't going to do squat. You are unlikely to go on a public search engine, punch in specific key words, and find child porn on a website that is reachable via normal means. I won't go into technical detail, but there are underground networks that exist within the Internet that do not get crawled by the services you and I use daily. The vile behaviour of these people who collect and share the exploited images are not going to easily show up on Google Image Search.

If you're honestly afraid of your kids being exploited, then monitor their Internet activity like a responsible parent should do. It should also be noted that the vast majority of child exploitation is done by someone already close to the child. It is nowhere near as common for random strangers to be exploiting children at random.

It isn't a matter of what party is in power either. It's a matter of what is right: privacy. You may have nothing to hide you might say, but it isn't in your best interests to rail against those who do value it. It is not a crime to be private about your daily affairs and it should never be. My browsing behaviour is none of your business and likewise yours is none of mine.

If you support having porn filters on the Internet, then install one at home if you're fearful of what might come in. However, don't help vote in laws that would disgust those who died trying to keep the freedoms that you and I still have today.

Monday, 8 July 2013

Docker... why are you doing things this way?

So Docker went and posted this on their website providing instructions on how to install their desktop software:

root@host:~# curl | sh

What does the script do besides running blindly as root? Well if we take a look at their git repository, we can find this file and see inside:

# Add an user called docker and set its password as docker
RUN useradd -m -d /home/docker -p aaOLN9pfuDGV. docker
RUN sed -Ei 's/adm:x:4:/docker:x:4:docker/' /etc/group
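An added example, not from the original post and not from Docker's repository: a small Python linter for the two problems above, a password hash baked into an image with `useradd -p` and a remote script piped straight into a shell. The rules are regular expressions I wrote for this illustration, run here against the Dockerfile lines quoted above; the install URL in the pipe-to-shell sample is a placeholder, since the original post's link is not reproduced here.

```python
import re

# Rule 1: a password (hash) handed to useradd/usermod, or echo'd into chpasswd,
# ends up in the image layer for everyone who pulls it.
HARDCODED_PASSWORD = re.compile(
    r"\b(?:useradd|usermod)\b.*?\s(?:-p\s+\S+|--password(?:=|\s+)\S+)"
    r"|\becho\s+\S+:\S+\s*\|\s*chpasswd\b"
)
# Rule 2: a remote script piped straight into a shell runs unread, with whatever
# privileges the caller has (root, in the install instructions above).
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")

RULES = (("hardcoded-password", HARDCODED_PASSWORD), ("pipe-to-shell", PIPE_TO_SHELL))

def lint(text: str):
    """Return (line number, rule name, stripped line) for every line that trips a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # comments are not instructions
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((n, name, line.strip()))
    return findings

# Dockerfile lines quoted above
DOCKERFILE_EXCERPT = """\
# Add an user called docker and set its password as docker
RUN useradd -m -d /home/docker -p aaOLN9pfuDGV. docker
RUN sed -Ei 's/adm:x:4:/docker:x:4:docker/' /etc/group
"""

# Placeholder URL; the original post's install link is not reproduced here
INSTALL_ONE_LINER = "curl https://example.invalid/install.sh | sh"

if __name__ == "__main__":
    for finding in lint(DOCKERFILE_EXCERPT) + lint(INSTALL_ONE_LINER):
        print(finding)
```

The clean alternative that passes both rules is to download the script to a file, check its digest against a value published out of band, read it, and only then run it, and to create service users with no password at all.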


Since Docker doesn't provide an easy method for me to contact them, I've opened a case on this matter in their Github and I guess will wait and see what the response will be.

Monday, 24 June 2013

Marketing deception is not a way to win me as a customer

I own a car. As a requirement of owning a car that consumes petroleum fuel, I must take it in for servicing every few thousand kilometres or every six months, whichever comes first. During this servicing its fluids and lubricants are changed and the parts are checked for any required maintenance. While a bit of a hassle, it's necessary to ensure that my vehicle continues to operate for as long as possible.

Conveniently, a car dealership that services my brand of car is located en route to my office downtown. I choose to take my car there because the dealership where I had gotten my car in the first place is not located in a convenient spot and requires me to pay a toll to go and pay a visit. I can drop my car off at this place and they offer a nice shuttle service that will drop me off at my office. When I am done working for the day, it's just a short train and bus ride to pick up my car.

This is the relationship I expect to have with Destination Hyundai. They service my car, I pay them to service my car, I go home with my car, and business continues on as usual for all parties.

This is not the relationship I expect with Destination Hyundai. Why do I need an SMS message? Are you going to pay for the messages received on those with plans not as gracious as mine?

This is also not the relationship I expect with Destination Hyundai. Inside was 'awesome' details on 84-month financing at 0% interest with the purchase of a new car. Why do you guys think that I need a new car?

When I got the spam message, I was pretty livid and posted the above screenshot on Twitter. They were kind enough to provide me with an opt-out option, but when did I opt in to the direct marketing? When did I opt in to the deceptive letters being delivered to my mail?

After ranting about it on Twitter, I eventually got a call from one of their marketing coordinators. It was explained to me that they were really sorry about this and that I had been removed from their marketing list. Of course, I had questions for her and she was unable to answer some of these:

  • After stating that an employee at the service desk had likely selected me for being included in their marketing, I then asked if that employee was to get a 'spiv' out of the deal. Being involved with marketing, she was unable to answer that question.

  • When asking her about the physical letter I received in the mail, she told me that a third party mailer was sending these out and that she would investigate. I don't buy this one because if you're in charge of marketing, you're going to know how these are going to be sent out. It's either scummy at its finest (and I question if it is even legal but I am not a lawyer either) or the people at the helm of marketing are woefully unaware of things.

  • Lastly, a policy the dealership has is to add their own licence plate frame around the car's set (and replace the existing ones too) to advertise their business. You also have to opt-out of this and this policy of theirs ended up with their dumb frames on both my car and my girlfriend's. The coordinator was unable to explain this one to me.

Here's some context on the last point:

I didn't ask for them to install these borders. They just went ahead and installed them. When I took my car in for servicing the next time around, I requested that they remove them and so they did. When my girlfriend had her car serviced there recently, she too had the borders added to her plates (after they had removed the original dealership ones).

The licence plate one really is the one thing that makes me not believe that this me being forced to accept their marketing was a mistake. It is on this basis that I do not buy that customers are opted-out by default. This is not a relationship I wish to engage in.

So as a result, I will take the inconvenient option to get my car serviced as opposed to visiting Destination Hyundai.

Monday, 10 June 2013

Thanks to Sony, the concept of sharing games has been simplified

I wonder if this is doable on the Playstation 3, Playstation 2, Playstation, Sega Dreamcast, Sega Saturn, Sega Genesis, Sega Master System, Sony Playstation Portable, Nintendo Wii U, Nintendo Wii, Nintendo Gamecube, Nintendo 64, Super Nintendo, Nintendo Entertainment System, Nintendo 3DS, Nintendo DS, Game Boy Advance, Game Boy Color, Game Boy, or Virtual Boy?

What about other or obscure consoles like the 3DO, Atari Jaguar, Atari Jaguar CD, Atari 2600, Commodore CD-32, NEC PC Engine, NEC PC-FX, Neo Geo, Neo Geo CD, Neo Geo Pocket, Wonderswan, Wonderswan Color, Atari Lynx, Sega Nomad, Sega Game Gear, Sega Pico, Sega SG-1000, Action Max, Amstrad GX4000, Atari 7800, Atari XE, Casio PV-1000, Commodore 64, APF-MP1000, Arcadia 2001, Atari 5200, Bally Astrocade, ColecoVision, Fairchild Channel F, Interton VC 4000, Intellivision Odyssey 2, RCA Studio II, Vectrex, Super Vision 8000, VTech CreatiVision, Philips CD-i, FM Towns Marty, LaserActive, Pippin, or Playdia?

Fascinating news from Sony on their attempts to simplify this whole market.

Oh yeah. What is Microsoft doing these days?

Tuesday, 4 June 2013

File sharing via Reddit

A few months ago, a friend and I were having a drink and we ended up talking about how Reddit in some ways has behaviours and layouts that sort of remind me of Usenet. They have a lot of differences of course, but in some ways they're also quite similar.

When that idea came up, I wondered how difficult it would be to be to use Reddit for what really was the final nail in the coffin for Usenet: file sharing.


One of the problems facing this idea is that there are varying limits on what can be posted on the site. For example, messages between users and comments in posts have a character limit of 10,000, but self-posts can be either 10,000 or 40,000 characters depending on the status the sub-Reddit has. This means that in a lot of situations we can only work with files that are at most 9 KB, and 39 KB at best.

However, in addition to those limits, you cannot expect to post binary data right into your form post without running into corruption problems should changes be made to the file upon it entering the database. So when you use something like Base64, you end up having to work with smaller files as the encoding process will increase the file size.

On top of that we have to verify that when receiving the file that the data hasn't become corrupted. This means that in addition to the encoded file, we'll need a small header that includes some small details about it.

Storing and receiving data

Based on my last points, in the end I had to create something like this in a Reddit post:

| File name: filename.ext |
| File size: X [bytes/KB] | < Meta data
| File MD5: md5sum |
| Base64 data | < File data

We only need the file name, the MD5, and the Base64 data in this circumstance, but the file size is useful if you end up reading the message as a person and not as the tool.

And speaking of which, that is exactly what I have done. I have written a tool that does exactly this very thing.

Introducing "Karma Share"

Reddit is built based on karma, which is basically Internet points that cannot be exchanged for any monetary value; so why not get karma for sharing files? Well, not exactly yet, as the tool is only designed to send and receive files using private messages.

So using the wonders of Python and the Reddit API, I have created a tool called Karma Share, which is a command line-based application that will send a file via Reddit's private messaging system to any user that you desire.

In addition to sending files, it can also receive them too.

Overview of Karma Share

Karma Share is written using Python 3 and PRAW, a Python library that interfaces with the Reddit API.

To send a file to someone, it just involves invoking this command: push <filename> <recipient> <user> <pass>

And to receive a file, it's as simple as this: pull <user> <pass>

You can also edit the file quite easily and have the username and password stored directly in the script, requiring you to only use "pull" by itself or just "push [file] [recipient]".

Karma Share - Version 0.1
Created by Colin Keigher -

Filename: clients.csv
Size: 3 KB
MD5: 845e0ccf9318e51af4241f4b0e594dc0

*** Attempting to login...
*** Login succeeded!

*** Attempting to send message to AnotherRedditUser.
*** Message sent!

Messages are sent as normal and can be viewed via a browser without any consequences.

It also checks to see if you have already received files and will not discriminate against messages that have already been read; this means that you can avoid worrying about accidentally reading a message that was meant to be downloaded using this tool.

Karma Share - Version 0.1
Created by Colin Keigher -

*** Attempting to login...
*** Login succeeded!

RedditUser has sent you a file!
File name: clients.csv
File size: 3
File sum: 845e0ccf9318e51af4241f4b0e594dc0

RedditUser has sent you a file!
Skipping decoding of oka.jpg as MD5 matches existing file.

RedditUser has sent you a file!
Skipping decoding of qm.gif as MD5 matches existing file.

Read 3 messages and downloaded 1 new items.

The tool makes an MD5 sum of the file before it encodes it and will only send it via the Reddit messaging system provided that the Base64-encoded data and the header values themselves do not exceed the limits imposed by the site. It will also not write the file if it finds that the data has been corrupted upon it being transferred to Reddit.
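An added example, my own code rather than Karma Share's: a Python rendering of the message layout from "Storing and receiving data" together with the checks the paragraph above describes. It builds the three header lines plus the Base64 body, computes the largest raw file whose message still fits within a limit once Base64 expansion is accounted for, and refuses to hand back a file whose size or MD5 does not match. The exact field labels and the one-field-per-line layout are my assumptions; MD5 is kept because it is the format's field, and the comment notes that it only detects accidental corruption, not a deliberate swap.

```python
import base64
import hashlib

MESSAGE_LIMIT = 10_000     # private messages and comments
SELF_POST_LIMIT = 40_000   # self-posts in some sub-Reddits
LABELS = ("File name: ", "File size: ", "File MD5: ")

def build_message(filename: str, data: bytes) -> str:
    """Lay the file out as the post format above: three header lines, then Base64.
    MD5 matches the format; it detects transfer corruption only, not deliberate
    substitution, since whoever replaces the body can recompute it."""
    header = [
        f"{LABELS[0]}{filename}",
        f"{LABELS[1]}{len(data)}",
        f"{LABELS[2]}{hashlib.md5(data).hexdigest()}",
    ]
    return "\n".join(header + [base64.b64encode(data).decode("ascii")])

def fits(message: str, limit: int = MESSAGE_LIMIT) -> bool:
    return len(message) <= limit

def max_payload_bytes(filename: str, limit: int = MESSAGE_LIMIT) -> int:
    """Largest raw file whose message (header + Base64 body) stays within limit.
    Base64 turns every 3 bytes into 4 characters, so work in 3-byte units."""
    header_len = len(build_message(filename, b""))   # empty body, size field "0"
    header_len += len(str(limit)) - 1                  # room for the widest size field
    return max(0, (limit - header_len) // 4) * 3

def parse_message(message: str):
    """Reverse build_message, raising ValueError if size or MD5 disagree with the body."""
    lines = message.split("\n")
    if len(lines) != 4 or not all(l.startswith(p) for l, p in zip(lines, LABELS)):
        raise ValueError("not a file message")
    filename = lines[0][len(LABELS[0]):]
    size = int(lines[1][len(LABELS[1]):])
    digest = lines[2][len(LABELS[2]):]
    data = base64.b64decode(lines[3], validate=True)   # binascii.Error is a ValueError
    if len(data) != size:
        raise ValueError("size mismatch: data corrupted in transit")
    if hashlib.md5(data).hexdigest() != digest:
        raise ValueError("MD5 mismatch: data corrupted in transit")
    return filename, data

def is_intact(message: str) -> bool:
    """True when the message parses and its body matches its own header."""
    try:
        parse_message(message)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    msg = build_message("clients.csv", b"a,b\n1,2\n")   # constructed sample file
    print(msg)
    print("fits a private message:", fits(msg))
    print("largest file for a 10,000-char message:", max_payload_bytes("clients.csv"), "bytes")
    print("round trip intact:", is_intact(msg))
```

Working in 3-byte units keeps the limit check exact: a file of `max_payload_bytes` bytes produces a message at or just under the limit, and three more bytes add four characters and push it over.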

Pitfalls and the future

The obvious problem here is that we're still limited to files that are a few KB in size. However, it is possible that the tool can be written to do multi-parted files. But there is one caveat to this.

Reddit does limit how many posts you can make in any given period of time, and if you're using an account that is either not verified via e-mail or has somehow tripped its anti-spam mechanisms otherwise, it is going to require verification for each and every single post. This will become apparent in the tool when it starts requesting captcha input upon sending a file; the PRAW library provides a link you can click that will show you the required string.

In some cases you can post every few seconds, but in a lot of instances you will find that you can only post every ten minutes. This means that if you're attempting to send 100 KB via Reddit, it's going to take you almost an hour and a half, so it's not very effective. For the time being I do not believe that the powers that be at Reddit will have anything to fear, as it would take weeks just to upload a 500 MB DVD-quality copy of the latest Top Gear or Game of Thrones episode. But this could possibly be useful for posting a funny cat picture without having to rely on services like Imgur.

Really, this is an experiment and perhaps a useful one in certain circumstances that I have yet to figure out. Also keep in mind that using this tool could get you banned from Reddit so I take no responsibility if you lose any of your Internet points.

Download it!

Want to try it out? It works just fine under Python 3 with the PRAW libraries installed. You can grab it via my GitHub.

The code is licensed under the GPLv3 licence.

Ed: the idea has been turned into a webcomic entry.

Monday, 27 May 2013

Good work, Microsoft

When I read that Microsoft is skimming Skype conversations for URLs, I act as if I am not surprised. It is nice to know that my own servers are not unaffected by this:

$ cat /var/log/apache2/access.log.1|grep 65.52.100.
- - [21/May/2013:09:38:48 -0700] "HEAD /volunteer/ HTTP/1.1" 200 277 "-" "-"
$ cat /var/log/apache2/access.log*gz|gunzip|grep 65.52.100.
- - [07/May/2013:18:46:29 -0700] "HEAD /2013-makers-2/ HTTP/1.1" 200 277 "-" "-"
- - [03/May/2013:00:19:07 -0700] "HEAD / HTTP/1.1" 200 277 "-" "-"
- - [20/Apr/2013:01:03:11 -0700] "HEAD /volunteer-registration-2013/ HTTP/1.1" 200 277 "-" "-"

$ whois
NetRange: -
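The grep above can be turned into a repeatable check. The following is an added example, not from the original post: it parses Apache combined-format lines and flags the signature visible in the excerpt (a HEAD request with no Referer and no User-Agent), noting whether the client sits in the netblock being grepped for; the log lines are constructed (paths and timestamps borrowed from the post, client addresses made up) and the 65.52.100.0/24 block is an assumption.

```python
"""Spot third-party fetches of privately shared URLs in an Apache access log.

Added example, not from the original post. The log lines below are constructed
(paths and timestamps borrowed from the post; client addresses are made up, the
first one inside the 65.52.100.0/24 block the post greps for, which is assumed
here to be the netblock of interest).
"""
import ipaddress
import re

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WATCHED_BLOCK = ipaddress.ip_network("65.52.100.0/24")   # assumption

# Constructed sample log; only the paths and timestamps come from the post.
SAMPLE_LOG = """\
65.52.100.214 - - [21/May/2013:09:38:48 -0700] "HEAD /volunteer/ HTTP/1.1" 200 277 "-" "-"
203.0.113.5 - - [21/May/2013:09:40:01 -0700] "GET /volunteer/ HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"
198.51.100.7 - - [21/May/2013:09:41:12 -0700] "HEAD / HTTP/1.1" 200 277 "-" "-"
65.52.100.90 - - [07/May/2013:18:46:29 -0700] "HEAD /2013-makers-2/ HTTP/1.1" 200 277 "-" "-"
not a log line
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_link_probes(lines, block=WATCHED_BLOCK):
    """Return entries that look like automated link probes.

    Signature taken from the post's own log excerpt: a HEAD request with an
    empty Referer and an empty User-Agent. `in_block` records whether the
    client falls inside the watched netblock, so sightings from elsewhere are
    kept for review rather than silently dropped.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue    # unparseable line: skipped, not treated as a hit
        if e["method"] != "HEAD" or e["referer"] != "-" or e["ua"] != "-":
            continue
        try:
            in_block = ipaddress.ip_address(e["ip"]) in block
        except ValueError:
            in_block = False
        hits.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"], "in_block": in_block})
    return hits


def probed_paths(lines, block=WATCHED_BLOCK):
    """Distinct paths fetched from the watched block, i.e. which privately
    shared URLs the third party evidently learned about."""
    return sorted({h["path"] for h in find_link_probes(lines, block) if h["in_block"]})


if __name__ == "__main__":
    for h in find_link_probes(SAMPLE_LOG.splitlines()):
        flag = "WATCHED" if h["in_block"] else "other"
        print(f"{h['ts']}  {h['ip']:15}  {h['path']}  [{flag}]")
    print("paths seen by watched block:", probed_paths(SAMPLE_LOG.splitlines()))
```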

Really, why trust a third party if your communications are supposed to be secure? We all know that mobile phone carriers store SMS messages for long periods of time, so why should it be surprising to anyone that someone who provides a free service is going to harvest data out of it?

It shouldn't happen but at the same time there is no such thing as a free lunch either.

Sunday, 26 May 2013

How far have I travelled via SkyTrain?

My girlfriend and I got into an interesting argument: how far have I gone via SkyTrain? I said that it must be in the tens of thousands and she said that it was likely not and probably something like 5,000. I gave her response some thought and agreed but then started to wonder how far I really had gone.

Before you read too far into this, the numbers thrown around are all estimates and really do not signify what I actually have done. Distances travelled were measured by referencing this map from Wikipedia, which gave me the distances between stations and switches in metres. For those unfamiliar with the system, it has 68.6 kilometres of track (with another 10.9 KM on its way), 47 stations, and has the ability to run trains 75 seconds apart.

A lot of educated guesses were made throughout this calculation and I am only sharing it since I actually went and ran the numbers out of sheer curiosity. Take everything you read in this article with a grain of salt.

Determining how far I have gone each year

Now I should admit that I don't keep a travel log of everywhere I go every single day--I am barely able to keep myself up to date with calendar appointments on my phone. However, with some guess work I can determine some constants based on actual day-to-day activities such as going to work, socialising, attending school, and perhaps family events. Knowing this, I decided to break it down using those four groups: work, school, social, and family.

I was born in late 1984, but SkyTrain was not a 'thing' until December of 1985, so I can more or less calculate from January 1986 onward. I never really wandered on to the transit system by myself until I was in my mid-teens due to my life revolving more or less around Surrey, which SkyTrain doesn't reach very deeply into. With that in mind, I can safely determine that maybe twice a year I would go with someone in my family towards somewhere like BC Place Stadium or that general vicinity. However, 1986 was also the year of Expo 86, which probably meant I visited the world's fair a dozen times--I should confirm this with my parents but actually it won't make much of a difference in the total amount.

My first job where I required the use of transit to get to work was in 2004 and save for two years I required use of SkyTrain to get to and from work. And for class? I was able to get away without taking SkyTrain to make it to class in a lot of cases.

The numbers were all crunched via Excel and some liberties were taken to estimate what I have done in a year. I won't go into super fine details here but I will at least give you the logic behind my math. One thing to keep in mind is that I count to and from as two different trips.

Attending class

Class didn't involve me going via SkyTrain all that much, but there were times where I did in fact use it to get to and from. Since I know when I was in school and how often, as well as which stations I would have used, I was able to make this table:

Trips to Class
Trips | KMs | Avg. KM
* Denotes a year where I was living out of province.

It should be noted that the above table and any future tables may be a bit off in how the math comes out, which has to do with my copying the data out of Excel, but as you can see the kilometres add up quite quickly even though the trips are rather short save for 2009 when I briefly attended BCIT.

However, prior to graduating high school, at least once or twice a year I would be travelling on SkyTrain with my classmates. Some experiences include painting the windows of the main Canada Post building downtown for Christmas, or perhaps going to the CBC building or Science World. Since I can somewhat account for all of these trips, I can safely estimate using the distances how far I have gone for each year (around 52 KM).

When I add up all of these numbers and work it out, it comes out to about 3,800 KM. An extra 100 KM and it would have covered the distance of Vancouver to Cabo San Lucas, Mexico.

Having been to Cabo before, it's quite nice. If SkyTrain were to be able to go non-stop at full speed (80 KM/h) to this part of Mexico, it would take just over two days as opposed to a five-hour flight.

Travelling to work via SkyTrain

Figuring out the numbers on my getting to work was the easiest. For the most part, I knew what my schedule was like from 2005 to present and I was also able to guess which days I worked based on days spent in class. Days when I was ill, working from home, travelled by car instead, or was on vacation were accounted for in my counts. Of course like before I made a good guess based on what I could remember.

Trips to Work
Trips | KMs | Avg. KM
* Denotes a year where I was not commuting via SkyTrain.

One thing to note: 2007 was a weird year as I had tele-commuted from January into September and was not using SkyTrain.

I left one company for another in 2009 and as a result found myself having to drive to work as opposed to taking transit. This meant that for a whole year I didn't have a reason to take SkyTrain for work purposes simply because the system was nowhere near where I was employed at the time. It was also the first time in four years where I had actually had full-time access to a vehicle (first car I bought myself too) and as a result my entire transit use pattern was changed.

However, in 2011 I had taken a job at a company downtown and found myself having to leave the car at home since it was ineffective for me to commute via it. This worked out for the better as in 2010 I had moved closer to the transit system. One thing of interest here is that when I left the car-dependent job in 2011, I had almost 48,000 KM on the odometer (after two years of ownership); two years later and I find that the odometer has only hit 62,000.

2012 also saw the greatest transit use overall where work counted for 8,253 KM (total use that year combined was 8,608 KM). Overall, the total use for commuting to work via the train was 25,909 KM since 2004. Just like how I measured out the school trips taking me to a sunny part of Mexico, that distance could cover almost the round-trip flight distance from Vancouver to Perth, Australia assuming no stop-overs.

I wonder how many zones it would be if it went all the way out there?

Socialising and family

I should point out that since having moved closer to the transit system, I have found that I have never had a reason to take transit to see my family. My parents' home is almost 13 KM from the nearest station and the time it would take using transit as opposed to taking my car is quite significant--it was a huge driving force behind my decision to move to where I am now.

Just like how it was in grade school, I only took SkyTrain with my parents or other family members perhaps a few times a year. I would say that during Expo 86 it was probably a bit more than other years and some other years were a bit more frequent than others, but I worked out that it was probably something like 78-80 trips total between 1985 and 1998, being the last time I recall having to take transit with a family member. Most of the time it was to visit something downtown and the typical station we'd visit would be Stadium. Using that knowledge, I worked it out to be about 2,021 KM.

Seeing friends on the other hand became a real mess to sort out. 1999 to 2002 were car-free periods, so I knew that whenever I did go out, it would have likely been on the train. For that period, I worked out that I'd be on SkyTrain a bit over a dozen times. It increased in 2003 onward but decreased in 2009 when I bought a car. When I moved closer to transit, it levelled out a bit but I still drove more for socialising than I took the train.

Here's an excerpt of years where I did use transit heavily to see people:

Being Social
Trips | KMs | Avg. KM

As you can see in 2010, my estimate didn't change much but my distance covered did due to a change in where I lived.

I worked out that between my family and seeing friends, it worked out to 16,706 KM. A lot less than work, more than school, and the distance can cover a direct one-way flight to Antarctica.

The system does reasonably well in snow all things considered (although it has become majorly delayed as a result of it), but I don't think that it would survive the extremes of the south pole.

Closing and how long did these journeys take?

Overall, I have travelled about 47,000 KM on the SkyTrain system since it came into existence. If I were to start and end a world tour just outside of Quito, Ecuador where the Earth's equator is, I could do one whole round trip (about 40,000 KM) along the equator and still have 7,000 KM to spare, allowing me to fly back to Vancouver with some change leftover.

Since we know the approximate distance that I've managed to cover, we can determine how much time I have spent on the train. Some things like when the system is delayed or down completely are not taken into account, but because it has been stated that the average speed between each station is about 45 KM/h, we can divide that 47,000 by that average speed and come out to 1,044.44 hours, or 43 days, 12 hours, and 29 minutes. Americans on average spend about 540 hours in their car per year, so my total time spent on the train isn't that bad. Last year, it is likely that I spent 183 hours on the train just getting myself to and from work, so I shouldn't complain.

Regarding the total number of trips (as opposed to distance covered), the number worked out to just over 3,400. I have to wonder, as the system continues to grow and my patterns change, how much higher this will go. I guess with a few more years of data I could answer this, but I am done with this question.

Thursday, 23 May 2013

Losing the faith of your (online) community

Earlier this year, I was asked to leave an online community after a row between myself and a few other members had developed. When I was asked by a community member in private to leave, I chose to do so and did so without making noise.

In the real world, I had a group of friends who began to exclude me after I had made an unpleasant life-changing decision that was overall unpopular. This was understandable as it had created a rift between me and specific people. I had it out privately with one particular person but again chose to not make much noise beyond that.

Both of these cases were quite difficult for me emotionally as nobody likes rejection, but at the same time there are things that you have to face in life. Sometimes it's better to cut your losses because it becomes futile to try and fight it. There are things worth fighting for too, but you have to understand how much you need to fight and how much it is actually worth.

My context for the above stories is parallel to my experience with running online communities. You can have a vibrant, active community when things are running smoothly and those who are members of said community have some level of faith in the decisions you make as maintainer, but it can turn on you very quickly if you start to become arrogant or ignorant of certain aspects of it. For six years, I ran a forum for the local anime convention here in Vancouver and learnt a lot about myself and others; it wasn't really pretty when I look back at it.

It was like herding cats and I was not well received

My experience with running this forum was at the time a pleasant one for the early few years but looking back I have changed my mind. I went through wanting to clean up the place to becoming a tyrant and it reflected poorly on how people perceived me.

When I say that running this forum was like herding cats, I am saying this because the anime convention had introduced a contingent of members who were of a wide age variety; I believe that the average age of the forum users was something along the lines of 16 or 17 based on my knowledge of the actual convention attendance. At the time when I was in my early 20s, I could put up with the politics of dealing with these guys because I never quite grasped that it was a herding cats scenario.

Policies handed down to me from the convention operators didn't apply well to the forum and as a result I found myself having to swim upstream in order to keep these rules in line. I would go and make fancy methods to stop people from evading the word filter and found myself banning the public schools in the province (which are on a single IP block) in order to make life easier for myself and those who worked with me. However, as time went on I found myself spending far more time on this than it deserved.

It was quite active when I was in charge, with 2,000 some-odd accounts and about 500 of them active, but as time progressed, the demographics and types of behaviour began to shift and I found myself turning more and more into a tyrant in terms of how things should be run in order to stem the changes that I didn't find very likeable. Power goes to your head and for that I don't think I'd ever make a good Prime Minister in the face of such things. This is not to say I should never be in charge, but I believe that I shouldn't do the same job for too long and I shouldn't do it knowing I have impunity, as was the case here: I could effectively get away with almost anything and those who ran the convention didn't dare challenge me, which looking back I feel was a mistake.

I left briefly as I wanted to focus on other matters (namely that I had decided to move to another province), but came back some time later and found myself in the same habits as I was in before. And with that came an overall disgust for me from these forum members.

Effectively the online community had no trust in me but was powerless to do anything about it. I could share some of the remarks that people had for me, but it is irrelevant to this part of what I am writing; in short, I was not exactly liked in the role I played and the words chosen to describe me were not good.

I don't look back at this period in my life as a positive one even though there were some rather awesome people I met in the process. I removed myself from this community a number of years ago and haven't looked back on my decision. There were definitely good times, but overall I feel that it was a huge time-sink and put me behind on a lot of other things that I am working on now.

Reddit and how its moderation works

I've written about Reddit before in a not so happy light. In addition to my remark about it being a circlejerk in a lot of cases, I have zero love for how the site is moderated.

Reddit and its sub Reddits are moderated two ways: votes (karma) and moderators. Downvotes are for posts that don't contribute to Reddit or the discussion and upvotes for the opposite. A moderator's role is to take care of whatever they see that doesn't fit the sub Reddit. It could be harassment, spam, or content that is outright pointless and ignores what the community as a collective considers the norm.

However, this is an ideal situation and is rarely if ever followed. The votes are used when people don't like the discussion or person. This is more or less evident in the Obama AMA where the downvotes were likely those voting for Romney or other candidates, but you can see this in smaller situations where it just comes to just overall popularity of the poster. Reddit has attempted to address this by introducing a scheme that allows sub Reddit moderators to implement a delay on when karma is shown, but this isn't a real solution. Really, Reddit is broken this way because it doesn't interpret how a human being actually thinks on a typical decision--reactive and largely not objective.

And the moderation system itself is broken too. Nobody owns a sub Reddit really as that is actually the property of Reddit itself. However, once you go and create a sub Reddit, it's yours for as long as you choose to keep it and as long as Reddit desires to let you do so. And if you appoint any moderators underneath you, they cannot perform a coup on you, but they can remove anyone who comes after them. It's basically a lineage system that is very ineffective and you cannot take someone on top out easily.

Really, Reddit is flawed.

When to know that you need to leave

I bring the topic of Reddit up because it's different from an online forum run by some forum software and at the same time has a lot of the same characteristics. Recently on a sub Reddit I frequent, a number of users and moderators had begun to voice their dislike for how the place is being run. Since the order system was in place, the complaining moderators, who actually spent more time on the sub Reddit than those on top, ended up opting to resign, citing that they are powerless to go against someone whose ideals aren't in line with everyone else's. Those at the top have resisted leaving and would rather make "simple changes" to pacify the general crowd. It might work but it's really not worth it in my mind.

When you have a large number of users being vocal against you running the place, citing that content quality has gone downhill since then, you have to act decisively. You cannot continue with the status quo and hope that everything will continue on positively.

Sites like Something Awful have only survived long term because users were not left to make decisions on everything. However, certain decisions were made in the past that led to it being the site it is today. For example, Lowtax no longer actively moderates the forums, which follows from his position at the site. He has focused more on running the place as a business and as a result there is a more or less positive view of him. This took years for him to realise and there were a number of odd behaviours on his part as time went on, but I look at the place now and it's largely neutral. It's not the same site it was a decade ago when I first signed on, but a lot of the old circlejerk mentalities from the past do not exist in the same manner.

I found myself hearing comments along the lines of me being an "asshole" or "douche bag" when I ran these forums for the previously mentioned convention. At the time they didn't faze me but looking back, these users were mostly right. I have a bit of an ego that needs to be deflated sometimes and I try my best to acknowledge when I am in the wrong, but sometimes you need to just let these things go and let others take the helm. I haven't looked back at the site since then and there have been attempts to get me involved again, but again, it's not worth it.

You need to leave a community you're in charge of when you have far too much opposition. It's how you fix the community in the long term. You can stick around as a member but you shouldn't hold on to power as if there is no other solution.

For those who are wondering: there is a long story behind why I have opted for a new account on Reddit. It will likely be discussed on this blog when I get around to it, but I have decided to start using my actual name in some places.

Tuesday, 14 May 2013

Don't blame me...

The Greens for all they stand for have some anti-fact nut jobs in their list of candidates. Some of their candidates have a stance on radio transmissions that are completely anti-science.

Libertarianism in the form that most people practice these days is hypocrisy at its finest. Government has a role to play in our every day lives regardless of whether or not you like it.

No idea who the independent guy is in my riding, and as a result I couldn't throw my support behind him as I have no idea what he stands for. I should have taken a look into this I guess.

Don't think anyone needs to know about my love and appreciation for the Conservatives. John Cummins is a leader that doesn't understand that he barely has support in his own party.

So what option was left? The leftovers appear to be the lesser of all evils with one being less evil than the other I guess.

I voted for Kodos.

Monday, 29 April 2013

Security Challenges

A few days ago on Reddit's r/NetSec, a link containing some penetration testing challenges was posted. Having completed some of them, I've decided to post some hints for each of those.

I'd like to get back and take a swing at the web-based ones as they should be doable on my part, but priorities! If I get a chance to do II, III, and VI, I'll likely post a follow up here.

Challenge I

This one is fairly straight forward. Pay attention to the URL and you'll notice that it does an include of a file. You can easily bypass this by inserting a URL-encoded null character (x00) in the string to bypass some barriers that are in the way of things. You'll then want to look for some Apache-specific password files.

Challenge VII

One of the things that threw me off in this WiFi challenge was that the packet capture was seemingly useless. Just over 5,000 IVs were captured and as a result normal methods for breaking WEP were out of the question. I tried to brute-force this too and was pulling my hair out.

It was pointed out by a friend that the access point in question has a vulnerability that allows one to quite easily generate keys based on the ESSID--it was using one of the defaults too so I felt a bit dumb for not cluing into this, but the unit is for an Irish telecom and I am Canadian. Once I had that sorted out I was able to decode the packet capture and then was able to determine how to get my name added to the list.

Challenge VIII

Let me start off by saying this: don't bother performing a packet capture. It might give you a hint about what is going on but don't analyse it any further than that.

This is really going to be a reverse-engineering job requiring a bit of Java skill--or at least the willingness to get your feet wet with the language. In the end you're going to need to make use of a Java decompiler (jad) and then just parse through everything to understand what each function is doing.

It's really easy to do if you have any level of coding experience. Up until this challenge I had zero experience with the language and managed to get it to run an application that performed all of the functions I needed to reverse what was done--I was from tutorial to compiled in less than five minutes (seriously).

Break the PIN

This one was surprisingly easy. As the author of the challenge notes elsewhere, there is no need to hammer his server for a result. In the end you can do this offline if you examine what he's looking for (a 7 digit number) and then the code on the page itself. You should be able to whip something up in any language and have it cracked in less than three minutes.

Wednesday, 24 April 2013

Distances travelled by a hard drive

Once in a while I'll come up with strange ideas and one of them was the curious thought I had about distances covered by hard drives.

The diameter of the platter in a standard PC hard drive is 8.89 cm and as a result its circumference will be 27.96 cm. The typical hard drive today spins at give or take 7200 revolutions per minute, which works out to 120 per second. Since we know the distance travelled every minute, we can work this out to 120.82 KM/h, which is 10.82 KM/h faster than the speed limit on the Coquihalla Highway.

This means a hard drive could in theory keep up with highway traffic.

Let's assume that we don't have to worry about powering the hard drive because we know that otherwise it won't work, but where could the hard drive possibly go should it have access to some unique power source and it could keep itself upright and use its platter as a wheel?

The distance between the capital of British Columbia, Victoria to its island neighbour, Nanaimo is approximately 110 KM, which means the hard drive could easily drive down the highway and get there in less than an hour. However, the speed limit in the Malahat section is 80 KM/h, so it would likely get a speeding ticket for having done so. We'll ignore this consequence since the hard drive doesn't have a licence anyway.

How about a larger feat? Perhaps we want to drive from Vancouver to Toronto? Well, thanks to the hard drive's enormous stored energy, it could travel the shortest distance of 4,373 KM in just around 36 hours. But this is cutting through the United States, so if we were to stay within our own borders, it would work out to about the same as it would be 4,389 KM but would have the consequence of speeding through city streets which are set with a maximum 60 KM/h. The hard drive would be quite the rebel.

Okay. So we have this fancy energy source and as a result could go anywhere. How about to outer space? What if the hard drive managed to manipulate its gyroscopic forces to defeat gravity and fly upwards to places beyond our atmosphere? Since we're already breaking the laws of the road, we can go for broke and completely break the laws of physics.

In this Time article, it's stated that the average car's age is 11 years old and has gone a distance of 165,000 miles (266,000 KM). The distance between the Earth and the Moon is 384,400 KM, so the average car has yet to make it as far. How long would it take for the hard drive to get to our celestial neighbour? It would take about 132 days for it to reach its destination--for reference, the astronauts that visited there took almost four days to arrive.

Since cars are averaging 11-years on the road, how much further does the hard drive go in that time? It would be approximately 11,649,963 kilometres. The hard drive would take half-a-century at best to reach Mars when it is at its closest, but considering the closest that planet will be to us will be about 58,000,000 KM in 2018, it's unlikely that it would get there in time and would probably take a whole century if it were to leave now as the distances can reach around 100,000,000.

This is all presuming that the hard drive just doesn't give out before it gets there. These devices are quite amazing and have the ability to outlast expectations and sometimes just flat out die. My rule of thumb is that a hard drive is only good for up to five years of continuous operation, which means it would die out long before it made it to our planetary neighbour.

Closing on this, a 10,000 RPM hard drive is only going at 160 KM/h so while it would get to Mars a tad faster, it's not really an improvement.

Monday, 22 April 2013

The Boston Marathon bombing and the Reddit circlejerk

What happened in Boston last week goes without saying as one of the most horrific events I have ever seen in the United States. The raw images of limbs scattered about and people missing them as a result were just horrifying. Regardless of the reasons, attacking innocent civilians anywhere is uncalled for and completely unjust.

However, one of the ugliest things that came out of all of this is the Internet vigilantism that had its goal in trying to catch whoever was responsible for the attacks. Specifically, the creation of the Reddit subgroup, r/findbostonbombers (it has since been closed so I haven't linked to it). It was Reddit's response to the search for who was responsible by combing through images on Flickr, Twitter, Facebook, and whatever else had photos that may or may not be relevant--none were, just in case you're wondering.

When you have people pleading that they're not the Boston bomber, those who go missing for unexplained reasons who are then accused of being the attacker, and then racial profiling because they're brown or some other colour other than good ol' fashioned American-proud white (because white people have never bombed any Americans), you have to wonder what these people think about racial profiling at the government level.

I refuse to link some of the images here as enough damage has been done to these falsely accused individuals, but it was amusing to see first-hand people trying to prove to me that certain people were likely guilty just because they were looking in the wrong direction, their clothes didn't match everyone else, or somehow they had a backpack but when seen in other photos it appeared that they didn't have them on, but of course in a later taken photo they're shown with their backpacks again. Just because you've watched enough CSI does not mean that you can take a look at a crowd and tell me who's a terrorist, rapist, murderer, paedophile, or whatever.

Unlike the Internet, the FBI had the ability to sift through video evidence provided via CCTV cameras placed in buildings and the surrounding area. What did the Internet have? Just photos they stumbled across on social media and elsewhere. What did the FBI pull off that the Internet did not? They had photos of the actual suspected bombers wandering around with the backpacks. They released video and stills of the suspects and only then did details about these people start to emerge.

It was only when the photos of the two suspected bombers were released that any other photos appeared, and those came from people who looked at their own damn images. How many photos of these suspects did Redditors find? None. In fact, they went on to falsely accuse an innocent missing person. Yeah. He sort of matched the blurry, digitally-zoomed image of one of the suspects, but it's not hard to go on your Facebook friends list and do the same damn thing.

Now the whole Reddit circlejerk comes into play. I would refuse to call the subgroup created to find the bombers anything near altruistic in terms of its goals, but rather a lynch mob. Yes. Their intentions may be objectively good, but it's nowhere close to being actually useful or thoughtful.

Why was it so hard for people to not just do what the FBI wants and just send the damn images to them if they happen to find something that might be helpful in the investigation? Why did these Redditors have to go out and start playing with Microsoft Paint to figure out where Joe Shmoe and Susan Smith were looking? In fact, I don't even recall a single image where a woman, a child, a delivery driver, grandparents, et cetera were suspected as being involved.

How did these Redditors not know that some kid was instructed to place a backpack somewhere? How do they know it wasn't a woman who was involved? Why did they focus mostly on dark-skinned people or those with clothes that didn't match the rest? How did they come to the conclusion that just looking in one direction was sufficient for a probable suspect?

Really, Reddit is not above the rest of the Internet when it comes to moral authority--not by a long shot.

Honestly I think what it all boils down to is this notion in the Reddit community that whatever they do is for the good of the world. Yes. There have been instances where members of Reddit (I have been on the site for almost four years now FYI) have done some rather good work for the benefit of others, but there have been enough examples of where they have done harm. For example, after a post discussing Reddit's involvement in finding the bombers, it was pointed out by someone who has the same thoughts that I do that the founder of the aforementioned sub-Reddit was receiving threats as the aftermath of having someone falsely accused.

There's a lot more that I could say on this topic such as those involved not understanding what a reliable source is and why you shouldn't act upon it--for example: police scanners provide detailed information but there is a reason why the media was not reacting at the same rate as Reddit does. They need to know if what is being said is valid and radio communication amongst the police during a standoff situation is only so accurate.

In the end, Reddit, you embarrassed yourselves.

Tuesday, 16 April 2013

"Debrowning" plastic

As some of you may know, I maintain a collection of video game consoles and have done so for almost a decade. One of the largest annoyances of such a hobby is the fact that the ABS plastic that most video game consoles and peripherals are made from has a habit of turning a brown colour after long-term exposure to ultraviolet light--this is a byproduct of the bromine used as a fire retardant. I am not alone in this annoyance and there is actually a whole community of people that have come up with a rather simple fix that doesn't involve painting: a mixture called Retr0bright.

Since I have plans to do this with a number of items in my collection, I have decided to do a test with a Super Nintendo controller I had picked up some time ago and share the results here.

Here's the test subject prior to any work being done:

This is not as bad as other situations I have seen. However, the controller was a good test subject because someone had previously opened up the thing prior to me acquiring it and had stripped its screws. It's going to be used for parts in the end, but since it was a donor controller, I figured that it would be a good candidate for what I wanted to do.

To make Retr0bright, the ingredients are quite simple:

  • Hydrogen peroxide

  • Active oxygen cleaner

  • Arrowroot

All of these ingredients can be acquired for a few dollars each. I believe that the peroxide solution set me back $8, the cleaner was $4, and the arrowroot was the most expensive at $10 for 300 grams. It is suggested that you get a peroxide solution of at least 6%, but I picked up 3% because it was cheaper--I will explain the trade-offs a bit later. It also seems that you can get away with the dollar store variety of the cleaner too as it didn't seem to be much different than mainstream brands like Oxy Clean.

Combining the stuff is fairly straightforward but be prepared to add more arrowroot than what some steps state and you will likely have to heat the combined substances while mixing--short 30-60 second periods in a microwave are sufficient. In the end I used about a litre and a half of peroxide, 90 mL of the cleaner, and then about the same with the arrowroot. You're going to find that you'll adjust the measurements as you go along until you get something that is quite soupy.

Once this stuff is made, let it sit overnight and it should turn into a gel-like substance that you can apply to the plastic.

You're going to want to reapply the stuff every so often while letting it bask in the sunlight. It's safe to let the solution sit out in the open for the day as it shouldn't evaporate very quickly, but it will dry off on the plastic. You'll want to ensure that you get the maximum amount of sunlight possible too.

As you can see, there is a noticeable difference between the before and after shots of the controller. One of the things I immediately noticed was that there was no negative effect on the silk screening on the plastic. It has been said that stickers should survive just fine during the process as well.

Regarding the use of a 3% hydrogen peroxide solution: it just takes longer. It only took me about 6-8 hours to pull off the change in colour, but it is likely that this would be far faster if the solution was more concentrated.

Overall I am glad to see that this works and likely will try it on something bigger later on.

Monday, 1 April 2013

Being an Avivore and data mining Twitter

How easy is it to pull phone numbers, IP addresses, and Blackberry PINs from Twitter? It should be no surprise that it isn't very difficult at all, and it was the topic of a presentation that I gave at BSides Vancouver last month. This is more of a follow-up to my talk than to my previous write-up on the event.


This began really due to boredom on my part. I was working on a Twitter-related project for Maker Faire Vancouver and due to some missing components, I had to delay what I was already writing. Being that I do not like to have idle hands, I started to mess with what I already had and decided to make it so it would search for phone numbers. I didn't anticipate anything at first but then I started to get results.

After seeing the large volume of results from the script, I decided that I would build a bot that would respond to people who had been found to be erroneously posting their numbers on Twitter. Oddly it seems that I am the first to go and search for this information openly, but not the first to do something related to user-initiated privacy violations--not sure what else to call this.


After some fumbling around, I managed to create a Twitter bot.

The bot was designed to respond to at most one tweet every ten minutes, and only when a random number generator hit a certain value--so as not to cause a flood of tweets. It was also set to tweet a randomly chosen phrase to avoid the anti-spam actions that Twitter itself would take should I tweet the same thing each time.

While I took the time to ensure that Twitter itself wouldn't ban me, it ran for something like 36 hours before it got banned. I eventually appealed it, but I spoke to a contact I had at the company and was told upfront that it would probably remain banned if it were to get in trouble again.

Some of the reactions during its brief lifetime were kind of interesting:

Poor decisions are made regardless of what country they're from--especially mine.

Justin Bieber is pretty wild these days. Maybe?

Note: no mobile phone was harmed or abused for this portion of project.

So what next?

Well, I wanted to be persistent on this and thought about a few different approaches. One idea someone had proposed was to follow the lead of @NeedADebitCard and just retweet the phone numbers. However, I didn't want to run the risk of getting banned from Twitter should they decide that account should be banned--mine would likely follow soon after.

Maybe I should just compile the findings into a list?

This ran for a few days as well and I killed it eventually (it could be revived at a moment's notice) for reasons that I cannot recall at the time of this writing. It basically followed in the footsteps of Please Rob Me (link has been disabled), which compiled results of Twitter users checking in using services like Foursquare to demonstrate that one can be easily followed.

It worked quite well as my application would take results and then dump them into a database. The page itself would then display items from the database and then display the number in the format '(555) 555-1xxx'. It was intended so one could just delete their tweet should they find their phone number showing up on my page. By deleting the tweet the obfuscated number would be all that remained and would just fall off of the list as others would make the same mistake.

In addition to that, I had briefly configured it to use Twilio to send text messages, very sparingly, to random users who ended up in that list. Out of the 400 or so tweets that I archived before shelving the project, about nine people were texted with the message "I found your number on Twitter. You should not tweet these things, y'know". Most of the responses were fairly benign but I discontinued this behaviour as I was unsure of what laws I may or may not have been violating at the time.

Ed - April 3: I was asked why I discontinued this overall. I had decided that I wasn't sure of the consequences of doing this. Add the fact that I didn't want my hosting service to have any troubles over this, so I opted to not let this service operate any further.

Going for broke

In the end I opted to just create some code to search Twitter on a cycle and pull everything into a database. The code is not especially well written but it does the job and lets you see how effective it is in retrieving information. It was initially designed to just pull phone numbers but then it sort of mutated into finding IP addresses and Blackberry PINs.

A sample output is as follows:

$ python
Avivore 1.0
A Twitter-based tool for finding personal data.
Licensed under the LGPL and created by Colin Keigher
[1364844946] Using existing database to store results.
[1364844946] 12447 entries in this database so far.
[1364844956] Type: bbpin, User: SocialGamerMax, PIN: 261D288C, TweetID: 318808517685440513
[1364844957] Type: bbpin, User: AsgharBhatti3, PIN: 21D91A46,TweetID: 318808291490791424
[1364844957] Type: bbpin, User: MIDOO_889, PIN: 26CFA12B, TweetID: 318807746273214464
[1364844957] Type: bbpin, User: Tsa7el, PIN: 25ba2a8f, TweetID: 318806708887629824

The 12,000+ entries you see above were created over the course of 24 hours, so as you can see there is just a tonne of personal data sitting on Twitter for everyone to get their hands on.
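To show the detection and obfuscation steps described above (matching phone numbers, Blackberry PINs and IP addresses in tweet text, then listing them only in the '(555) 555-1xxx' style), here is an added example written for this post; it is not Avivore's own code. The regexes, the table layout and the sample tweets are assumptions constructed for the example, and only the masked form is kept in the database so that raw values never sit on disk.

```python
import re
import sqlite3

# Detection patterns, written for this example (assumed, not Avivore's own code).
IPV4_RE = re.compile(r'(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])')
BBPIN_RE = re.compile(r'\bpin\b[^0-9a-f]{0,10}(?<![0-9a-z])([0-9a-f]{8})(?![0-9a-z])',
                      re.IGNORECASE)
PHONE_RE = re.compile(r'(?<!\d)\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)')


def _valid_ipv4(addr):
    """Reject dotted quads such as 999.1.1.1 that the regex alone would accept."""
    return all(0 <= int(octet) <= 255 for octet in addr.split('.'))


def classify(text):
    """Return (kind, value, masked) for the first personal-data item in text, else None.

    The masked form follows the '(555) 555-1xxx' convention from the post: enough
    for the owner to recognise their own number, not enough for anyone else to use it.
    """
    m = IPV4_RE.search(text)
    if m and _valid_ipv4(m.group(1)):
        return ('ip', m.group(1), m.group(1).split('.')[0] + '.x.x.x')
    m = BBPIN_RE.search(text)
    if m:
        pin = m.group(1).upper()
        return ('bbpin', pin, pin[:2] + 'x' * 6)
    m = PHONE_RE.search(text)
    if m:
        area, exch, line = m.groups()
        return ('phone', area + exch + line, f'({area}) {exch}-{line[0]}xxx')
    return None


def scan_and_store(conn, tweets):
    """Scan (user, tweet_id, text) tuples and persist hits; returns the number of new rows.

    tweet_id is the primary key, so re-scanning the same tweet does not double-count it.
    Only the masked value is stored: the raw number is never written anywhere.
    """
    conn.execute('CREATE TABLE IF NOT EXISTS findings '
                 '(tweet_id INTEGER PRIMARY KEY, user TEXT, kind TEXT, masked TEXT)')
    added = 0
    for user, tweet_id, text in tweets:
        hit = classify(text)
        if hit is None:
            continue
        kind, _raw, masked = hit
        cur = conn.execute('INSERT OR IGNORE INTO findings VALUES (?, ?, ?, ?)',
                           (tweet_id, user, kind, masked))
        added += cur.rowcount
    return added


def listing(conn):
    """Rows for the public listing page: user, kind and masked value only."""
    return conn.execute('SELECT user, kind, masked FROM findings ORDER BY tweet_id').fetchall()


# Constructed sample tweets; users, ids and values are made up for this example.
SAMPLE_TWEETS = [
    ('alice_example', 1001, 'text me at (604) 555-0123 if you want tickets'),
    ('bob_example', 1002, 'PIN: 2A4C6E80 add me on BBM'),
    ('carol_example', 1003, 'running my minecraft server on 203.0.113.45 today'),
    ('dave_example', 1004, 'having a great day, no numbers here'),
    ('bob_example', 1002, 'PIN: 2A4C6E80 add me on BBM'),  # duplicate, must not double-count
]


def run_demo():
    """Scan the sample tweets into an in-memory database; returns (rows added, listing)."""
    conn = sqlite3.connect(':memory:')
    added = scan_and_store(conn, SAMPLE_TWEETS)
    return added, listing(conn)
```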


Some other ideas that came up were to harvest e-mail addresses or prescription medications. E-mail addresses would be straightforward, but prescriptions were an interesting one that would probably require me to build a database of names of common drugs. This would be interesting to search for within the limitations that Twitter has put upon me, but I would not be surprised if this and the other data has some sort of use.

The talk I gave at BSides Vancouver touched loosely on the ramifications of this sort of information and what use it could serve. For example, someone who is willing to provide their personal details on the service may also be highly likely to be susceptible to social engineering attacks. An easy one to pull off would be to call the individual a few days or so afterwards stating that they were from Twitter and wanted to ensure that everything was okay and to also "verify" their password. For businesses, it could allow you to know who might be a risk to your company and might be willing to produce certain, proprietary information that you may not want divulged. These are of course all hypothetical but it was something that ran across my mind as I was working on this project.

As a result of this work, I've expanded on this data retrieval for other services and have a new project in the works that may likely be demonstrated sometime soon. For now, feel free to try out the script and have a sigh or two.

Monday, 25 March 2013

Identifying Facebook scams and why you should not spread them

Ed: This is intended towards my friends but can be shared with others. I really want people to stop participating in these scams because they do far more harm than good.

Let me start by saying that I hate Facebook. It has pretty much managed to infiltrate almost every aspect of our modern lives and as a result it's pretty much inescapable. As a result, I am on Facebook but I would not shed a tear if it were to disappear tomorrow.

However, I want to rant about something that irritates me that I see people doing quite often and as a result if I see you posting this on the site, you're going to get this link. It's for your benefit and not mine because these problems will not affect me but I do wish to look out for you.

The above really does irritate me.

It is unlikely that you'll get a free mobile phone or tablet on Facebook

Here is a pretty popular scam going around the site, the infamous "free phone giveaway" ones:
We are giving away 5000 Samsung Galaxy S4 to 5000 Lucky Fans for FREE. All that you need to do is complete the easy steps below to participate! (Worldwide)

1. Like this photo.
2. Share this photo.
3. Like this page -> Samsung Galaxy S4

4. Choose your color (white/black)

The lucky winners will be selected in 7-10 days but will get their gifts at 30 April. Only people that have completed all steps can participate.
Winners will be announced at our Facebook fan page or in private message so make sure you like us on Facebook.

Good luck !!

You see similar posts for iPhones, iPads, other Android devices, car GPS, cars, laptops, et cetera. You usually see these posts with some obvious grammatical mistakes--of course, I may have made some in this entry too.

I see one of these pop up on my feed about once or twice a week. There are some people who constantly go about liking pages and sharing them for the sole purpose of perhaps being one of the 5,000 people to get a phone. With 80,000 likes on the page itself, you have a 1 in 16 chance of being a lucky winner, which is far better than the chances you have with a lottery ticket. However, Samsung does not go about doing this at all.

For example, shortly after the Galaxy S3 came out, a Canadian fellow messaged Samsung about getting a free phone in exchange for his customer loyalty and a cute drawing of a dinosaur. The company's response was to send back an image of a kangaroo on a unicycle but stating that they could not send him a free phone. It went viral and because of this Samsung did in the end send him a phone as he probably did more to benefit Samsung than a silly giveaway.

This is a unique case and only cost the company so much as I had pointed out. And this is the key point: there is a cost that has to be taken into account.

I cannot find firm numbers, but supposedly it is around $230 USD for the production cost of an S4. For Samsung to give away all of those phones, it would cost them nearly $1.15 million USD just to make them. Retail prices of the phone are not concrete, but it has been reported that a 16 GB model will be $629.99 USD, so that would mean that $3.14 million USD would have to be spent. There are additional costs too that need to be taken into account but this is quite a lot of money for a promotional event.

To put this further into context: at 80,000 likes, you're looking at spending anywhere between $14 and $40 per person by the end of this promotion, depending on how you choose to look at its overall cost. Unlike my brother, I am not much into marketing and sales, but I do imagine that if your marketing costs require you to spend that much per person on a promotion, it's not very effective. A commercial spot during the Super Bowl costs just above the extreme total cost of those phones (around $4 million USD), but that spot only costs about $0.04 per person as it has the ability to reach over 110,000,000 people.

It's prohibitively expensive to give away phones for free. You are more likely to see these phones made available in promotional give-aways at restaurants and whatnot.

Speaking of which, there's no free coffee, food, or gift cards in general either

I've seen this a bit less often these days, but it is not unusual for me to see Starbucks or Tim Horton's gift cards as prizes for sharing a page on Facebook. In fact, I've seen this behaviour from those who work at Starbucks themselves. Guess what? Neither company does this.

I won't go too far into those two companies, but it is covered quite well in this Naked Security article from Sophos.

However, I've seen this for a number of other places including Staples, Milestones, Real Canadian Superstore (aka Loblaws, etc), The Brick, Home Depot, and Indigo/Chapters. If it is a major chain, then I have likely seen it with one of the scam pages.

There are times where smaller businesses may actually go about doing this, but I'll explain something in a moment.

OK. Why should I not then?

Simply put: there is no such thing as a free lunch. You're giving away something to get these things and it's unlikely that they're going to be used for getting you the prize that you desire. You're also risking your privacy, safety, and your friends as well.

By liking a page and sharing the details, it is easier for those with malicious intent to harvest your details to do some of the following:

  • Sending you malicious messages via e-mail or Facebook that contain malware.

  • Getting phishers to impersonate you to your friends.

  • Selling your and your friends' data to third parties to be used for all sorts of reasons.

You're not just doing a disservice to yourself, but you're also doing a disservice to your friends. There may be people on your list who do not wish to have their details exposed but are not adept enough to go through the hell that is Facebook's privacy settings to set it so these pages cannot get their hands on their details. Just because "well I might actually win" comes to mind does not mean that it is worth the hassle.

What else?

Just keep the above in mind when browsing around on Facebook and thinking about sharing the page.

Here's a simple thing to ponder: if the sweepstakes requires you to like a page that is not the official page itself, then it is unlikely to be real. It doesn't matter if there is a giant photo of boxes of phones inside of the page; it makes no business sense for these companies to direct you to a page that is not the official page itself. What happens when the Galaxy S5 comes out? Why do you have to go to a page separate from the mainstream one? Once the promotion is over, all they've done is spend money on you without getting the one thing they would want in return, which is a like on their own page.

Also watch out for the name of the company in question. I've seen Apple show up as "Apple.", "Apple's", "Apple Computers'" and so forth. There's just one page: Apple Inc. Look for the page and if the promotion is not on that site as posted by them, then it's not real and you should not spread it.

I provide this information because I want you to be safe and I hope that this isn't taken the wrong way.

Friday, 15 March 2013

BSides Vancouver recap

BSides Vancouver has come and gone and I'll have to say that it went quite well. I've been meaning to write a post-conference write-up and finally I've found some time to do so.

One of the highlights of the conference was the large attendance. I think it worked out to just over a hundred people in attendance and a full speaker track.

(Shamelessly stolen from the BSides Vancouver site itself.)

Most of the slides including my own have been posted here. If you're looking for my bug-ridden source code, you can find it by visiting my Github repository for it!

Basically I gave a talk on capturing personal data from Twitter. Nothing special, but it allows for you to pull phone numbers, Blackberry PINs, and IP addresses 'automagically'.

(My lovely girlfriend captured me talking about some nonsense.)

It was quite nice to meet the speakers who came to the dinner we had the night after. Admittedly it was a bit difficult the day after, but that is par for the course.

Also, I'd like to point out that I do have a new domain:

Finally got around to registering the domain after a buddy of mine kept pestering me to do so. This domain will stick around as my blog but slowly I'll be migrating things off of it. Not much of a BSides recap I guess, but I definitely am looking forward to next year.