Archive for July, 2001

Go hack your own Apache server

Weekend Exploits

Looks like some people are trying to get wise and hack into my apache webserver. Yes, I do actually actively go through my logs manually.

Silly Windows users.

Date: Sun, 8 Jul 2001 05:22:06 -0400
To: errors@gnu-designs.com
Subject: 404 MISSING URL
----------------------------------------------------
On the site    : http://
Error Response : 404 MISSING URL
Occured on     : Sun Jul  8 05:22:05 2001
When the URL   :
http:///scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir was requested
Coming from    : 
By a user at   : 216.198.90.30
As hostname    : 216.198.90.30.cypresscom.net
With browser   : 
----------------------------------------------------

Lots of Random Fu

Tags:

jjshoe, that would be me, on irc. Welcome to advogato.

Lots of new things

Plucker

    New Plucker release today. This one adds Gesture support. Good work Mike and Robert O’Connor.

    We still need perl coders to pick up the perl parser and get it working again. Any takers?

ViewCVS

    I managed to get ViewCVS’ annotation fixed so now the anchors work. You can see an example of it here. Note the line-by-line annotation and anchors. Nice. I hope gstein rolls the fix I emailed him into the upstream. I also changed the icons a bit and dressed up the layout and navigation a bit more. I’m moving them all into their own builds of ViewCVS now, so there’s no project-based dropdown. You can see two versions of it here and here or here.

NSI

    NSI has finally decided to fix my domain after 52 emails, 11 phone calls, 4 faxes and 5 weeks of nagging.

    Now I can move the domain off onto the other box, and unplug the hardware.

    FINALLY!

Big 3-OH

    Flying back east to spend my 30th birthday with my girlfriend. I’ll be on the clock, but it’ll be good to get away from this whitewalled prison for awhile and see her again (only $200 on a 1-week notice too for the tickets, not bad).

Statistics

    Isn’t this purty!. The images are generated dynamically from the cgi.

    I’m testing out a package called aWebVisit. It’s pretty nice for really getting into the guts of who is visiting your site. I’d like to take this codebase and modify it a bit to handle my cvs logs and history. Being able to visually see the progress of projects inside the CVS would be a great asset.

    I’m sure now that I’ve mentioned it, someone will try to steal it. Mine! You saw it here first!

echo $PS1

    Well, since everyone else is in the prompt wars, here are two of my entries:

    declare -x PS1="C:\\\\\W> "

    (yes, it’s a joke, but imagine ssh’ing into a remote machine and getting this!)

    or..

    export PS1="[\[\033[11m\[\033[0;36m\t\d\[\033[11m\[\033[0;40m]\n[\[\033[11m\[\033[0;36m\#\[\033[11m\[\033[0;40m]
    \h:\w\n$" 

ObCVSCompletionHack

    This needs a few more minutes of care to read ~/.cvspass and $CVSROOT out of the environment, but you get the
    idea (and yes, it’s for bash):

    _cvs()
    {
            local cur prev
            
            COMPREPLY=()
            cur=${COMP_WORDS[COMP_CWORD]}   
            prev=${COMP_WORDS[COMP_CWORD-1]}
            
            if [ $COMP_CWORD -eq 1 ] || [[ "$prev" == -* ]];
                    then
                    COMPREPLY=( $( compgen -W 'add admin    \
                                   checkout commit ci diff  \
                                   export history import    \
                                   log rdiff release remove \
                                   rtag status              \
                                   tag update' $cur ))
            else
                    COMPREPLY=( $( compgen -f $cur ))
            fi      
            
            return 0
    }
    complete -F _cvs cvs
    

    vi mode in bash really rocks. It’s forcing me to learn more about vi than I could using it strictly as an editor. Still fumbling a bit.

Life

    Tired of my music. Tired of my 14.4k dialup bandwidth on a 56k modem and my ISP blocking every port except 22 and 80 (inbound and outbound are blocked). Tired of this prison cell in South San Francisco.

    Just… tired.

    But I think I’m getting better at things. That’s a plus. Just things in general. Headaches still abound, quite a few chest pains, but nothing as severe as “The First One(tm)” several weeks ago. I’m instructed to ingest Advil like M&M’s now though. Ugh.

    This just needs to be mentioned, since over the past two days, I’ve been feeling my whole apartment “wiggle”. Today, so far, we’ve had 24 earthquakes in California and surrounding areas. You can keep up on the results at USGS.

    Quite interesting to see that we’re getting more-frequent incidents of higher-magnitude earthquakes this week. We’ve had 17 quakes exceed the 3.0 Richter rating since 6/30/2001. That’s unusually high.

Complicate CVS Things

Implementing things using cvs that were not really designed to be implemented in cvs is proving to be a bit… neural.

Advogato Search Engine

Advogato Search Engine

    Well it’s coming along, I managed to get everyone’s diary indexed here. As I was going through it, I noticed that we have 4276 total people listed and of those, 3080 have never posted a single diary entry.

    wget came in handy:

    1. Wget People
      (a 1.48 meg file)

    2. Run the following:

      for i in `cat
      www.advogato.org/index.html | grep “,” | grep “a href=” |
      cut -f 2 -d ‘”‘`; do wget -r -l1 -np -nc –accept=xml
      http://www.advogato.org/person/$i/diary.xml;
      done

      (all on one line, those are accent gravé marks, not single quotes)

    3. Find all empty diary entries: find . -size 30c
    4. Remove them: rm -Rf `find . -size 30c`
    5. Index the data with ht://Dig
    6. Lather, rinse repeat

More later…

Information Interchange, psycho stalkers and network suffrage

Tags: ,

Information Interchange

ldunbar, speaking as someone who is a master at Social Engineering (and some other skills not to be mentioned in a public forum ;-), I can say that this information can definately be used for maliscious purposes.

Let’s say for example, that I own a business and ship orders within 20 zipcodes locally to me (ground courier). I can whip up a script to pump their zipcode search engine daily with those known zip codes to see what customers are buying and at what frequency, and begin an advertising campaign to move those customers to using my services instead. I could also use that as a way to determine where my next new sattelite office should be located, based on who in the surrounding area codes is buying the highest volume of parts. Kudos to ucdweb.com for providing me with such a useful, public system for doing a demographic study for my business. Now I don’t have to hire anyone to do this for me. I could also drop a name into Four One One and get their address and telephone number. Call them on behalf of the shipper, request a work telephone and ‘best-time-to-deliver’, and use that as a means of exploiting the consumer (or rob their house)

I would use these examples when speaking to them again. They might have a change of face when they realize that they would be liable, and their records would be open to investigation if someone was murdered or something as a result of the information obtained from this type of “service“.

I was just reading a book by John Douglas called ‘Obsession; The Psyches of Killers, Rapists, and Stalkers‘ a week or two ago (mentioned in my diary here) and it details a few people who have gone to lengths like this to get information on people to exploit, torture, and murder them. One guy was stalking a female coworker in his office. He came in on the weekend, called “weekend” security and said he had forgotten his desk keys, and gave them the desk number. They gave him a new set, but didn’t realize he had given them the number to the locks on his target’s desk instead. He opened her desk, made an impression of her house keys, and made dupes. He would enter her house and leave or take things from the house, but she never knew. One day as tensions mounted, and she thwarted his advances, he left a copy of the key in an envelope under her windshield wipers. It got uglier from there, but I won’t go into the gory details here.

Never underestimate what people will do given access to information. The internet is making it easier for these things to happen, and become less and less traceable. A simple kiosk in an “Internet Cafe” can serve as a anonymous terminal to get information on anyone.

XML Tree Support?

To all the XML/XSLT gurus: Is there a tool out there which works under linux, either in a browser or standalone (even Java will do) which allows me to expand and collapse an XML document by branches, the way IE does it? I happened to stick my XML book’s cdrom into a spare Windows machine and go through the examples on it under Windows, and noticed that IE has a really nice method of displaying and manipulating the raw XML document with a nested tree view. I can collapse/expand any nodes at any level. It would be nice to have this in a linux flavor.

Advogato Search Engine

I’m not sure who mentioned it first, but the diary.xml function of Advogato is pretty nice. So here’s my idea, and others are welcome to pick at it. What if we grabbed all the diaries from the People section and indexed them by date and stuffed them in MySQL or ht://Dig so people could search on topics, keywords, or other criteria? lkcl, perhaps this would make a good addition to your new XMLvl site.

Anyone want to begin coding the beast?

Network Suffrage

I’m sure everybody has already seen, heard, or been a part of the noise regarding Andover.net being down a few times this month. VA is having financial troubles. All of this is sitting on VA-owned equipment and servers, AFAIK, and VA is supposed to stand up for the Linux community. SourceForge is supposed to be a service dedicated to helping developers in the open source community. OSDN is supposed to be a support network for these developers and services.

Tell me then, why is jobs.osdn.com running Microsoft IIS5 on Windows 2000?! (netcraft)

$ HEAD jobs.osdn.com
200 OK
Cache-Control: private
Connection: Keep-Alive
Date: Thu, 05 Jul 2001 21:23:47 GMT
Server: Microsoft-IIS/5.0
Content-Length: 26757
Content-Type: text/html
Client-Date: Thu, 05 Jul 2001 21:27:35 GMT
Client-Peer: 216.138.211.59:80
Set-Cookie: ASPSESSIONIDGGGQGNRK=MLAAGFMAHGGPCHLAGOLIFLMD;
path=/

My spoof domain, http://www.sourcefubar.net is now up and routing. I’m still working out some security issues, but it should go live soon.

The troubles with NSI continue. I have now faxed them copies of my license, my passport, initiated another printed request, this time on “company letterhead”, and made sure that the address of the domain owner (gnu-designs.com, Inc.) matches that on my CT license, my passport, and on the “company letterhead”. All four documents (passport, license, request, and company letterhead) include my title (CEO/Owner) and my signature, and all signatures match. There can be no confusion that this is indeed me. Next we resort to DNA and blood samples. I just want to point my domain to a new DNS!

/dev/null

I notice that my typing speed has increased (as have my errors), and my ability to “understand” problems and fix them is much faster than it was even a month ago. I think this has something to do with diet, and sleep. I’ll have to experiment a bit more with this. This is definately a place I’d like to remain. Find, analyze, fix, all in minutes. Success.

Does anyone find these two images a bit… scary? (remnants of the Nazi regeime where you were “encouraged” to turn in your neighbor):

Front of brochure for WindowsXP

Back of brochure for WindowsXP

Ok, back to this Embedded Linux Course. Almost done, only a few more days left to design and test the labs, and then I’m done.

Network Dissolutions, h4xx0ring and more!

Tags:

Sun Jul 1 01:01:14 PDT 2001

colorquiz.com

I can’t recall who had this linked in their diary recently, but the results for mine were somewhat scary.

“…Depleted vitality has created an intolerance for any further stimulation, or demands on his resources. This sense of powerlessness, combined with frustration that he cannot control events, subjects him to agitation, irritation, and acute distress. He tries to escape these by stubborn insistence on his own point of view, but the general condition of helplessness renders this often unsuccessful. Is therefore very sensitive to criticism and quick to take offense…”

I pointed it out to afew friends, and theirs were dead-on also. Scary how 8 colored blocks can determine so much about someone… if you believe such things.

Network Dissolutions
I highly recommend that anyone using href=”http://www.nsi.com”>Network Solutions get off of them as fast as possible. I’ve been trying for over 5 weeks to relocate the domains I own from a network in CT to a new network in CA. First, there is a bunch of incorrect information on my records, scattered all over the place.

One of my domains’ Administrative contact is DD989,while it’s supposed to be registered to my internic handle of DD989-ORG, (they dropped the -ORG from my entry).After three phone calls to them personally, I managed to get them to change my address and telephone number from the CT location to the CA location. I couldn’t do this via their “automated” email system after 52 failed emails (with NIC tracking numbers on each of them).

I then tried to remove this erroneous person from my record, and sent many more emails. I emailed Darin DeCuir at his given address (dead), and then did a Google search for his name, to find out if he had any other address I could use. I found one entry, and emailed him there. No response. I tried calling Kaiwan, and the numbers were turned off.

I then called Network Solutions back, and spent 75 minutes on the phone with one of their operators, who proceeded to do nothing more than send me a blank Service Template to fill out, which generated a volley of more failed “automated” emails. Another phone call the next day, 1:07 long, and the same results.

This operator was much more clueless than the first. I was irate. She insisted that I send a fax in, on “company letterhead” (which I have none, and do not intend to) and photocopies of my license. I asked to speak with a supervisor, since I had emails and phone calls going back 5 weeks, without a single change to any of my domains, accounts, or records. Unacceptable!. She proceeds to tell me that the supervisor is in a meeting.

I settle, frustrated, on that, and decide to comply and send them a fax. I faxed a new copy of the Service Template to them, signed, dated, with NIC tracking number on it, and included photocopies of my CT driver’s license and a photocopy of my passport. There was no doubting that the person whose name is all over the domain records, and the address of the registrar, my web company, is the same one which appears on both my passport and my license (and anyone who knows me personally knows how much I HATE having pictures of me floating around) I can literally count the number of pictures of me in existence on both of my hands.

I call them again to verify that changes I made to a domain in progress were indeed being made, and that my address on my own internic handle records was being updated. The (non-English-speaking) woman proceeds to tell me that I filled out all the wrong forms in my email requests. I explain to her that their staff needs more training, since the operator from the previous day was the one who showed me which forms to submit. I explain to her that I’m moving my domains from a network which has a DNS server, to a network without any local DNS. She proceeds to start talking to me in a condescending tone about how I can’t possibly have a website without having a dns, and how a host, website, and dns are all the same thing, and have to exist before I can have a domain.

Ahm, no. I explain to her again what I’m trying to achieve, and she comes back in her best 3rd-grade-schoolteacher voice telling me that I’m wrong, and I obviously don’t know how the internet works. “…the IP address is like a telephone number… ” After 2 full hours on the phone with her, frustrated, I simply hang up on her. (blood boiling)

The next day I call again to verify that they received the fax (this was Friday), and the operator (very helpful) indicates that they do, and proceeds to read off information ONLY shown on my passport. Great! He says it will take 24-48 hours to affect the changes. Perfect.

I then log into EasyDNS (thanks again go to rasmus for giving me the tip) and set up my domains to relocate to the new network. I pull all of the records, hosts, subdomains, etc. into there, and purchase a 25-domain block.

I call NSI again (Saturday) to see if my information has been updated, so I can make the final moves, and the operator this time says that they never received my fax, and that none of my information was updated at all, because I used the wrong templates. I inhale slowly, trying not to reach into the phone, and have her go over the process with me, which I verified was the right process. She then tracks back three identical requests in 3 consecutive days with 3 individual NIC tracking numbers, that I requested, responded, and confirmed the domain changes with their automated system, but their system ate the final responses, and never made the changes. She then proceeds to tell me that they have a NEW fax number for “expedited” requests to change my info, and if I fax them again, but this time on “company letterhead”, they can make the change in 24-48 hours instead of 3-5 business days.

After about an hour on the phone, and frustration mounting, I begin to boil.

This is unacceptable. I have NIC tracking numbers going back 5 weeks. You’ve already confirmed that your system is eating the responses. I’ve got over 50 emails here from your system, full of NIC tracking numbers, requesting changes, and NONE have been made. I’ve faxed you everything about me possible, to verify I am who I am. I want my domains moved, and I want this other person off my record, he is blocking my access to change my information on a domain I paid for. You are deliberately restricting my ability to run a business. I would like you to either change the information now, as I’ve requested, or give me a supervisor.”(puts me on hold for 7 minutes)

Sir, I’m sorry, but the supervisor is in a meeting right now but if…

(I cut her off)

Unacceptable! I called on Tuesday with the same request, and he was in a meeting then. No supervisor is in a meeting at 10:00AM on a Saturday morning. Either you get me a supervisor now, or you get me his manager. Pull him out of the meeting. I don’t care. This is unacceptable. You gave me the same excuse on Tuesday. I don’t want excuses, I want answers!

(automated voice)

We’re sorry, the line has been cut. Please try your call again later…

She hung up on me! (blood boiling)

I call back, get someone else after 37 minutes on hold waiting for someone to answer the line, and THIS person tells me she’s looking at the fax itself, and that it will take 3-5 business days to process. Why can she see the fax, but the previous operator 37 minutes previous, could not. Another volley of automated email, no changes made, and still I haven’t seen a single change to my domains, other than my contact information in my internic record has been updated.

The result is that I have less than one week to relocate my domains now, including the ones with incorrect information in them, and get a box built onto the new network. My current provider is cutting off the service. He emailed me asking me to call him, and specifically said not to email him back. I called him on his cell phone, left a message. I called him at home the next day, left a much longer message, describing the details of the changes I was making. No calls back yet. I’m getting very suspiscious.

h4xx0ring
This weekend has been quite busy, and it’s only 1/2 done. I’ve been hacking a ton of things. I was helping eriddle and another friend (separately) get cvs working, hack his sshd to function properly, get Sitescooper working for Brian (and give him the crash course in CPAN and building perl modules.

I managed to get annotation working with named anchors in ViewCVS. I’ve emailed gstein the patch I made. Simple 3-line patch, and now it looks like code2html‘s output, with numbered lines with links for each line. I can now email someone a direct link to a line in an annotated file. I’ve got quite a lot of customizations going into ViewCVS on my new site. Have to get ready for a huge launch. It’s going to be so much fun doing this!

I’m still muddling with getting my new apache build out the door for the new box. I need a server with mod_php, mod_perl, mod_python, mod_ssl (with certificates), and all the other goodies build as DSOs. Not an easy task. I’ve been tinkering a bit with ApacheToolbox, though the latest version is horribly broken. I spent more time patching bits and bobs here and there in the scripts and tarballs than I did letting this “automated” system build them for me. I did manage to get the following
working though:

[Sun Jul 1 00:35:27 2001] [notice] Apache/1.3.20 (Unix) mod_python/2.7.2 Python/2.0 PHP/4.0.6 mod_gzip/1.3.19.1a mod_perl/1.25 mod_ssl/2.8.4 OpenSSL/0.9.6a configured — resuming normal operations

There’s still a problem though. If I have mod_python loaded, the server segfaults. GAR! Still working on that one. Certificates are working, and all of the Rewrite rules are functional. I’ve been spending some time splitting off the larger chunks of httpd.conf into separate external files, so I can manage them easier (it also makes it easier when you have to disable ssl, for example, to comment out one include line, then to comment out 75 SSL defines and structures in the master httpd.conf file itself).

For those wanting manual instructions (HIGHLY recommended), there’s Apacompile.

I found this invaluable trying to figure out how to juggle the things that were always nearly impossible manually.

pilot-link.org is up.
{news|bugs|cvs|irc|www}.pilot-link.{org|com|net}
are all routed to the same box. Only the .org points to the old domain until we roll over to the new network. The same will go for all of the other sister and vanity domains held on the machine.No, the IRC services offered are not in any way going to be attached to, pointed to, or affiliated with the private services of OpenProjects, otherwise known as OPN. I will not confuse people by affiliating a
free, open, public service with a closed, private service such as OPN.

Lots of new stuff coming up for LWE. Surprises abound! Can’t say any more. My skills will be put to some of the ultimate tests with this design, development, and architecture and implementation. I like biting into stuff like this!

Went for my cardiologist-ordered chest Xray at Seton Medical Center on Friday afternoon. Will find out the results on Monday.

Ok, this isn’t hacking, but I haven’t had a haircut in over a year. Went from bald to… this… without a single cut. Stopped at the local (non-English-speaking) SuperCuts on Friday after my chest Xray, and got about an inch trimmed off. Much healthier now.

sshd, Sitescooper, CPAN, cvs

ViewCVS

Apache

Domain Hacking

Secret Project #209

Bones

Hair

Birthday’s coming up. I wonder if I can get this sleeve colored in before Mike kills himself on his bike.

What a Saturday! I wonder what’s in store for me tomorrow!

Lots of code and Canadian Cross Compilers

Tags:

Wed Jun 20 02:28:55 PDT 2001

Spent all day working on cross-compiler toolchain building on SunOS and Intel architectures, including Canadian Cross builds with gcc-3.0, binutils-2.11, and gdb-5.0 for both ARM and m68k and m68k-palmos architectures.

Documented as much as as I could take (22 pages of material). The Embedded Linux Course is going well, but I just wish I had more time to work on it, and some more bandwidth to get to the material. Dialup at 14.4k with a 56k modem really hurts.

Spent the rest of the day fighting with Mantis bugs, and going the very-painful path of upgrading from 0.14.18 to CVS HEAD. Made about 1,000 fixes to the code for both “prettiness” and consistency

Then I hit a dead stop. Fatal bugs aplenty. I’ve posted 7 critical/fatal bugs today with it (0000591 through 0000597 over here. I really like Mantis. I really like where it’s going. I don’t like having to hand-reinstall these dozens of parts every time I upgrade though. It was a toss-up between Mantis and RoundUp. I leaned towards Mantis only because my server can no longer take any more hits from static Python binaries running under httpd.

The rest of the bug tracking packages out there failed miserably (I tested at least a dozen, from JitterBug to Bugzilla, GNATS, Double Choco Latte, Tracker, and a few others. rasmus has one he uses on bugs.php.net, which was nice, but not quite as full-featured as Mantis). These two are clearly the most powerful I’ve seen.

My end-goal of course, is to provide a nice, integrated, robust, set of tools for the developers that use my hardware and my free public cvs and to increase the speed with which we can close bugs and continue writing productive code.

I picked up two good books the other day. The first one is by John Douglas called Obsession, and is full of case studies of profiled killers, rapists, stalkers, and their victims. I’m about 1/2 way through this one, and it’s only 2 days old. The human psyche and forensic pathology along with investigative detective-type work are beginning to pique my interest.

The second book I picked up was by Steven King, called Insomnia, and is about an older gentleman who loses his wife, and slowly begins losing sleep a little each day. He begins having “visions”, which he thinks are hallucinations… I’m about 3 chapters into this one already. So far, it’s pretty good.

02:30 PDT, time for food and one more deliverable tonight before I crash.
<selfless plug>cert me</selfless plug>

lkcl’s attempt at breaking Advogato

lkcl, your new site seemed to vomit all over itself when I cloned my advogato entry into it. You might want to check out what happened there, and delete my entry so I can recreate it, or just blank the textarea fields.

The Certification of Devon

deven, you’re welcome. I certified you, and that’s why you show up as Apprentice. It takes the certification of someone with enough valid certifications in order to change your certification. Please read up on the Certification Overview.

Bad Behavior has blocked 1345 access attempts in the last 7 days.