geek·er·y: Socially inept single-mindedness or accomplishment in scientific or technical pursuits. Posts in this category pertain to particularly geek-related topics such as WordPress upgrades, other blog-related software and plugins, software security/bugfixes, Microsoft vs. Apple vs. Linux, math, science, website updates, OpenID, etc.

WordPress 2.5

Filed in Web DevelopmentTags: Geekery, Web Site, WordPress

WordPress 2.5 has been released. I have installed it, and everything seems to be working fine - especially on the front end (though I'm still exploring the new admin interface).

Let me know if you notice any issues, and if you use WordPress, go install Version 2.5 now!

Linux Survives PWN 2 OWN Contest; Mac, Vista Fall – and What It Means For You

Filed in LinuxTags: Computers, Geekery, Windows

Head-to-head-to-head, Vista vs. MacOS vs. GNU/Linux in the PWN 2 OWN contest at CanSecWest 2008:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it...

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

...Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it.

The contest took place over three days, the challenge - and the cash prize - diminishing each day:

Day 1: March 26th: Remote pre-auth

All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps

The attack surfaces increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps

Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

All three laptops survived the first day, as none of the contestants attempted any hacks.

However, day two brought the first successful attack: the MacBook Air was compromised in a matter of minutes. The attack vector was the Safari web browser. The contestant instructed the MacBook Air user to navigate to a specially designed web page using Safari. The attack reportedly took less than two minutes:

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.

And finally, day three saw the second successful attack, as the Vista laptop was compromised. This time, the attack exploited a reportedly cross-platform vulnerability in Java:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

That means that in the end, only the GNU/Linux laptop (running Ubuntu) was left standing.

What is the moral of the story here? Well, in my opinion, there are two:

  1. Don't believe the Apple/Mac hype from Steve Jobs or his army of Apple fanboys. According to the two winning contestants, the Mac was the easiest of the three targets. Those who claim that Apple is inherently more secure have been proven to be making a baseless claim.
  2. More importantly, remember that the single, weakest link in security is the user (this means you). The successful attacks were accomplished by exploiting vulnerabilities not in the OSes themselves, but in standard-install and popular third-party apps (web browser, Java). A security-ignorant user can have his Mac box compromised, just as a security-aware user can safely use his Windows box.

So, as a user, what can you do to protect yourself? Many things - and these apply regardless of which Operating System you choose:

  1. Always operate behind a hardware firewall. Even if you only have one computer using your broadband internet connection, set it up behind a router. These devices are cheap (less than $100 for a wi-fi router, and $50 or less for an ethernet-only router), and provide the lion's share of protection you need for your computer.
  2. Never run as root (administrator). All operating systems have the ability to set up and use accounts with non-admin privileges. Linux and MacOS do so by default. Windows notoriously hasn't in the past, but one of the best changes in Vista - annoying though it may be - is the User Account Control, allowing a user to operate without admin rights, until explicitly elevated. If you are still using WinXP (or older), set up an account with admin privileges, but also an account without admin privileges. Use the non-admin account on a regular basis.
  3. Stay away from the internet's red-light district. While it is true that any web site can be hacked, most internet-based exploits are found on adult web sites, warez (software-pirating) web sites, and other "black-hat" (malicious computer hacking) web sites. Avoid them, and you will limit your exposure.
  4. Never, ever, open unsolicited email attachments. Surprisingly, email remains a viable attack vector, even though this basic rule has been preached for over a decade. If you receive an email attachment you didn't request or weren't otherwise expecting, do not open it. Period.
  5. Use web scripts judiciously. Use ActiveX even more suspiciously. Most browser-based attacks take advantage of JavaScript (cross-platform), the Java Runtime Environment (JRE, also cross-platform), or ActiveX (IE-, and thus, Windows-only). If you use Firefox, use the No Scripts plugin. If you use Internet Explorer, set ActiveX controls to require explicit authorization.
  6. Keep your third-party apps to a minimum. If you must use them, keep them updated. Another common attack vector is vulnerabilities discovered in third-party apps (e.g. QuickTime, Adobe Flash, Skype, etc.). If you don't need them, don't use them. Don't have them running by default. If you must have them, ensure that their browser plugins are configured not to launch/run automatically.

There is, as always, more (avoiding phishing, etc.); but the above list should provide the bulk of protection. Learn to modify your computer-use behavior, bearing in mind that you cannot place ultimate trust in your operating system to protect you.

Upgrade to WordPress 2.3.3

Filed in Web DevelopmentTags: Geekery, Web Site, WordPress

WordPress Version 2.3.3 has been released, and is an important security update.

Back in the Saddle

Filed in Web DevelopmentTags: Geekery, Web Site

Sorry for the interruption. I was implementing some internal changes on the web site. Everything should be working fine now, but if you notice anything amiss, please let me know!

WordPress 2.3.2

Filed in Web DevelopmentTags: Geekery, Web Site, WordPress

The latest version of WordPress - version 2.3.2 - has been released. It is mostly a security update. Get it while it's hot!

Edit: Make that Version 2.3.2, not 2.3.1 - it's late; I'm tired!

Unexpected Downtime

Filed in Web DevelopmentTags: Geekery, Web Site

Sorry for the absence the past few days. I hit a few snags upgrading to the latest version (2.3) of WordPress.

Everything should be working now; let me know if you run into anything amiss.

For Joshy: Top Ten+ Arithme”tricks”

Filed in PersonalTags: Education, Family, Geekery

For Joshy (and the rest of us, too): I'm sure you're working on your math tables, memorizing addition, subtraction, multiplication, and division of numbers from one through ten.

Do you need a shortcut for multiplying by four, five, nine, or eleven, or squaring two-digit numbers ending in five? How about subtracting a large number from 1,000? Well then, see this list of arithme[em]tricks[/em].

(H/T: Lifehacker)

Blog Updates: Comments and OpenID

Filed in Web DevelopmentTags: Geekery, Web Site

I would like to phase out my use of Haloscan for comment and trackback management. To that end, I have enabled commenting from within the blog, and have enabled trackback verification and CAPTCHA comment verification.

For those of you who leave comments, the comment verification is just a simple math equation, the answer to which must be entered in order to verify that you are human. It is one additional step, but unfortunately necessary in order to prevent comment spam. I have also enabled comment moderation, meaning that the first time you post a comment, it will have to be approved before is appears. Once you have had a comment approved, future comments will not require approval.

Also, for this and all future posts, I am requesting that all comments be made using the comment form for each post, rather than using the Haloscan link.

If you don't know what a trackback is or how to use one, you won't need to worry about trackback verification. For those of you who do use trackbacks, the verification will simply require that you link from a valid web site with a reciprocal link to the post to which you are sending the trackback.

Finally, I have implemented this plugin, to allow comments via OpenID identity authentication. I will follow up with a later post, detailing what OpenID is, and why you should use it (and not just for my blog).

OpenID will likely become my preferred identity authentication method, so I encourage anyone who comments to look into it.

WordPress 2.2.1 Upgrade

Filed in Web DevelopmentTags: Geekery, Web Site, WordPress

Pardon any dust you may encounter. WordPress 2.2.1 was released, and I am in the midst of upgrading.

UPDATE: The upgrade is complete. Let me know if you notice anything amiss.

Daylight Saving Time: the 2007 Y2K

Filed in MiscellaneousTags: Geekery, Technology

As far as tech nightmares go, this one might be worse than Y2K.

The US Congress changed the rules for Daylight Saving Time, starting in 2007. This year, rather than spring forward the first Sunday of April and fall back the last Sunday in October, DST will begin on the second Sunday of March, and end the first Sunday of November.

Growing up in the then-non-DST-observing Indiana, I still find the whole DST process foreign enough that I don't have a set routine. So for me, I make the change when I'm told, and move on. However, many of today's advanced consumer electronics have programmed algorithms for DST - and reprogramming these devices might be impossible, potentially requiring manual changes four times a year. Worse, as with Y2K, legacy computer systems and software may not account for the new changes properly, leading to potential - and unknown - consequences.

Microsoft has established a help center to deal with the change as it impacts their products.