
Well, not exactly.  But there is free storage.

Google will bump up your normal 15G that’s available with a Google account, adding two gig if you complete their Security Checkup by Tuesday, Feb 17, 2015.  If you use Google services (anything more than the search engine), this is a good thing.

First, you are protecting your online identity.  Not everything you do – this won’t help with last week’s Anthem breach or next week’s breach at a bank or a retailer.  This will help your Google identity stay secure.  The checkup is quick and easy.  You get to see which devices are tied to your Google ID (think Gmail address).  I detached an old cell phone, just to keep tidy.  You get to see what services have access to your information, and I knocked off one or two there.  You get to check where you last logged in to your account from, physically and from what device.  If you live in Nebraska and don’t have a cell phone, then an Android login from Nigeria is probably cause for alarm.

Second, you are picking up another 2 gigabytes of space on Google Drive, which is shared with Gmail and Picasa and available for whatever suits your fancy.  You can put a lot of stuff in 2G – a couple thousand pictures, or five hundred songs, or about three movies, or squillions of emails.  Use it as you wish.

Finally, there is the increased sense of awareness that this brings.  As you are doing the checkup, you start thinking about the ways that the bad guys could use something useful, like your Google account.  I understand that Google is an ad sales company more than they are a search engine.  I know that they read my email (they store it, so they have to be able to read it).  I also enjoy the support I get from an ecosystem of digital services, and I’m willing to make the privacy trade-off with Google to get the benefit of all the Google products.  Knowing search terms and browser history across machines is cool.  Something like WordLens

[Image: WordLens demo (WordLensDemo5Feb2012)]

is completely mindblowing when you see it running on your own phone instead of on somebody else’s video.

So I think Google is pretty cool (even inventing and making available the Go language).  I want to protect my investment with them, and to encourage others to do the same.

Regardless of your motivation – greed, higher purposes, or a utilitarian view of protecting your investment, do the Google security checkup.  You’ll thank me later.

First, I want to differentiate between hacking (seeing how something works) and cracking (doing the same thing for malicious reasons).  There can be a fuzzy line between the two.  I want to stay clearly on the good side.

As an example, I once broke into a government computer, getting root access and changing the root password.  It was by their own request – the only operator had died suddenly, and the family threw out all the documentation he had at home.  The government organization contacted the company I worked for at the time, and I got to break in, and to turn the results over to the proper authorities.  As I look back, this was almost an amplified pen test. (They failed, which was good in this case.)

That’s the good side.  Here’s a bad side (that I chose not to do): I wear a Fitbit tracking device, which counts the steps I take.  Their daily goal is ten thousand steps.  My cardiologist is happy with five thousand, which I normally achieve.  When I got the device, I started looking for ways to hack it.  I’m inquisitive; that’s what I do and how I think.  I found a video where somebody hooked their Fitbit up to a hair trimmer so the device would record two steps a second.  All interesting, until you add in that my company rewards me monetarily for achieving steps.  That turns a cute prank (“Look – a hundred thousand steps today!”) into theft.  That’s wrong.

There’s nothing wrong with giving your cat a Fitbit – just don’t use that one to get points.

With that background, here’s how to do a little white-hat hacking on mysql.

We had to make major changes to the database supporting an application.  The developer was long gone, and nobody had the password to the database.  We really didn’t want to reverse engineer the whole DB and then test to see if it works – that is the wrong way to spend a couple of weeks.

(aside: my favorite search tool is Google.  Bing just doesn’t cut it, though I like their image search better – I can specify what license I want the picture to have)

Googling the question led to a long list of mis-hits, and then this winner, in a reply to a longer and more complicated method.  If you’re on the machine and have root access, the anonymous tipster says that

cat /root/.mysql_history|more

is “very informative”.  Which is an understatement – the password is up at the top of the file.

Thanks, Mr. Anonymous.  You helped save the day – and contributed a tool to my hacking toolbox.

Footnote: yes, the commands

more /root/.mysql_history

or even

head /root/.mysql_history

are shorter.  This isn’t a code golf contest.  The value is in knowing where to look, not how to look.
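A defender’s follow-up to that tip, added here as an example and not part of the original post: a small POSIX shell script that audits a mysql client history file for credential-bearing statements, prints them with the secrets masked, and then retires the file by pointing it at /dev/null, which is what exporting MYSQL_HISTFILE=/dev/null in a user’s profile achieves for future sessions.  Older mysql clients wrote spaces into the history file as \040, so the pattern accepts either form.  The history file, its contents and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a mysql client history
# file for statements that carry a credential, report them with the secrets
# masked, and retire the file.  Names and sample data are constructed.

# Extended regex for credential-bearing statements.  Older mysql clients
# escaped spaces in ~/.mysql_history as \040, so both forms are accepted.
CRED_RE='identified(\\040|[[:space:]])+by|set(\\040|[[:space:]])+password|password[[:space:]]*\('

# Write a constructed history file (three of the six lines carry a secret).
write_sample_history() {
    cat > "$1" <<'EOF'
CREATE USER 'app'@'localhost' IDENTIFIED BY 'constructed-pw-1';
GRANT ALL ON appdb.* TO 'app'@'localhost';
SELECT COUNT(*) FROM orders;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('constructed-pw-2');
SHOW TABLES;
ALTER\040USER\040'app'@'localhost'\040IDENTIFIED\040BY\040'constructed-pw-3';
EOF
}

# Print how many lines of the history file match CRED_RE (0 if none).
count_credential_lines() {
    grep -ciE "$CRED_RE" "$1" || true
}

# Print the matching lines with line numbers, every quoted string masked,
# so the report itself does not become a second copy of the password.
report_credential_lines() {
    grep -niE "$CRED_RE" "$1" | sed "s/'[^']*'/'****'/g"
}

# Replace the history file with a symlink to /dev/null: the client keeps
# "writing" history and nothing is kept.  Equivalent, for future sessions,
# to exporting MYSQL_HISTFILE=/dev/null in the user's shell profile.
disable_mysql_history() {
    rm -f -- "$1"
    ln -s /dev/null "$1"
}

# Succeed only if the history file is a symlink that points at /dev/null.
history_is_disabled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Demo run in a temporary directory; a real audit would pass
# /root/.mysql_history and every other user's ~/.mysql_history.
DEMO_DIR=$(mktemp -d)
DEMO_HIST="$DEMO_DIR/.mysql_history"
write_sample_history "$DEMO_HIST"
echo "credential-bearing lines: $(count_credential_lines "$DEMO_HIST")"
report_credential_lines "$DEMO_HIST"
disable_mysql_history "$DEMO_HIST"
history_is_disabled "$DEMO_HIST" && echo "history now goes to /dev/null"
rm -rf -- "$DEMO_DIR"
```

Newer mysql clients also have a --histignore option whose default skips statements containing IDENTIFIED or PASSWORD, but a history file written by an older client, like the one in the story, still needs the audit above.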

I am an extremist.  I read Linux Journal, and the readers of that magazine have been labeled by the NSA as extremists.  And not only am I a reader, I subscribe to the magazine.  I’m paying to support extremism!

So, since I have been granted the label, I may as well put the tattoo on my blog.

[Image: Linux Journal “Extremist” stamp (LJ-Extremist-black-stamp)]

My esteemed technical cohort Dave Farquhar also has some wise words on the subject.

HP did a booboo, and left an admin ID in one of its systems.  Shame on HP.

Then they didn’t respond to the white hat guy who found it and tried to tell them.  So he went public.

Going public with these findings, after giving the company time to respond and fix them, is a good thing.  Three weeks might be fast – companies are not as nimble as individuals.

What I find interesting is that the researcher hinted at the password without providing it.  He gave the hash of it – the one-way hash that gets stored in place of the password itself.  So the technically curious (including me) wanted to find out what this 7-character password is.  There are sites that work backward from the hash to the password – not by undoing the math, but by using rainbow tables or similar precomputed lookups of the one-way translation, so they can do the reverse search.

So I found out what the password was.  Nothing significant to me, nothing obscene, nothing outstanding – just a simple, slightly obfuscated password.

The part I find most interesting is the level of interest in the hash.  I’m seeing an awful lot of that 4c50 listed.  If I owned the system that HP sold, I’d be shaking in my boots right about now.  Even non-malicious hackers will want to get in and look around, and some of them will accidentally change something.

[Image: Last20hashes]
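To show what those lookup sites do, and why an unsalted 7-character password is no match for them, here is an added shell example that is not from the original post.  The hash function in the HP story is not stated on the page; SHA-256 and the tiny wordlist below are constructed for the demo, and the function names are my own.  It builds a precomputed hash-to-password table from the wordlist, looks a hash up in it, and then shows that the same password hashed with a salt is absent from the table, which is the defender’s reason for salting (and for using a slow, purpose-built password hash instead of a fast general one).

```shell
#!/bin/sh
# Added example (not from the original post): what a hash-lookup site does,
# and why a salt defeats it.  Hash choice (SHA-256) and wordlist are
# constructed for the demo; the hash used in the HP story is not on the page.

# Hex SHA-256 of a string, with a fallback for systems lacking sha256sum.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{print $1}'
    else
        printf '%s' "$1" | shasum -a 256 | awk '{print $1}'
    fi
}

# Salted variant ($1 = salt, $2 = password).  The salt is stored beside the
# hash, so it is no secret, but a table built from unsalted hashes has no
# entry for this value and would have to be rebuilt per salt.
salted_hash() {
    hash_of "$1$2"
}

# A small constructed wordlist standing in for the lists lookup sites use.
write_sample_wordlist() {
    cat > "$1" <<'EOF'
letmein
pa55w0rd
qwerty1
s3cr3t!
EOF
}

# Precompute "hash password" lines: the lookup table.  Built once, reused
# for every hash that is later submitted.
build_lookup_table() {
    while IFS= read -r word; do
        printf '%s %s\n' "$(hash_of "$word")" "$word"
    done < "$1" > "$2"
}

# Print the password for a hash if it is in the table; exit 1 otherwise.
lookup_hash() {
    awk -v h="$1" '$1 == h { print $2; found = 1 } END { exit !found }' "$2"
}

# Demo
DEMO_DIR=$(mktemp -d)
write_sample_wordlist "$DEMO_DIR/words"
build_lookup_table "$DEMO_DIR/words" "$DEMO_DIR/table"

TARGET=$(hash_of 'qwerty1')              # the kind of value a researcher might post
echo "unsalted: $(lookup_hash "$TARGET" "$DEMO_DIR/table" || echo '<not in table>')"

SALT='4f2a'                              # constructed; real salts are random and longer
SALTED=$(salted_hash "$SALT" 'qwerty1')
echo "salted:   $(lookup_hash "$SALTED" "$DEMO_DIR/table" || echo '<not in table>')"
rm -rf -- "$DEMO_DIR"
```

The first lookup comes back with the password immediately, because the table was built before the hash was ever seen; the second comes back empty, even though the password is the same, because the salt changed the input to the hash.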

Occasionally I get forwarded email.  Not just the junk that some people pass around, and not even the good stuff that people pass around.  This tends to be a legitimate forward of information I want or need, coming from people who are a bit technically challenged.  I can tell this because I can’t immediately see the forwarded email – it comes in as a text attachment.

[Image: eml-1, the forwarded message arriving as a text attachment]

Inside, it looks messy  (yes, names, addresses, and IPs have been munged).


I go through my Gmail spam every so often.  Google is pretty good at parsing what is junk and what is good, but they aren’t perfect.  So I look in the spam bucket and clean it out occasionally.

Tonight I found a subject line that made me laugh.

[Image: the spam subject line (sails)]

Now my new friend Greg ought to know that I don’t live near navigable water.  I’m not a boater.  I don’t need 52% more surface area in my sails.

But boy, that Greg sure knows how to make it easy to put up a blog entry.

Thanks, Greg.

Sometimes you hear an echo, your own words coming back to you.

Sometimes the echo is a bit distorted, not exactly what you said.

Sometimes it’s coming from someone else, and is malicious.


I’m staying away from politics for a while – I find that I get bothered easily.  So here’s something from the real world that bothers me.

I’m part of a FreeCycle group.  People post to the newsgroup when they have something they don’t want anymore, rather than pitching it.  I’ve seen everything from egg cartons to projection TVs.  People can also post with wants – a family gets burned out and needs new furniture.  A kid wants a particular doodad for a school project (the last one I saw was for hearing aids).  Lots of people offer excess plants.  We have been the beneficiary of multiple things, never posted a want, and have supplied at least one person’s want.

This want was astounding.

WANTED: Laser for a 40 caliber handgun

Thu Jan 24, 2013 8:42 am (PST) . Posted by: (redacted)

Springfield 40 caliber hand gun, I read it is attached to the barrel rod? Need it for training.

Well, then.  That makes sense. This person has applied for a job somewhere and wants someone else to donate a $350 piece of hardware.  If the donor has it, they bought it on purpose – this isn’t a plant that self-propagates or an egg carton that has outlived its usefulness.

Earlier this year, when we were cleaning out our shed, we came up with a bicycle, an electric mower, and a metal cart that we didn’t want/need anymore.  We took them down to the street, taped FREE signs to each of them, and let the market work.  We were gone that Saturday, and when we got back, the items were gone.  Somebody benefited from our generosity.

But begging for a $350 specialized piece of equipment?  Naah.

Another aspect: if they need this for their job, it’s part of job start-up costs.  Count that in when you apply.  At my old job, I needed a piece of software so that everyone could upgrade their software easily.  I wrote up the business case and we purchased a worldwide license for Beyond Compare.  I switched jobs, but the software didn’t.  Last month I bought my own copy (personal) for my workplace.  I can use it, work and home, forever.  I bought it, and I plan on using it at my current job for the rest of my work life.  My employer didn’t owe it to me.  The world didn’t owe it to me.  I wanted it, and I bought it.

And I’m staying away from politics.

Note: details of the want ad are munged for privacy.

I like computers, and I like my new job.  It’s not so new, I guess, since I have been there over five months.  I still like it.

I get to dig down deeper into applications and computer systems than I did before.  I get messy (metaphorically) working on all sorts of different things.  At times, when the solution doesn’t present itself quickly enough, you have to dig a little bit.  Go down beneath the shiny GUI, past the middleware, and get down into the guts of the thing.

If you have used the internet (you know, like maybe for reading this blog post), you have used Unix/Linux boxes along the way.  It may be directly (yes, your Android phone is running a version of Linux), indirectly (most web servers run Apache, probably on Linux), or in desperation to resolve a problem.

One of the places where Linux differs from Windows is in its use of the command line instead of Windows, Icons, Mice, and Pointers (WIMP – an acronym chosen by the Linux folks, I’m sure).  As you may have seen in the desperation link, disk drives get mounted – they aren’t just there.  Windows probably does something similar, but it is hidden in another layer you don’t usually see.

A news article reminded me of all this recently.  Iran test-fired a rocket containing a monkey, which supposedly came down safely.  The news story contains an explanation of why they showed pictures of two monkeys when there was only one in the rocket.

[Image: scratch_monkey]

I have my doubts about the well-being of the monkey on the rocket.  I hope Iran learned from the failure of others and mounted a scratch monkey.

I don’t know why this guy calls himself daft – he’s pretty brainy and rational, if you ask me.

He appears to be unnamed.  He is not untalented.  I used his altitude finder for Google Maps to locate how far up and down I had walked on Saturday.  Google maps doesn’t offer terrain maps – that option (which I have used before) is grayed out.

So cheers to Mr. Daft – long may his applications run!