Beansec 08 08

The August 08 Beansec was a great success! We filled the entire club with people till well past 10pm. A special thanks goes out to Zach Lanier and Dan O’Neill who picked up the tab for drinks and food in Hoff’s absence. If you see them online or in person make sure you say “thanks” too!

Beansec August 08

MBTA security fail

In light of the events of last week I couldn’t help but be amused by this dialog box floating on a turnstile display in the Central Square T stop.

EDIT: my cell phone camera takes lousy pictures. The text reads:
Program: D:/FOAAA/
File: sprintf.c
Line: 94


Security or convenience: Apple chooses poorly

My PowerBook is in the third year of its life and as such has begun falling apart on a regular basis. I’ve had the laptop in for repair at least five times this year alone. Every time I bring my laptop in, Apple employees ask me the same question.

“What is your administrator password?”

The first time I heard this question I thought he was joking. Apple is not kidding. They have offered every excuse imaginable for this practice but none have come close to convincing me to hand over my password. Sometimes the technicians would even try to intimidate me by saying that they might not be able to continue the repair if I refuse. One technician even tried to charge me an additional $100 for the installation of OS X for failing to divulge my password. The claim was that he had to perform additional work since I refused to cooperate.

This is official Apple policy and it needs to stop.

Consumers should *never* be asked for their passwords. It is a practice that defies logic to anyone who is trained in security. Given the state of the art in live OS distros there is absolutely no reason that Apple should ever need access to consumers’ files for hardware repairs anyway. It isn’t as if technicians haven’t been caught pilfering files from users in the past.

When bringing Apple computers in for repairs users should do the following until this is resolved:

1) Create a clone of the boot drive
2) Secure erase the contents of the drive
3) Install a fresh copy of the OS
4) Reimage the drive once you receive your computer back

This adds all kinds of time overhead to a process which already sets the consumer back, yet Apple still believes this is a valid way to treat its customers.

Unrescuable ruby error

I’ve been working on some DNS resolution code for a while now. It is multithreaded using EventMachine. The resolution code is wrapped in a begin/rescue block, yet it still errors out occasionally with the following error that I have never been able to rescue.
/usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:147:in `select': time interval must be positive (ArgumentError)
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:147:in `do_select'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:62:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:61:in `initialize'
from /usr/lib/ruby/1.8/thread.rb:135:in `synchronize'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:48:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/inflector.rb:257:in `new'
from /usr/lib/ruby/1.8/singleton.rb:95:in `instance'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/Resolver.rb:806:in `send_async'
... 11 levels...
from ./stats_common.rb:66:in `resolve_block'
from ./stats_common.rb:64:in `resolve_block'
from ./resolve_urls.rb:16:in `resolve_urls'
from stats_engine.rb:44
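Why a begin/rescue around the resolution call can never catch this, as an added example that is not code from the post: assuming the error is raised on a worker thread that dnsruby spawns (the select_thread file name and the `initialize`/`synchronize` frames in the trace suggest this), the exception belongs to that thread and only reaches another thread through Thread#join or Thread#value. The failing_worker and rescue_* functions below are constructed for illustration.

```ruby
# Added example, not code from the post. Demonstrates why a begin/rescue in
# the calling thread never sees an exception raised inside a worker thread.
# The constructed failure is IO.select with a negative timeout, which raises
# ArgumentError (the same class as in the post's trace; the message wording
# differs between Ruby versions).

# Silence the "terminated with exception" notice on Ruby >= 2.4 so the
# demonstration output stays readable; it does not change the behaviour.
Thread.report_on_exception = false if Thread.respond_to?(:report_on_exception=)

def failing_worker
  Thread.new { IO.select(nil, nil, nil, -1) }  # raises ArgumentError inside the worker
end

# Mirrors the post: the spawning call is wrapped in begin/rescue. The worker
# dies, but the exception belongs to the worker, so this rescue is never entered.
def rescue_around_spawn
  begin
    worker = failing_worker
    sleep 0.01 while worker.alive?
    # Thread#status is nil for a thread that terminated with an exception.
    worker.status.nil? ? :worker_died_unrescued : :worker_ok
  rescue ArgumentError
    :rescued
  end
end

# Thread#join (or #value) re-raises the worker's exception in the joining
# thread; only then can a rescue in this thread catch it.
def rescue_around_join
  worker = failing_worker
  begin
    worker.join
    :not_rescued
  rescue ArgumentError => e
    "rescued: #{e.class}"
  end
end

# Rescuing inside the worker's block catches the error where it is raised,
# which is the only option when nobody ever joins the worker.
def rescue_inside_worker
  worker = Thread.new do
    begin
      IO.select(nil, nil, nil, -1)
    rescue ArgumentError => e
      e.class.name
    end
  end
  worker.value
end
```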

Domestic Terrorism Definition

I hope this purported FBI flyer is a fake. I hope that the FBI doesn’t actually define domestic terrorism as:

groups or individuals operating entirely inside the US attempting to influence the US government or population to effect political or social change by engaging in criminal activity.

My understanding of what made terrorists a special class of criminal was that they used violent tactics and had no regard for civilian casualties. It seems wrong that non-violent attempts to influence the government are considered domestic terrorism, even if they are criminal.

For instance, wouldn’t lobbyists who crossed the line be considered domestic terrorists? Their very job description is to influence the government. If they bribe a congressman, can we detain them for terrorism now?

EDIT: I’m pretty sure this is a hoax now. The definitions I’m finding online for domestic terrorist all include the use of violence.


Domestic terrorism is the unlawful use, or threatened use, of force or violence by a group or individual based and operating entirely within the United States, Puerto Rico, or other US territories without foreign direction committed against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof in furtherance of political or social objectives.

The never ending robots.txt

While looking over logs for a server of mine I decided to write some code that would help me deter someone sniffing my server for weaknesses. The first thing I decided to write was a robots.txt file that had a few different qualities.
1) It would never end
2) It would not bog down the CPU
3) It would not repeat
4) It would be a valid robots.txt file

At the time I was using PHP for another project and so it was already configured on my server. I reused a password generation function and stuck it in a time delayed infinite loop. Then I changed the .txt handler on the server to be PHP.

<?php
@header("Content-Type: text/plain");
@header("Pragma: no-cache");
@header("Expires: 0");
$standardStatement = "User-agent: *\n";
print $standardStatement;

// Build a random path segment. The original's $chars{...} offset syntax was
// removed in PHP 8, so index with [] and draw from the whole alphabet rather
// than the first 39 characters only.
function randpass($length = 12) {
    $chars = "1234567890abcdefGHIJKLMNOPQRSTUVWxyzABCDEFghijklmnopqrstuvwXYZ";
    $thepass = '';
    for ($i = 0; $i < $length; $i++) {
        $thepass .= $chars[mt_rand(0, strlen($chars) - 1)];
    }
    return $thepass;
}

// Time-delayed infinite loop: emit one Disallow line per second, flushing
// each one so the response stays open without pegging the CPU.
set_time_limit(0);
while (true) {
    $newpath = randpass();
    print "Disallow: /$newpath\n";
    flush();
    sleep(1);
}

MIT students sued by MBTA over research

Three students have been sued by the MBTA over research that was to be presented at Defcon this weekend. The complaint by the MBTA lists over seven (7) counts for damages, including “affect[ing] a computer system used by the government entity for national security purposes”.
What is unclear is whether or not the researchers provided, or attempted to provide, the MBTA with access to the research first. According to the article at The Register they did. The complaint alleges otherwise.

One of the more amusing parts of the complaint is (61) where the MBTA says that Ron Rivest (a professor of these students) and the undergrads are bound by the MITnet Terms of Service and those apply to “key systems in the Commonwealth, such as the MBTA computerized Fare Media systems.”

More on this to come.


Use of application “Scrabulous” has been restricted

We’re sorry, but this application is not available to you. Please visit the Application Directory to find other applications.

Granted Wish: Traceroute pickling in scapy

A friend of mine sent in a script that worked for him.

#!/usr/bin/env python

import scapy, pickle

# pickler: run the traceroute and write the result object to disk
tr, un = scapy.traceroute([""])      # target host list left as in the original script
f = open("/tmp/pickle-out", "w")
p = pickle.Pickler(f)
p.dump(tr)                           # the original never called dump(), so nothing was written
f.close()

# unpickler: read the object back and display it
f = open("/tmp/pickle-out", "r")
u = pickle.Unpickler(f)
tr = u.load()
f.close()
print " Original tr:----------------------------"
tr.show()

I still couldn’t get this to work on my Ubuntu box. However, in a later chat with my colleague Elphine I found out that Ubuntu had its own package for scapy. So I used apt-get to install scapy and this time it DID work. This is great since now I can start sticking objects into a database and move on to the next task of combining arbitrary traceroutes for the purposes of making graphs. I’m still curious why this didn’t work when I simply downloaded the code and executed it. Once I get some working code I’ll post it here.