Showing posts with label security. Show all posts

October 24, 2010

Fear and Loathing

Glenn Greenwald has another winner, this time over the firing of Juan Williams after his "I's afraid of Muslins!" kerfuffle. His article is great at describing the general trend of fear and loathing in America:


To start with, as a general proposition, it's vital that the American citizenry always be frightened of some external (and relatedly internal) threat. Nothing is easier, or more common, or more valuable, than inducing people to believe that one discrete minority group is filled with unique Evil, poses some serious menace to their Safety, and must be stopped at all costs. The more foreign-seeming that group is, the easier it is to sustain the propaganda campaign of fear. [...]

"The Muslims" are currently the premier, featured threat which serves that purpose, following in the footsteps of the American-Japanese, the Communists, the Welfare-Stealing Racial Minorities, the Gays, and the Illegal Immigrants. Many of those same groups still serve this purpose, but their scariness loses its luster after decades of exploitation and periodically must be replaced by new ones.


The terrorists have won, guys. They flew a few planes, destroyed some buildings, killed a couple thousand people. It was our idiotic scared reactions which drove us to record deficits, torture, fewer civil liberties, a surveillance state, and participation in the two longest foreign wars in US history, which killed more of our people than the planes did (not to mention Iraqis/Afghans). And we're still scared.

It's simple advice, sadly still relevant: Refuse to be terrorized. Stop playing into their hands and for Baal's sake, grow up.

----

On the theme of cultural Paul-is-grouchy, Dan Savage has an exchange, followed by another, from Good Christians who wish he'd just stop being so mean! He (rightly) tells them to shut up and wake up:


I'm sorry your feelings were hurt by my comments.

No, wait. I'm not. Gay kids are dying. So let's try to keep things in perspective: fuck your feelings.

A question: do you support atheist marriage? Interfaith marriage? Divorce and remarriage? All legal, of course, and there's no Christian movement to deny marriage rights to atheists or people marrying outside their respective faiths or to people divorcing and remarrying. Why the hell not? [...]

The children of people who see gay people as sinful or damaged or disordered and unworthy of full civil equality—even if those people strive to express their bigotry in the politest possible way (at least when they happen to be addressing a gay person)—learn to see gay people as sinful, damaged, disordered, and unworthy. And while there may not be any gay adults or couples where you live, or at your church, or at your workplace, I promise you that there are gay and lesbian children in your schools. You may only attack gays and lesbians at the ballot box, nice and impersonally, but your children have the option of attacking actual real gays and lesbians, in person, in real time.

Real gay and lesbian children. Not political abstractions, not "sinners." Real gay and lesbian children.


It's required reading. As someone who also doesn't keep silent on the horrors of irrational thinking (usually religious or religiously motivated), I too tire of the "stop being so mean, Paul!" line. Really guys, all I do is report the news. If you aren't completely outraged, you aren't paying attention. And any offended religious folk should probably be pointing their ire elsewhere, since I'm normally reacting to egregious events. The "don't be offended at me" angle was the genius of this song:





While not religious, also relevant:



I know we all want to be friends and not have anybody's feelings hurt, but kids, some shit is just stupid. And I'll call it that.

October 8, 2010

Off to Istanbul!

I'm off next week to visit Madly Brilliant in her current home of Istanbul, Turkey. She's abroad for the first time, spending 5-ish months as a lab tech, so my visit bisects hers. Mad props to Adobe for letting me do this ^_^

(by the way, we just released the AIR Runtime for Android! Download it onto your phone now, and enjoy mobile AIR apps ^_^)

Of course, I'm visiting during a terror warning. Surprisingly, I'll describe my reaction with a meme:



Bruce Schneier (from 2004!) and Slate highlight why this is so.

Also, the last show I sound designed at pw used Fly Me To The Moon as a recurring musical motif. So when I heard this, at first I was like "Hmm..." but then started grooving contentedly:



I have a very colorful, mixed relationship to the theatre that produced the show (I was on the board). Still, they have a wonderful little wiki where I made and defaced a profile page.

Away I go!

February 22, 2010

m4d H4X

For two years I was a UTA for our department's Introduction to Security course, and my roommate is the current Head TA. So when a friend was looking for someone to perform a security audit on his web application, he called my roommate, who called me in as his surgeon's assistant. Here's what we found:

Dictionary Attack


Anytime you have a problem in computing, there's always a 'dumb way to do it,' which normally involves checking every possibility. Remember being a kid and asking someone to guess your birthday? The first thing they ask is 'What month is it in?' Suppose you say 'August.'

A dictionary attack is the kid who closes his eyes and says "August 1st August 2nd August 3rd August 4th August 5th..." (and ruins the game).

The idea is this: if you want to guess someone's password, try every value it could be. You do this by trying to log in as them with every password, and you stop when one of them works.

Sounds dumb? It is, but never underestimate a fast, dumb computer. After all, it worked against Twitter.

The attack is called a dictionary attack because the idea is that you try someone's e-mail address with every word in the dictionary. A simple dictionary (one I used for this) consists of the 500 most common passwords, a couple hundred first names, and an actual dictionary (the puzzle links to a text file). Since most people use real words as their passwords, there's a good chance you'll stumble upon the correct one.

To stop this, you have a few options:

  • Create a delay after some failed attempts, and report the behavior to an admin. So if someone messes up their password 3 times, make them wait 15 minutes. Another 3, make them wait an hour, etc. This slows down your opponent, and makes you aware of suspicious activity.

  • Demand strong passwords. We all get annoyed having to mix numbers and letters (one of the most common passwords is 'password1', the most common is '123456'), but it helps your security, since you won't find 'h4ll0MRP3ANut' in a dictionary.

  • Keep track of your requests, and stop trolls. This is the same tactic you'd use against a DoS: keep track of where people are logging in from. If you have 100 failed logins in 1 minute from IP address 113.154.2.110, stop letting them try to connect (again, at least for a day or two).
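Here is an added example (my own, not code from the original post or from the application we audited) that puts all three defenses above into one Ruby login gate: a strong-password rule checked against a dictionary, an escalating lockout after every third failure (15 minutes, then an hour, then a day) that also records an admin alert, and a per-address counter that blocks an IP after 100 failures in a minute. The dictionary is a constructed ten-word stand-in for the real lists, and `LoginGate`, `strong_password?` and the SHA-256 credential store are all hypothetical. The password check goes a little beyond the text: it also strips a trailing number and undoes the usual leet swaps before looking the word up, because 'password1' and 'p4ssword' are exactly what a dictionary attack tries next.

```ruby
require 'set'
require 'digest'

# Constructed mini dictionary (hypothetical): a few common passwords and first
# names standing in for the 500-most-common list plus a real word list.
COMMON_WORDS = Set.new(%w[123456 password password1 qwerty letmein monkey
                          alice bob charlie dave]).freeze

# Strong-password rule: at least 10 characters, mixes letters and digits, and
# is not a dictionary word once a trailing number and simple leet swaps
# (0->o, 1->l, 3->e, 4->a) are undone.
def strong_password?(pw)
  return false if pw.length < 10
  base = pw.downcase.sub(/\d+\z/, '').tr('0134', 'olea')
  return false if COMMON_WORDS.include?(pw.downcase) || COMMON_WORDS.include?(base)
  pw.match?(/\d/) && pw.match?(/[A-Za-z]/)
end

class LoginGate
  # Escalating lockout after every third failure: 15 min, then 1 h, then 1 day.
  LOCKOUT_STEPS = [15 * 60, 60 * 60, 24 * 60 * 60].freeze
  IP_FAIL_LIMIT = 100            # failed logins per window from one address
  IP_WINDOW     = 60             # seconds
  IP_BLOCK_FOR  = 2 * 24 * 60 * 60

  attr_reader :alerts

  # credentials: user => SHA-256 hex of the password (demo only; a real app
  # stores bcrypt/argon2 hashes so that offline guessing is slow as well).
  def initialize(credentials)
    @credentials = credentials
    @failures = Hash.new(0)                        # user => consecutive failures
    @locked_until = {}                             # user => epoch seconds
    @ip_failures = Hash.new { |h, k| h[k] = [] }   # ip => failure timestamps
    @ip_blocked_until = {}
    @alerts = []                                   # messages that would go to an admin
  end

  # Returns :ok, :locked, :blocked_ip or :bad_password. `now` is injectable
  # so the lockout clock can be exercised without sleeping.
  def attempt(user, password, ip, now = Time.now.to_i)
    return :blocked_ip if @ip_blocked_until.fetch(ip, 0) > now
    if @locked_until.fetch(user, 0) > now
      record_ip_failure(ip, now)   # guesses during a lockout still count against the address
      return :locked
    end
    if @credentials[user] == Digest::SHA256.hexdigest(password)
      @failures.delete(user)
      return :ok
    end
    record_user_failure(user, now)
    record_ip_failure(ip, now)
    :bad_password
  end

  private

  def record_user_failure(user, now)
    @failures[user] += 1
    return unless (@failures[user] % 3).zero?
    step = [@failures[user] / 3 - 1, LOCKOUT_STEPS.size - 1].min
    @locked_until[user] = now + LOCKOUT_STEPS[step]
    @alerts << "#{@failures[user]} failed logins for #{user}; locked for #{LOCKOUT_STEPS[step]}s"
  end

  def record_ip_failure(ip, now)
    stamps = @ip_failures[ip]
    stamps << now
    stamps.reject! { |t| t < now - IP_WINDOW }
    return if stamps.size < IP_FAIL_LIMIT
    @ip_blocked_until[ip] = now + IP_BLOCK_FOR
    @alerts << "#{stamps.size} failed logins from #{ip} within #{IP_WINDOW}s; blocked"
  end
end
```

Two design points worth noticing: a locked account returns `:locked` before the password is even compared, so the attacker gets no feedback during the wait, and a guess made during a lockout still counts toward the per-address limit, so spraying one account from one machine trips the IP block too.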


File Upload


Most web applications let you upload files to share, or view online. There was once an artist who bound his book with sandpaper so that shelving and re-shelving it would destroy the books next to it. That bookshelf is your application, and that book is the other exploit we found.

The site in question had a file upload feature, so we uploaded an executable file that would run whatever command we fed it on the computer where it resided (in this case, the company server). As soon as we 'viewed' the document, it would execute. So a command like

find ../../ -name "config.rb" -exec grep password '{}' \;

will find a configuration file and find all the passwords in it (most web frameworks have such a file).

The fix to this one is simple: don't let users upload any type of file your server might execute (unless, of course, you're a code hosting site, in which case you don't need to be told about this).
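As an added example (mine, not the original post's or the audited site's code), here is what that fix looks like in Ruby as a server-side allowlist check. It accepts only a short list of extensions, requires the file's first bytes to match that type's magic number so a renamed script does not get through, rejects double extensions like `shell.rb.png` and strips any directory part from the client-supplied name, and stores the file under a random name in a directory outside the document root so the server never serves or runs the upload in place. The `UploadPolicy` module, its allowlist and the `/srv/app/uploads` path are all hypothetical.

```ruby
require 'securerandom'

# Hypothetical upload policy: only the types in ALLOWED are accepted, and only
# when the content really starts with that type's magic bytes.
module UploadPolicy
  ALLOWED = {
    'png' => "\x89PNG\r\n\x1a\n".b,
    'jpg' => "\xFF\xD8\xFF".b,
    'pdf' => '%PDF-'.b,
  }.freeze

  # Constructed path outside the web root: files here are read back by the
  # application and streamed to the browser, never executed or served directly.
  STORE_DIR = '/srv/app/uploads'.freeze

  MAX_BYTES = 5 * 1024 * 1024

  Result = Struct.new(:ok, :reason, :stored_name)

  def self.check(original_name, bytes)
    return Result.new(false, 'file too large') if bytes.bytesize > MAX_BYTES
    base = File.basename(original_name)              # drops any ../../ prefix
    parts = base.downcase.split('.')
    return Result.new(false, 'no extension') if parts.size < 2
    return Result.new(false, 'multiple extensions') if parts.size > 2
    ext = parts.last
    magic = ALLOWED[ext]
    return Result.new(false, "extension #{ext} not allowed") unless magic
    unless bytes.b.start_with?(magic)
      return Result.new(false, 'content does not match extension')
    end
    # Never reuse the client's name: random name plus the allowlisted extension.
    Result.new(true, nil, "#{SecureRandom.hex(16)}.#{ext}")
  end

  # Full path the accepted file would be written to (no I/O in this demo).
  def self.destination(result)
    File.join(STORE_DIR, result.stored_name)
  end
end
```

The extension allowlist alone is not enough: a server that maps `.rb` or `.php` to an interpreter only needs the name to end that way, so the magic-byte check and the random stored name are what actually keep an executable out of the viewable path.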

----

Security isn't the way movies make it out to be: most hacks aren't mathematical or cryptographic breaks, and they're never as dramatic. The brilliance in the best ones is that they're so simple. Most security holes are little leaks in the way software gets written, or more usually (like weak passwords) flaws in predictable human behavior.