WordPress brute force hack attacks

Since this spring, the world’s WordPress sites have seen a surge of brute-force hacking attempts, where scripts running from “botnets” have been steadily trying one dictionary word after another in an attempt to take over their victim sites.

I was alarmed to discover this traffic hitting my website earlier this week and was stymied as to how to prevent it. Normally when one gets a hacking attempt, it’s a simple thing to block that site’s IP address using firewall rules. In this case, however, the attackers are using a massive array of hacked computers scattered around the world. Each hack attempt comes from a different IP address, making it impractical to block them all.

Wondering if my site would soon fall to these script kiddies, I took some time to configure some analysis tools to get a better idea of what I was facing.

I needn’t have worried. This is what these genius password attempts look like:
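The per-address blocking problem described above, as an added example that is not from the original post or from WordPress: a Python script that parses constructed Apache-style access log lines, counts POSTs to wp-login.php per client address, and shows why a per-IP threshold catches nothing when a botnet spreads a high total number of attempts across many addresses. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter

# Constructed Apache-style access log lines (not from the original post); the
# addresses are documentation ranges. Four different clients POST to the
# login form; one ordinary GET is mixed in.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jul/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2013:10:01:06 +0000] "GET /2013/07/post/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Jul/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method and path from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def login_posts_per_ip(log_text):
    """Count POST requests to wp-login.php per client address."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/wp-login.php"):
            per_ip[m.group("ip")] += 1
    return per_ip


def ips_over_threshold(per_ip, per_ip_limit=3):
    """Addresses a conventional per-IP firewall rule would block."""
    return sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)


def looks_distributed(per_ip, min_total=5, per_ip_limit=3):
    """The pattern in the post: many login attempts overall, but no single
    address busy enough to trip the per-IP rule."""
    total = sum(per_ip.values())
    busiest = max(per_ip.values(), default=0)
    return total >= min_total and busiest <= per_ip_limit


if __name__ == "__main__":
    counts = login_posts_per_ip(SAMPLE_LOG)
    print("login POSTs:", sum(counts.values()), "from", len(counts), "addresses")
    print("blocked by per-IP rule:", ips_over_threshold(counts))
    print("distributed brute force:", looks_distributed(counts))
```

On the sample, five login POSTs arrive from four addresses, none exceeds the per-IP limit, so the per-address rule blocks nothing while the aggregate count still flags the campaign.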

Poor password management by banks

I recently signed up to the site of one of my (many) 401K administrators. When it came time to pick a password for my account, I was disappointed to see the kind of restrictions the bank put on my choice of password:

Password requirements:

Must contain 8 – 20 characters
Must contain at least one letter and one number
Is case sensitive (e.g. “MyPassword” with an uppercase “M” and “P” is different from “mypassword” with a lowercase “m” and “p”)
Cannot contain any spaces
Cannot contain special characters (e.g. !#$%^&@,;*( )+~?<>‘\”)
Cannot contain more than 2 of the same consecutive letters or numbers (e.g. aaa or 222)
Cannot be the same as your previous 6 passwords
Cannot be the same as your Username

I understand some of these, but not allowing spaces or special characters? That significantly reduces the complexity of available passwords, making the password easier to crack. Now perhaps they get around this by giving the user x number of tries before locking her out, but why not just allow special characters?
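An added example, not from the original post or from the bank: a Python check that implements the listed rules as written, next to a keyspace comparison showing how much excluding punctuation shrinks the search space for a uniformly random password of a given length. The alphabet sizes (62 alphanumerics, 94 with the 32 ASCII punctuation characters) and the use of Python's `string.punctuation` as the "special characters" set are my assumptions from the list above.

```python
import math
import re
import string

# The bank's rules as listed in the post; the alphabet sizes are my assumption
# (26+26+10 = 62 alphanumerics, plus the 32 ASCII punctuation characters).
MIN_LEN, MAX_LEN = 8, 20
ALNUM = len(string.ascii_letters) + len(string.digits)   # 62
WITH_PUNCT = ALNUM + len(string.punctuation)             # 94


def policy_violations(pw, previous=(), username=""):
    """Return the rules a candidate password breaks; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length 8-20")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("letter and number")
    if " " in pw:
        problems.append("no spaces")
    if any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if re.search(r"(.)\1\1", pw):          # aaa, 222, ...
        problems.append("no 3 identical consecutive characters")
    if pw in previous:                      # caller passes the last 6
        problems.append("matches one of previous 6")
    if username and pw == username:
        problems.append("same as username")
    return problems


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` characters chosen uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(length):
    """How many times larger the search space is when punctuation is allowed."""
    return (WITH_PUNCT / ALNUM) ** length


if __name__ == "__main__":
    for length in (8, 12, 20):
        print(f"{length} chars: {entropy_bits(ALNUM, length):.1f} bits alphanumeric, "
              f"{entropy_bits(WITH_PUNCT, length):.1f} bits with punctuation "
              f"(x{keyspace_ratio(length):.0f} search space)")
    print(policy_violations("Passw0rd!"), policy_violations("My 401k pw"))
```

At the 8-character minimum the difference is about 4.8 bits, roughly a 28-fold smaller space to search; the gap grows with length, which is why the minimum length matters at least as much as the character set.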

Hackers Are Now Leery About Inviting the NSA to Their Conventions

Ruh-roh.

The announcement appeared at the conference website yesterday, in a post titled, “Feds, We Need Some Time Apart.”

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship.

via Hackers Are Now Leery About Inviting the NSA to Their Conventions – Yahoo! News.

My experience with Gulf War Syndrome

USS Elliot (DD-967) in North Arabian Gulf, circa 1998

On the Gulf War Veterans Facebook group, one of the members asked if anyone had mystery illnesses. It sparked a lively discussion – one that sometimes veered off into black helicopter land – but it did inspire me to share my mystery symptoms with the group. I’ve alluded to these previously but have not shared them in this detail on my blog before.

As I said in my Facebook post, my desire for answers outweighs my reluctance to post this info in a public forum. If you know me you know what a statement that is. I hope it draws out others to share their experiences, too.

Pandora Paid Over $1,300 for 1 Million Plays, Not $16.89

Here’s another rebuttal for David Lowery, who recently asserted that Pandora was ripping him off. It turns out his record company is ripping him off, which should be old news to him by now.

Lowery told kids to get off his lawn about this time last year, blaming Creative Commons.

David Lowery’s “My Song Got Played On Pandora 1 Million Times and All I Got Was $16.89” article has been picked up over and over and over, including by very respectable folks, often without comment.

This has left many readers with two impressions:

Pandora only paid $16.89 for 1 million plays.

Pandora pays much lower royalty rates than Sirius XM and especially terrestrial AM/FM radio.

Music royalties are complex, but both of these are patently untrue.

via the understatement: Pandora Paid Over $1,300 for 1 Million Plays, Not $16.89.

What It’s Like to Get a National-Security Letter : The New Yorker

Nice first-person account of what it’s like to get a “national security letter” from the FBI.

I spoke with Brewster Kahle, the founder of the nonprofit Internet Archive, perhaps the greatest of our digital libraries, and of the Wayback Machine, which allows you to browse an archive of the Web that reaches back to 1996. He is one of very few people in the United States who can talk about receiving a national-security letter. These letters are one of the ways government agencies, in particular the F.B.I., can demand data from organizations in matters related to national security. They do not require prior approval from a judge, only the assertion that the information demanded is relevant to a national-security investigation. Recipients of a national-security letter typically are not allowed to disclose it.

via What It’s Like to Get a National-Security Letter : The New Yorker.

Did U.S. Gov’t Lie about TWA Flight 800 Crash? Ex-Investigators Seek Probe as New Evidence Emerges | Democracy Now!

There is a petition active with the NTSB to reopen the investigation into the crash of TWA 800. The plane exploded in July 1996, shortly after leaving New York.

The official explanation blamed a short circuit in the center wing fuel tank, though that’s never happened to a 747 before. Many witnesses reported seeing a streak of light rise in the vicinity of the plane.

I stopped believing the official explanation early on when I read a CNN story reporting that the nose-wheel doors were blown inward, suggesting an external explosion had taken place. The NTSB said the investigation would have to see how that evidence fit the official theory:

But Shelly Hazle, an NTSB spokeswoman, downplayed the significance, emphasizing that investigators will have to see how this newly discovered evidence fits into their theory of how the plane blew up.

The NTSB was cherry-picking evidence to support its theory. I knew then that the investigation was a sham. What downed the plane? I have no idea, but I do firmly believe the federal government knows more than it’s telling.

Seventeen years ago, TWA Flight 800 crashed off Long Island, killing all 230 people aboard. The official government investigation blamed mechanical failure, but now a group of former investigators are petitioning the National Transportation Safety Board to reopen the probe, saying the original report was falsified. Was the plane accidentally shot down by the U.S. Navy conducting a nearby exercise, or was it a terrorist attack?

via Did U.S. Gov’t Lie about TWA Flight 800 Crash? Ex-Investigators Seek Probe as New Evidence Emerges | Democracy Now!.

Why Are Dead People Liking Stuff On Facebook? – ReadWrite

Here’s a follow-up to the Mitt Romney Facebook hacking story. Apparently, the bogus “likes” continue long after the election was over.

Last month, while wasting a few moments on Facebook, my pal Brendan O’Malley was surprised to see that his old friend Alex Gomez had “liked” Discover. This was surprising not only because Alex hated mega-corporations but even more so because Alex had passed away six months earlier. The Facebook “like” is dated Nov. 1, which is strange since Alex “passed [away] around March 26 or March 27,” O’Malley told me. Worse, O’Malley says the like was “quite offensive” since his friend “hated corporate bullshit.”

Oh, in related news, Facebook’s security chief just went to work for the NSA.

via Why Are Dead People Liking Stuff On Facebook? – ReadWrite.

Everybody’s in

One of my shipmates, an engineer who served with me on the Elliot, posted a comment to one of my NSA Facebook posts that made me think. Referencing my cryptologic technician past, he said:

You should have been an engineer. No one would care what you say or think.

This implies that I have something worth listening to – which as anyone who’s ever read this blog knows is patently ridiculous. Tales of my past as a crypto tech are about as far removed from James Bond as possible. It would bore anyone to tears.

Mystery web traffic from DoD contractors identified?

A few years ago I noted very strange web requests coming from military bases and large defense contractors. Several of these sites were requesting a specific URL in my collection of over a decade of posts. That struck me as something highly unlikely for a casual web visitor to do, so I became alarmed at the possibility that these defense contractors and military units were compromised by a malware agent, perhaps planted by a foreign government. I emailed one of these groups, doing my patriotic duty by alerting them to this possibility. Usually when I point out potential hacking to a fellow sysadmin I receive some sort of thank-you email in return. In this case I received no response (I’ll dig up my email and post it here if I can find it). I found the lack of reply unusual (and, well … rude), but kept open the possibility that I’d reached the wrong person.

Today, Techdirt had a story describing how a simple search through LinkedIn turns up a vast trove of resumes containing secret codeword programs. There’s obviously money to be made in surveillance – Edward Snowden made upwards of $200k per year – so analysts advertise the programs for which they have training. The corollary to this is that there are companies willing to pay for this experience – perhaps companies on the list I noticed knocking on my website door.

I can’t help but wonder if the unusual web traffic I noted might be part of one of these secret programs. Whatever it is (or was), it was obviously coordinated, so the only question is whether it was the bad guys or the good guys (i.e. Americans). Viewed through Occam’s razor, it’s more likely that these highly-secure defense contractors aren’t compromised (or at least they have some clue about network security), which leaves the possibility that the traffic came from some as-yet-unknown system. At least I hope our side’s responsible for it – we’re in a world of hurt if it’s not.

So, do I breathe easier knowing these massive defense contractors are not likely compromised as I once thought, or do I lie awake at night scared shitless that they appear to be spying on anyone and everyone?