I do not really recollect anything that large. Well, not counting dropbox’s 4-hour window of “any password fits all accounts”, but that was different.

Here are some of the news items about this seriously large hacking incident:

• NYTimes (Dec. 25, 2011)
• WSJ (Dec. 25, 2011)
• CNN (Dec. 25, 2011)
• relatively above-average write-up from Wired (Dec. 26, 2011)
• ABCNews (Dec. 26, 2011)
• The Register (Jan. 3, 2012)

Here come more technical reports:

• short pastebin document, supposedly by the hackers
• cryptome keeps track of the data being removed from the internet
• a 1MB report by the hackers
• TheTechGerald has some analysis of the leaked stratfor passwords (Jan. 2, 2012)

TheTechGerald’s analysis linked to above got my attention. Unfortunately, a while ago I’ve subscribed to stratfor’s “free intelligence mailing list”, and was wondering if my account information is now publicly available. I was the most worried about the password I’ve used to subscribe, because of the risk of using the same password somewhere else.

Unlike TheTechGerald, I haven’t used any dictionaries – just the default configuration of a well-known tool for finding weak passwords. Within a single hour, ~100k passwords were decrypted (~12% of all). Till the end of the day, ~50k more passwords were decrypted (totalling 17.4% of 860k). At this point my password was still safe, and I’ve found a way to verify that it is not used anywhere else, so I’ve aborted further decryption.

There are a few simple conclusions:

• anybody who had a stratfor account must verify that he/she isn’t using that password anywhere else, because if 1 PC can get 17% of all the passwords in less than a day, it is only a matter of short time until all the leaked passwords will be decrypted and made publicly available in various “md5 decryption databases”
• system owners should run periodic screenings for weak passwords (and implement policies to prevent creating obviously weak passwords from the very beginning)
• md5 is very fast to decrypt/bruteforce – a much slower hashing function wouldn’t hurt; also, using a more complex hashing approach, maybe even with a closed-source shared library, could help
• single-factor authentication (password-based) is likely to get replaced with 2-factor authentication in the nearest future
• one may enjoy increased personal data safety by using throw-away passwords in conjunction with antispam mailboxes like spam.la and mailinator.com (at least 1600 users – 0.186% – did use these services).

Fortunately, the top 10 passwords (by their counts) were exclusively “throw-away”, and added up to ~10% of the decrypted passwords. (I’m not showing any, as that would unnecessarily simplify further decryption – maybe thetechgerald should have also been more vague about actual passwords.)

Sooner or later this significant-size corpus of real-life passwords will find its way (after decryption by those who would actually use leaked passwords to gain unauthorized access) into various wordlists and wordlist mutation rules, making it even easier to decrypt any future leaks. This is where 2-factor authentication will, hopefully, come in handy to protect against similar leaks.

I wonder if I should put up a page “Check if my password was among those 860k”, to help people easily identify if they should change theirs – not even necessarily being a Stratfor subscriber. Unless similar pages/services had already been put up by others.

It is also unclear what will the future of Stratfor be, taking into account that their website is still dysfunctional.

It is sad to see Drupal (stratfor.com’s CMS) involved here. However, I have no idea if their installation was up to date, and if their website was the point of entry. The hacklog suggests that attackers somehow obtained the password of one of the system administrators, and then used it for SSH access, which would save Drupal’s face (Drupal’s security record to date was pretty reassuring).

The original Ukrainian text tells the tale of a swallow flying into a household to proclaim the plentiful and bountiful year that the family will have. The title shchedryk is derived from the Ukrainian word for “bountiful”. This follows a tradition of praising the hosts of festivities in the songs during those festivities, or when coming to get sweets, small money bills or presents in exchange for nice singing by a group of children.

English text was written separately, and is copyrighted.

All the derived music uses the original’s four-note pattern by Mykola Leontovych. Folk song/chant was the basis for Leontovych’s work on this piece. I believe the original song had a similar musical (vocal) pattern, and that “ostinato” figure of music was already present in the song, so Leontovych’s work was probably to smooth out any uneven moments, and formalize the music in notes. Citing wikipedia article, “ostinato motif, a repeated four-note pattern within the range of a minor third is thought to be of prehistoric origins”.

HandBrake is a very high-quality piece of software – next time you need recoding something into H.264/MPEG-4 (using MKV or MP4 containers) – try HandBrake. It easily saturated all my CPU cores – which I failed to achieve with ffmpeg, which even with threads=8 was only saturating 2 cores.

Attached to this post are 2 profiles for recoding movies for Nokia E71. The “_best” profile has exhaustive motion detection, otherwise is identical to the base profile.
E71.plist
E71_best.plist

Related:

• x264 ffmpeg mapping and options guide
• ffmpeg audio/video encoding cheat sheet

There is an excellent, in-depth, well-argumented article by Geoff Chappell on the issue. Highly recommended in its entirety to those who want a complete understanding (additional side-reading and facts verification might be necessary).

A single citation to get you started:

There is already on the Internet and elsewhere an awful lot of rubbish to read about this question. Hardly any of it would be worth citing even if I didn’t want to spare the authors the embarrassment. A surprising number of people who claim some sort of attention as expert commentators would have you believe that using more than 4GB of memory is mathematically impossible for any 32-bit operating system because 2 to the power of 32 is 4G and a 32-bit register can’t form an address above 4GB. If nothing else, these experts don’t know enough history: 2 to the 16 is only 64K and yet the wealth of Microsoft is founded on a 16-bit operating system that from its very first version was designed to use 640KB of RAM plus other memory in a physical address space of 1MB. Some remember this history and add seemingly plausible qualifications that exceeding 4GB is possible only at the price of nasty hacks that require everyone—well, all programmers—to jump through hoops. Fortunately, Intel’s processors are a lot more advanced than the 8086 from all those years ago.

P.S. Unfortunately, patching the kernel won’t help make Windows XP see more than 4GB RAM: even though the kernel itself does support more RAM (with PAE), starting with SP2 the HAL was modified in a way prohibiting access to any RAM beyond 4GB. Patching may only be suggested to devoted geeks with Vista’s and 7′s.

Nokia Ovi Suite could not connect to the Nokia account server. Make sure the internet connection is working properly and try again.

However, both my internet connection, and logging into ovi.com using a browser work fine. Even looking for updates from within Ovi Suite works fine!

Here’s the solution (tested on Nokia Ovi Suite 3.0.0.290):

Important: before trying the solution below, try downloading and running root certificates update program from Microsoft, then restarting Ovi Suite to see if the problem is gone. (Thanks Finn for sharing this one.)

• Navigate to Start – Control panel – Internet options (or: start Internet Explorer – Tools – Internet options). It doesn’t matter that your default browser is not IE.
• Select Content tab.
  
• Click Certificates, select Trusted root certification authorities tab, and sort ascending by expiration date.
  
• Now delete all GTE CyberTrust certificates whose expiration date has passed.
• Click Close, then OK
• Restart Ovi suite.

If that didn’t help: try removing all expired certificates:

A word of warning

Deleting all expired trusted root certs is not a good idea. You could end up with vital parts of the system not working, or unable to access some documents (especially if you have encryption turned on). Thing is, expired certs can still be valid for anything signed or encrypted before they expired.

Sources used:

• http://discussions.europe.nokia.com/t5/Nokia-Ovi-Suite/NOKIA-OVI-Suite-could-not-connect-to-the-nokia-account-server/m-p/878427
• http://betalabs.nokia.com/apps/nokia-ovi-suite-3-0-beta/bugreport/19143/ovi-sign-in-failed
• http://betalabs.nokia.com/node/5251

Just a single quote from Glyn Moody, Computerworld UK:

The criticisms made in the video are not really the point – they are mostly about OpenOffice.org not being a 100% clone of Microsoft Office, and compatibility problems with Microsoft’s proprietary formats. The key issue is the exactly the same as it was for the Mindcraft benchmarks. You don’t compare a rival’s product with your own if it is not comparable. And you don’t make this kind of attack video unless you are really, really worried about the growing success of a competitor.

See also what Savio Rodriguez (Infoworld) has to say about that video.

Aurora Borealis timelapse HD – Tromsø 2010 from Tor Even Mathisen on Vimeo.

Noticing weird narrow spikes in server load graph, I decided to investigate the most recent one – at 03:50 GMT+2 on Nov. 6, 2010.

The reason was simple: someone issued a few hundred HEAD-requests over a 30 second period to a PHP-based web-application.

All the requests were coming from IP 109.169.59.139, which belongs to the IP range of thrustvps.com:

inetnum: 109.169.58.0 – 109.169.59.255
netname: ThrustVPS_1
descr: Thrust::VPS
country: US
admin-c: RF5058-RIPE
tech-c: RF5058-RIPE
status: ASSIGNED PA
mnt-by: RAPIDSWITCH-MNT

However, it is the referrer string which is more interesting: in all those requests, decorated with varying UserAgents and even operating systems, there was only one referrer – www.dewlance.com.

Initially I thought that was a test of a new DoS attack – really, who would issue dozens of HEAD requests to the same page over a few seconds? However, after seeing that “referrer” string, I now think this is a cheap, blatant, poor and ugly SEO performed by dewlance. It relies on some sites displaying a box of ‘recent visitors’, sometimes including their referrer URL as a “page where this visitor came from” – this would give dewlance.com some free link-love. Or maybe dewlance.com expects administrators to investigate log files, notice that referrer string, and happily order some services from dewlance? No way

I’ll file a complaint with thrustvps if I see that kind of misbehaviour again. All that started on Nov. 4, so there’s still hope people behind this dumb SEO implementation will get fired.

Update 1: they do this every 4 hours since November 4, 2010 (Thursday). This results in loads up to 22, with ~50 apache processes struggling for a few CPU cores:

Update 2: some 20 hours after sending report to abuse at thrustvps.com nothing has changed – still a bunch of HEAD requests every 4 hours. I have written a fail2ban filter+rule to ban anything issuing more than about 1 HEAD request per second. If that rule works as expected – I’ll publish it here.

Update 3: the last HEAD request referring to dewlance occurred at 12:23 GMT on November 8, 2010. I have no idea if that was my complaint, or if that “experiment” just ended naturally.

I have been testing fail2ban rule for false-positives, and it now seems OK. However, I haven’t tested for true positives – I do not know if it will actually block extra HEAD requests (it should).

Put the fragment below into your /etc/fail2ban/jail.local (edit logpath to match your apache logs):

[head-dos]
enabled = true
port = http,https
filter = head-dos
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 8
findtime = 6
#ban for 25 hours
bantime = 90000
action = %(action_mwl)s

I recommend leaving action as specified for a few weeks to see if you aren’t blocking legitimate requests.

Also paste the fragment below into /etc/fail2ban/filter.d/head-dos.conf:

# Fail2Ban configuration file
#
# Author: bogdan.org.ua
#

[Definition]

# Option: failregex
# Note: this regex matches *any* HEAD requests; together with a maxretry=8 and findtime=6 (for example)
# this rule should ban anything issuing more than ~1 HEAD request per second.
#
# sample matching entry:
# bogdan.org.ua:80 109.169.59.139 – - [07/Nov/2010:04:38:33 +0200] “HEAD /2009/10/27/search-and-replace-in-a-mysql-table.html HTTP/1.0″ 200 – “http://www.dewlance.com” “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2″
#

failregex = ^[^ ]+ -.*”HEAD /.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Update: this rule does work. There were a few false-positives over 2 weeks of testing, so you may need to tune number of requests and time period. After the initial HEAD attacks I’ve seen there were more of these, with other referrer strings – but always a website URL.

Please comment to report improvements/enhancements and problems you’ve encountered with this rule.

That’s my first encounter of Shapado, so it was interesting to read Shapado authors’ justification and a related question on meta.SO.

Find out more about the depicted office. That would be a nice setup for flight and/or space simulators, I guess.

TinEye Firefox extension helped finding more nice workplaces.

And Stefan in his office description provided some more links to multi-display workplaces – Mitch Haile’s and Kevin Connollie’s among others.

Now, welcome the Terrafugia’s Transition transformer flying car! It can drive as a car (and is sized as a car with wings folded), and it can fly as an air-plane! Now your trip to anywhere looks like “drive to the airport – fly – land – drive to gas station – repeat as needed”. Terrafugia claims that (on average) there’s a suitable airport every 60 miles in the US. And you can fit Transition into your average garage!

That doesn’t (yet) feel like something from the future – and maybe that is why their prototype already had test flights, and they plan mass-production for 2011, and already have over 80 pre-orders.

If only it had vertical take-off…

Only marginally related: Dunning-Kruger effect

Префікс мікро в українській мові є, і позначає певну кратність (10^-6) числової величини (а також просто щось маленьке) – тому його можна зберегти при перекладі першої половини складного слова microarray. Цей префікс також входить до системи одиниць СІ.

А от слова арей (як вживають деякі автори) в українській мові немає. Також немає сенсу його запозичувати, оскільки існують переклади (слова-еквіваленти). Один зі словників пропонує такі варіанти перекладу слова array українською (у різних контекстах):

• множина, набір, комплект
• розташування, решітка, сітка
• масив, список, поле, ряд
• решітка даних
• масив даних
• матриця

Я пропоную використовувати термін мікромасив (та похідний від нього мікромасив-експеримент). Цей термін має перевагу над вживаним у Російській Федерації “микрочип-экспериментом”, оскільки “мікрочіп” або просто “чіп” – це усталений термін електроніки, де він позначає кремнієвий електронний елемент з високим ступенем упаковки напівпровідників; натомість “масив” – це і набір/список [даних], и [двомірна] матриця [даних/ознак/зондів/будь-чого]. Відповідно, мікромасив – це маленька матриця або маленький набір [олігонуклеотидних/кДНК зондів]. Додатковим аргументом проти використання слова чіп вважаю його запозиченість.

Використання інших варіантів перекладу слова array або не відповідає суті об’єкту, або має неоднозначне трактування. Наприклад, мікроматриця: в молекулярній біології матриця – це ланцюг ДНК, з якого іде синтез, а в ширшому значенні – взагалі будь-яка модель, з якої виготовляють зразки. (Звичайно, слово матриця також є синонімом слова масив у значенні двомірний масив / двомірна матриця, але слово масив не має – наскільки мені відомо – альтернативних трактувань у молекулярній біології). Розглядати інші варіанти перекладу слова array не вважаю за потрібне, оскільки вони ще менш вдалі за матрицю.

Таким чином, вірним перекладом терміну microarray є слово мікромасив.

For about 2 weeks now, I am every day alerted of the suspicious behavior of some computer/server from the Google’s IP range:

Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)

These requests repeat up to several hundred times per hour, with periods of no or very little malicious requests.

Here’s WHOIS information about 66.249.71.20:

OrgName: Google Inc.
OrgID: GOGL
…
NetRange: 66.249.64.0 – 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0

Does Google attack you, too?

These attacks initially started from a different Google IP – 66.249.71.2; I wrote to abuse at google, and got an automated response with the ticket number (in the hundreds of millions range). A week after that, requests started flowing from IP 66.249.71.20. I am not inferring “evil Google abuse department” here, just that there was no response, and the problem shifted to a different IP from the Google’s IP range.

Update: I decided just to ignore this class of problems.

“Evil?” image by copyblogger.com.

Slow DoS attack with just 1 computer against a number of web servers, including Apache: slowloris. There is a solution for Apache, packaged for RedHat and also available for Debian.

Finally, there’s Go programming language. The most inspiring promise to me personally is the ease of execution parallelization with language’s built-in syntactic constructs. That is something highly desired. Also, I like that it is a compiled language. However, it might be 10%-20% slower than pure C. Let’s see how it grows.

A total of 80k people were registered with respiratory infections (not classified by flu type). Several small samples tested for A/H1N1 (which is the cause of swine flu pandemic) indicate that 30-50% of all cases could be swine flu (with other cases being “seasonal flu” – that is, previously known influenza types and subtypes). It is reported that ~37 died since Monday, with symptoms matching those of swine flu. Most of the statistics come from the Western regions of Ukraine, which were the first to face rapid daily temperatures decrease – which could have been the trigger of massive infections.

Today I’ve seen a number of people in Kyiv’s underground railway wearing medical face masks (or just pulling their scarfs up to cover noses). Drug stores were literally stormed for anti-virus medications, immune system stimulators, medical face masks, vitamins, etc.

If not the virus, then panic is definitely in the air. I do not recollect seeing something like that before.

To help in this celebration, you can make a barcode with your site’s address (there is at least one more at barcodesinc, but at the moment of writing it is painfully slow).

I find these parameters nearly optimal:

• Type: Code 128-B
• Styles: Draw value text
• Size: 234×60 (half-banner size)
• Xres: 1
• Text font: 5
• Value: bogdan.org.ua

If you wish, you can also exactly replicate today’s Google logo – which says “Google”, as you could have guessed.

You can place this barcode on your “souvenirs” – pens, cups, t-shirts. Many phones now have barcode scanners (e.g. Nokia E71), so put this code onto your namecard.

Read on to learn about matrix barcodes.

You may also investigate further into matrix/2D codes, which may contain much more information. To the left is the QR code of my blog’s address – try and scan it with your cameraphone! Or make one for yourself.

Here’s an encrypted message:

There are many types of matrix/2D barcodes. QR code (above), datamatrix (left picture) and Semacode (right picture) were all successfully recognized by my phone.

an organization that aims to help make biology a worthwhile pursuit for citizen scientists, amateur biologists, and DIY biological engineers who value openness and safety.

DIYbio also has a google group, where a wide range of questions – from bio-patents to DIY gel electrophoresis shopping list and model organisms is dicussed. There is also a DIYbio/biohacking FAQ.

Today for me is the day of discoveries. I learned about the International Open Space Initiative (to give robotics enthusiasts a way to send their tele-controlled and/or intelligent robots to the Moon and Mars), about the DIYbio and biohackers, about OpenManufacturing (which doesn’t seem to have produced enough content to link to), Open Source Medicine (ouch!), BioBrick Assembly Kit (with an assembly manual), OpenWetWare, and a whole bunch of other awesome and inspiring community efforts, which do not belong here.

Do you feel the wind of change?