I do not really recollect anything that large. Well, not counting dropbox’s 4-hour window of “any password fits all accounts”, but that was different.

Here are some of the news items about this seriously large hacking incident:

• NYTimes (Dec. 25, 2011)
• WSJ (Dec. 25, 2011)
• CNN (Dec. 25, 2011)
• relatively above-average write-up from Wired (Dec. 26, 2011)
• ABCNews (Dec. 26, 2011)
• The Register (Jan. 3, 2012)

Here come more technical reports:

• short pastebin document, supposedly by the hackers
• cryptome keeps track of the data being removed from the internet
• a 1MB report by the hackers
• TheTechGerald has some analysis of the leaked stratfor passwords (Jan. 2, 2012)

TheTechGerald’s analysis linked to above got my attention. Unfortunately, a while ago I’ve subscribed to stratfor’s “free intelligence mailing list”, and was wondering if my account information is now publicly available. I was the most worried about the password I’ve used to subscribe, because of the risk of using the same password somewhere else.

Unlike TheTechGerald, I haven’t used any dictionaries – just the default configuration of a well-known tool for finding weak passwords. Within a single hour, ~100k passwords were decrypted (~12% of all). Till the end of the day, ~50k more passwords were decrypted (totalling 17.4% of 860k). At this point my password was still safe, and I’ve found a way to verify that it is not used anywhere else, so I’ve aborted further decryption.

There are a few simple conclusions:

• anybody who had a stratfor account must verify that he/she isn’t using that password anywhere else, because if 1 PC can get 17% of all the passwords in less than a day, it is only a matter of short time until all the leaked passwords will be decrypted and made publicly available in various “md5 decryption databases”
• system owners should run periodic screenings for weak passwords (and implement policies to prevent creating obviously weak passwords from the very beginning)
• md5 is very fast to decrypt/bruteforce – a much slower hashing function wouldn’t hurt; also, using a more complex hashing approach, maybe even with a closed-source shared library, could help
• single-factor authentication (password-based) is likely to get replaced with 2-factor authentication in the nearest future
• one may enjoy increased personal data safety by using throw-away passwords in conjunction with antispam mailboxes like spam.la and mailinator.com (at least 1600 users – 0.186% – did use these services).

Fortunately, the top 10 passwords (by their counts) were exclusively “throw-away”, and added up to ~10% of the decrypted passwords. (I’m not showing any, as that would unnecessarily simplify further decryption – maybe thetechgerald should have also been more vague about actual passwords.)

Sooner or later this significant-size corpus of real-life passwords will find its way (after decryption by those who would actually use leaked passwords to gain unauthorized access) into various wordlists and wordlist mutation rules, making it even easier to decrypt any future leaks. This is where 2-factor authentication will, hopefully, come in handy to protect against similar leaks.

I wonder if I should put up a page “Check if my password was among those 860k”, to help people easily identify if they should change theirs – not even necessarily being a Stratfor subscriber. Unless similar pages/services had already been put up by others.

It is also unclear what will the future of Stratfor be, taking into account that their website is still dysfunctional.

It is sad to see Drupal (stratfor.com’s CMS) involved here. However, I have no idea if their installation was up to date, and if their website was the point of entry. The hacklog suggests that attackers somehow obtained the password of one of the system administrators, and then used it for SSH access, which would save Drupal’s face (Drupal’s security record to date was pretty reassuring).

Back in 2007 I wrote a brief review of web-based project management tools. After that, I started using dotProject for personal projects management. I’m still using it, but for collaborative project management, communication, and tasks/milestones tracking dotProject isn’t perfect.

I need a tool, which is

• collaborative
• web-based (to allow effective collaboration)
• preferably free
• has concise per-project activity log
• minimal required functionality: tasks, milestones, files, and status updates.

After trying a few things, our small team settled for now on using github + pivotaltracker jira + confluence + flowdock.

Here’s a full list of tools briefly reviewed. I’ve been already using ProjectPier, so I’ll start with this software.

ProjectPier (used myself)

• dashboard: all events log
• interface similar to Basecamp; themable/skinnable
• all the basic features are there (milestones, tasks, task lists, messages, files)
• modular (functionality is in plugins)
• easy to install (requires PHP and MySQL)
• is being maintained/developed (maybe slowly, but that doesn’t mean much)

Not much to add. Simple, functional, worked good for a 1-person “team” (that is, for personal projects management). Have no idea how it scales to more people.

Collabtive

• desktop: just an overview, no log of events; project view has ‘activities’ log
• [too much?] eye-candy, JS-reach default interface (themable/skinnable)
• projects, tasks, milestones, messages, files
• calendar, time tracking
• is being maintained/developed

Open Atrium

• Drupal-based, thus probably the most flexible (but requires time investments to change functionality)
• 6 features: blog, wiki, calendar, to-do list, shoutbox, and a dashboard to manage it all
• has “recent activity” log
• issues tracking
• I guess it is heavier than others in use patterns: requires more clicking and typing (as it has more features), and there seem to be no concepts of milestones and projects – just tasks

Projectfork

• possibly Joomla-based
• free, with commercial add-ons, themes, and maybe support
• projects, milestones, tasks with priorities, files
• calendar, discussion board, time tracking
• activity stream (premium add-on)

EGroupware

• hosted, commercial
• free community version is available for download
• projects, tasks, sub-tasks, files
• address book, calendar, chat, issue tracking system, time tracking
• knowledge base, wiki
• news, polls
• interface seems very responsive (JS-reach)
• large, feature-reach: might be an overkill where basecamp would do just fine
• actively developed

]project-open[

• not reviewed: seems even more feature-reach (complicated) than EGroupware

Redmine

• doesn’t seem to use “milestone” and “task” concepts
• issue tracking, gantt charts, calendar, time tracking
• wiki, files, forums, roadmap (similar to trac)
• repository browser (among others, git and svn are supported)
• is maintained/developed

Codebase

• non-free
• issue tracker for git/mercurial/others with project management features
• wiki, time tracking, milestones, files

Ofuz

• paid hosted version (free up to 5 projects), free version available for download
• contacts, time tracking, invoices
• projects, tasks, documents, files
• tight email integration (e.g. continue discussions by email, with replies logged to Ofuz)

RailsCollab

• activecollab-inspired, ProjectPier-based Ruby software
• interface (and features) very similar to ProjectPier
• tasks and task lists, milestones, files, messages
• time-tracking
• development/maintenance stalled in Feb 2010

Teambox (used myself)

• hosted service (free up to 3 projects), community edition available for download; RoR-based
• free plan has search disabled
• projects, tasks, task lists, files
• dashboard
• pages/wiki/writeboard, discussions
• gantt charts, calendar, twitter-like status updates, time-tracking
• light interface
• clients for mobile devices
• email notifications and email-to-web functionality

Seems best for conversations-oriented projects. A few times posted updates took lots of time to become visible to other team members (far not immediate, so comparison to twitter does not give the right idea), and page refreshes (even forced) didn’t help. Tasks system is basically an extension of conversations: once you created a task, you can only “extend” it with comments, but not edit. Personally, I found the tasks implementation too awkward to use – it might be different for writing-related projects. I liked the Pages functionality: it provides a good (easy and quick) way of organizing information accumulated by the project. Basically, we ended up using Teambox as a repository for external and internal documentation – but not for status updates, chats or planning.

As free time permits, I would love to compile a feature table, comparing all these tools, together with subjective “easy-of-use” scores (maybe collected with a poll of some kind). Any contributions towards this simple goal are welcome. If comments fail to work for you – use the contact page.

A few more related web-tools follow.

Pivotal Tracker (currently using)

• agile projects management
• concepts: icebox, backlog, current, done
• has: features, bugs, chores, releases; each of these can have description, comments and short tasks (all very easy to add and organize)
• features can have their complexity estimated in points, which are then used to calculate weekly team velocity, and also to move tasks from the backlog panel into current panel

I’m new to agile development tools, and after getting used to it – Pivotal Tracker is good. It is also useful as a place to keep the things you would like to eventually implement – just append these to the end of the icebox, and then start-move to backlog/current when determined to implement.

Flowdock (currently using)

• web-chat with history saved as an infinite scrollable page
• has a concept of “flows” (similar to chat rooms in campfire)
• tags (tab-autocomplete possible when writing messages); can be added/removed to/from existing entries
• files can be inserted directly into chat stream
• separate views for posted URLs and files
• full-text search (a recent feature), and search by tags
• mobile device support (haven’t tried)
• various desktop notification tools for all platforms (Linux, Mac, Windows); has minimally-configurable sound notifications
• tracks online/idle/offline statuses (e.g. idle for X hours or offline for Y hours)
• mails can be sent to a flow, and they can have tags
• Influx: an aggregator of external events (github, twitter, RSS, mails, PivotalTracker, Confluence and others)

Flowdock is just… convenient. After trying teambox, present.ly and campfire, we seem to have settled on this one for in-project communication (our team currently has only 3 people, though). The most convenient feature is probably the built-in aggregator.

WeDoist

• collaborative to-do lists
• tasks (maybe also sub-tasks), status updates, group chat
• hosted solution

ToDoist

• 1-person projects, tasks, sub-tasks
• hosted solution
• opera widget at http://widgets.opera.com/widget/15372/

SlimTimer (using this one)

• simple (perfect? ) tasks-based timetracker with nice reports feature
• hosted solution, has free plan

Present.ly (used myself, would use again)

• “corporate twitter”
• hash-tags autocompletion
• files can be attached
• “attach text” – when 140 symbols is not enough
• direct messaging and replies; replies can be viewed in threaded mode
• mobile devices support (haven’t tried)
• configurable email alerts
• concepts helping organize data: topics, feeds, tags
• separate views for files and links to find them faster

Overall, present.ly is very cool for within-team status updates – that is, to keep track of what anybody’s doing.

Campfire (used myself)

• web-chat with “rooms” (e.g. by topic, by department etc)
• each day is saved as a transcript of chats
• files can be attached directly within the chat flow
• full-text searchable
• free use tier implies chat-stream embedded ads (can be removed with adblock+ and element hiding helper)
• can be configured to track external resources (e.g. github commits), though those do not look as good as in flowdock

Overall, campfire is a nice chat. The best thing they have is the event sound – probably the best I’ve heard.

Finally, nice mantra (except for the very last phrase) from ToDoist – “The Zen of Todoist”:

Now is better than later.
Later is better than never.
Organized is better than messy.
Big things are composed by smaller things.
Smaller things are done by action.
Think like a person of action.
Act like a person of thought.
The beginning is half of every action.
The longest journey starts with the first step.
Everything should be made as simple as possible.
But not simpler.
Celebrate any progress.
Don’t wait to get perfect.
Deadlines and stress are a part of life.

Noticing weird narrow spikes in server load graph, I decided to investigate the most recent one – at 03:50 GMT+2 on Nov. 6, 2010.

The reason was simple: someone issued a few hundred HEAD-requests over a 30 second period to a PHP-based web-application.

All the requests were coming from IP 109.169.59.139, which belongs to the IP range of thrustvps.com:

inetnum: 109.169.58.0 – 109.169.59.255
netname: ThrustVPS_1
descr: Thrust::VPS
country: US
admin-c: RF5058-RIPE
tech-c: RF5058-RIPE
status: ASSIGNED PA
mnt-by: RAPIDSWITCH-MNT

However, it is the referrer string which is more interesting: in all those requests, decorated with varying UserAgents and even operating systems, there was only one referrer – www.dewlance.com.

Initially I thought that was a test of a new DoS attack – really, who would issue dozens of HEAD requests to the same page over a few seconds? However, after seeing that “referrer” string, I now think this is a cheap, blatant, poor and ugly SEO performed by dewlance. It relies on some sites displaying a box of ‘recent visitors’, sometimes including their referrer URL as a “page where this visitor came from” – this would give dewlance.com some free link-love. Or maybe dewlance.com expects administrators to investigate log files, notice that referrer string, and happily order some services from dewlance? No way

I’ll file a complaint with thrustvps if I see that kind of misbehaviour again. All that started on Nov. 4, so there’s still hope people behind this dumb SEO implementation will get fired.

Update 1: they do this every 4 hours since November 4, 2010 (Thursday). This results in loads up to 22, with ~50 apache processes struggling for a few CPU cores:

Update 2: some 20 hours after sending report to abuse at thrustvps.com nothing has changed – still a bunch of HEAD requests every 4 hours. I have written a fail2ban filter+rule to ban anything issuing more than about 1 HEAD request per second. If that rule works as expected – I’ll publish it here.

Update 3: the last HEAD request referring to dewlance occurred at 12:23 GMT on November 8, 2010. I have no idea if that was my complaint, or if that “experiment” just ended naturally.

I have been testing fail2ban rule for false-positives, and it now seems OK. However, I haven’t tested for true positives – I do not know if it will actually block extra HEAD requests (it should).

Put the fragment below into your /etc/fail2ban/jail.local (edit logpath to match your apache logs):

[head-dos]
enabled = true
port = http,https
filter = head-dos
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 8
findtime = 6
#ban for 25 hours
bantime = 90000
action = %(action_mwl)s

I recommend leaving action as specified for a few weeks to see if you aren’t blocking legitimate requests.

Also paste the fragment below into /etc/fail2ban/filter.d/head-dos.conf:

# Fail2Ban configuration file
#
# Author: bogdan.org.ua
#

[Definition]

# Option: failregex
# Note: this regex matches *any* HEAD requests; together with a maxretry=8 and findtime=6 (for example)
# this rule should ban anything issuing more than ~1 HEAD request per second.
#
# sample matching entry:
# bogdan.org.ua:80 109.169.59.139 – - [07/Nov/2010:04:38:33 +0200] “HEAD /2009/10/27/search-and-replace-in-a-mysql-table.html HTTP/1.0″ 200 – “http://www.dewlance.com” “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2″
#

failregex = ^[^ ]+ -.*”HEAD /.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Update: this rule does work. There were a few false-positives over 2 weeks of testing, so you may need to tune number of requests and time period. After the initial HEAD attacks I’ve seen there were more of these, with other referrer strings – but always a website URL.

Please comment to report improvements/enhancements and problems you’ve encountered with this rule.

That’s my first encounter of Shapado, so it was interesting to read Shapado authors’ justification and a related question on meta.SO.

For about 2 weeks now, I am every day alerted of the suspicious behavior of some computer/server from the Google’s IP range:

Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:33 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[option]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘_REQUEST[Itemid]‘ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ’66.249.71.20′, file ‘html/index.php’)
Dec 5 05:39:42 mx suhosin[3701]: ALERT – ASCII-NUL chars not allowed within request variables – dropped variable ‘mosConfig_absolute_path’ (attacker ’66.249.71.20′, file ‘html/index.php’)

These requests repeat up to several hundred times per hour, with periods of no or very little malicious requests.

Here’s WHOIS information about 66.249.71.20:

OrgName: Google Inc.
OrgID: GOGL
…
NetRange: 66.249.64.0 – 66.249.95.255
CIDR: 66.249.64.0/19
NetName: GOOGLE
NetHandle: NET-66-249-64-0-1
Parent: NET-66-0-0-0-0

Does Google attack you, too?

These attacks initially started from a different Google IP – 66.249.71.2; I wrote to abuse at google, and got an automated response with the ticket number (in the hundreds of millions range). A week after that, requests started flowing from IP 66.249.71.20. I am not inferring “evil Google abuse department” here, just that there was no response, and the problem shifted to a different IP from the Google’s IP range.

Update: I decided just to ignore this class of problems.

“Evil?” image by copyblogger.com.

WordPress has a Global Translator plugin, which – among others – uses Google Translate service.

If someone uses Google Translate (e.g. using Global Translate’s mini-language-flags), and goes back to your blog – that someone might get banned by fail2ban (especially if you have set maxretry to 1), as the referrer will contain the php-URL-fopen attack signature. The bad thing is that you will not realize that until after you check one or several translations yourself, as a random site visitor experiencing the problem is highly unlikely to bother reporting this problem – especially when your blog’s Contact page is also inaccessible.

Clearly, Google Translate is not the only legitimate service which will trigger that rule.

Solution: The only solution I have found is to specify the whitelist regex for the php-URL-fopen rule.

Slow DoS attack with just 1 computer against a number of web servers, including Apache: slowloris. There is a solution for Apache, packaged for RedHat and also available for Debian.

Finally, there’s Go programming language. The most inspiring promise to me personally is the ease of execution parallelization with language’s built-in syntactic constructs. That is something highly desired. Also, I like that it is a compiled language. However, it might be 10%-20% slower than pure C. Let’s see how it grows.

Although I’m not using “single password for all sites”, PwdHash does look very convenient.

To help in this celebration, you can make a barcode with your site’s address (there is at least one more at barcodesinc, but at the moment of writing it is painfully slow).

I find these parameters nearly optimal:

• Type: Code 128-B
• Styles: Draw value text
• Size: 234×60 (half-banner size)
• Xres: 1
• Text font: 5
• Value: bogdan.org.ua

If you wish, you can also exactly replicate today’s Google logo – which says “Google”, as you could have guessed.

You can place this barcode on your “souvenirs” – pens, cups, t-shirts. Many phones now have barcode scanners (e.g. Nokia E71), so put this code onto your namecard.

Read on to learn about matrix barcodes.

You may also investigate further into matrix/2D codes, which may contain much more information. To the left is the QR code of my blog’s address – try and scan it with your cameraphone! Or make one for yourself.

Here’s an encrypted message:

There are many types of matrix/2D barcodes. QR code (above), datamatrix (left picture) and Semacode (right picture) were all successfully recognized by my phone.

I believe it is highly useful. Compare: watching an 8-10 minute video of someone’s research to reading their article on that same subject. For me, those 8-10 minutes make video option a clear winner.

One of the envisioned uses of SciVee is to upload videos describing peer-reviewed published articles. This has two benefits for the reader: quickly getting acquainted with the essence of the article, and having that article as a complete reference for any questions not discussed in the video. For the author, this gives an additional bonus of higher visibility of his research.

Personally, I’ve immediately found 3 videos pertinent to my topic. Of those, one was accompayning an article in PloS Biology, one was an hour-long lecture, and one was a poor quality audio recording of someone’s intended research.

SciVee is young, and that is currently the largest drawback: not much could be found in a narrow research field. But I’m sure it will grow.

The motto of Wolfram|Alpha is Making the world’s knowledge computable. Basically, it is like Mathematica plus a growing corpus of factual numeric data, plus a system to interpret user’s input. This is a nice online reference and computation platform.

One can clearly see that on weekends the number of unique visitors of my blog drops drastically to about 40-50% of the working week average.

And yes, that is an almost perfect 5+2 pattern, which I’m observing for many months, like a week-long circadian rhythm. “Almost perfect” must be due to the differences in time zones.

I wonder if the same pattern is characteristic for most web-sites… That is, if people mostly do the browsing at work, and not at home.

Anybody wants to share the secret cycles of one’s blog audience?

I’ve created a PDF of that article, containing some of the comments (all the ‘thank-you’ and ‘help-me-hack’ comments were removed): sql injection walkthrough pdf download.

Note: there were no specific license terms attached to the article; I believe that the word “free” on the SecuriTeam site logo refers to the “right of free use and copying”. If you know this is not the case – please let me know to remove this PDF from public access. (see Brian’s comment)

This is how to do that in Drupal 7 (Views 3):

1. edit the view which makes the block available (follow http://your.site/admin/build/views/viewname/edit)
2. in the Sort Criteria section (under Filter), look for and add Global:Random.

This is how to do that in Drupal 6 (Views 2):

1. edit the view which makes the block available (follow http://your.site/admin/build/views/viewname/edit)
2. in the Sort Criteria section, add the Random criteria.

It can’t be simpler than that.

For Gmailers, there’s a nicer generator.

If you’d like to convert larger amounts of text to images, then use hidetext.net:

http://bacteria.ensembl.org
http://protists.ensembl.org
http://metazoa.ensembl.org

During summer, two more sites – for Fungi and Plants – should be made available.

Learn more about Ensembl Genomes project.

I assume that the problem is caused by Google Analytics, namely the "track outgoing clicks" feature (as recalled, might be inaccurate feature name). "Track outgoing links" adds some JavaScript code to all outgoing links, and that script has tick characters like this one ' which, incidentally, are also used for delimiting the values of comment anchor tags.

To fix:

1. locate file wp-includes/comment-template.php
2. in that file, find the get_comment_author_link function (lines 140-150 in WP 2.7.1)
3. replace the line
   PLAIN TEXT
   PHP:

   1. $return = "<a href='$url' rel='external nofollow' class='url'>$author</a>";

   with

   PLAIN TEXT
   PHP:

   1. $return = '<a href="'.$url.'" rel="external nofollow" class="url">'.$author.'</a>';

This helped me and might help you.