Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    Megahack of Stratfor

    9th January 2012

    If you haven’t heard yet – stratfor.com was hacked in December 2011, leaking full information about 75k credit cards (including owners’ addresses and CVV codes) and 860k (right, almost a million) user accounts. All Stratfor email archives were also reportedly stolen (around 160-200 GB of data), but those were not made publicly available on the internet – unlike the credit card and user account information, which is still relatively easy to find and download.

    I do not really recollect anything that large. Well, not counting Dropbox’s 4-hour window of “any password fits all accounts”, but that was different.

    Here are some of the news items about this seriously large hacking incident:

    Here come more technical reports:

    TheTechGerald’s analysis linked to above got my attention. Unfortunately, a while ago I subscribed to Stratfor’s “free intelligence mailing list”, and was wondering if my account information was now publicly available. I was most worried about the password I used to subscribe, because of the risk of using the same password somewhere else.

    Unlike TheTechGerald, I didn’t use any dictionaries – just the default configuration of a well-known tool for finding weak passwords. Within a single hour, ~100k passwords were decrypted (~12% of all). By the end of the day, ~50k more passwords were decrypted (totalling 17.4% of 860k). At this point my password was still safe, and I had found a way to verify that it is not used anywhere else, so I aborted further decryption.

    There are a few simple conclusions:

    • anybody who had a Stratfor account must verify that he/she isn’t using that password anywhere else, because if 1 PC can get 17% of all the passwords in less than a day, it is only a matter of time until all the leaked passwords are cracked and made publicly available in various “md5 decryption databases”
    • system owners should run periodic screenings for weak passwords (and implement policies that prevent obviously weak passwords from being created in the first place)
    • MD5 is very fast to brute-force – a much slower hashing function wouldn’t hurt; also, using a more complex hashing approach, maybe even with a closed-source shared library, could help
    • single-factor (password-based) authentication is likely to be replaced with 2-factor authentication in the near future
    • one may enjoy increased personal data safety by using throw-away passwords in conjunction with antispam mailboxes like spam.la and mailinator.com (at least 1600 users – 0.186% – did use these services).
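
    An added example (not part of the original post) of the second and third conclusions above: a registration-time weak-password check, a screening of legacy unsalted MD5 hashes against a deny list, and salted scrypt storage as the slower replacement. The deny list, the account names and the scrypt cost parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed deny list; a real screening would load a large breached-password list.
WEAK_PASSWORDS = {"123456", "password", "stratfor", "qwerty", "letmein"}

# scrypt cost parameters (assumed for this example; tune them to your hardware).
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the 'before' state: fast, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def is_acceptable(password: str, min_len: int = 10) -> bool:
    """Registration-time policy: reject short or deny-listed passwords."""
    return len(password) >= min_len and password.lower() not in WEAK_PASSWORDS


def screen_legacy_hashes(user_hashes: dict) -> list:
    """Periodic screening: accounts whose stored MD5 matches a deny-listed password."""
    weak = {legacy_md5(p) for p in WEAK_PASSWORDS}
    return sorted(user for user, h in user_hashes.items() if h in weak)


def hash_password(password: str) -> str:
    """Per-user random salt plus memory-hard scrypt, stored as 'scrypt$salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed accounts: alice reuses a deny-listed password, bob does not.
    legacy_db = {"alice": legacy_md5("qwerty"), "bob": legacy_md5("kX9#vT2!mQ7z")}
    print("flag for reset:", screen_legacy_hashes(legacy_db))
    print("salted record:", hash_password("correct horse battery"))
```

    Accounts flagged by the screening can be forced through a password reset, and each remaining account can be re-hashed with `hash_password` at its next successful login.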


    Posted in Links, Misc, Security, Software, Web | No Comments »

    Simple and efficient Drupal upgrades: patch!

    3rd January 2010

    Just a quick note: upgrading Drupal using a patch file is a really efficient and fast method, especially because diff/patch files are available for different Drupal version combinations.

    Posted in Drupal, Links, Notepad, Web | No Comments »

    DrupalCamp 2009 in Kyiv, Ukraine: August, 28-29, 2009

    23rd July 2009

    DrupalCamp Kyiv 2009. This will be the 2nd DrupalCamp in Kyiv. Please click the logo to visit the official web-site to learn more.

    Posted in Drupal, Kyiv, Misc | No Comments »

    Drupal Views: how to display random nodes/content

    4th May 2009

    Today I had the task of displaying a random node in a Views-generated sidebar block.

    This is how to do that in Drupal 7 (Views 3):

    1. edit the view which makes the block available (follow http://your.site/admin/build/views/viewname/edit)
    2. in the Sort Criteria section, look for and add Global:Random.

    This is how to do that in Drupal 6 (Views 2):

    1. edit the view which makes the block available (follow http://your.site/admin/build/views/viewname/edit)
    2. in the Sort Criteria section, add the Random criteria.

    It can’t be simpler than that.

    Posted in Drupal, Notepad, Software | 13 Comments »

    Drupal theme development: where to start

    8th June 2008

    The simplest way to develop your custom Drupal theme is to start with some skeleton/wireframe theme.

    In this post, I’m briefly reviewing 4 themes (atck, blueprint, framework, and zen), made specifically to serve as a theme developer’s starting point. All 4 are listed with their features (as per the Drupal project page of each one), with my personal “impressions” (not based on actual use experience, yet). There’s also my choice and order of preference for the 4 candidates at the end.

    Posted in Drupal, Links, Notepad, Software, Web, XHTML/CSS | 8 Comments »

    Flash video in Drupal (links)

    6th May 2008

    Some things to be aware of when enhancing a Drupal site with FLV video playing/conversion features.

    Posted in CMS, Drupal, Links, Notepad, Software, Web | No Comments »

    Drupal is more than just a CMS

    6th April 2008

    This post provides several links which would be useful for beginning Drupal developers, or developers deciding which CMS to use as the base for their next project. Also, the strengths of Drupal are highlighted.

    Intensively working with Drupal during the past two weeks, I find it to be an excellent tool, and also much more than a YACMS.

    Now I think that Drupal is also a framework – providing caching, session handling, access control, theming, localization, and more, all invisible to the developer. The minimal effort required to extend the already huge Drupal functionality is to write your own module – and, if done right, your module will immediately benefit from all the bonuses Drupal provides.

    But Drupal also really shines as a CMS! You can start with a free design theme, and without any PHP knowledge have your custom portal built within a week – with your own hands, if you desire! (Note: “within a week” is true, but only if you already know what exactly you should be doing; learning time is short, but it’s not within that same week.)

    What makes Drupal so powerful? I’d say its beautiful core and numerous modules.

    What does Drupal have to offer?

    Posted in CMS, Drupal, Software, Web | No Comments »