Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    Megahack of Stratfor

    9th January 2012

    If you haven’t heard yet – stratfor.com was hacked in December 2011, leaking full information about 75k credit cards (including owners’ addresses and CVV codes) and 860k (right, almost a million) user accounts. All Stratfor email archives were also reportedly stolen (around 160-200 GB of data), but those were not made publicly available on the internet – unlike the credit card and user account information, which is still relatively easy to find and download.

    I do not really recollect anything that large. Well, not counting dropbox’s 4-hour window of “any password fits all accounts”, but that was different.

    Here are some of the news items about this seriously large hacking incident:

    Here are some more technical reports:

    TheTechGerald’s analysis linked to above got my attention. Unfortunately, a while ago I had subscribed to stratfor’s “free intelligence mailing list”, and was wondering whether my account information was now publicly available. I was most worried about the password I had used to subscribe, because of the risk of having used the same password somewhere else.

    Unlike TheTechGerald, I didn’t use any dictionaries – just the default configuration of a well-known tool for finding weak passwords. Within a single hour, ~100k passwords were decrypted (~12% of all). By the end of the day, ~50k more passwords were decrypted (totalling 17.4% of 860k). At this point my password was still safe, and I had found a way to verify that it is not used anywhere else, so I aborted further decryption.

    There are a few simple conclusions:

    • anybody who had a Stratfor account must verify that he/she isn’t using that password anywhere else: if one PC can recover 17% of all the passwords in less than a day, it is only a matter of time until all the leaked passwords are cracked and published in various “md5 decryption databases”
    • system owners should run periodic screenings for weak passwords (and implement policies that prevent obviously weak passwords from being created in the first place)
    • md5 is very fast to brute-force – a much slower hashing function wouldn’t hurt; also, using a more complex hashing approach, maybe even with a closed-source shared library, could help
    • single-factor (password-based) authentication is likely to be replaced with two-factor authentication in the near future
    • one can improve personal data safety by using throw-away passwords together with anti-spam mailboxes such as spam.la and mailinator.com (at least 1600 users – 0.186% – did use these services).
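The second and third conclusions can be made concrete with a short script. This is an added example, not code from the post or from any of the linked analyses; the accounts, passwords and five-word candidate list are constructed for the demonstration and have nothing to do with the actual dump, and the PBKDF2 iteration count is an assumed value. It runs the same weak-password screening a system owner might schedule, once against unsalted MD5 records (the scheme the leak exposed) and once against records stored with a per-user salt and PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac, then reports the rough cost ratio of one PBKDF2 verification to one MD5. The numbers show why the storage scheme, not the secrecy of the code, decides how long a leak stays safe: against unsalted MD5 one hash per candidate covers every account at once, while the salt plus a slow KDF forces a full computation per account and candidate, and a closed-source hashing library adds nothing once it leaks together with the database.

```python
import hashlib
import hmac
import os
import time

# Constructed sample records: made-up accounts stored as unsalted MD5 hex,
# the scheme used by the leaked database. Not real leaked data.
LEGACY_RECORDS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"c0rrect-h0rse-battery").hexdigest(),
    "dave":  hashlib.md5(b"123456").hexdigest(),
}

# Constructed mini wordlist standing in for a cracking tool's default candidates.
WORDLIST = ["123456", "password", "letmein", "qwerty", "stratfor"]


def screen_unsalted_md5(records, wordlist):
    """Flag accounts whose stored hash equals the MD5 of a wordlist entry.

    Without a salt, identical passwords give identical hashes, so one MD5 per
    candidate is compared against every account at once: screening N accounts
    costs O(len(wordlist)) hashes, not O(N * len(wordlist)).
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in records.items() if h in lookup}


PBKDF2_ITERATIONS = 100_000  # assumed value; tune so one verify takes ~0.1 s


def make_pbkdf2_record(password, salt=None):
    """Hardened storage: per-user random salt + PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def screen_pbkdf2(records, wordlist):
    """The same screening against salted PBKDF2 records.

    The per-user salt forces a full PBKDF2 run per (account, candidate) pair,
    so the work is N * len(wordlist) * PBKDF2_ITERATIONS hash operations.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if verify_pbkdf2(word, salt, digest):
                found[user] = word
                break
    return found


def cost_ratio(password="password", md5_rounds=5000):
    """Rough wall-clock ratio of one PBKDF2 verify to one unsalted MD5."""
    data = password.encode()
    t0 = time.perf_counter()
    for _ in range(md5_rounds):
        hashlib.md5(data).hexdigest()
    per_md5 = (time.perf_counter() - t0) / md5_rounds
    salt, digest = make_pbkdf2_record(password)
    t0 = time.perf_counter()
    verify_pbkdf2(password, salt, digest)
    per_pbkdf2 = time.perf_counter() - t0
    return per_pbkdf2 / per_md5


if __name__ == "__main__":
    print("weak legacy accounts:", screen_unsalted_md5(LEGACY_RECORDS, WORDLIST))
    hardened = {u: make_pbkdf2_record(p)
                for u, p in [("alice", "password"), ("carol", "c0rrect-h0rse-battery")]}
    print("weak hardened accounts:", screen_pbkdf2(hardened, WORDLIST))
    print("one PBKDF2 verify costs ~%.0fx one MD5" % cost_ratio())
```

Run directly to print the flagged accounts and the cost ratio. Both screening functions return a dict of user to matched candidate, which is what a periodic audit job would feed into a forced-reset list; the PBKDF2 pass flags the same weak accounts, it just takes proportionally longer per account.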


    Posted in Links, Misc, Security, Software, Web | No Comments »

    Carol of the Bells is a thousand-year-old Ukrainian song

    24th December 2011

    Arranged by the Ukrainian composer Mykola Leontovych between 1901 and 1919, and performed in 1921 at Carnegie Hall, Shchedryk (with a completely different text and now titled Carol of the Bells) rapidly became popular in the US.

    The original Ukrainian text tells the tale of a swallow flying into a household to proclaim the plentiful and bountiful year that the family will have. The title shchedryk is derived from the Ukrainian word for “bountiful”. This follows a tradition of praising the hosts of festivities in the songs during those festivities, or when coming to get sweets, small money bills or presents in exchange for nice singing by a group of children.

    English text was written separately, and is copyrighted.

    All the derived music uses the original’s four-note pattern by Mykola Leontovych. A folk song/chant was the basis for Leontovych’s work on this piece. I believe the original song had a similar musical (vocal) pattern, and that the “ostinato” figure was already present in the song, so Leontovych’s work was probably to smooth out any uneven moments and formalize the music in notation. Citing the Wikipedia article, “ostinato motif, a repeated four-note pattern within the range of a minor third is thought to be of prehistoric origins”.

    Posted in Misc, Ukraine | No Comments »

    tudu: a beautiful ncurses to-do list application

    11th October 2011

    tudu is just what the title says, and is written in C.
    All the functions are mapped to keys. It is extremely flexible: you can use it either as a simple to-do list, or make use of a bunch of optional features (priorities, schedules, deadlines, categories, tags, maybe something else).

    If you (like me) love ncurses – you will love tudu :) Just give it a try.


    Screenshot copyright: Ruben Pollan (tudu author).

    Posted in *nix, Software | No Comments »

    MyISAM vs InnoDB vs Postgres benchmark

    6th October 2011

    For some reason, I believed that the MyISAM storage engine should be very fast – faster than InnoDB and Postgres. After all, MyISAM does not support transactions, has no logging, and is overall simpler than “true” storage engines/databases.

    I was surprised to find out that this isn’t true, at least for the specific (simple!) query I’m interested in:

    SELECT primary_id FROM tablename WHERE indexed_varchar = %s AND intcol1 <= %d AND intcol2 > %d


    Posted in Notepad | No Comments »

    Good advice: /bin/false is not security

    1st October 2011

    SSH Security and You – /bin/false is *not* security.

    Posted in *nix, Links, Security | No Comments »

    Python performance: set vs list

    15th August 2011

    Sometimes there is a need to be sure that no identifier is processed twice – for example, when parsing a file into a database, with the file potentially containing duplicate records. An obvious solution is to wrap the DB insertion code in a try…except block and handle the duplicate primary ID exceptions. Another, sometimes preferable solution is to maintain a set/list of processed IDs internally, and check against it before attempting any insertion. So should it be a set or a list?

    There are already quite a few internet resources discussing “python set vs list”, but probably the simplest yet elegant way to test that is below.
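As an added example (not the post’s own test script, which is not reproduced here), the following Python implements both de-duplication strategies from the paragraph above against an in-memory sqlite3 table, using a constructed input of 2000 parsed records with only 700 distinct primary IDs, and then times the membership check on its own for a set and a list holding the same IDs. The table name, record layout and sizes are assumptions for the demonstration.

```python
import sqlite3
import time

# Constructed input: (id, payload) pairs as if parsed from a file that repeats
# records. 2000 lines but only 700 distinct primary IDs, so 1300 duplicates.
RECORDS = [(i % 700, "row-%d" % i) for i in range(2000)]


def _fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, payload TEXT)")
    return con


def load_catching_duplicates(records):
    """Approach 1: attempt every INSERT and let the PRIMARY KEY constraint
    reject duplicates via an exception. Returns (inserted, skipped)."""
    con = _fresh_db()
    inserted = skipped = 0
    for rid, payload in records:
        try:
            con.execute("INSERT INTO items VALUES (?, ?)", (rid, payload))
            inserted += 1
        except sqlite3.IntegrityError:
            skipped += 1
    con.close()
    return inserted, skipped


def load_tracking_seen(records, container_type=set):
    """Approach 2: remember processed IDs in a set (or list) and skip before
    touching the database. Only the container type differs between the two."""
    con = _fresh_db()
    seen = container_type()
    remember = seen.add if container_type is set else seen.append
    inserted = skipped = 0
    for rid, payload in records:
        if rid in seen:            # O(1) average for a set, O(len(seen)) for a list
            skipped += 1
            continue
        remember(rid)
        con.execute("INSERT INTO items VALUES (?, ?)", (rid, payload))
        inserted += 1
    con.close()
    return inserted, skipped


def membership_cost(n=10000, probes=500):
    """Time `x in container` for a set and a list holding the same n IDs.
    Probes target IDs near the end of the list, its worst case.
    Returns elapsed seconds as (set_time, list_time)."""
    ids = list(range(n))
    as_set = set(ids)
    targets = [n - 1 - (i % 50) for i in range(probes)]
    t0 = time.perf_counter()
    hits_set = sum(1 for x in targets if x in as_set)
    t1 = time.perf_counter()
    hits_list = sum(1 for x in targets if x in ids)
    t2 = time.perf_counter()
    assert hits_set == hits_list == probes   # both containers answer identically
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    print("exceptions:", load_catching_duplicates(RECORDS))
    print("set:       ", load_tracking_seen(RECORDS, set))
    print("list:      ", load_tracking_seen(RECORDS, list))
    set_t, list_t = membership_cost()
    print("membership: set %.6fs, list %.6fs (%.0fx slower)" % (set_t, list_t, list_t / set_t))
```

All three loaders insert the same 700 rows and skip the same 1300 duplicates; the difference is where the cost lands. The list version degrades as the set of seen IDs grows, because every `in` check scans it, while the set version stays flat, which is what the isolated `membership_cost` timing makes visible.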

    Posted in Notepad, Programming, Python | 1 Comment »

    Phusion Passenger Apache users guide

    14th August 2011

    Phusion Passenger Apache users guide

    Also as a PDF.

    Posted in Links, Notepad, Software | No Comments »