Add your PGP Public Key to Facebook


Thanks to Ryan McGeehan, developer of the “My Public Key” application, you can now add your PGP public key to Facebook.

Undercover NBC Dateline reporter bolts from DEFCON


Hahahaha, hilarious!

Undercover reporter Michelle Madigan (Associate Producer of NBC Dateline) got a little more than she bargained for when she tried to sneak into DEFCON 2007 with hidden cameras to get someone to confess to a felony. When DEFCON staff announced the “spot the undercover reporter” game and told the audience that an undercover reporter was taking video to catch someone confessing to a hacking crime, Madigan bolted from the conference premises, followed by a pack of ~150 DEFCON attendees and reporters trying to photograph and videotape her.

E-mail Privacy Gets a Win in Court


From Time:

In a startling decision this week, a federal appeals court in Cincinnati ordered the feds to keep their mitts off e-mail stored with an Internet Service Provider (ISP) like Yahoo! unless they notify the sender first or show that he doesn’t consider the e-mail private. The ruling was based on the conclusion that most people think e-mail, like letters or phone conversations, is private, and protected under the Fourth Amendment against unreasonable government searches and seizures.

That seems a pretty fair conclusion, but the amazing thing is that no court has ever reached it before. In other words, we’ve been living under a legal regime that essentially assumes we don’t much care if, say, Alberto Gonzales sees our e-mails after they leave our outbox. So for a federal appeals court to upend that regime is a big deal, as experts like Professor Orin Kerr at George Washington University Law School will tell you.


This is awesome…

Hacking Street Signs


While surfing the web today, I came across these (funny) pictures of hacked street signs:

It got me thinking about these signs again. Occasionally I’ll pass one on the highway and I wonder about how they’re “programmed”. Do they have a wireless link back to some “central control” or — my guess — they have some type of console/serial port that the “programmer” plugs a special device (or perhaps even a regular laptop) into and then uses that to put in whatever message they want displayed. Anyone know how this stuff works? I’m curious.

EDIT: Since posting, I’ve found “How to Hack Roadsigns” and “Hacking the Highway”, which both explain it — albeit differently.

Red Hat Linux Gets Top Government Security Rating


Red Hat Linux has received a new level of security certification that should make the software more appealing to some government agencies.

Last week IBM Corp. was able to achieve EAL4 Augmented with ALC_FLR.3 certification for Red Hat Enterprise Linux, putting it on a par with Sun Microsystems Inc.’s Trusted Solaris operating system, said Dan Frye, vice president of open systems with IBM.

“This is the highest level of security function that anybody has,” Frye said. “We have delivered LSPP functionality in Red Hat Enterprise Linux 5 and we have certified that at the EAL4 level of assurance.”


Security breach at Los Alamos


The Los Alamos, N.M., National Laboratory reportedly breached national security by sending classified nuclear weapons information over the Internet.

The e-mails resulted in “the loss of control of top-secret restricted data,” Reps. John Dingell and Bart Stupak, both Michigan Democrats, wrote Thursday to U.S. Energy Secretary Samuel Bodman.

Several Los Alamos officials in January used open e-mail networks to share classified information on the characteristics of nuclear material used in weapons, Dingell and Stupak wrote.


phpBB 2.0.22 released


I only post this because 1) phpBB is so freaking popular, and 2) I recently installed two instances of it at work (so it affects me too).

I first saw the announcement on the Internet Storm Center web site, then I went over to the phpBB website for the “real” announcement.

Anyways, the Changelog for 2.0.22 lists the following:

  • [Fix] Check for user’s existence prior to showing email form
  • [Fix] New members of moderator groups should always become moderators (Bug #382)
  • [Fix] Proper message when replying to non-existant topics (Bug #459)
  • [Fix] Changed column type of search_array to store more ids (Bug #4058)
  • [Fix] Fixed annoyance with font-size selector (Bug #4612)
  • [Fix] Fix optimize line in database updater (Bug #6186)
  • [Sec] Check for the avatar upload directory reinforced
  • [Sec] Changes to the criteria for “bad” redirection targets - kellanved
  • [Sec] Fixed a non-persistent XSS issue in private messaging
  • [Sec] Fixing possible negative start parameter - SpiderZ.
  • [Sec] Added session checks to various forms - kellanved

Grab the updated version over on the downloads page.

WordPress 2.0.5


I somehow missed the WordPress 2.0.5 announcement, but did catch the Gentoo Linux Security Advisory 200611-10 posting on the gentoo-announce list. While I was thinking of it, I figured I’d go ahead and upgrade.

I was quite impressed, it literally took all of 60 seconds to do (if you don’t count making the file and database backups, that is). Mark Jaquith (now the official 2.0.x branch maintainer) put out an “unofficial” .diff for upgrading from 2.0.4 to 2.0.5. I don’t run the 2.x branch on this site, but I do on another and I gotta say thanks to Mark for making it so easy to upgrade.

It was really simple. I SSH’d in to my web host, cd’d to the directory of the WordPress 2.0.4 install, fired up wget to grab the .diff file, tested it (patch --dry-run -p0 < wordpress-2.0.4-to-2.0.5-changes.diff), verified there weren’t any errors, ran patch again (without --dry-run), and that was it. I refreshed my page, checked the headers, and sure enough, it’s WordPress 2.0.5.

It’s little stuff like this that makes my day. Thanks, Mark!

Busting An Idiot Reading A Friend’s Mail


First, a bit of background…

Last Tuesday evening (a week ago), I was playing around on MySpace when a friend of mine (who we’ll call “Betty Lou”) sent me a message. After a number of messages back and forth, I sent her a final message telling her that I was leaving (and on my way to her house). It was right about 8pm when I got there and probably between 9.15 and 9.30pm when I left to come back home.

At 1.27am, Betty Lou sent me a message saying “so i just got word that u were sending $idiot a mssg that said uwere on ur way to my house …..well, that was earlier supposedly. true or not? AND DONT LIE!!!!!!!”

Okay, couple of things…

First, $idiot is a friend of Betty Lou’s and doesn’t like me. Boo fuckin’ hoo, get over it. Second, there were exactly two people that knew that I went to her house that night: her and I. 1.27am is when she sent me that message, I have no idea when it was that $idiot talked to her and said I told him I was coming. Something was up…

Last Thursday afternoon, Betty Lou stopped by my office at work. While we’re talking, she mentions that she thinks that someone is reading her MySpace mail. Now, for those of you who don’t use MySpace, your messages have a “status” similar to standard e-mail (“unread”, “read”, “replied”, etc.). The main difference is that once a message is “read”, you can’t make it “unread” anymore. Betty Lou said that she would log in to check her mail and see “read” messages that she had never read.

So, a red flag goes up in my head and $idiot immediately comes to mind. It’s time for a trap.

With MySpace, you can enter certain HTML tags in your messages. <img src …> is one such tag. A plan quickly formulated in my head. Enter Google.

One Google image search later and I’m staring at an image of George W. Bush flippin’ the bird. Perfect! I upload it to my web server and pull it up in Firefox to make sure it’s accessible. It is.

As Betty Lou stands and watches, I send her a message (click here to see it) on MySpace with a subject line of “your nudie pics”. Surely someone who was reading her mail would read this one, right? devious grin. I instruct her that she is NOT to open it. She agrees. We talk, she leaves, life goes on…

By the way, $idiot goes to Indiana State University, which is about an hour away…

So, later that night, we end up hanging out and I leave her house around 9.30pm to come home. At 11.50pm, Betty Lou sends me a message saying, in part, “someone read that mssg. and it wasnt me.” I was in bed then, however, and she called me a bit later. She told me on the phone that the message had been read.

I felt around for the laptop and booted up. I SSH into the server running Apache and head for the logfiles. A quick grep for the filename of the image I specified in the <img src…> tag turns up two hits:

x.x.x.x - - [28/Sep/2006:17:33:52 -0400] "GET /images/bushmiddlefinger.png HTTP/1.1" 200 90003 www.jeremygaddis.com "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" "y.y.y.y"

…and…

139.102.249.199 - - [28/Sep/2006:21:42:30 -0400] "GET /images/bushmiddlefinger.png HTTP/1.1" 200 90003 www.jeremygaddis.com "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "-"

The first hit, represented by IP address “x.x.x.x” was me. “x.x.x.x” is my proxy server at work (“y.y.y.y” is the IP address of my XP workstation, if you’re wondering).

The second IP address, 139.102.249.199, wasn’t me. It’s also not in any of the netblocks that would’ve shown up had Betty Lou accessed it. Since I didn’t leave her place until around 9.30pm anyways, and it would’ve been physically impossible for her to make it to ISU in 10 minutes, it couldn’t have been her anyways… hmm, wonder who it belongs to then:

[jlgaddis@apollo ~]$ whois 139.102.249.199
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Indiana State University
OrgID:      ISU-1
Address:    Office of Information Technology
Address:    Rankin Hall
Address:    218 N 7th St.
City:       Terre Haute
StateProv:  IN
PostalCode: 47809
Country:    US

NetRange:   139.102.0.0 - 139.102.255.255
CIDR:       139.102.0.0/16
NetName:    INDSTATE
NetHandle:  NET-139-102-0-0-1
Parent:     NET-139-0-0-0-0
NetType:    Direct Assignment
NameServer: GATE.INDSTATE.EDU
NameServer: CCTS.INDSTATE.EDU
NameServer: WASHINGTON.IND.NET
Comment:
RegDate:    1990-02-25
Updated:    2003-09-24

RTechHandle: CE56-ARIN
RTechName:   Edwards, Champe
RTechPhone:  +1-812-237-2961
RTechEmail:  cchampe@isugw.indstate.edu

OrgTechHandle: CE56-ARIN
OrgTechName:   Edwards, Champe
OrgTechPhone:  +1-812-237-2961
OrgTechEmail:  cchampe@isugw.indstate.edu

ARIN WHOIS database, last updated 2006-10-04 19:10

Enter ? for additional hints on searching ARIN’s WHOIS database.

[jlgaddis@apollo ~]$

I’ll be damned, it’s allocated to Indiana State University, the same school that $idiot goes to. Coincidentally enough, it’s only an hour away from the .edu that I work at, and I know some people in I.T. there…

dials phone

So, to skip the details of a phone conversation and avoid incriminating anyone in the OoIT at ISU, I now know 100% without a doubt who that IP is assigned to. Yep, $idiot.

I sent him a few MySpace messages after that, but he never answered. Weird.

Ironically enough, apparently Betty Lou had mentioned to $idiot that she thought someone was reading her messages and he, of course, acted dumb and innocent. He also told her something to the effect of “…why don’t you get your computer geek friend to find out who it was?”

And she did. Isn’t that beautiful? =)

Oh, and in case you’re wondering who $idiot is… feel free to check his MySpace profile or Facebook profile.

Damn I’m good. ;)
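
The log check described in this post, as an added example (not the author's own commands): a Python sketch that parses access-log lines in the layout quoted above and reports requests for the marker image that come from outside the netblocks you expect. The image path, host name, addresses and netblocks are constructed sample values.

```python
import ipaddress
import re

# Field layout of the log lines quoted in the post: client, ident, user, [time],
# "request", status, bytes, vhost, "referer", "user-agent", "forwarded-for".
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<vhost>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"'
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2006:17:33:52 -0400] "GET /images/canary.png HTTP/1.1" '
    '200 90003 www.example.org "-" "Mozilla/5.0 (sender test)" "192.0.2.77"',
    '198.51.100.23 - - [28/Sep/2006:21:42:30 -0400] "GET /images/canary.png HTTP/1.1" '
    '200 90003 www.example.org "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "-"',
    '203.0.113.5 - - [28/Sep/2006:21:50:01 -0400] "GET /index.html HTTP/1.1" '
    '200 5120 www.example.org "-" "Mozilla/5.0" "-"',
    'truncated or malformed line',
]

def unexpected_hits(lines, canary_path, known_nets):
    """Return hits on canary_path whose client is outside every known netblock."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout
        # Ignore any query string so "/images/canary.png?x=1" still counts.
        if m["path"].split("?", 1)[0] != canary_path:
            continue
        try:
            known = any(ipaddress.ip_address(m["client"]) in n for n in nets)
        except ValueError:
            known = False  # logged as a hostname; cannot be matched, so report it
        if not known:
            hits.append({k: m[k] for k in ("client", "time", "agent", "xff")})
    return hits

if __name__ == "__main__":
    # Known netblocks (assumed): the sender's proxy and the recipient's ISP.
    for hit in unexpected_hits(SAMPLE_LOG, "/images/canary.png",
                               ["192.0.2.0/24", "203.0.113.0/24"]):
        print(hit)
```

A hit only shows which address fetched the image; a proxy or image cache between the reader and the server appears as the client, which is why the forwarded-for field is kept in the result.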


Microsoft Releases Patch for VML Vulnerability


Microsoft today released patches for the 0-day Vector Markup Language (VML) vulnerability. Microsoft Security Bulletin MS06-055 has all the details, and more information is also available in the US-CERT Technical Cyber Security Alert TA06-262A.

Now go patch those PCs!



Copyright © 2007 Jeremy L. Gaddis.