The Obamacare website is giving away Americans' personal information to marketing agencies. They claim not to provide people's names, but Facebook and Twitter can correlate that and much more that from your IP address.


Jan. 17th, 2015 02:38 pm

Lizard Squad stored their customers' passwords in plaintext. They do have a skiddie reputation and this certainly adds to it.

On second thought, that may have been intentional. Most people use the same usernames and passwords on multiple sites. The Lizards now have a plaintext username and password pair for each of their customers, and there are certainly some people dumb enough to use a common username and password when doing business with criminals.


Jan. 4th, 2015 06:24 pm

Nim (formerly Nimrod) looks like an interesting language. Via lobsters. Some links:

  • From Risk Based Security's excellent timeline of events:
    • Sony was crushed on November 24.
    • Guardians of Peace at that time had public contact info and a facebook page. RBS was able to contact them.
    • GoP claimed to have collected 12 terabytes of data from Sony.
    • GoP began publishing Sony data on December 1, one week after shutting down Sony's network.
    • GoP uses a different e-mail address every day, and these emails are likely compromised accounts of real people.
    • NBC News was first to suggest North Korean responsibility on December 1.
    • The FBI attempted to visit security research Dan Tentler, who has been investigating the Sony hack, for "illegal downloading".
    • Someone claiming to represent GoP sent emails to Sony employees threatening the lives of their families. Another email from GoP denied responsibility.
    • Mandiant was hired to investigate the Sony hack before it became public.
    • From leaked emails, a group called God’sApstls had emailed Sony executives on November 21.
    • An anonymous pastebin identifies Guardians of Peace as Tunisian Hacker Team members Beent1988, sillux, TheEyetion, and Supothis. RBS warns that the information is not reliable.
  • From the FBI's Dec. 19 report:
    • The malware is similar to the malware used in the 2013 attack on South Korean banks
    • The malware is similar to malware previously known to be used by North Korea
    • The infrastructure used is known to have previously been used by North Korea
  • From CyActive:
    • The Destover file deletion tool used in the Sony attack is very similar to the Disttrack/Shamoon tool used in a 2012 attack on ARAMCO in 2012 and the wiper used in the 2013 DarkSeoul attack on South Korean banks and television.
  • From Marc Rogers, the top security guy of Cloudflare and the Black Hat conference:
    • The Shamoon source code was leaked and is widely available if you know where to look.
    • All but one of the alleged C&C servers are known public proxies used by multiple actors.
  • From Bloomberg:
    • From an anonymous source, the GoP used the network of the St. Regis hotel in Bangkok on Dec. 2 just after midnight local time
    • From Liam O Murchu of Symantec, the GoP used a C&C server that was used in the 2013 attack on South Korean banks.
    • McAfee had found similarities between the 2013 attack and attacks on US and South Korean military sites dating to 2009.
    • CrowdStrike has tracked the attackers since 2006 and identifies them as North Korean.
  • From the GoP hacker Lena, via Verge:
    • GoP had physical access to Sony's facilities and "staff with similar interests" let them in.
    • Lena initially claimed that GoP's goal was "equality", saying "We Want equality. Sony doesn’t. It’s an upward battle."
  • From Fusion Media and Business Insider:
  • From Kurt Stammburger at Norse Security, cited by CBS:
    • Stammburger has tentatively identified Lena as a ten-year Sony employee who left Sony in May and "was in precisely the right position and had the deep technical background she would need to locate the specific servers that were compromised."
    • The "North Korean" malware identified by the FBI is generic and in wide use by all sorts of hackers.
    • The GoP did not make any demands regarding the movie The Interview until late in their campaign.
  • From Brian Fung at WaPo:
    • Hackers claiming ties to Anonymous launched OpRIPNK to to DDoS North Korea.
    • TheAnonMessage endorsed OpRIPNK and was denounced by YourAnonNews for a separate issue.
    • Lizard Squad celebrated the DDoS of North Korea.
  • From Bloomberg:
    • The speed with which the national security apparatus blamed North Korea for the hack is suspicious.
    • IntelCrawler has identified several Lizard Squad members as members of Guardians of Peace.
    • Sony has been compromised by multiple hacking rings for years.
    • Sony was warned in late 2013 of hackers stealing gigabytes of data.
  • From Radar citing leaked Sony emails:
    • A high-ranking CIA agent met with Sony's head of security Stevan Bernard on October 31.
    • Undersecretary of State Richard Stengel and other feds asked Sony to produce propaganda against ISIS.
  • From Marc Rogers:
    • The Guardians of Peace text "reads to me like an English speaker pretending to be bad at writing English" rather than a Korean with poor grasp of English.
    • The Guardians of Peace did not mention North Korea or The Interview until after the media suggested that North Korea may have been behind the attack because of the movie.
    • The code was written on a PC with Korean locale, but Rogers suggests this is meaningless.
    • The destruction of Sony's data combined with the failure to take advantage of it suggests that the attacker was motivated by revenge.
  • From The Daily Beast:
    • The Guardians of Peace laughed at the FBI's assumption that North Korea was responsible.
    • The GoP linked to the "You Are An Idiot" video.
    • Richard Nixon once referred to South Korea as "the guardians of peace", a possible origin of the group's name.
    • An anonymous pastebin claiming to represent a group of 25-30 Anonymous members threatened further hacking attacks against Sony if they failed to release The Interview.

Comic relief:

Edit Dec. 26: Lizard Squad got doxxed by Finest Squad. Most of the lizards are high school age or younger, suggesting that there are leaders yet to be identified. The oldest name in the list is a 32yo who goes by "Criminal", "CGOD", or "Fatally" online, suggesting he might be the most experienced in the group (that we know of) and inclined to criminal behaviour. The full list of names is: chF/chFthemango/FTBG cHF, clerk/nitrous/verdict, TokenTheGod/OMG Treh/BaseSquad, kms/underscore, Criminal/CGOD/Fatally, Jordie, MLT. A separate doxx by "Dox Squad" identifies additional members: Satan666/Satan600, Teridax/AlphaQuintesson, PriNc£/Dox_Boi, Komodo/SYNACKtra, BP/Onion Cow/GaySexWithDad, Niko/PussySquirting, and Cedrick/Cedrick8I. Additional names are given for chF: chFTheCat, Clerk: Savaged/NotClerk. Another doxx lists TokenTheGod as Lizard Squad's leader, GDK Jordie as co-leader, chF as manager, and gives additional names: Souly (IP provisioning), dox_boi (doxxing and swatting), lolaristocrat (doxxing), Talos. It mentions that Criminal/Fatally had been raided. Most of the Finest Squad doxx was copied and pasted from a Dec. 9 doxx by YourAnonGlobo. Also, Lizard Squad is threatening to doxx Finest Squad back.

None of these doxx mention any alleged links between Lizard Squad and GoP, so IntelCrawler's claim that they are related has no outside support yet.

Edit Jan 10: Rumor has it that several lizards have moved to Team P0ison. The /baphomet/ group on 8chan is pointing the finger at DeleteSec / Deadman1420 as a lizard affiliate who was dumb enough to go to 8chan from his home IP and brag that he DDOSed them. It's not impossible that someone else was using his system as a proxy.

Edit Feb 1: Unconfirmed chatlogs and rumors suggest that Lizard Squad's Vince Omari and Julius "Ryan" Kivimaki got picked up by the police in January, were released, and then started attacking 8chan's Gamergate forum. That ain't suspicious at all.

IntelCrawler has released a report on Lizard Squad attempting to link them to Guardians of Peace.

  • The strongest link is that a lizard admitted "knowing some people from the GOP" and "handed over some Sony logins to them".
  • Lizard Squad domain host Abdilo/Notavirus/Survivaton "left Lizard Squad in October", has a history of hacking South Korean targets, and had tweeted about GoP after the group had been named in the press.
  • Teridax was tweeting jokes about 9/11 around the time a GoP paste mentioned 9/11, which is entirely meaningless
  • lolaristocrat joked about being from North Korea after the media blamed the Sony attack on North Korea, which is even more meaningless

That's not very strong. Additional Lizards named by IntelCrawler are ladykiller/labelled, sp3c, Vagineer, Chameleon, ryan (Kivimaki), dragon, and Gecko. I suspect that Chameleon, dragon, Komodo, and Gecko probably have different names and took lizard-themed names for Lizard Squad. Abdilo has been known to livestream his attacks, has openly attacked .gov and .mil sites for months from his home IP, and has not been arrested. The hacking group The Empire published Abdilo's request for membership.

So far it looks like the link between Lizard Squad and GoP is very weak.

Edit Dec 28: Not about the hack but worthy of a facepalm, Sony pirated some of the music in the movie. This from the same company that put rootkits on its music CDs.

Edit Dec 29: Norse Security has now identified six individuals involved in the hack. Charles C. Johnson has identified a second Sony employee as an involved hacker. This "lena2" is a senior systems administrator in Sony's payroll department, which Sony's consultants Bain & Co. eliminated. Leaked data suggests that lena2 may be Shahana Manjra, but nothing is confirmed yet.

From Jonathan Langdale: "They are looking at the wrong Lena. Lena was a June pink slip, used as a decoy. They have another name though."

Edit Jan 10: The FBI denounced Norse's information as not credible.

Edit Jan 10: The RBS timeline has updated.

Edit Feb 1: The NSA claims it had broken into North Korea's network and watched the attack go down. That would be exceptionally strong evidence if true.

Here's a conspiracy theory found while googling around for more info about the attack: TahoeBlue at Prison Planet thinks Sony did it to themselves to distract the public from the movie "Unbroken", about a Japanese POW camp during WWII. This idea has motive and nothing else going for it.

I want to run Google Earth. Old forum posts say that I can just install the package; there is no package. There may be a Linux version of Google Earth that may be compatible with FreeBSD, but I can't find a way to download it.

BSD developer nox has a Google Earth shar archive inside a tmp directory, but it doesn't work.

make fails with:

make: "/usr/share/mk/" line 16: Cannot open /usr/ports/Mk/

Inside /usr/share/mk/ we find this:


Improper capitalization inside the configuration file in the default PC-BSD distro.

Fixing that leads to another error:

make: line 47: Malformed conditional (${OSVERSION}<700055)

Maybe it requires gmake? pkg install gmake and continue.

Makefile:39: *** missing separator. Stop.

There is an alternative called Marble. Attempting to open it causes KWallet to open instead. Closing KWallet causes Marble to complain that some password for some account will be sent in the clear. I should not need to log into any account to use a Google Earth type of program for which my identity is irrelevant, so I get stuck in an infinite loop of closing programs until I kill marble from the command line.

A little while ago I took my laptop to Starbucks and used their wireless. Everything worked as expected.

A littler while ago I took my laptop to Starbucks and it refused to connect to their wireless. Other customers were connected, so the network was up. "Restarting the network" (whatever that does) through KDE, multiple times, made no difference. wlan0 had the correct ssid. status: no carrier. messages log contains:

wlan0: Trying to associate with 9c:1c:12:17:6f:d0 (SSID='Google Starbucks' freq=2412 MHz)
wlan0: Authentication with 9c:1c:12:17:6f:d0 timed out.
wlan0: CTRL-EVENT-DISCONNECTED bssid=9c:1c:12:17:6f:d0 reason=3 locally_generated=1

The "authentication timed out" message is curious because this particular starbucks has an open access point with no security and no authentication beyond asking you to take a cookie after you have connected.

According to a list of reason codes, reason=3 is DISASSOCIATION_REASON_CODE_STATION_LEAVING_ESS - Deauthenticated because sending station has left or is leaving IBSS or ESS. "Extended Service Set" is another name for a wireless network. "Independent Basic Service Set" is another name for a wireless access point. All this message means is that my laptop disconnected, likely whenever I tried to reconnect or when the authentication failed.

A related aggravation: selecting the starbucks network from the network systray icon caused KDE to delete the configuration for my home network, so I had to type it in again when I got hope.

scrap dump

Jun. 6th, 2014 05:15 am

I had intentions to write a blog post declaring 2011 as the Year of the Hacker but never got around to it. We had LulzSec, J3ster, and Web Ninjas. We had Stuxnet. We had Iran hacking certificate agencies. We had the iPhone "Towson" hack. We had noobs getting arrested for using LOIC from home. We had a virus hit control computers for the CIA's drones.

The benefit of modern Javascript+HTML is that you can do anything with it. The drawback of making Javascript+HTML a Turing-complete environment is that you can do anything with it.

I was studying Android programming a few months years ago, and they made this recommendation: "Don't call the UI-construction code directly! Use XML for your interfaces!"

The Android XML format is so painful to look at that I thought it worth my time to design my own alternate domain-specific language rather than use the one they gave me. (I never finished it)

The old practice of web development

<TITLE>My Webpage</TITLE>

The new practice of web development

var node_html = document.createElement("HTML");
var node_html_head = document.createElement("HEAD");
var node_html_head_title = document.createElement("TITLE");
node_html_head_title.innerHTML ="My Webpage" 

Android and the Web seem to be going in opposite directions there.

I propose a new baseball statistic that weights and combines multiple different types of failure. Call it Derps Per Perp.

For pitchers:

  • any appearance including:
    • an inning surrendering four or more runs, OR
    • any appearance of under one inning that is not the final appearance of that inning.
  • Balks
  • Hit batters

for batters:

  • Hitting into double and triple plays
  • Fielding errors

Divide batter stats by factors related to at-bats

Divide pitcher stats by factors related to innings pitched

Statistics for the AL might need to be adjusted due to pitchers not hitting and designated hitters not fielding.

There used to be something at There was the URL in my notes, and a web search shows people referencing the antiterrorism articles and conspiracy theories that used to be there. Now it's an autogenerated page controlled by a bot. I would have imagined that blogs under a major business domain might last until the business dies.

The developers of the hard-drive encryption software Truecrypt decided to go out in style, that style being Modernist with a touch of Dada. The most popular theory is that the anonymous developers were compromised by a government agency and forbidden from discussing it so they acted absurd enough that people would notice something is wrong. An alternate theory is a table-flipping mental breakdown on the part of whoever controls the web presence.

The Internet Archive saved a report on suspicious Bitcoin trading at MtGOX. Key allegations in the report:

  • A bot named Willy by redditors was repeatedly dropping $2.5 million on Bitcoins, never selling, and opening a new account to repeat the process after spending the pre-set amount.
  • Willy was able to make trades when MtGOX was disconnected from the Internet, suggesting that it ran from inside the MtGOX network or that it was able to backdate its trades.
  • Willy's user IDs were significantly higher than the highest user IDs of normal users.
  • A user nicknamed Markus by the report's author also had higher user IDs than those of normal users, and Markus stopped trading 7 hours before the first Willy user ID was created, suggesting that Markus may have been an earlier bot or the user that created Willy.
  • Markus's purchases show the exact same currency value as the previous user's trade even when the bitcoin value is different, suggesting that the trade records were created from dirty memory either when the trades were recorded or when the report was generated, in either case without money changing hands.
  • When MtGOX released an anonymized version of their trading logs, the new logs changed the currency values of Markus's trades to the market price and changed Markus's user ID to that of a user named MagicalTux, a name used by MtGOX CEO Mark Karpeles.

As of two days after this report was published, it has been taken down by Wordpress.

This blog has been archived or suspended for a violation of our Terms of Service.

The report ends by openly accusing MtGOX of fraud, which probably attracted the attention of lawyers. The author should have kept to the data and let it explain itself.

[Edit June 05] Wordpress has restored the Willy Report blog.

"Why Python Is Slow" is a quick read on Python's dynamic typing. I had not known that it was possible to change the value of an integer constant in Python.

Page generated Sep. 23rd, 2017 09:54 pm
Powered by Dreamwidth Studios