Craigslist Thieves Caught
The two people who posted a Craigslist ad saying that anyone could take what they wanted from a home in Oregon have been tracked down and arrested after investigators followed their IP address. The stunt was a diversion to steal two horses.

It’s nice to see that internet crime doesn’t pay. Unfortunately, it’s also troubling to read this article and realize that had this couple simply used an anonymizing service, a proxy chain, an internet cafe, or a Tor node, there would have been no way to catch them from what they posted on Craigslist.
This is not a Bomb, Boston
Reading on BoingBoing about the poor MIT student who was recently arrested at submachine gunpoint, I saw a few comments that interested me enough to write a brief rebuttal. For example, comment #63 by Jacob Davis:
On another note, to everyone saying, “It’s obviously not a bomb, they should have known better!” : that’s really condescending. My mother doesn’t know what a breadboard is. My neighbors don’t. Several of my friends don’t. I’d wager the great majority of the US doesn’t know, for better or worse. Don’t pretend that everyone else knows what you know, especially when you are judging circumstances after being given all the facts at once in hindsight.
See, the problem is that security personnel, if expected to guard against bombs and bombers, should be able to positively recognize bombs. Your mother and neighbors are not airport security officers, military police, or Boston police for exactly that reason; they don’t know what bombs look like.
Then there are comments #7 and #8, whose authors feel that the police brutality (they arrested her outside the airport with force) is justified:
Wow, she sure put the “mor[on]” in sophomore! Maybe for her next art project she can run around the airport screaming “I’m Al Qaida! Look at me! I’m Al Qaida!”
I’d have wished the above moron had written “more[on] in sophomore;” it would have been funnier. That said, there’s nothing wrong with a geeky girl wearing a hoodie with some blinking LEDs. As far as I know (and I think the statistics support me here) no one has ever died or been injured, directly or indirectly, by an LED. And I fully support her right to voice her political opinions, even in the airport. Unfortunately, the climate these days means that wearing “we will not be silent” Arabic/English t-shirts will probably get you detained.
I thought MIT students were supposed to be a bit more intelligent than the rest of us. Walking into an airport with an electronic device strapped to her chest ….. a very stupid action. She is lucky to just be in a cell, but I have a feeling a lot of people (including her) will never understand why, this time, the Boston Police are in the right.
This one is begging for me to point out that 99.99998% of people walk around airports with iPods tucked around their chest or body somewhere… and I’m not even going to start counting people with pacemakers, who actually have an electronic device embedded in their chests! An electronic device isn’t a bomb, and if you think airport security can prevent terrorism, you’re wrong.
Finally, on a lighter note, Rob Cockerham’s comment #27 takes the cake, and eats it too:
I can’t believe NBC is promoting Bionic Woman like this. What a terrible idea.
Easy Database Backup with Amazon S3
Taking Paul’s great article How To: Bulletproof Server Backups with Amazon S3 a step further, here’s an easy way to automate your WordPress database backups. First, follow all the steps to get ruby and the s3sync client installed. Once that is set up, create a text file somewhere listing the databases you’re interested in, with each database name, user, and password on its own line. I called mine s3backup-db.txt:
[root s3sync]# cat s3backup-db.txt
db-one
db-one-user
db-one-pass
db-two
db-two-user
db-two-pass
Then you’ll need to make a folder for your backups, which I put in /home/s3backup/. The shell script that does the backups is as follows:
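#!/bin/bash
# Usage: s3backup-db.sh DBNAME DBUSER DBPASS [DBNAME DBUSER DBPASS ...]
BUCKET=your-bucket-here
BACKUP=/home/s3backup/
ROOT=/root/s3sync/
NOW=$(date +%m%d%y)

# Arguments must come in (database, user, password) triples.
if [ $(($# % 3)) -ne 0 ]
then
    echo "Wrong number of arguments!!"
    exit 1
fi

i=0
while [ $# -gt 0 ]
do
    DBNAME=$1; shift
    DBUSER=$1; shift
    DBPWD=$1; shift

    echo "Backing up MySQL db '$DBNAME' with '$DBUSER:$DBPWD'"
    nice mysqldump -u "$DBUSER" -p"$DBPWD" -C -q "$DBNAME" | gzip -9 > "$BACKUP$DBNAME.$NOW.sql.gz"

    # Append the compressed dump to today's tar archive, then delete the loose file.
    cd "$BACKUP"
    tar -r -f "backup.$NOW.tar" "$DBNAME.$NOW.sql.gz"
    rm -f "$DBNAME.$NOW.sql.gz"
    cd "$ROOT"

    i=$(( $i + 3 ))
done

# Upload the archive to the bucket over SSL, then remove the local copy.
nice ruby "${ROOT}s3sync.rb" -r --ssl --progress "${BACKUP}" "$BUCKET:"
rm -f "${BACKUP}backup.$NOW.tar"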
This will dump a file called backup.040506.tar in the Amazon bucket you picked earlier containing the full database backups of the arguments you specified. You can run the script like this, and it will produce a little bit nicer output than Paul’s bare-bones backup:
[root s3sync]# cat s3backup-db.txt | xargs /root/s3sync/s3backup-db.sh
Backing up MySQL db '*****' with '****:****'
Backing up MySQL db '*****' with '****:****'
Update node backup.080507.tar
The next step is just to set it up with cron to run every night at midnight:
[root s3sync]# crontab -e
crontab: installing new crontab
[root s3sync]# crontab -l
0 0 * * * cat /root/s3sync/s3backup-db.txt | xargs /root/s3sync/s3backup-db.sh
If you want an easier way to back up all your databases than specifying some of them, just use your MySQL administrative username and password with mysqldump’s --all-databases parameter. However, on my host there are things like Plesk databases I’m not particularly interested in backing up, so this works better for me. Just make sure s3backup-db.txt is owned by root and readable and writable by its owner only (u=rw with no group or other permissions, i.e. mode 600) so that no one but root can see those passwords:
-rw------- 1 root root 148 Aug 5 13:40 s3backup-db.txt
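The script above passes each password as a command-line argument (through xargs and mysqldump's -p), where other local users can see it in the process list while the backup runs. The following is an added example, not part of the original post or of s3sync: it reads the same s3backup-db.txt format directly, refuses to run if that file is accessible to group or other, and hands credentials to mysqldump through a private option file. The function names are hypothetical.

```bash
#!/bin/sh
# Added example (not the original script). Function names are hypothetical.

# True only if the file grants no permissions to group or other (e.g. -rw-------).
creds_file_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a private MySQL option file holding one user/password; print its path.
# Assumes the password contains no double quote or backslash.
write_option_file() (
    umask 077
    f=$(mktemp) || exit 1
    printf '[client]\nuser=%s\npassword="%s"\n' "$1" "$2" > "$f"
    printf '%s\n' "$f"
)

# Dump each database listed in creds file $1 (name, user, password on
# consecutive lines) into directory $2.
backup_all() (
    creds=$1 outdir=$2 now=$(date +%m%d%y)
    if ! creds_file_is_private "$creds"; then
        echo "refusing to run: $creds is accessible to group/other" >&2
        exit 1
    fi
    while IFS= read -r name && IFS= read -r user && IFS= read -r pass; do
        opt=$(write_option_file "$user" "$pass") || exit 1
        echo "Backing up MySQL db '$name' as '$user'"
        # --defaults-extra-file must be the first option on the command line.
        nice mysqldump --defaults-extra-file="$opt" -C -q "$name" \
            | gzip -9 > "$outdir/$name.$now.sql.gz"
        rm -f -- "$opt"
    done < "$creds"
)
```

With this variant the cron entry calls backup_all with the path to s3backup-db.txt and the backup directory, so no password appears in the crontab or in any process's arguments.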
Wordpress Hacked: Running 2.0.4
Wow! A blog of mine running Wordpress 2.0.4 just got hacked. The attacker, without logging in, was able to inject a bunch of spam links into three of my posts. I caught the attack because I read my own Wordpress feeds, and noticed the update. The IP address the attacker used was 64.252.168.207. Here is the timeline of his penetration into my poor, but out of date, Wordpress installation:
1) Visit Video Games Blog pretending to be Googlebot
2) Visit random pages just to confuse me
3) Visit the three target pages (1, 2, 3)
4) Grab the nonces from wp-admin/post.php?action=edit
5) Use the nonces to do something weird to /wp-admin/inline-uploading.php?action=view
6) Post to the regular edit page
If you don’t want to be hacked, here’s what you need to do:
- Upgrade to the latest version of Wordpress (2.0.10 in my case)
- Remove crap you don’t need. If you’re not using comments, remove wp-comments-post.php. If you don’t know what xmlrpc is, remove wp-xmlrpc.php as well.
- Permission your files. If you are on a shared host, it’s especially important that you don’t make your wp-config world read/writable, or anyone can steal your database login information, or just overwrite it with their own.
If you’re interested, here’s the full server log, as a text file: wordpress-hack-log.txt. The attacker didn’t compromise or access any other services, just used the web interface to insert his spam into my post.
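The timeline above has a pattern that is easy to check for in an access log: a client that presents itself as Googlebot and also requests pages under /wp-admin/. The following is an added example, not taken from the original post or its log file; the log lines are constructed, use documentation IP addresses, and assume the Apache "combined" log format.

```bash
#!/bin/sh
# Added example. Constructed sample log in Apache "combined" format.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [05/Aug/2007:13:01:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [05/Aug/2007:13:01:09 -0700] "GET /?p=12 HTTP/1.1" 200 7340 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [05/Aug/2007:13:02:15 -0700] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 9021 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [05/Aug/2007:13:02:20 -0700] "GET /wp-admin/inline-uploading.php?action=view&post=12 HTTP/1.1" 200 2210 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.10 - - [05/Aug/2007:13:02:31 -0700] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [05/Aug/2007:13:05:00 -0700] "GET /wp-admin/post.php?action=edit&post=3 HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [05/Aug/2007:13:06:00 -0700] "GET /feed/ HTTP/1.1" 200 4000 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
EOF
}

# Print "IP count" for every client that claimed a Googlebot user agent on any
# request and also requested something under /wp-admin/ (with any user agent).
# Reads log files given as arguments, or standard input if there are none.
flag_crawler_admin_hits() {
    awk -F'"' '
        {
            split($1, f, " "); ip = f[1]       # client address
            split($2, r, " "); path = r[2]     # request path
            if ($6 ~ /Googlebot/) crawler[ip] = 1
            if (path ~ /^\/wp-admin\//) admin[ip]++
        }
        END { for (ip in admin) if (ip in crawler) print ip, admin[ip] }
    ' "$@" | sort
}
```

Run it as `flag_crawler_admin_hits /path/to/access_log`; a genuine search crawler has no reason to request the admin area, so any output is worth a closer look.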
Cryptology Attacks: What’s New
A new attack on RSA called Simple Branch Prediction Analysis (SBPA) promises to reveal “almost all of the secret key bits” by running a parallel spy process that only needs to watch a single RSA private-key operation. Some more technical details show it to be a sophisticated, dangerous attack:
Namely, in the context of simple side-channel attacks, it is widely believed that equally balancing the operations after branches is a secure countermeasure against such simple attacks. Unfortunately, this is not true, as even such “balanced branch” implementations can be completely broken by our SBPA attacks. Moreover, despite sophisticated hardware-assisted partitioning methods such as memory protection, sandboxing or even virtualization, SBPA attacks empower an unprivileged process to successfully attack other processes running in parallel on the same processor.

If that weren’t bad enough, a rootkit can now be persisted in your PCI device. A paper called Implementing and Detecting a PCI Rootkit details how PCI cards execute BIOS code, which can be flashed from software running on Windows if the user is running as an administrator. Combined with a remote exploit, this could lead to a remote rootkit injection. Also, given that PCI BIOS software is not verified in any way, the rootkit would be difficult to detect.
