Archive for the ‘Gimpy internet nonsense’ Category

CBA’s Netbank platform was never vulnerable to Heartbleed

April 14, 2014

The suggestion has been doing the rounds, at least at the more paranoid/self-fancying end of the technology spectrum, that the Commonwealth Bank of Australia (CBA)’s Netbank online banking platform might have been vulnerable to the Heartbleed vulnerability.

TL/DR: it wasn’t.

Heartbleed only affected sites running certain versions of the OpenSSL library with its TLS heartbeat extension enabled. Netbank runs on SAP for Banking, implemented by Accenture. SAP for Banking is not affected by Heartbleed, which you’d expect given that it runs on Microsoft IIS (“Microsoft” and “open” go together like anchovies and custard). This isn’t a great surprise: no major western-world bank’s online banking platform was ever vulnerable, because of the massively proprietary, as well as security-crazy, way in which online banking software is developed.

So why all the derp? Well, CBA’s non-transactional Commbank.com.au website does use OpenSSL, was apparently vulnerable to Heartbleed, and was apparently patched after the Heartbleed news broke. You don’t use your Netbank credentials to log into Commbank, it isn’t linked to your secure data, and it uses a different security certificate from Netbank.

This created some scope for confusion – and the scope was fully brought to reality by the combination of utterly stupid PR people, and self-satisfied circle-jerking techies happy to spread unjustified fear among CBA customers.

CBA published a blog post that completely failed to explain the difference between the two platforms, and then responded to comments asking for clarification with a meaningless copy-paste of the original post. Rather than doing the basic research that went into my post here, a whole bunch of tech folk who should know better then went crazy with the “WE DON’T KNOW IF OUR NETBANK PASSWORDS ARE SAFE OR NOT, WOES!!!!!!” line.

Stop it. Your Netbank passwords are safe. Someone in CBA’s PR department needs a long walk off a short pier, is all.

(thanks very much to Johnny and Chris for pointing me towards technical details here. Any screw-ups in this post, of course, are solely my fault.)

Content filtering is stupid, but you are stupider

December 23, 2013

There’s been masses and masses of fuss over the last couple of days about the implementation of opt-out content filtering for porn in the UK.

As everyone sensible argued in great detail at the time the PM promised it following a Massive Stupid Media Panic, content filtering is pointless: it’s easy to bypass, provides a false sense of security, leads to false positives so that sex education sites get blocked, and puts the infrastructure in place for a more Daily Mail-friendly government to run wider censorship modes.

However, and unfortunately, most of the last couple of days’ Twitter chat about content filtering has involved gibbering idiots who know fuck all about fuck all talking embarrassing nonsense.

O2, one of the UK’s larger ISPs, has thoughtfully provided a tool so you can see how your website is categorised.

Here’s this website:

[Screenshot: O2’s URL checker result for this website]

Like all websites, it’s allowed on the opt-in “open access” feed (where you tick the “I am a dirty whoremonger” box). Like nearly all websites, it’s allowed on the default “default safety” feed (if you leave the “I am a dirty whoremonger” box unchecked). And, like nearly all websites, it is blocked under O2’s opt-in-only under-12 filtering scheme, whose aim is to create a walled garden of whitelisted CBeebies-ish tiny-friendly sites which won’t produce unfortunate results when your kitten-loving sproglet searches for “i love little pussy”.

Because people are monumentally stupid, and crowds even more so, the fact that almost all websites show up as blocked under the under-12 filtering scheme has led to claims that they are blocked under the default filters. Which they aren’t. Almost every tweet today about a website being blocked has been a fuckwit claiming that a website is blocked under the default filter, when it’s actually blocked only on the whitelisted kiddy-friendly filter.

This is not to say that the default filter isn’t problematic. It is problematic. Because it focuses on sex, it is inevitably going to fail hardest at the areas of sex where young people (especially LGBTQ young people) most need information and resources. But if you’re wanking on about how your blog or Wikipedia or the Guardian or basically anything non-sexual has been blocked, then you are a fucking idiot and you are not helping and you should shut up.

Pharma hackers gonna pharma hack, 2013 edition

February 28, 2013

I was Googling for an old Banditry post yesterday, as part of a discussion about that new ‘people lie about their drinking’ study. Eventually I found it, only to discover that I’d linked to a (London) Times article, and that therefore the paywall had ruined the whole thing (curiously, even though the Times now shows unregistered users the headline, lede and first sentence for new articles, it completely screws up on old ones). So I more or less gave up on the post [*].

While Googling, I was rather surprised to discover the amount of content that I’d apparently written about the availability, acquisition and applications of various medicinal substances (link will hopefully die in a few weeks as Google updates itself). I briefly considered the possibility that in a fit of poverty and/or drunkenness I’d decided to set up my own online pharmacy, then remembered that I’m based in the country with some of the tightest controls on prescription drugs in the world so that would be rather silly. Rather, I’d been hacked.

I’ve been blogging for more than a decade now, so this isn’t the first pharmaceutical spam I’ve experienced: but it is the most insidious.

Creepy crawling

The hacked pages are tainted only to Google’s crawler – if you or I or anyone in the world who isn’t Google’s crawler click through to them, then they appear as originally intended, both in the browser and in the source code. So the spam-merchant gets to benefit from my PageRank without doing suspicious things to my traffic stats or making suspicious links appear on my actual site, which has been the giveaway for previous hacks. They also, cleverly, didn’t go for an out-and-out hack of all pages, so if you google for “johnband.org” or search the site for a specific term that isn’t drug-related, then you’ll get the correct result, with no indication that some of the pages (mostly tag pages, category pages, and monthly archives) exist to Google only as pharmaceutical billboards.

Conveniently, Google has a funky-cool Fetch As Google tool, described here by their engineer Matt Cutts, which allows you to see exactly what the Googlebot sees when it crawls any page on your site. Sticking the affected pages into the tool confirmed that Google was still seeing them as pharmaceutically compromised. And that they’d been this way since last July-August.

So, I junked my evening plans and settled in for a night of Fun With WordPress, PHP, MySQL, Unix Permissions And Google. Which is my favourite sort of fun, obviously.

Hope, cruelly dashed

The top Google hit on the pharma hack, from blogger Chris Pearson, was an extremely well-written summary which described an identical problem to mine. “Result!”, I thought. So I followed Chris’s steps, only to discover that absolutely none of them worked. The trouble is, the pharma spammers are cleverer bastards than I’d thought: once the tricks of your trade are readily visible with a quick Google, you’re at a disadvantage. And Chris’s post dates from April 2010. Three years of malware evolution later, although his macro-level points are still worth a read, the actual techniques described were way obsolete.

Bugger.

So I Googled a bit more, mostly finding sites that repeated Chris’s solution, but eventually happening upon a couple of write-ups that were closer to my problem – at least, in the sense that they also found none of the things Chris describes, nor any of the obvious hacks I’ve experienced before like a doctored .htaccess file or dodgy-sounding access permissions, nor any changes to the main WordPress database… at least, none of the changes that anyone has noted online.

The most comprehensive, although perhaps the least comprehensible unless you’re ultra-techie, was a post from Shaun Green from February 2012. Short version: the current version of the hack creates php files with names that sound like they should be real WordPress files, and distributes them throughout your WordPress install but especially in the wp-includes folder so that they’re almost impossible to find and tell apart from real WordPress files without doing extremely nerdy things.

I’m not really a deep-level coder, so following all of Shaun’s steps sounded rather painful. And my install didn’t contain the specific filenames he lists (https.php and class-sftp.php), so I would have had to literally retrace his steps rather than just following his conclusions.

Instead, I went for a slightly lower-tech option. Everything in the wp-includes folder is a standard WordPress file, which shouldn’t have changed since installation. The same is true for everything in the wp-admin folder, and for everything in the WordPress root folder except for wp-config.php (which I’d already checked to make sure it wasn’t compromised). So I downloaded a vanilla version of WordPress 3.5.1, deleted everything from my install except for the wp-content folder (where themes, plugins and pictures are stored) and wp-config.php, and then copied the untainted files across.

One quick check on Fetch As Google later and – hurrah! – the pharmaceuticals had all disappeared. Now all I need to do is wait for Google to update its cache, and everything should be back to normal.
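The delete-and-reinstall approach above works because everything outside wp-content and wp-config.php should be byte-for-byte identical to the vanilla download. The script below is an added example (not the author’s code and not part of WordPress) that makes that comparison explicit before you wipe anything: it hashes every file in the live install and in a pristine copy of the same version, and reports files that exist only in the live install (planted ones), files whose contents differ, and core files that are missing. The two directory trees it compares are constructed in a temp directory purely for demonstration; the planted filename https.php is borrowed from Shaun Green’s write-up as a sample, and the file bodies are placeholders.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Site-specific locations that are expected to differ from the vanilla download
# and therefore must be excluded from the comparison (check them separately).
SKIP_DIRS = {"wp-content"}
ROOT_EXCEPTIONS = {"wp-config.php"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def core_files(root: Path) -> set[str]:
    """Relative POSIX paths of every file that should match vanilla WordPress."""
    found = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in SKIP_DIRS:
            continue
        if len(rel.parts) == 1 and rel.name in ROOT_EXCEPTIONS:
            continue
        found.add(rel.as_posix())
    return found


def compare_install(install_dir: str, vanilla_dir: str) -> dict[str, list[str]]:
    """Compare a live install against a pristine download of the same version.

    'added'    : files only in the live install (the planted ones)
    'modified' : files present in both whose SHA-256 differs
    'missing'  : vanilla files absent from the live install
    """
    install, vanilla = Path(install_dir), Path(vanilla_dir)
    live, pristine = core_files(install), core_files(vanilla)
    return {
        "added": sorted(live - pristine),
        "modified": sorted(
            rel for rel in live & pristine
            if sha256_of(install / rel) != sha256_of(vanilla / rel)
        ),
        "missing": sorted(pristine - live),
    }


def _write(root: Path, rel: str, body: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)


def build_demo() -> tuple[Path, Path]:
    """Construct a tiny vanilla tree and a tampered copy (sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="wp-check-"))
    vanilla, install = base / "vanilla", base / "install"
    for root in (vanilla, install):
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-admin/admin.php", "<?php // admin bootstrap\n")
        _write(root, "wp-includes/functions.php", "<?php function wp_x() {}\n")
    # Tampering present only in the live install (constructed placeholders):
    _write(install, "wp-includes/https.php", "<?php // planted file placeholder\n")
    _write(install, "wp-includes/functions.php", "<?php function wp_x() {} // appended\n")
    # Site-specific files the check must ignore:
    _write(install, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
    _write(install, "wp-content/themes/mine/functions.php", "<?php // theme\n")
    return install, vanilla


def demo() -> dict[str, list[str]]:
    """Run the comparison over the constructed trees and return the report."""
    install, vanilla = build_demo()
    return compare_install(str(install), str(vanilla))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or 'none'}")
```

Against a real site you would call compare_install with the document root and an unpacked download of exactly the same WordPress version (a version mismatch shows up as a wall of “modified” files). Anything in the “added” list under wp-includes or wp-admin has no business being there; the things this deliberately does not look at (wp-content, wp-config.php, and the database) still need checking by hand or with a scanner, as the post goes on to describe.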

Gone forever?

While the problem was solved in the short term, it clearly wasn’t solved in the long term: I’d started with an uncorrupted WP installation, and someone had managed to corrupt it. So – after doing the basic password changing things, obviously – I installed Wordfence and Better WP Security. If you host your own WordPress blog (anything that isn’t on wordpress.com), then so should you. Wordfence is the equivalent of an antivirus program for your WordPress install; Better WP Security automates a whole bunch of handy lockdown and obfuscation tricks. Wordfence threw up a few vaguely suspicious files associated with some of the themes that were installed, so I deleted them; everything was then fine.

I’ve also set up Google Alerts that notify me if any new content appears on johnband.org containing various spammy keywords (the usual suspects), which obviously won’t be much use until the current spam-buggered content is removed, but will then allow me to kill any future infections before they’ve completely ruined my search results. I’ll update this post in the event that anything else occurs. If I remember, I’ll update it in a couple of months if nothing else has occurred, since zero is sometimes a helpful data point.

TL/DR: Was quite painful, could have been much worse. If this happens to you I definitely recommend the “for every folder which shouldn’t have changed since WP was installed, delete the folder and reinstall” approach, although do check the database and fix any issues there first. And set up the security things even if this hasn’t happened to you yet, because it probably will.

[*] Short version of post I was going to write: epidemiological studies into alcohol-related harm are also based on self-reported consumption, so while it’s likely that everyone drinks more than they say, it’s also likely that alcohol is correspondingly less bad for you than those studies have shown, by about the same margin – unless we can come up with valid reasons why people would underestimate in one sort of study but not the other. Also, News Corporation are still unimaginably bad at digital strategy.

An open letter to Roy Wood

December 24, 2012

Dear Mr Wood -

For your information, in all known dialects of English, the phrase ‘snowman’ refers to a figure of a man which is made from snow (something like a statue, sculpture or perhaps golem), rather than a man who delivers snow.

I understand there is room for confusion here, when considering examples such as ‘milkman’, ‘postman’ and ‘pizza boy’. However, ‘snowman’ is very much in the style of ‘wicker man’ (which is not a term for a gentleman who delivers baskets) or ‘iron man’ (which is not a term for either a gentleman who delivers ferrous metals, or a gentleman who works in a laundry).

Before seeking to write a song that seeks to summarise the Anglophone world’s Christmas traditions, one might have thought you would have done the most basic research into what these traditions actually were. I can promise you that none of them involve a snow delivery gentleman “bringing the snow”.

I look forward to this error being corrected in future releases of your popular chart hit.

Yours sincerely,
John B

PS Happy Christmas!

Artificial John B Impersonator

November 25, 2012

The text below is the output of my phone’s AI autocomplete app (SwiftKey), based on its knowledge of the things I say and do. My only interaction was to choose between the three suggestions it offered.

I have been made to the park. I am not going anywhere, and I will not receive the item is faulty, but the most important things. The only way I could have a good idea. The problem isn’t with the loan companies, who is a good film, but the subway. I am a real Zeus, and I am not sure what to expect.

The problem is that it is not a good idea. The only thing I have been a bit of fun. I have been a while, but I can confirm that you can get round to the zoo tomorrow, zoo tomorrow. And I know that analgesics, and I am not sure what to expect. I have a glass of wine. I have a glass of wine. The only way I could have a great day and the Machine, but it is. It has an appointment. The quality is the most of my own.

We have to do it. I have a glass of wine.. I don’t vividly the best. If I identified and then I will have the same. Federalism the best. The only problem is the first place to find a job, but the best way of organizing emails into the address below and click the Help section for the next few days ago.

It was a bit of a fine example of the most important thing. But it was a very long time to get the latest version, and the Democrats are total pansies who are not responsible for any reason. I have a glass of wine.

The quality of life and I am not sure what to expect. I don’t think it’s a good time to do it. It is a bit of a new member. I don’t vividly recall his own words. The problem isn’t a problem with your friends, but I guess the queen plays by her own rules.

K is technically right here at the moment. The quality is not a good day and night and then the next day or night. The only way to get a quote from you soon as possible to make a decision on the phone and the other side of things to come and see if you are looking for a few weeks, but it doesn’t matter how much I love you so that.

I have a glass of wine.

Slightly worried that in the reasonably near future, my phone will replace me.

Shot by how many sides again?

March 7, 2012

Everything retro is coming round again, and so on. In that vein, I’ve dragged some offensive old blog or other from the depths of my spare hard drive. My foreword to the reprint may provide context. Dive in, if that’s your thing.

You’d probably do better just to watch this, though:

Fans of Sharpeners will like this

March 6, 2012

All the content from the long-defunct Sharpener group blog (formerly at thesharpener.net, before pirates stole the domain name) is now available at sharpener.johnband.org. The formatting’s basic, and categories have been lost; this may improve in future.

That was the easy-ish task, building a new WordPress 3.3.1 site based on a fairly arbitrary selection of obsolete MySQL databases (while junking all actual blog skins etc because they were compromised by virus-injecting malware types over the years). The next task, which will be super-exciting for fans of masochism, will be to set up a WordPress 3.3.1 blog and then import a whole bunch of tables from a non-standard, custom-built Access database into it.

Fans of controversy and excellence, and/or readers of my last post, may be able to guess which particular Holy Grail of magazine-titled Internet history will be revived as if by Dr Frankenstein at the end of this process.

That worked remarkably well, all things considered

March 4, 2012

If you’re seeing this, then my server migration was absolutely gangbusters-awesome, God’s in his heaven, and all’s right with the world. The Sharpener and SBBS projects may be slightly more challenging, but they are on the way. If you don’t know what the last sentence means, then I salute your wisdom in spending the mid-to-late 2000s on worthwhile pursuits.

Because I AM the Queen of the Zulus

October 27, 2011

Shannon, who is aces, just came up with the best mashup concept ever.

Civ + sex devices + Lulu + Lady Popular = “No, fuck YOU. This bling does look fabulous against my fur, because I am the queen of the Zulus, and you’re still fucking an analog blow-up doll.”

Blogging is dead and no-one cares?

August 12, 2011

My riot policing piece yesterday attracted 600 unique visitors in 24 hours. That isn’t exactly Perez Hilton, but is about six times my current normal run rate (I think the biggest this blog has ever been is about 1000 daily visitors, for some of the global financial crisis articles).

The fact that the piece had quite a few visitors isn’t too surprising, I suppose – it was a take on a newsworthy and important topic that dissented somewhat from the conventional wisdom, based on hours and hours of discussion with people who were on the scene across different English cities and/or who really understand counterinsurgency strategy. And it was pleasing to see strategy/COIN experts talking about it favourably.

The odd thing, though, is that whenever I’ve written a piece in the past that has gained masses of attention, it’s been through links from bigger blogs, news sources, or occasionally forums. This time, as far as I can see from my logs, there haven’t been *any* blog links to the piece. All the traffic is coming from retweets and reshares on Twitter and Facebook.

I wouldn’t go quite as far as to say that blogs are dead as a medium: the existence of a self-publishing platform with a fairly powerful off-the-shelf CMS, and that isn’t restricted to a particular social network, remains useful.

But it’s looking like the sense in which we’ve traditionally understood blogs – roughly, a community of people who link to each other’s posts, comment on them, and write pieces that track back to them – no longer really applies. Facebook and Twitter have killed it, in favour of something flatter and much less based on the blogger’s personal brand.