More Zonkyness

Blog

  • Naked Celebrities!

    So apparently a whole bunch of celebrities have had their naked selfies leaked by some “hacker”. As to how this was done, we don’t really know and will probably never know given that Apple is so secretive. But we can guess some possibilities :-

    1. The hacker built up a list of possible account names – jennifer (Jennifer Lawrence) might be a good one to try – and then tried the top 100 dumbest passwords against each one in turn. You would not get every single account this way, and a fair few would turn out to be a fan of Jennifer Lawrence rather than the celebrity herself. But you would get a few that way.
    2. The hacker targeted the celebrities with a phishing attack – basically asking the celebrity what their account password is. This sounds too unlikely to succeed, but with a plausible looking login page it does work surprisingly often. It’s not just the terminally stupid that fall victim to such attacks; the victims are really those who are too trusting and often in too much of a hurry.
    3. The next method a hacker might use is to tackle Apple’s password reset service which uses “memorable information” such as the name of your first school, your mother’s maiden name, etc. There is always a bit of a problem with “memorable information” such as this – it isn’t really that private, and a celebrity is likely to have “leaked” all such private information over time.
    4. Through some unknown vulnerability in Apple’s iCloud service. Given that we suspect that iCloud has certain “issues” with security (apparently Apple has no intruder lock out to make password guessing attacks harder), this isn’t impossible but I would guess that it is less likely that the two more obvious attacks above.

    There’s a great deal of hateful “slut-shaming” going on over this celebrity leak which apart from anything else is really missing the point. It may be embarrassing for naked selfies to be leaked, but other personal information could be dangerous if leaked – the celebrity’s home address and alarm codes?

    It is not the victim’s fault; it’s the fault of the anonymous (at the moment) hacker.

    But the victim can improve their behaviour to make it harder to victimise them :-

    1. First of all if you’re called Jennifer Lawrence, don’t use any permutation of your name as a username; or even enter that as your full name into any cloud service. Make one up.
    2. Make sure you are using a sensible password. It needn’t be excessive, but anything that is just a single word is just not good enough.
    3. Be less trusting with your acount credentials. Make sure you know what the location bar in your browser is and where it is, and check it when you login. And don’t click on links in emails.
    4. If the service you are using offers two-factor authentication, turn it on.
    5. Learn about security; you are a target. Don’t go overboard (but see step 6), but spend an hour a week doing a little reading and taking steps to improve your personal security.
    6. Hire or befriend a geek who can act as your early warning system for threats. And someone you can go to for advice.

    Note that I haven’t said “don’t take naked selfies” – it may be a bit foolish, but a life without a bit of foolishness is hardly a life at all.

    And of course most of those suggestions work for ordinary people and not just celebrities!

  • Early August in Southsea

    Early August in Southsea

    #1: The Edge

    The Edge

    #2: Say Goodbye

    Say Goodbye

    Taken in early August when the summer was still on…

  • “Unusual” IP Representations, and Why HP Needs Slapping With A Rotten Haddock

    This post came about because HP (in their infinite wisdom) decided to make the web-based printer control all neat and tidy by aligning all of the IP columns and filling up the space with leading zeros. Spotted the problem yet?

    Well you’re quicker than I was; although I had the advantage of knowing that something was wrong and that somebody had pasted that IP address with leading zeros, it took me a few seconds to wonder if it was just possible that leading zeros might be doing something “odd”.

    The thing about IPv4 addresses (and IPv6 as well, but I’ll not be pasting in examples for those as they’re too long) is that they are not simply what we see on screen as 10.0.0.1 (or whatever). That representation is converted into a 32-bit binary number which is used as the address. As an example :-

    ✓ mike@pica» ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=0.688 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.688/0.688/0.688/0.000 ms
✓ mike@pica» ping -c 1 167772161  
PING 167772161 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=6.04 ms

--- 167772161 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.040/6.040/6.040/0.000 ms

    As you can see, you do not have to use the conventional “dotted quad” representation; you can use the integer equivalent instead. You can also see why the “dotted quad” representation was invented!

    To convert the “dotted quad” notation to an integer that can be used at the lowest level, certain calculations are performed. Either because of a peculiar clause in the original specifications of IPv4 addresses, or (and potentially more likely) as a side effect of one of the earliest implementations of IPv4, certain other representations are possible :-

    ✓ mike@pica» ping -c 1 0xa.0.0.1
PING 0xa.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.34 ms

--- 0xa.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.341/1.341/1.341/0.000 ms
✓ mike@pica» ping -c 1 012.0.0.1
PING 012.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.03 ms

--- 012.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.034/1.034/1.034/0.000 ms

    As you can see, each individual octet (the numbers between the dots) can be represented in decimal (as we expect), in hexadecimal (by prepending “0x”), or most dangerously, octal (by prepending at least one “0”).

    So an apparently innocuous IP address like 10.0.0.030 will actually by converted into an integer that can be converted back into a more usual 10.0.0.24 :-

    ✓ mike@pica» ping 10.0.0.030
PING 10.0.0.030 (10.0.0.24) 56(84) bytes of data.

    There are several lessons to learn from this :-

    1. HP needs slapping with a really rotten haddock to make them realise that their printers have web interfaces that are unhelpful in the extreme.
    2. Leading zeros may be harmful, or at least may result in being slapped with a rotten haddock.
    3. Leading zeros in IP addresses indicate the use of octal and so the result may not be what you expect.
    4. Reading the screen can be helpful when diagnosing problems. It may be easy to miss, but there are clues enough to solve this little challenge even without knowing about octal.

     

  • Kite Festival!

    Yes, I was there too :-

    #1: The Dragon

    The Dragon

    #2: The Owl & Friends

    The Owl & Friends

    #3: Just a Kite

    Just A Kite

    #4: The Crowd

    The Crowd

  • Christian Homophobes Are Really Sexual Perverts …

    Everyone knows who I am talking about – those christians who keep banging on about how homosexuals are “broken” or evil or whatever weird names they’ve come up with lately. Like Scott Lively, Fred Phelps, Laura Schlessinger, etc.

    The normal and sane response to finding out that someone prefers same-sex partners is to shrug it off as a matter that is nobody’s business but the people involved.

    But “god hates homesexuality” claim the christian homophobes. So I gather, but I also gather this god person hates lots of other stuff too – mixed textiles, women who try and stop men fighting, no cursing, no gossiping, weird foods, etc. So why are these people so bent out of shape when it comes to a little harmless sex between consensual adults?

    Well, when we normally encounter someone with a prurient interest in the sex lives of other people, we usually find that they like watching other people have sex. And we call them “voyeurs”.

    If we were to postulate a hypothetical group of voyeurs who for some reason or another (perhaps “christianity”) repressed their sexual perversion, we would be quite likely to find them coming to hate the “objects” of their unnatural desire.

    Which sounds a great deal like these christian homophobes.

    Perhaps we should be treating these christian homophobes with compassion. Telling them their desires are perfectly fine (if they get permission first) and sending them free porn!