Organizing the Rat’s Nest

In a previous post I mentioned that I needed OSX Mountain Lion for development and that I moved from using a laptop to a Mac mini. After using the setup for a while, I moved the rat’s nest of cables out of sight behind the desk.

I picked up a shelf that is close to the color of the desk and bolted it to the back. Then I drilled a few holes in it for cables and mounted all of the dongles and cables on the board. This is what used to be on the top of the desk. There are two power strips, one that is visible in the picture and another under the drawer.

Desk Rat’s Nest

And this is what the desk looks like now.

Desk

There is only one cable that the bird can chew and no power cords, so we’re both happy—he’s happy that he can help me type and I’m happy that he can’t electrocute us.

100,000 MySQL injection attacks in a few days

Recently my site has been hit with huge numbers of injection attacks. Right now, I trap them and return a static page.

Here’s what my URL looks like:


/products/product.php?id=1

This is what an attack looks like. It is URL-encoded; decoded and abbreviated, the parameter value is -3000' IN BOOLEAN MODE) UNION ALL SELECT 35,35,…,'qopjq'||'ijiJvkyBhO'||'qhwnq',35,… which is a UNION-based injection probe, not anything a visitor could type by accident:


/products/product.php?d=-3000%27%20IN%20BOOLEAN%20MODE%29%20
UNION%20ALL%20SELECT%2035%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C%27qopjq%27%7C%7C%27ijiJvkyBhO%27
%7C%7C%27qhwnq%27%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35
%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35%2C35

I know for sure that this isn’t just a bad link or fat-fingered typing, so I don’t want to send them to an overview page. I also don’t want to use any resources on my site delivering a ‘missing’ page.

Based on a couple of comments on Stack Overflow, I looked up how to return ‘page not found’. This Stack Overflow answer by icktoofay suggests sending a 404 header and then calling die(): the bot sees that there is no page there and might even go away, and no resources are spent rendering a page-not-found message.

Here’s what mostly works.


<?php
header("HTTP/1.0 404 Not Found"); // tell the client there is no page here
die(); // stop before anything is rendered or the database is queried

I still get attempts, but they usually only try 20 or so times and then they go away for a few days.
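The 404-and-die trap only keeps the bot from getting a page; it does nothing about the query itself unless the check runs before product.php uses the id. Here is an added example (not the post’s own code) of product.php with the trap in front of input validation and a parameterized query, so a crafted id never reaches MySQL as SQL. It assumes a PDO connection in $pdo and a products table with an integer id column; the table and column names are assumptions.

```php
<?php
// Added example; not the original post's code. Assumes a PDO
// connection in $pdo and a `products` table with an integer `id`
// column (both assumptions; column names are illustrative).

/** True only for a plain positive integer such as "1", never "-3000' UNION ...". */
function looksLikeProductId(?string $raw): bool
{
    return $raw !== null && preg_match('/^[1-9][0-9]{0,9}$/', $raw) === 1;
}

$raw = $_GET['id'] ?? null;

if (!looksLikeProductId($raw)) {
    // The trap from the post: bare 404, stop, render nothing.
    // It runs before any query, so the crafted value never
    // reaches MySQL at all.
    header("HTTP/1.0 404 Not Found");
    die();
}

// Even a value that passed the check is bound as a parameter rather
// than pasted into the SQL string, so it can only ever be data.
$stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
$stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
$stmt->execute();
$product = $stmt->fetch(PDO::FETCH_ASSOC);

if ($product === false) {
    // A well-formed id for a product that does not exist is an
    // ordinary 404, not an attack; still no reason to render a page.
    header("HTTP/1.0 404 Not Found");
    die();
}
```

The regex rejects the attack value at its first character (the leading minus sign), so the bot gets the same bare 404 the post describes. The second 404, for a valid id that matches no row, is where a bad link or a typo ends up, and the two cases can be told apart in the access log if that ever matters.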

Reason #42 why you don’t want to pay me by the hour.

My mother-in-law is coming to stay for a while and she has trouble with steps. We put grab bars by all the places she has trouble with—the tub, the two steps up into the living room, the steps up from the garage, and on the stairs. We’re getting quite good at installing them securely.

Deck Stair Rail

So I figured, how hard could it be to install a rail up to the deck? It wasn’t particularly hard, but it took 11 hours. Though to be fair, about an hour of that time was googling, talking to people about how to do it, and seeing how they installed a rail at the nearby hardware store.

In the end, it is very secure—no wobble at all. The posts are just about perfectly plumb in both directions and the top rail doesn’t wobble.

I think I could do the other side in a couple of hours. The first problem I ran into was that I couldn’t get the top post to sit on the step. Then it occurred to me that they had sloped the step just a tad to let the water flow off. Several iterations on the chop saw and I had it sitting flush on the step.

The next problem was tacking the rails up so that I could cut the tops. I ended up getting some 5 inch nails so that I could keep the posts in place while I marked the angle for the top rail. I had pre-drilled the holes, but none of my drill bits were 4″ long so they wouldn’t go all the way through the post. I ended up using the lag bolts to go through the post, then drilling a pilot hole where they dimpled the wood.

The angle for the rail ended up being 40° so it was easy to cut on the chop saw. There is an anchor piece under the rail that also has the same angle for each end.

I made the anchor piece and the top rail out of scrap redwood from an old deck. The surface was pitted and cracked, so I used the table saw to plane the edges. I tried to plane the top of the rail but the riving knife in the saw kept the board from going through the saw. A belt sander worked to smooth off the top and bottom. The edges were rounded for better grip with a router.

Password Security

A couple of recent posts on identity theft, card readers on gas pumps, and break-ins to the computer systems of large companies have prompted me to finish writing up my thoughts on how you can increase the security of your credit cards and on-line transactions.

Summary for those who don’t have time to read the whole thing. Crackers are not targeting you. They are looking for the low-hanging fruit and it’s not that hard to make it not worth their time to mess with your accounts.

1. Change your password on your email and all bank accounts, brokerage, phone plans, etc. to have at least 13 characters—upper, lowercase, at least a few numbers, and a few special characters.

2. Use a different email address for your financial accounts than you use for general email.

3. Do not ever re-use the same password. It’s not as hard as you might think to have a different password for each site. For example, I have a generic password for sites that don’t have any financial information and I just prefix it with the first two letters of the site. Since lots of sites have two word site names, I use the first letter of each word. So BeachTalk is BTbazmarle! The ‘word’ in the middle isn’t a dictionary word (or words) or something that pops up on Google. Make the password 9 letters or more.

Here’s a simplified version of what crackers are doing. Crackers sometimes break into sites and steal the entire password file. If the site has even rudimentary security, the passwords are stored as hashes rather than in the clear—but surprisingly enough not all sites do this. Even when they are hashed, computers are now fast enough that the attacker can compare the stolen hashes against a ‘rainbow table’ of precomputed hashes and recover the original passwords. In effect, they check each hash against every possible combination of letters, numbers, and symbols. At the moment rainbow tables are easy to construct for 8-character passwords; the space of 13-character passwords is far too large to precompute. Longer passwords are still subject to dictionary attacks, though, so you don’t want to make a password by combining two dictionary words.

The first thing they’ll do when they get the passwords is try to use them to log in to banks, Amazon, Best Buy, etc. Many people use the same email and password for all their logins, so the crackers get a lot of logins for places people care about from small sites that aren’t secure. My server gets thousands of break-in attempts every day and I don’t have anything worth stealing. I can’t even imagine how many attempts sites with millions of users get.
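The two paragraphs above describe an offline attack on a leaked password file followed by replaying the results elsewhere. The following is an added example, not from the post, that runs a toy version of both steps in Python: a small site leaks unsalted SHA-1 hashes, the attacker looks them up in a precomputed table built from cheap dictionary guesses, and the recovered pairs are tried against a second site. It also computes the keyspace sizes behind the 8-versus-13-character claim and shows that a per-account salt (which the site, not the user, controls) leaves nothing for the table to match. All accounts, passwords and hashes in it are constructed for the demo.

```python
"""Added example, not the original post's code: a toy version of the
offline attack described above. A small site leaks its password file,
the attacker looks the hashes up in a precomputed table, then replays
the recovered passwords against a second site. Every account and
hash below is constructed for the demo."""
import hashlib
import itertools
import secrets

PRINTABLE = 94  # letters, digits and the symbols on a US keyboard


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of distinct passwords of exactly `length` characters,
    i.e. the size of the table an attacker would have to precompute."""
    return alphabet ** length


def unsalted(pw: str) -> str:
    """Fast, unsalted hash: what a weakly built site stores, and the
    only kind of hash a precomputed table can match."""
    return hashlib.sha1(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes) -> str:
    """Per-account random salt: the same password hashes differently
    on every account, so nothing precomputed lines up with it."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def candidates(words):
    """Cheap dictionary guesses: one or two words, optionally
    capitalised, with a common suffix. Two joined dictionary words
    are still in here, which is why the post warns against them."""
    for n in (1, 2):
        for combo in itertools.product(words, repeat=n):
            base = "".join(combo)
            for variant in (base, base.capitalize()):
                for suffix in ("", "1", "123", "!"):
                    yield variant + suffix


def build_table(words):
    """hash -> password lookup over all candidates. A real rainbow
    table compresses this with hash chains; the effect is the same."""
    return {unsalted(c): c for c in candidates(words)}


def crack(leaked, table):
    """leaked: {email: stored_hash}. Returns {email: password} for
    every hash found in the table; everything else stays unknown."""
    return {email: table[h] for email, h in leaked.items() if h in table}


def stuff(cracked, other_site):
    """Credential stuffing: try each recovered email/password pair on
    another site. Returns the emails whose password was reused."""
    return [e for e, pw in cracked.items() if other_site.get(e) == unsalted(pw)]


WORDS = ["beach", "talk", "sunshine", "dragon", "password"]

# Constructed leak from a small, badly secured site (unsalted SHA-1).
SMALL_SITE = {
    "ann@example.com": unsalted("Beachtalk1"),
    "bob@example.com": unsalted("sunshine!"),
    "cat@example.com": unsalted("JMJDtsiobonan874%&"),  # the post's style
}

# Constructed store at the bank. Ann reused her password, Bob did not.
BANK = {
    "ann@example.com": unsalted("Beachtalk1"),
    "bob@example.com": unsalted("Kq7#vLm2pRz9wX"),
}


def demo():
    table = build_table(WORDS)
    cracked = crack(SMALL_SITE, table)  # ann and bob fall, cat does not
    reused = stuff(cracked, BANK)       # only ann's password works at the bank
    salted_hit = salted("Beachtalk1", secrets.token_bytes(16)) in table
    return cracked, reused, salted_hit


if __name__ == "__main__":
    print(f"8-char keyspace:  {keyspace(8):.2e}")
    print(f"13-char keyspace: {keyspace(13):.2e}")
    print(demo())
```

The table here has a few hundred entries and is built in milliseconds; the point of the keyspace numbers is that going from 8 to 13 characters multiplies the table an attacker would need by 94 to the fifth power, which is the gap the post is relying on. The salted lookup misses even for the weakest password in the leak, but whether a site salts is not something you can check from the outside, so length and no reuse remain your side of the defence.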

Unless you are someone famous, you don’t have to worry about using things that you know as your password. So you can use the initials of your family for the first four letters, JMJD, then append one or two made-up words that you can remember—maybe you fly a TSIO Bonanza, tsiobonan, your street address is 874, and the special characters corresponding to your birth year are %&. So your easy-to-remember password is JMJDtsiobonan874%&

If you use a laptop, don’t let the computer remember your passwords for financial sites. You should write them down, but don’t keep them in your wallet.

Now, here’s why you want a separate email address for your financial accounts. I have a different one for each of my accounts. If I get an email sent to john@LF about my bank account being overdrawn, or a shipment having been made, I know it’s a phishing attack. If I get an email to BofAJohn@LF then I am fairly confident that it’s legit. But that’s not the main reason I use a different email. Most sites will let you change your password if you forgot yours by requesting a reset link by email. Once someone has your email address and can log in to that email account, they’ll start requesting password resets everywhere they can think of. Banks are getting better at requiring another authentication factor, like your favorite candy, but not every site does this. If your bank is on an email address that you use only for them, a cracker who got into your everyday mailbox won’t be able to reset the password.

Spammers will pay for cracked accounts. I’ve gotten spam from people who have had their Yahoo, Hotmail, or Facebook accounts hacked. Outright thieves will pay for other accounts. Cracked iTunes accounts are worth $8, AT&T and Verizon accounts are worth $4 and Twitter and Facebook are worth $2.50.

These techniques won’t stop the NSA, Rupert Murdoch, or someone who is targeting you specifically, but will make it less likely that some random cracker will get your info.