Computer Security

So the account compromises I mentioned the other day seem to be a symptom of a bigger epidemic. Several friends’ machines had rootkits installed on them, and it took a while for my friends to contain and repair the damage (some machines are still offline). I am feeling a little bit better because it seems less likely that I was the cause of these failures and more that I was just a victim, but I still used the same password on multiple machines, which is bad news. It is comforting that several of my friends had the same bad habit, so at least I’m in good company. :P

I’ve reset my passwords on those boxes to random characters and am using ssh keys to authenticate instead. There are a few systems I can’t do this on, however. CSH, for example, requires me to password authenticate to retrieve my email and use other house resources, so I can’t set that to a random password. I have, however, picked a password that is unique to each system where I have to use password auth and have unique ssh keypairs (with unique passwords) to each machine I have physical access to. I’ve also decided to never jump out from one remote machine to another (for instance, log in to CSH, then from there log into Matt’s machine), so if the first machine is compromised I don’t have to worry about some rogue sshd snarfing my password (which was one “feature” of the rootkit used in these attacks). Finally, I will change all of my passwords every few months.

As far as I can tell this is about as good a policy as I can come up with. Any suggestions are appreciated.
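One way to make the policy above mechanical rather than a matter of habit is to bake it into the SSH client config: one keypair per host, the client offers only that host's key, agent forwarding is off everywhere (so a compromised first hop cannot use your agent to reach the second machine), and hosts that accept keys never see a password at all. The script below is an added example, not code from the original post; the hostnames, the `KEYDIR` location and the choice of ed25519 keys are assumptions, and the host that still requires password auth is modelled separately because a trojaned sshd on it can still log whatever you type.

```sh
#!/bin/sh
# Added example, not the original post's code: generate a client ssh_config that
# enforces the policy described above (one key per host, no hopping via the agent,
# no password typed at hosts that accept keys). Hostnames are constructed stand-ins.
KEY_HOSTS="matt.example.org box1.example.org"   # assumed: machines where keys can be installed
PW_HOSTS="csh.example.org"                      # assumed: systems that insist on password auth
KEYDIR="${KEYDIR:-$HOME/.ssh}"

# Stanza for a host that gets its own keypair: offer only that key, never forward the agent,
# and refuse to fall back to a password if the key is rejected.
key_stanza() {
  printf 'Host %s\n' "$1"
  printf '    IdentityFile %s/id_ed25519_%s\n' "$KEYDIR" "$1"
  printf '    IdentitiesOnly yes\n'
  printf '    ForwardAgent no\n'
  printf '    PasswordAuthentication no\n\n'
}

# Stanza for a password-only host: nothing on the client side stops a trojaned sshd from
# logging the password, so the only mitigations are a password unique to this host and
# never hopping onward from it (hence no agent forwarding).
pw_stanza() {
  printf 'Host %s\n' "$1"
  printf '    ForwardAgent no\n\n'
}

# Whole client config. The catch-all goes last because ssh_config keeps the first value
# it finds for each option, so per-host stanzas must come before "Host *".
gen_config() {
  for h in $KEY_HOSTS; do key_stanza "$h"; done
  for h in $PW_HOSTS; do pw_stanza "$h"; done
  printf 'Host *\n    ForwardAgent no\n    IdentitiesOnly yes\n'
}

# One passphrase-protected keypair per host. ssh-keygen prompts for a passphrase each
# time; give every key a different one so one stolen passphrase unlocks one host only.
gen_keys() {
  for h in $KEY_HOSTS; do
    key="$KEYDIR/id_ed25519_$h"
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" -C "${USER:-$(id -un)}@$h"
  done
}

# Usage: gen_keys && gen_config > ~/.ssh/config   (back up any existing config first)
```

Two caveats worth knowing. `ForwardAgent no` blocks the dangerous kind of hop, but if you genuinely must reach one machine through another, `ProxyJump` (OpenSSH 7.3 and later) tunnels the connection through the intermediate host without ever presenting your key or password to it, which is safer than logging in there and running ssh again. And `PasswordAuthentication no` only protects hosts where you have a key installed; the password-only systems remain exactly as exposed as the post says, which is why the unique-password-per-host rule still matters for them.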

Ugh

I had a strange question asked of me today… Matt Weaver asked me if I had tried to ‘su -’ on his machine today… I hadn’t, which opened a huge can of worms that ended up with me (and others) believing that my password was somehow obtained and used without my knowledge by persons unknown. This problem was exacerbated by the fact that I was using the same password on many systems. If the person was a good cracker, they would have covered their tracks, so it’s difficult to tell how long they’ve been at this, but if we are to believe the logs it seems like it was only today (er, Wednesday).

I do my best to choose good passwords, but I guess I had one bad habit left, which was using the same password on multiple systems… I suspect that many of you reading do this, so I don’t feel so guilty, but still…

Anyway, I have gone through all the Unix systems I have access to (or at least the ones I remember) and changed my passwords to something unique to each system. I’ve also deleted any ssh keys I had floating around as they can’t be trusted anymore. At least this way if this happens again, using unique passwords on all the various systems will limit the blast radius. If you’re reading, I hope that was fun for you. (P.S. If I have an account on your machine and I haven’t mailed you, let me know because I might have forgotten about you.)

In less aggravating news I saw Henry Rollins tonight doing his Spoken Word act… As always, a wonderful show (although the seats sucked).

Yesterday was ‘s birthday, and many of us descended upon his place for drinking, food, video games, and general fun. Matt made like 100+ Jello Shots, which was clearly overboard. To contribute to the level of overboardedness, I gave him 16 boxes of “Boo Berry” cereal for his birthday. It took trips to 5 different grocery stores to find someone who was selling it, and I also brought over an Ice Cream Cake from Baskin-Robbins. If I had given myself more time I would have gotten a custom one from a more respectable ice cream vendor, but I slacked off on the mission.

Anyway, a good time was had by all (except for possibly Katie O, who seems mostly incapable of enjoying much at all). There was even a heated game of Cranium…

Prediction

Anyone else find it suspicious that ABC (owned by Disney) was the first network to offer its content through the iTunes Music Store, even though Pixar (also helmed by Steve Jobs) gave Disney the big ol’ fuck you? We all know how spiteful Jobs is… My prediction: Disney and Pixar kiss and make up…

What Not to Do

Here’s an idea: How about you don’t go see MirrorMask? It was terrible. Going in, I thought to myself that even if the plot sucked I’d be able to enjoy the visuals, but boy was I wrong. First off, the movie never feels like it progresses; in fact, it plods. Once you get past the exposition-ville intro to all the characters, and you finally transition into the mirror world, you realize that the computer animation looks more like something out of “The Mind’s Eye” circa 1990… There are all these silly textures and odd choices made, and to be honest, there doesn’t seem to be any depth at all to the animation; everything feels very claustrophobic…

Looking for a shorter review? Well, usually chastises me on the rare occasion I check the time on my phone during a film, but last night I saw her check at least once less than an hour into the film.

WTG CambridgeSide Galleria!

Last time I checked the CambridgeSide Galleria was charging for Wi-Fi access, but here I am at the mall, waiting for Corinna to finish shopping, using their wireless for free in the food court. I love free internet. =)

Going to see MirrorMask with the film club in an hour or so, which hopefully won’t suck.

Since I had time to kill here at the mall I decided to do a little preliminary shopping for a replacement for my Sidekick II. My contract with T-mo doesn’t end until May, so this is truly premature, but I had nothing better to do here, so wtf. The problem seems to be that nobody offers unlimited data service as cheaply as T-Mobile. Right now I pay $60/month for voice and data. And to be honest, I could probably drop down to $40/month (I only bumped it up because I was using the phone quite a bit while I was laid up with my leg).

I am addicted to having good data service on my phone, and so I’d like to score a Treo. AFAIK, the only (non T-Mobile) providers offering the Treo are Verizon and Cingular. Cingular’s cheapest voice plan is $40/month with another $40/month for the unlimited data plan. Verizon’s cheapest plan seems to be $40/month for voice and $50/month for unlimited data. This sucks… Update: I forgot to mention that I get some pretty decent discounts from Cingular through work… I think I get 30% off on the phone and 10% off on the plan, but I don’t know if that applies to data as well.

Do you think that with the upcoming Zorro sequel we will have to endure more Bryan Adams?

Almost had a chance

This week has been fun… the Ig Nobel Awards on Thursday were tons of fun, more so than I expected, actually. It turns out was there as well, and we discussed organizing a CSH or RIT delegation next year to show up all the Harvard and MIT delegations.

Last night was Stephen Lynch which was awesome. No opening act, but he had Teich and Rod with him, and he played an awesome selection of old and new songs (although he left out “Mixer at Delta Chi”, which is one of my favorites, but he played that last time, so…). He even busted out “Kill a Kitten”, which is rad. Our seats were good, 3 back on the Mezzanine, but I think I preferred our floor seats last time we saw him (I couldn’t get good floor seats because I was slow on the Ticketbastard draw this time around).