WordPress hacking

So, I wanted to set up a blog for my Streamdales campaign — nathreee will be doing session write-ups and I’ll be posting background information and stuff like maps. Of course I wanted to use WordPress.
(As an aside, that’s how I found out that my current webhoster was running a PHP version from 2007 on the server that has one of my sites. I sent them a mail asking after it, and they failed to answer within a week — they fail. So I did some research and found a hoster who even advertises their phpinfo()-page. Last Thursday morning I registered a new domain with them, paid through e-banking and was up and running in five minutes!)

I spent quite a bit of time looking for a WordPress theme that suited the style I envisioned. It’s a fantasy campaign after all, so a hyper-modern theme just wouldn’t fit. After a lot of searching I found a theme that was sort-of what I was looking for, so I downloaded it and installed it on my local machine. (Running Ubuntu on your desktop means never having to search for a LAMP-stack, ever.)
And then I customised the crap out of it. New header image, removing one side-bar, making the content area wider and creating new background images for those, using the Google Font APIs to create an attractive entry header, etcetera. If you see the themes together, you can see the similarity, but they’re quite distinct.

And then I saw why the theme was free. It included links in the footer of the page, which linked to various Facebook pages for slimming products and shady financial firms. With a euphemism, this is called a ‘sponsored theme’. Basically, it’s SEO gaming at its worst: you use unsuspecting bloggers to promote your clients’ pages.
It’s not only spammy, it’s also a security risk. There was a chunk of obfuscated code in the functions.php file that was executed — and you just don’t know what your site is doing. For all you know, it’ll become part of a spam-bot network. And removing the function call that produces the links resulted in a red bar at the bottom of the page informing the viewer that this site had violated the terms of use.

I don’t mind people getting paid for their work. In fact, I try to pay for what I use — the only reason I have food and a roof over my head is because other people pay me for the work I do.
But if you get paid by introducing a security risk in my site and link-spamming, you’re at the bare-rock bottom of the ecosystem and you will not get any sympathy from me. And if you try to be ‘clever’ by obfuscating your code? Of course, that means war!

The fun thing about PHP obfuscation is that you get a giant string that’s Base64-encoded, gzipped, rot13’d — and then it’s ‘eval’ed. The solution is simple: change the ‘eval’ into ‘echo’ and you get the code that would be executed. That’s what I did, and I got another eval-statement. By iteration 9, I built a tool to do this automatically. It took some time, but it was a fun puzzle. I was actually a bit disappointed that it stopped at iteration 23.
All the variables had been obfuscated too: instead of ‘$text’, you’d get something like ‘$am____p’. And some of these variables had values that were only one character long, and they’d get concatenated elsewhere to form function names.
By then, I was unstoppable. I analysed the code, found the functions that did productive things (like producing the actual footer or providing the ‘read more…’-code for entries), and stripped the rest.

The rest of the code was very interesting too, to say the least. I found code that actually opened a socket to a website with a nonsensical name (a twelve-character random string, it seemed) to do some sort of AJAX-like call to retrieve the links that should be spammed. It also contained identifying information for the WordPress installation itself. The site would return the links and those would be spammed in the footer.
So: not only does every page hit on your site also result in a request to another site (slowing things down and costing you bandwidth), you also allow someone who you don’t know to have control over (part of) the content of the pages you serve.
As I stated before: I want people to get paid for their work, but I gleefully deleted this code. Then I packaged it all up as a new theme, and that’s what I installed.
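As an added example (my own code, not the theme’s code and not the tool the post describes), here is a Python version of the ‘eval into echo’ iteration from a few paragraphs up: it peels the Base64/gzip/rot13 wrappers off nested eval() calls without ever executing the payload, counts the layers, and then lists the network and code-execution functions the innermost layer calls, which is the kind of thing the previous paragraph found (a socket to a random-looking host). The sample payload, the host name `abcdefghijkl.example`, the wrapper chains and the function names `wrap`, `deobfuscate` and `suspicious_calls` are all constructed for this illustration; the decoders mirror PHP’s `base64_decode`, `gzinflate` (raw DEFLATE), `gzuncompress` (zlib-framed) and `str_rot13`.

```python
import base64
import re
import zlib

# rot13 on bytes, as an involution, mirroring PHP's str_rot13().
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def rot13(data):
    return data.translate(_ROT13)


def _gzdeflate(data):
    # Raw DEFLATE, the counterpart of PHP's gzinflate().
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Decoders keyed by the PHP function name that appears in the eval() wrapper.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": rot13,
}
# Encoders, only used to build the constructed sample below.
ENCODERS = {
    "base64_decode": base64.b64encode,
    "gzinflate": _gzdeflate,
    "gzuncompress": zlib.compress,
    "str_rot13": rot13,
}

_FUNC_RE = re.compile(r"\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
_STR_RE = re.compile(r'''\s*(['"])([^'"]*)\1''')


def peel_once(src):
    """Decode the first eval(f1(f2(...('payload')))) in src; return the inner code or None."""
    m = re.search(r"eval\s*\(", src)
    if not m:
        return None
    pos, funcs = m.end(), []
    while True:  # collect the wrapper functions, outermost first
        fm = _FUNC_RE.match(src, pos)
        if not fm:
            break
        funcs.append(fm.group(1))
        pos = fm.end()
    sm = _STR_RE.match(src, pos)
    if not sm:
        return None
    data = sm.group(2).encode("latin-1")
    for name in reversed(funcs):  # PHP evaluates the innermost call first
        data = DECODERS[name](data)
    return data.decode("latin-1")


def deobfuscate(src, max_layers=100):
    """Repeat the 'eval -> echo' trick statically; return (final_code, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        inner = peel_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers


# Calls worth a close look in a theme: outbound connections and dynamic code execution.
SUSPICIOUS = ("fsockopen", "curl_init", "file_get_contents", "eval", "create_function")


def suspicious_calls(code):
    return sorted(n for n in SUSPICIOUS if re.search(r"\b%s\s*\(" % n, code))


# Constructed sample payload; the host name is a placeholder, not a real site.
SAMPLE_PAYLOAD = (
    "function sponsored_footer() {\n"
    "  $fp = fsockopen('abcdefghijkl.example', 80);\n"
    "  return file_get_contents('http://abcdefghijkl.example/links');\n"
    "}\n"
)
CHAINS = [
    ("gzinflate", "base64_decode"),
    ("str_rot13", "base64_decode"),
    ("gzuncompress", "str_rot13", "base64_decode"),
]


def wrap(code, layers):
    """Build a constructed sample: nest `code` in `layers` eval() wrappers, cycling CHAINS."""
    for i in range(layers):
        chain = CHAINS[i % len(CHAINS)]
        data = code.encode("latin-1")
        for name in chain:  # outermost function's encoder is applied first
            data = ENCODERS[name](data)
        code = ("eval(" + "".join(f + "(" for f in chain)
                + "'" + data.decode("ascii") + "'" + ")" * (len(chain) + 1) + ";")
    return code


if __name__ == "__main__":
    code, n = deobfuscate(wrap(SAMPLE_PAYLOAD, 23))
    print("layers:", n, "calls:", suspicious_calls(code))
    print(code)
```

Because nothing is executed, this can be run against an untrusted functions.php on a throwaway machine with no risk of the payload doing its thing; the price is that it only handles the fixed set of wrapper functions listed in DECODERS, so a layer built from a function it does not know simply stops the iteration and is left for manual inspection.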

I’m pretty pleased with the result — though I might change the headings and other text around, depending on whether we’ll be blogging in English or Dutch.

Years ago, sixteen-year-old Marianne Vaatstra was raped and murdered in a small rural town. The crime was never solved and there were no leads. There was a DNA trace, but there was no suspect to match the trace to.
A few weeks ago, it was decided that every male who lived within a certain radius from where she was found, would be asked to give up a DNA sample. People in the neighbourhood don’t move often, and families tend to stick together there — so by matching the Y-chromosome of the DNA trace with the donated samples, a family member of the perpetrator could possibly be found, giving more leads for further investigation. On Monday, a local farmer was arrested because his sample had a 100% match with the trace.

This is an important case. Not only because we can now hope that this terrible crime will be solved, but also because of the methods used: a large-scale DNA investigation amongst the complete male population of a certain area.
I have a few problems with the current investigation, and the implications for the future.

Donating the DNA sample was voluntary — but if you refused, the police would come to your house to have a chat with you. There must have been tremendous social pressure on giving up the sample: all these years, people have been suspecting each other, theorising, etcetera. Interestingly, the suspect has donated his DNA voluntarily — the police never had any reason to have a chat with him. He must have caved in to the pressure. I don’t know if he would have given his DNA if the deck would not have been stacked against him in this manner.
While not technically a violation of the principle that you can’t be forced to cooperate with your own conviction, the practicality of the situation is very different. (If I were the lawyer defending the suspect, I would go for this angle.)

Also, every man who lived in the area and was within a certain age band at the time of the murder, was, essentially, treated like a suspect. This is, unfortunately, nothing new. Technology has made large-scale surveillance feasible, and heuristics ‘tag’ people who are deviating from the norm — however that may be defined. You now draw attention to yourself by doing something different from your neighbours — attention that is, in many cases, completely unwarranted. Actively gathering evidence is simply a ‘logical’ extension of this: people are used to being treated as suspects.

If this case gets solved (and a DNA match is not enough evidence to convict someone in the Netherlands), the call for a national DNA databank will be getting louder and louder. As you may know, I have a big problem with being treated like a suspect — if I lived near the Vaatstra crime scene, I would have refused to give up my DNA sample.
And ‘respectable’ folk will say: “But if you have nothing to hide, then you have nothing to fear!” It’s an oft-heard ‘defense’ of ever-increasing incursions on our civic liberties. The argument is invalid and dangerous, as perfectly worded in this article.

In 2008 there was a proposal to create a DNA database with the profiles of every police-person. That way, if their DNA would be found on the scene of the crime, they could quickly match it with the profiles of the police personnel who were authorised to be at the crime scene during the investigation, and discard that particular DNA trace for further investigation. A sound idea — and surely the police have nothing to hide, right?
One of the police unions interviewed 700 of their members, and a full 80% did not want to be included in such a database. (Link is in Dutch.) Interestingly, the reasons given are exactly the same reasons why you shouldn’t want to be included in any DNA database either: scope creep and the security of that information.
So if the police doesn’t want to be in the database, why should we? I think you know the answer by now: we shouldn’t.

And if the government has nothing to hide, why are they refusing to answer FoI requests about their use of technology for surveillance? (Link is, again, in Dutch.) The information asymmetry between the all-knowing government and the innocent citizen is getting larger and larger. One of the main features of a democracy is that the citizens can monitor the work of their government, to keep them honest. If the government doesn’t want to answer these questions pertaining to their surveillance, are they hiding something?
It seems to me that our government is being dishonest about how it monitors its citizens. If that is the case now, with the technology and information available to it right now, is it reasonable to expect the government to suddenly become honest when your DNA is stored in a national database?

I don’t think so.

The wonderful program I wrote to automate much of the tedious things I have to do to prepare for a day of caching turns out to be against the Terms of Use of the gc.com site. Or rather, the geo-* tools that the program calls are.

The ToU reads:
“You agree that you will not use any robot, spider, scraper or other automated means to access the Site for any purpose without our express written permission.”

I wonder what “automated means” is. Sure, I understand you don’t want millions of people screenscraping your site, because of performance considerations. But having to jump through three hoops in order to get the information you want (presumably to discourage ‘automated means’) actually makes it more attractive to use those automatic scripts. It’s a bit like DRM, really.
Also, what is “automated means”? Is a browser that automatically downloads images in an HTML page “automated”? Is a browser itself not “automated”? Is it not automated when a user initiates an action? So if I call the script myself, it’s not automated? If you offer information through HTTP, does it matter through what tool that information is accessed, if that tool is a good citizen (as in: a reasonable interval between requests)?

For the time being, I will keep on using the tool. I might make a small script that processes Pocket Queries (the ‘sanctioned’ way to get information out of gc.com) and breaks them up into the individual geocaches, but that is for the future.

It reminds me of the time we got an angry call from a website owner. His site was broken (it generated links to nowhere in a never-ending recursive loop) and so our spider blew through his monthly bandwidth allowance in a single night. Whose problem is that? Whose fault is that? Who needs to repair their software? And if you don’t want to be crawled, why don’t you have a robots.txt file?

Amazon prices

So, I wanted to order some English-language books. Obviously, Amazon.com is the first choice. I selected the books I wanted (Absolute Sandman Vol. 3 and Spook Country), but then I thought: “Hold on, what about shipping costs? Perhaps Amazon.co.uk is cheaper?”
Turns out that Absolute Sandman Vol. 3 is USD 60 on Amazon.com, and GBP 50 on Amazon.co.uk. The price difference is about USD 30 (or EUR 22 if you convert to euros).

WTF is up with that? It’s the exact same book!?

In the Netherlands, we have a system for digital signatures for every (participating) governmental website — ranging from cities to the national government. It’s called DigID, and it couples your social/fiscal number (ironically now called ‘citizen service number’) to a username and password.

The way it works is that you enter your CSN, a username and a password of your choice. Through the population register, the system determines who you are and where you live. A (physical) letter is sent to you, containing an activation code (but not the CSN, username or password), which you have to use to activate your account.
Through a series of webservices and redirects, (authorised) websites can make you log in on the DigID website (without them having access to your username or password), getting your CSN as the result of a successful login. This makes it ‘reasonably’ secure for most governmental transactions that can be done digitally. Lots of transactions have to be done in person anyway (such as filing for a passport), and DigID doesn’t seek to solve that problem.
Things you can get through DigID are permits to fell a tree, for instance. Often there are costs associated with a governmental ‘product’, so the chance of someone forging a DigID entry and paying for such a permit in someone else’s name is pretty slim to begin with.

The tax office has had filing software for some time now. You can enter your data, calculations are made, and the whole thing is sent to the tax office servers through the internet. Previously, you had to register a five-digit PIN with the tax office to ‘sign’ your tax filing. But since this year, you have to sign your tax filing with your DigID.
Getting a DigID takes a few days though (because of the physical letter), and it seemed that people would not be able to file their tax statements in time because they were too late with getting a DigID.

The solution offered by the tax office helpline? Use someone else’s DigID to file your tax statement!

I have never heard more boneheaded advice. Basically, the tax office invites you to forge the signature on your tax statement. Suddenly, no-one can be charged with tax evasion or false filings — just let your neighbour sign your filing! Surely you can’t expect your neighbour to look over your filing to ensure it’s all in order, and surely you can’t prosecute people when they never signed something!?

I hope someone gets their ass kicked. If the government starts to circumvent their own security systems, why have security at all!?

Ever since we ended our subscription to UPC cable, we’re getting letters from them: “If you don’t react soon (read: start paying us), we’ll cut off your TV signals!” Which was the bloody point of ending our subscription.

Now I get a letter with an answer form that has an actual checkbox saying “No, stick your TV signals where the sun don’t shine and don’t bother me again!”. Which is certainly a step up from only having “ZOMG! Please don’t cut off the TV signals, and please let me pay you!” on the form.

However, there is also a link to a website where you can make your wishes known to the faceless hordes under UPCs command. And lo and behold, it even has the “NO”-option on the form!

Except that the Einsteins that made this form didn’t test it on that option. If you click on ‘No’, fill in your ‘unique letter code’ and click on ‘Send’, nothing happens. I checked the source, and the validation function requires that you fill in your name and address etc — but that doesn’t show on the form if you check the ‘No’-option! You don’t get any feedback, it just sits there and does nothing.
Also, if they sent me a friggin’ letter with a unique code, why the hell would I have to fill in my address if I did want to renew my TV subscription?

UPC… Can’t they get ANYTHING right!? Sheesh.

Create LED advertisements, get charged with ‘hoax terrorism’.

Now, I understand that boxes with wires sticking out of ’em, placed in unorthodox places might give someone pause. What I do not understand is that bomb squads, who got called out, did not recognize the devices for what they were — LED signs. Besides, why would terrorists go through all the trouble to produce such damn fine PCB work for a one-off device?

Merriam-Webster defines “terror” as “violent or destructive acts (as bombing) committed by groups in order to intimidate a population or government into granting their demands”. Maybe Al-Qaida’s demands (come to think of it, what are their demands of the US?) haven’t been granted, but the US surely is intimidated if this prank causes such a widespread panic.

These people aren’t the first to be charged with “hoax terrorism” because of an art installation. Here’s the story of Jason Sprinkle, who was charged because a bit of graffiti on his car contained the word “bomb” (in a way that anyone with half a brain would recognise as non-threatening).

Think about that for a moment.

This simply means that you are responsible for the interpretations of your actions by total strangers — strangers who might not be interested in your message or your methods, but who simply see a box with some wires sticking out. And in a so-called “post 9-11 world”, that means that you can be charged with terrorism if someone does not understand your actions or something you made. If you do something that is “suspicious” by anyone’s definition, you can be arrested and charged with terrorism.
And because the US has all but suspended habeas corpus, you can be sent to Guantanamo Bay to be held indefinitely, or even shipped to Syria to be tortured, without anyone knowing where you are.

All because some people mistook some blinken LEDs for a bomb.

For a society that prides itself on its freedom, and for the endless possibilities it offers for individual choice, the US is certainly getting a lot of fascist tendencies.

The past few months, the debate has been raging about Network Neutrality. In short, some ISPs want to charge Google for the transport of packets from Google’s servers to your machine. Right now, the network doesn’t care where a packet comes from and where it is headed, with respect to charges or priority — the network is a neutral transport layer.

Doing away with network neutrality is a preposterous idea (I already pay for my bandwidth!), but that’s besides the point.

There are people for and people against maintaining network neutrality. Some of the people who are in favor of network neutrality want to introduce legislation that enforces network neutrality. In response, some people say that they should ‘let the market decide’.
The idea is that legislation is bad, and that customers will leave ISPs that do away with network neutrality, and sign up with other ISPs. While this is a good idea in principle, it won’t work in practicality.

You see, there is a limited number of ISPs. As a consumer, your choice is limited. Where I live, I have the choice of three carriers: UPC (cable), BBned and KPN (both ADSL). There is a plethora of ISPs who offer services over the networks of BBned and KPN, but that’s more of a VPN connection than a physical cable running from your phone to the ISPs server.
If all three decide to do away with network neutrality, I am hosed — I can’t choose an ISP that keeps its network neutral.

“Ah!” the capitalists shout, “But that niche can be filled by another player!”
Therein lies the problem: it can not. Well, theoretically it can, but the cost of entry is incredibly high. You have to run a network cable (something fast) from all of the local telephone switching points to your own servers, which means digging cables. Which means you have to bother with permits etcetera. Not something you can do lightheartedly.
Capitalism works great if the cost of entry to a market is low. If the existing players slack off, a lean and mean operation can enter the market and start earning money that used to go to the established parties in that market.
Internet ventures have a ridiculously low cost of entry — all you need is a decent colocated server, and some PCs to code on, and you’re set. This is why Flickr, Digg and all those other sites work quite nicely: they have to, or else their niche will be taken by a better product or site. Capitalism works there.

But if you need a lot of buildings, or need to do a lot of investments, capitalism doesn’t work, because the choice of the consumer is limited.

Consider the market for operating systems. Here, the cost of entry is incredibly high — it takes a lot of talented engineers to build an OS from scratch. The market is divided amongst a few players: Microsoft, Apple, Sun, Novell… That’s about it. (Sure, there is a host of Linux- or BSD-based OS distributions, but those don’t count, because the vendors of those don’t have complete control of their product.)
What happens if you deregulate that market? Sure enough, monopolies start being abused. Vendors start to use their market share to up the cost of entry for other parties — proprietary file formats, patents that hinder interoperability, the works. Then, if they have secured their space in the market, they start to use their resources to forcefully enter other markets. Leveraging their monopolies, they start to up the cost of entry to that second market and forcing their competition to play ball or get out of the market.

Pure, unregulated capitalism begets monopolies. And monopolies are bad for the workings of ‘the market’. Deregulation can not be the answer to everything that ails society.

Suppose you own a business. A rather successful business — the largest in its field, but not too large, large enough to keep about 70 people employed. You try to do everything by the book.

Then robber barons of the BSA send their thugs your way, and you have to cooperate, and they find that you don’t have licenses for 8% of your software (because your IT guys don’t always do a complete wipe of the hard disk, so that some software [that is not used by the current user of that particular desktop] still remains installed on that desktop). You are forced to pay tribute to the robber barons to the sum of USD 100.000.
But that is not all. They advertise the raid on your company in the evening news, to scare other business owners into paying up their tributes. The robber barons don’t consult you in this — your reputation as an honest businessman is down the drain.

So how can you get back at them? Simple: switch to 100% open source.

(OK, so it’s an old article, but it’s still interesting, if only to see the other side of how the BSA operates.)