Random Questions and Thoughts. Password Protected Garage Door Remotes, Twitter Security, MUNI Drivers, Burgers, etc
Wednesday, March 4th, 2009
From time to time my still-curious mind accumulates a variety of questions and concerns which it has to spill onto the pages of this blog. How random are these? Pretty damn random, and I need to see some answers, quick. Oh, and I’m deliberately not searching Google, as I want to facilitate discussion. What fun would it be if I just looked up all these?
Password Protected Garage Door Remotes
As a paranoid person and a recent homeowner, I started to wonder how safe I actually am in my house. Consider this likely scenario that nobody seems to be concerned with:
I park my car outside for one night and don’t take out my portable garage door remote, the one with a single open/close button. Or, even worse, the remote code is programmed into one of those garage opener buttons built into the car. A car burglar comes along, breaks the window, and trashes my car. Wow, an added bonus – a free entrance into the house!
Needless to say, this is bad already. How many of you lock the door between the house and the garage? What if you forget to do that as well? Is there a spare house key lying around in the garage? You may say “but I’ll hear the garage door open” but does it actually make you feel better? You will be present with an intruder in your house, which will scare the living shit out of you non-governator types.
So here’s my question to you, Internet, is there a garage door remote I can buy that has a programmable keypad, so that a password is needed for the button to work? In fact, it would be almost the same as the one that mounts next to the garage door. And can it not cost $100?
Twitter Security
This part is not about computer security, as you may have thought at first, although I did recently discuss it in the Clickjacking article. I also know that I’m not the first one to bring this issue up but I think it’s worth discussing some more. Consider this scenario:
You’re a cheerful, outgoing snowboarding enthusiast with 3000 twitter (plurk, facebook, or another social network but twitter is the most relevant example) followers. Or maybe you have 3 followers. There’s a 99.9% chance that your profile and updates are public (if you have 3000 followers with a private profile, you must be some sort of a chump. And yes, I did just make the stats up, want to fight about it?).
So, on Friday night, you send the following tweet: “Gone snowboarding for the whole weekend. But not before getting piss trashed Friday night at the casino. Wooooo”.
Since anybody can watch your tweets absolutely anonymously and it’s extremely easy to dig up an address knowing very little about a person, what you just said was “If you are a burglar looking for the next opportunity, just drop everything and come on by Friday night. I will be far-far away but my house (located at 123 Main St) will be available for your robbing pleasures. You only have 2 days before anyone is home, so feel free to crash on the couch and eat my food. Don’t forget to feed the cat. Kthx.”
Is this a likely scenario? Not really, unless twitter raises the tweet length to more than 140 characters, but otherwise you see where I’m going with this. Don’t be stupid – avoid advertising exact details of your whereabouts, vacation plans, etc. There are plenty of uses for Twitter without giving up most of your privacy. Ask yourself: would you post a note with your whereabouts on your door every time you leave the house for a while?
How Do Trains And Buses Know Where They Are?
If you live in a relatively large city, you have seen relatively accurate bus and train arrival predictions and, in some cases, almost exact locations of each vehicle. For example, here in San Francisco we have MUNI stations with live maps of trains’ whereabouts and bus stops with bus predictions on small electronic displays.
What is the technology behind it? It cannot be just GPS, because trains go underground where there is no reception. If it’s a combination of externally mounted sensors, are they also placed outside, once the train gets out into the street? Or is it some sort of a 2-way GPS (a conventional GPS device is just a receiver) underground that switches to sensors above ground? I don’t know but I want to.
Train/Bus Drivers And Bathrooms
While I’m on the public transportation subject, here’s what I want to know: if you are a train/bus/trolleybus driver, what do you do if you NEED to go somewhere when you are halfway down your route? All of us had such moments at least once, and sometimes you just HAVE TO drop the bomb, sink some submarines, drop the kids off at the pool, release the chocolate hostage, plant some potatoes, give birth to a VB programmer, down the proctoscope, bake some brownies, you know what I mean (if you don’t, you’re a senile muppet, what are you doing on the Internet?).
They can’t just leave the train in the middle of the street, can they? Have you ever seen one run out in the middle of the street? I’m really curious here.
All Of Dilbert
Is there a Dilbert collection somewhere that has every Dilbert comic in an easily browseable manner, ideally with ratings I can sort by? 100 Dilberts per page would be ideal. Ah, looks like the new Dilbert.com finally made it a reality: all Dilbert comics sorted by votes, 49 per page.
Where Can I Buy A Circus Tent?
Who sells them? The ones where elephants and clowns could fit. It could also double as a portable office.
Who Gets To Eat The Most Delicious Burger In Burger Commercials?
And where do I sign up? I’m serious.
● ● ●
Yeah, so that’s pretty much what’s on my mind right now. What’s on yours?
How To Fight Clickjacking (Using The Recent Twitter Hijacking As An Example)
Thursday, February 12th, 2009
Updated: June 9th, 2009
Introduction
Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).
Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iFrames, which are both harmless web technologies, and relies mostly on tricking users by means of social engineering. Additionally, the only server side technique against clickjacking known to me is “frame breaking”, which would cause a legitimate site to break out of any iFrames it may be embedded in. This is not always the desired behavior and is generally frowned upon.
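For reference, here is roughly what “frame breaking” looks like in practice. This is an added example, not code from Twitter or any site mentioned in this post; the function name guardAgainstFraming and its return strings are made up for illustration, and it takes a window-like object so the logic can be tested outside a browser.

```javascript
// Added example, not from the original post. `win` is a window-like object;
// in a real page you would call guardAgainstFraming(window) from a script
// placed in <head>. The function name and return values are illustrative.
function guardAgainstFraming(win) {
  const root = win.document.documentElement;

  // Hide everything until we know where we are: a hidden page gives an
  // embedding page nothing to line a decoy button up with.
  root.style.display = 'none';

  // Top-level load: window.self and window.top are the same object.
  if (win.self === win.top) {
    root.style.display = '';
    return 'top-level';
  }

  // Framed: try to replace the embedding page with ourselves.
  try {
    win.top.location = win.self.location.href;
    return 'frame-broken';
  } catch (err) {
    // The embedding page can refuse the navigation (a sandboxed iframe is
    // one way), and the assignment may then throw. The page stays hidden,
    // so there is still nothing to click.
    return 'framed-and-hidden';
  }
}
```

The hide-first step matters: if breaking out fails, the framed copy of the page remains invisible and unclickable instead of silently staying usable inside the frame.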
Generic Example
In layman’s terms, clickjacking means that it is quite possible for websites to trick you into, for example, clicking a button to show a cute kitty while in reality prompting a deletion of all your hotmail email. A malicious site uses an iFrame (which essentially allows embedding sites within other sites) with hotmail loaded inside and hidden using CSS (which is a web language for styling HTML elements). A button named “Show Me The Next Awwww Kitty” is then placed by the malicious site and positioned below the iFrame layer (manipulated by CSS, yet again). However, because the iFrame is hidden, it looks like the “Aww” button is all you’re clicking. Wrong!
Latest Example: Twitter
This morning a new, though harmless, epidemic hit twitter. Hundreds and thousands of messages saying “Don’t Click: http://tinyurl.com/amgzs6” started showing up. Clicking the link shows a simple page with 1 button:
Clicking (which I of course did) uses clickjacking to repost the message to your own twitter account. Take a look yourself: http://search.twitter.com/search?q=don%27t+click.
All of these are a result of an experiment by some French guys to mess around with twitter and show the effects of clickjacking. Thank you for that, French guys. Creating awareness via the most social platform on the web is the best thing they could do for us.
Fight Clickjacking
James Padolsey recently wrote an excellent blog post about clickjacking and mentioned Twitter specifically. Because clickjacking relies mostly on social hacking (i.e. tricking people into clicking malicious links and buttons), Twitter is nothing but a perfect platform. James gives some nice background info and code examples. He correctly highlights, as I did earlier, that clickjacking is not a software bug – it’s a malicious technique exploiting harmless technologies.
So how does one fight clickjacking?
At this point the most reliable way is to use Firefox and the NoScript extension. NoScript provides a simple, yet amazingly effective feature, called ClearClick. From their site:
“…it's enabled by default, protecting NoScript users from Clickjacking everywhere: it even remains active if you switch NoScript in the less safe Allow scripts globally mode. How does it work? Clickjacking hides or displaces or partially covers something you wouldn't want to click, if you could see it in its original context. ClearClick does the opposite: whenever you click a plugin object or a framed page, it takes a screenshot of it alone and opaque (i.e. an image of it with no transparencies and no overlaying objects), then compares it with a screenshot of the parent page as you can see it. If the two images differ, a clickjacking attack is probably happening and NoScript raises a "ClearClick warning", showing you the contextualized and "clear" object you were about to click, so you can evaluate by yourself if that was really something you wanted to do.”
Did ClearClick work in the earlier twitter attack? Sure did! After I clicked the “Don’t click” button NoScript promptly popped up a warning showing the hidden iFrame (since the original malicious page has been removed, I found another similar page from the same author for screenshot purposes).
So, even if you don’t want to enable NoScript globally, install it anyway, just for ClearClick.
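To make the ClearClick idea from the quote above concrete, here is a toy model of the comparison it describes. This is an added example and not NoScript's code: the "screenshots" are tiny constructed pixel arrays, and the tolerance and 5% threshold are assumptions picked for the demo.

```javascript
// Added example, not NoScript's code. Images are arrays of [r, g, b] pixels.

// What the user sees where the frame sits: the frame blended over the page
// content behind it at the frame's CSS opacity (0 = invisible, 1 = opaque).
function composite(framePixels, behindPixels, opacity) {
  return framePixels.map((fp, i) =>
    fp.map((c, ch) => Math.round(opacity * c + (1 - opacity) * behindPixels[i][ch])));
}

// Fraction of pixels that differ by more than `tolerance` on any channel.
function diffRatio(a, b, tolerance = 8) {
  let differing = 0;
  for (let i = 0; i < a.length; i++) {
    if (a[i].some((c, ch) => Math.abs(c - b[i][ch]) > tolerance)) differing++;
  }
  return differing / a.length;
}

// ClearClick-style decision: compare the frame rendered alone and opaque
// with the same region as it appears in the parent page.
function looksLikeClickjacking(frameAlone, asSeenInPage, maxDiff = 0.05) {
  return diffRatio(frameAlone, asSeenInPage) > maxDiff;
}

// Constructed sample: a 4-pixel "framed page" (dark button on white) and
// the decoy the embedding page draws behind it (a pink kitty button).
const FRAME = [[255, 255, 255], [30, 30, 30], [30, 30, 30], [255, 255, 255]];
const DECOY = [[255, 180, 200], [255, 180, 200], [255, 180, 200], [255, 180, 200]];

function demo() {
  return {
    honest: looksLikeClickjacking(FRAME, composite(FRAME, DECOY, 1)),   // frame fully visible
    hidden: looksLikeClickjacking(FRAME, composite(FRAME, DECOY, 0)),   // frame invisible
    faint: looksLikeClickjacking(FRAME, composite(FRAME, DECOY, 0.1)),  // frame barely visible
  };
}
```

A frame shown as-is matches its own opaque rendering and passes; a frame made invisible or nearly invisible over a decoy does not, which is the case that triggers the warning.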
That about covers what I had to say about clickjacking. Stay safe, folks!
The Magic HD-DVD Key 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Monday, April 30th, 2007
Updated: May 12th, 2007
Edit: Ha! Google now returns 1.6mil results (when I first put the key up, it was only 800). Also, almost immediately after this post was indexed by google, the server started experiencing DoS attacks from various IPs in US and Germany. Your dirty tactics didn't work, bastards, the key is all over the place now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

Unbelievable Security Flaw in Regular Locks Makes Them Obsolete
Sunday, August 6th, 2006
Unbelievable! Working and Active Exploit on citibank.com and Many Other Sites
Thursday, June 22nd, 2006
Updated: July 15th, 2006
Edit: this has now been fixed, but I'm sure many sites are still vulnerable.
Here's the link: click here
Unbelievable! This exploit is claimed to exist on 250+ sites. Here's the quote from the guy who found it:
"Look by yourself - this is how citibank.com cares about phishing and password theft. I reported it 20 hours ago. Nothing happened. Maybe it's time to make it public? It is an active link to working exploit, ready to send YOUR data from citibank.com domain to attacker's server - so don't give your real login and pass please."
Reported on digg.com.



beer planet is Artem Russakovskii's blog. Artem is a software engineer at