Archive for Life

Climbed Pikes Peak in the snow!

Z & I Climbed Pikes Peak Again!

Pikes Peak Summit

Despite heading up with a first-time hiker (Dillon, in tan/gray), losing the trail multiple times, Z (in full digital camo) showing signs of hypoxia, and finding a semi-lost cyclist named Shawn (in red), we powered up Barr Trail, blazing the last two miles ourselves due to snow cover!

Check out the full photo set on Flickr!


Submitting Personal Information with[out] SSL

UPDATE: As of September 24 2013, TeachingChile.com is completely wrapped in SSL. ~Thank you!

This post is no longer entirely relevant. TeachChile.com has updated their site and wrapped it in SSL. Thanks guys!

https://teachingchile.com

URL: http://teachingchile.com/apply_online/machform/view.php?id=6

TeachChile.com has an online application process that requires the submission of quite a bit of personal information, including your passport details, over plain text. Seriously? I almost feel like someone’s playing a prank here. With SSL and ‘secure websites’ being pretty well understood, it’s mind-boggling to see websites like this still exist, requesting that personal information including a passport number be submitted as plain-text, unsecured form data. What’s more amazing is that the lack of SSL is just one of what seems to be a whole ton of security ignorance, which pretty much guarantees anyone submitting data to these guys gets their identity (all their submitted data) jacked.

Wha? Google shows some love.

What makes it more astonishing is that the domain was registered in 2005 and ranks #1 for “Teach in Chile” on Google (US), and ranks really well for quite a few other keyword phrases. With potential traffic exceeding thousands of visitors a month, I wonder how many fill out that insecure form?

Source: http://www.semrush.com/info/teachingchile.com

Google gives the page that links to the non-SSL (unencrypted) page a PageRank of 3: http://teachingchile.com/to_apply.htm. With all the crazy search-listing algorithms and such, you’d think Google wouldn’t show much appreciation for this.

WTF? Guess until you find a stored form!

Saved forms can be easily brute-forced! Now this is so far over the top I’m not sure what to make of it, but the site offers to let you save the form if you provide an e-mail address, like so:

Save Form & Resume Later

and upon saving you are presented with a ‘special link’ which, at a quick glance, looks like a simple 10-character alphanumeric hash.

Link to permanently saved form.

http://www.teachingchile.com/apply_online/machform/view.php?id=6&mf_resume=f4e2cdde3a

As far as I can tell that link is permanent unless they purge the system of old resumable forms at some point. But to drive my point home: all one has to do is generate hash values 10 alphanumeric characters long. The following function ‘should’ generate those hashes. Can’t say I checked, but it is quite that simple.

function generate_random_hash($length=10){
 $chars = '0123456789abcdefghijklmnopqrstuvwxyz'; // Our hash-building alphanumeric soup (36 symbols)
 $hash = ''; // Start empty; appending to an undefined variable raises a PHP notice
 $char_count = 1; // Counter for how many characters our hash is (as it loops and grows)
 while($char_count <= $length){
   // Add random chars from our alphanumeric soup until we hit our target length
   $hash .= substr($chars, rand(0, 35), 1);
   $char_count++;
 }
 return $hash;
}

Replace the ‘special’ part of the resume URL with a generated hash and test for live data.

There can’t be more than 6.something quadrillion possible hashes used to uniquely identify the saved forms in their database. 6 quadrillion is a lot, don’t get me wrong, but it really isn’t if you break the work down across a thousand, ten thousand or even more computers; it becomes pretty easy to pull the task off in a very short period of time, even when approached slowly enough not to bring their web server down. I’m digressing though – this isn’t the school of brute-forceology.
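To put the resume-link risk in numbers and show what the fix looks like, here is an added Python example (my own, not MachForm’s or the site’s code): it computes the keyspace and entropy of the page’s 10-character base-36 scheme, and contrasts it with a resume-token store that draws tokens from a CSPRNG, keeps only a SHA-256 digest server side, and expires entries. The store class, its one-week default TTL and the form id used in the test are assumptions.

```python
import hashlib
import math
import secrets
import time
from typing import Dict, Optional, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct tokens a fixed-alphabet, fixed-length scheme can produce."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(alphabet_size: int, length: int, live_tokens: int) -> float:
    """Average blind guesses before any of `live_tokens` valid tokens is hit:
    the more saved forms stay live forever, the cheaper each hit gets."""
    return keyspace(alphabet_size, length) / live_tokens


class ResumeTokenStore:
    """Hardened resume-link store (constructed example, not MachForm's code):
    CSPRNG tokens, only a SHA-256 digest kept server side, and expiry."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self._ttl = ttl_seconds
        self._by_digest: Dict[str, Tuple[int, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, form_id: int, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 43 URL-safe chars, 256 bits of entropy
        expires_at = (time.time() if now is None else now) + self._ttl
        self._by_digest[self._digest(token)] = (form_id, expires_at)
        return token  # goes into the emailed link only; never stored in clear

    def resume(self, token: str, now: Optional[float] = None) -> Optional[int]:
        digest = self._digest(token)
        entry = self._by_digest.get(digest)
        if entry is None:
            return None
        form_id, expires_at = entry
        if (time.time() if now is None else now) > expires_at:
            del self._by_digest[digest]  # purge the stale entry on touch
            return None
        return form_id
```

A 10-character base-36 token carries about 51.7 bits, and a leaked table of such tokens is directly usable; the digest-plus-expiry store removes both problems without changing the user-facing link format.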

Verifiably Exploitable Platform…

If I were to assume TeachChile.com was using Mach Forms (which they are), based on ‘machform’ being in the URL or some other simple means, then a quick Google search for existing (and very well documented) Mach Form exploits might apply. The latest exploit was uncovered less than two months ago. *shakes head* … I’ll just stop there on the topic of exploits.

Just 1 of 1,000+ Other Sites on the Server

With over 1,000 other sites likely hosted at the same IP address (server), I wonder what the odds are that the server itself isn’t already entirely compromised? Source: http://www.reverseip.us/?url=teachchile.com

Running across this situation on a legit website isn’t something that happens anymore. I’m blown away by the seemingly legitimate operation being run on TeachChile.com. Beyond notifying their contacts I’m not sure what else to do about it. Should anyone beyond their posted contact be notified of this? Let’s hope this application isn’t to teach web development. ^_^

The purpose of this post!

Be very aware of what you’re doing when you release personal information online. In this case it’s pretty safe to assume that data submitted to TeachChile.com will become the property of some nefarious individual. Unless you have some otherwise unobtainable insight into what happens to your data after you submit it, be cautious. It doesn’t take much for a web server to fall victim to an automated attack, and very specifically its DATA, because that’s what everything is all about anyway. Nobody reads the ‘terms of use’ or ‘disclaimers’ anyway (and in many cases neither do the writers of those things, so they don’t identify how your personal information is being securely managed; further, there is no code enforcement to ensure what you’re reading is in fact what happens), so it’s best to assume all the data you submit to a website is going to be retained indefinitely by an individual or a staff that isn’t specifically driven by keeping your data safe. Most techs are extremely trustworthy, however often quite lazy. It doesn’t take much oversight for a whole database, server or, better yet, a cloud-driven limitless data storage asset to become the property of an attacker. It’s often just a password between the evil attacker and your personal information.

Don’t EVER submit your Social Security Number or passport information online. Just don’t. Perhaps try using your dog or cat’s Social Security Number as a temporary placeholder. ^_^

My Girlfriend is a Hacker…

The definition of ‘Hacker’:

A “computer hacker,” [then,] is someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker’s attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money. (It’s okay to make money, but that can’t be the reason for hacking.)

~ Brian Harvey (University of California, Berkeley)

The fact that Zahira is an amazing tech has been obvious for quite a while; however, it really set in yesterday as I walked past her desk. On it were the following things:

  • an iPhone 3G displaying what looked like a Linux console.
  • a 21″ LCD extending the desktop of a Dell [model] laptop running Ubuntu Linux (BackTrack), testing our Netgear WNDR3700v2
    • After disabling WPS on the wireless router it still seemed to advertise that it had WPS enabled.
  • a Dell i5105 running Linux Mint Cinnamon x64 – her favorite operating system, second only to OSx Mountain Lion.
  • a 27″ iMac with Terminal, Google Chrome, iTunes and the Console [log viewer] app visibly running, and Synergy operating in the background allowing her to use the iMac’s Apple keyboard and trackpad seamlessly across all three devices.
  • an iPad leaning against its protective shell displaying a paused YouTube video.
  • an iPhone 4Gs in an Otterbox minus the rubber external shell so it fit in the iHome dock.

Seeing Z surrounded by Linux, and an Android icon laid over a CLI on the phone, brought it home. As long as I’ve known her, Z has demonstrated the same attitude toward tech, which is essentially and very simply being intrigued by virtually every tech ‘thing’.

What I really enjoy, though, are the awesome moments of revelation when something she’s been working on -clicks- and all the dots come together. I love helping everyone with their technical issues, but it’s been quite a while since I’ve seen the glow of self-gratification after all the research comes together and she figures it out. It’s nothing short of inspiring. ^_^ It’s awesome. And of course she’s always working on something cool while we progress through the actual IT ‘work’.

For example:

There’s a Dell D630, Dell E6400 and a Toshiba Satellite A135 S7404 sitting in my office right now running OSx. A couple of months ago, with a couple of hard drives in hand and a bunch of support tools, she set out to install Mac OSx on every PC she could get her hands on. hehehe. Then, as if to contrast the situation, she helped me prepare, develop and use our “install anything” network boot environment, which has since been used to deploy our own highly customized versions of nearly every Microsoft operating system on any device that supports PXE booting. Perhaps the icing on the cake is that most all of the really interesting projects get reverted and undone shortly after their launch for one reason or another – often simply the lack of appropriate licensing – but that never derails the completion of the project.

I believe her iPhone 4Gs, iPad and iMac are currently running stock iOS ^_^ and, according to the network management resources on our gateway, her iPad and iMac (in that order) are not only the 1st and 2nd largest consumers of bandwidth on our network, but those two devices alone outweigh all the other devices on our network combined! She consumes and retains information like it’s easy. lol

According to our logs, I’m a weirdo with a secret lust for ad networks and tracking servers, while Zahira has watched all of YouTube a couple of times. Which brings me to my last major note for this post. I am perpetually blown away by how good she is at not only researching and finding information that leads to logical answers, but in the same effort of digging for information she makes it seem effortless to bring it all back and put it together in writing that she publishes for others (and myself) to consume. No matter the topic, she produces the most amazing results. When we were restructuring TechnologyBytes’ business model she produced an intense Employee Handbook and business brochures. While developing Think Smart, Inc. as the Marketing Director during the startup phase she created quite literally everything, from the logo, Mission Statement, Investor Presentation, business plan, marketing plan and brochures to many more marketing pieces. All while proactively managing her own web presence, maintaining all her sites and writing all the original content.


Zahira, you’re amazing. You’re pure inspiration and I’m blessed to be graced with your presence every day, day in and day out! Thank you so much! I love you! <3

A couple sites Zahira actively maintains:

A couple social profiles for the real Zahira Schmidt ^_^

Arabic and Java

Rosetta Stone in hand and NetBeans on screen, I’ve taken to two new languages. I have for quite a few years now wondered why I don’t have a firm grasp of Java, and considering I’m an avid developer capable of effectively supporting further development of applications sourced in Perl, Ruby and PHP (yeah, I’m a web developer – ya got me), there’s really no reason why I shouldn’t have a solid grasp of Java, at least to the level of being able to comfortably support an open source project if nothing else. What makes the deal really sweet, though, is that Zahira is brilliantly intelligent beyond any claim I could make here, and she’s motivated to learn and understand the use of Java, so that just seals the deal. I’m personally 100% confident Java will be commonplace in our household within months.

On an entirely different thought process: I have become the average American and seemingly let go of any ability to be understood by any means other than this sad representation of written and spoken language most of us call English. Normally when I felt like this I would force-feed myself some Spanish and immerse myself with a vacation, or enlist someone to communicate with me in Spanish at some semi-regular interval. This time, however, I’m in an awesome new situation in which many people in my immediate bubble can speak Arabic, so I’m taking the opportunity to jump in, and for the first time in my 30 years of Spanglish existence I am taking on a truly new language. The notion of copy/pasting some Arabic here crossed my mind, but I’m at such a lack of knowledge that I’m going to submit this post and begin dedicating some time to understanding it right now.

Live Love Life!