Friday, April 29, 2011

Chicago Code Is Killing My Brand

In fact, the only reason I mention it is to ride the SEO bandwagon.

So here's the mandatory link.

If you're looking for The List, please be patient.

And don't ask.

All will be revealed in time.

Thursday, April 28, 2011


Yes, the List is down.

It will be back.

You explain away 100,000,000 open Chinese proxies and what happens?  Some people get jelluz.


You can't stop True Talent™.

Sunday, April 24, 2011

IPv6 & mDNS are the SHIT

I would not lie to you, bois & grrlz.

During the last UT99 server IP change, my IPv6 tunnel with Hurricane Electric, which had been running fine since February, got fucked.  One thing led to another and I never got around to fixing it until today.  Once I fixed it I realized my IPv6 name resolution was not optimal and I fixed that, too.  It was just a minor PowerDNS tweak to tell the recursor what address to do IPv6 name resolution on.  Once that was done, I didn't have to depend on the special IPv4+6 SQUID proxy I had set up.

Another by-golly swell thing that happened in February was the mDNS RFC finally got rewritten.  This sucker has been languishing for six years.

Why is it back now?  If I had to guess I'd say it's because of the rise of the iPad, since from Day One mDNS was always an Apple Thing™.

What does mDNS do for you?  Apple fanboys will always tell you that their MAC just works.  In fact, if you ask them how it does that, they don't know, and they'll admit they don't know.

All they know, they'll say, is it just works.

And that is the sum total of their knowledge about MACs (ask one someday, s/he will gladly tell you).

Apparently they're not inquisitive enough to find out why.  Or maybe they're just stoopit.

mDNS is one of those things that enable that particular feature.  When a MAC fanboy walks into an environment that supports mDNS (not very common in the Windows world), all local devices are available.  Need to print?  Most printers, copiers, and fax combo devices built in the last five years will be available because of mDNS.  Want to listen to some music?  You can hook up to a local user's iTunes and get in the groove.

All sorts of Good Shit will be available to you.

(NOTE: security wonks such as myself don't think this is necessarily a Good Thing)

When you combine mDNS with IPv6, like I did today, the future will be revealed to you.

Soon, your ISP will be giving you a shitzillion IPv6 addresses, more than you will ever need.  Every device in your home will have its own IPv6 address and those devices will need to talk to each other and you.  mDNS will help enable that communication.

While your devices are chatting, you still have to make sure that some IPv6 enabled samovar in East Fuckistan isn't attacking your Mr. Coffee in Cleveland, so you'll still need a firewall.  But—and this is the best part—you'll be able to forget everything you ever didn't want to know about NAT, which has been forced on you because of that one crappy IPv4 address your ISP currently allows you.

The future is coming.

Saturday, April 23, 2011

Insecure Defaults In PPLiveVA Client


The Great Firewall is full of holes.

From ...

"PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e., PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reached over 2 hours and 30 minutes, the highest stickiness among all China websites."

The Intro
Anyone who has followed public proxy lists in the past year has noticed there are thousands of new open proxies listening on port 9415 listed every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses indicates they are widespread mostly in China but also in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate.

These proxies are built into the PPLiveVA client to retrieve an internal PAC (proxy autoconfiguration) file from the following URL:


Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host){
    // Plain host names, non-HTTP URLs and the listed local patterns bypass the proxy.
    if(isPlainHostName(host) || url.substring(0,5) != "http:" || shExpMatch(url,"http://localhost:*") || shExpMatch(url,"*"))
        return "DIRECT";
    // Video requests go to the proxy unless the URL matches the inner pattern.
    if(shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") || shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")){
        if(shExpMatch(url, "**"))
            return "DIRECT";
        return "PROXY";
    }
    return "DIRECT";
}

Obviously, the proxy should be listening on only, but in practice it listens on all interfaces.
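A local check for the bind-address problem described above, as an added example that is not part of the original post or of the PPLiveVA client: it parses Windows `netstat -ano` output and flags any listener on port 9415 that is not bound to loopback. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:9415           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.20:9415      203.0.113.7:51544      ESTABLISHED     3120
  TCP    [::]:9415              [::]:0                 LISTENING       3120
  TCP    [::1]:9415             [::]:0                 LISTENING       4000
"""

# Local address, local port and owning PID of a TCP socket in LISTENING state.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def audit_listeners(netstat_text, port=9415):
    """Return (address, pid, exposure) for every TCP listener on `port`."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or int(m.group(2)) != port:
            continue
        # IPv6 addresses are bracketed and may carry a %scope suffix.
        addr = ipaddress.ip_address(m.group(1).strip("[]").split("%")[0])
        if addr.is_loopback:
            exposure = "loopback-only"      # what a local PAC helper needs
        elif addr.is_unspecified:
            exposure = "all-interfaces"     # 0.0.0.0 or :: (the insecure default)
        else:
            exposure = "single-interface"   # bound to one routable address
        findings.append((str(addr), int(m.group(3)), exposure))
    return findings


def exposed(findings):
    """Listeners reachable from other hosts (anything not bound to loopback)."""
    return [f for f in findings if f[2] != "loopback-only"]


if __name__ == "__main__":
    for addr, pid, exposure in audit_listeners(SAMPLE_NETSTAT):
        print(f"{addr} port 9415 pid={pid} {exposure}")
```

Feed it the real `netstat -ano` output from a host running the client; the PID column identifies which process owns each exposed listener.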

The Outro
It looks like there are 100 million open proxies in China, thanks to this software. Pick a Chinese IP address, scan for port 9415. You'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? meh. A little late for that.

The fact is, they're pretty crappy proxies.

More Info

More Proxies

Originally published 04/19/2011

Monday, April 11, 2011

Server IP Change

If you bookmarked BOT House, BITCH House, et al., in UT99 your bookmarks are now out of date.

This time it wasn't a power outage.  It just had to be done.

Last week, I ragged on GoDaddy's DNS services (I didn't say one word about Bob Parsons shooting the elephant... not one word!).  By early Saturday morning, between 1AM and 2AM they took away my ability to resolve my own DNS name through their servers.  After banging my head on the wall for several hours over this issue, it became obvious from the responses I received from their DNS servers ("Query refused") that they had blocked my IP at their servers.

No, I'm not paranoid.  Changing my IP fixed everything.  At least, everything DNS.  My IPv6 tunnel with Hurricane Electric broke, but I'm working on that.


For some reason I confused Bob Larson with Bob Parsons.  For all I know Larson could be an elephant killer, too.

Sunday, April 03, 2011

Dropping the -ly

A few years back I started hearing certain people in everyday conversation dropping the -ly in adverbs. For example, instead of saying...
I am literally swamped with work.
... they would say...
I am literal swamped with work.
... dropping the -ly from "literally".

This drives me nuts. Not because I'm a grammar cop. It simply hurts my ear. ("It simple hurts my ear." - can you stand that?)

First it was one person, then multiple people. Then, horrified, I started seeing it in print. Here is the most recent offender.

The offensive fragment is "Man previous convicted...", which should read "previously convicted". I guarantee this is not a typo. This is how the author (and obviously his editor) speaks. Why he didn't go for the double whammy and drop the -ly in "allegedly strikes" is anyone's guess. Maybe because it didn't sound right? Maybe because it sounded bad enough already?

OK, here's another one, which you could conceivably (conceivable?) blame on Twitter's character limit, but this guy, whoever the fuck he is (I hate retweets), had 18 characters to spare...

Again, I guarantee this is how he speaks. Do I have to spell it out? It should be "absolutely love it".

How wrong is this? I got 912,000 hits on Google for "absolute love it" and 80,000,000 hits for "absolutely love it".

Where the fuck does this come from?

04/16/2011 — Here we go again...

I'd give "work slow" a pass (technically it should be "work slowly") but "temporary inaccessible"?


OK, the guy's name is "Sergey", so he's probably not a native English speaker.

The guy who wrote or translated this article got "temporarily crippled" right but absolutely blew it with "repeated delayed"...

It never stops!


I would've let this slide because it was Twitter but "inevitably" has the same number of characters.

I never forget.

12/14/2011 Here we have yet another fine example, this time from Security Week...

Oh, come on, people!

I have to assume this was on purpose, because nobody talks like that, right?

I took some liberties with the image.  See if you can guess what they were.  The original is here.


SHAME ON GLENN S. PHILIPS!!!!  For this crap, published in Dark Reading...

Why stop at "possible understand"?  Why not "communicate effective" or "discussed sensible"? 

NO excuse.



If you could see me now you would be able to tell that I am visibly upset by the content of this story from WSOC-TV in North Carolina, which contains the following sentence...

If you watch the video, you will hear the reporter, Andrew Doud, say "visibly upset", so whoever made the transcription decided to "correct" him.

I hate when that happens.


Hey look boys and girls!  I'm not the only one bothered by this crap...

The original is here.

I have been seeing "remote exploitable" for a long, long time and I just have to grit my teeth every freakin time it pops up and it pops up all the fucking time, mostly from a Certain Security Company That Will Remain Nameless.

I appreciate that the editor tried to correct this doofus, but I would have gone with (sic) instead of (sp).


I doubled the RAM, from 1G to 2G, on EXP5 today.

This is a "salvage upgrade" of pieces/parts from my old—circa 2003—Windows XP box, which suffered a fatal hardware malfunction.  The heatsink on the chipset sproinged off and cooked it, causing numerous spontaneous reboots.  This is the second time in ten years this kind of heatsink failure has happened to one of my boxes.  Otherwise, it was a pretty solid machine.  But now it rests in pieces in Hinky's Hardware Graveyard.  Caches to ashes, DOS to dust...

It had 3G, so I took the two matched 1G chips and moved them over.  It seems to be running fine.