Showing posts with label CRAP. Show all posts

Friday, August 12, 2011

Hinky Dink SEO almost back to normal

Lots of shit hit the fan back in April. It seemed like everyone wanted to put the smackdown on the Dinkster after that security announcement about PPLiveVA—those damned port 9415 proxies in China—hit the wire.

As if the GoDaddy DMCA takedown wasn't bad enough—taking out both ProxyObsession and MrHinkyDink.com—the next insult hit my "brand" like a rock. Some stupid cop show announced an episode titled "Bathhouse and Hinky Dink" and in the process snatched up all my Google search hits. (See also here).

Motherfuckers couldn't even spell "BOT House" right. heh. (If you don't play UT on my server you won't get it.)

FOX finally cancelled Chicago Code. I rejoiced, but it took a long time for the "Bathhouse and Hinky Dink" hits to go away.

As we say in UT, "DIE BITCH!"

This was the latest Hinky Dink hit...


... which is the new link on the "Hinky Links" side panel on the right. It is my public PGP key, which you can use to send me encrypted email (dink-at-mrhinkydink-dot-you-know-what). I should have done that long ago, but I didn't.

You may have noticed other changes to the right-hand sidebar. Just trying to clean things up a bit. The link to the Proxy List was removed when it was taken down and I never put the link back in. It has been restored. The Twitter bar was moved up and the search box was moved down. The BOT House tweets are gone since that hasn't worked for months (it was fun while it lasted).

Of things not working, the World Domination link is still down. I haven't fixed that yet. I wonder if it will ever get fixed because Google has lately made some "improvements" to the Maps API that are driving me nuts elsewhere. Never, ever depend on someone else's code because you'll always get screwed in the end.

Sunday, May 01, 2011

De-bit.ly-fying a URL

Ever since the URL shortening services began with tinyurl.com, I've been extremely suspicious of them, probably because back in The Old Days it was a popular way to put up a goatse or a tubgirl link (if you don't know, don't ask) for the newbs.  Fortunately, that kind of abuse is A Thing Of The Past now.  But... you never know.

Just today, I got somebody else's SPAM in my mailbox (long story—some guy on my ISP thinks my email address is his wife's email address—this has been going on for years).  Normally I just delete the shit.  Today I was curious, so I dragged the email out of my InBox and onto the desktop and peeked at it with Notepad.

I'm not sure why, but I was quite surprised to find bit.ly links inside the email.  There was no way in Hell I was clicking on any of them, so I wrote a tiny kidscript called "debitly" to check them out. 

And before you decide to leave a comment to enlighten me, yes, I know you can hover your mouse pointer over a bit.ly link in a browser and get the full URL—this is different.  This is HTML I don't want to render in a browser or in an email or anywhere else.  It's plainly in ten foot pole territory. 

That said, here it is:

#!/bin/bash
# debitly: fetch the headers bit.ly returns for a short link, without a browser.
# Usage: ./debitly http://bit.ly/CODE
[ -n "$1" ] || { echo "usage: $0 http://bit.ly/CODE" >&2; exit 1; }
URL=$(echo "$1" | cut -d / -f 4)   # the short code is the 4th slash-separated field
# Raw HTTP/1.0 request; the 301 reply carries the real target in its Location: header.
printf 'GET /%s HTTP/1.0\r\nHost: bit.ly\r\nUser-Agent: Mozilla\r\n\r\n' "$URL" |
nc bit.ly 80

"nc" is our old buddy, Netcat.  It might work with the Windows version of Netcat, but that's not how I roll.

Here is sample output from a random bit.ly URL posted on Twitter:

:~# ./debitly http://bit.ly/kQZUAt
HTTP/1.1 301 Moved
Server: nginx
Date: Sun, 01 May 2011 21:05:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: [removed];
Cache-control: private; max-age=90
Location: http://home.comcrud.net/~joe-blow/VA7751.jpg
MIME-Version: 1.0
Content-Length: 137

[followed by some HTML BlogSpot can't render as text for some reason]

You could tack a "| grep Location:" on the end of that code to lose the headers, but they are there for your enlightenment.
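The same idea in Python, as an added example (not the author's debitly script): it sends the raw request the nc one-liner sends, reads only the status line and headers, resolves the Location header by hand for a bounded number of hops, and refuses to follow anything that is not http or https. The embedded 301 reply is constructed from the sample output above, not a live capture; nothing else on the network is assumed beyond bit.ly answering on port 80.

```python
#!/usr/bin/env python3
"""Resolve a shortened URL by hand, one redirect at a time, without rendering
anything.  Added example, not the author's debitly script.  Only the status
line and headers of each reply are inspected; bodies are discarded."""
import socket
import ssl
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 5   # shortener -> tracker -> landing page is common; stop after that

# Constructed reply modelled on the bit.ly output shown above (not a live capture).
SAMPLE_301 = (b"HTTP/1.1 301 Moved\r\n"
              b"Server: nginx\r\n"
              b"Content-Type: text/html; charset=utf-8\r\n"
              b"Connection: close\r\n"
              b"Location: http://home.comcrud.net/~joe-blow/VA7751.jpg\r\n"
              b"Content-Length: 137\r\n"
              b"\r\n"
              b"<html>moved</html>")

def build_request(url):
    """Raw HTTP/1.0 request for url, the same thing the nc one-liner sends."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return ("GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla\r\n\r\n"
            % (path, parts.netloc)).encode("ascii")

def parse_response(raw):
    """Return (status_code, {lower-case header: value}); the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_target(current_url, status, headers):
    """Next hop if the reply is a redirect worth following, else None.
    Relative Location values are resolved against the current URL and only
    http/https targets are accepted (no javascript:, data: or file: surprises)."""
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    target = urljoin(current_url, headers["location"])
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target

def fetch_head(url, timeout=10):
    """Send one request over a plain (or TLS-wrapped) socket; return status + headers."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((host, port), timeout=timeout)
    if parts.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(url))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)

def resolve(url, max_hops=MAX_HOPS):
    """Follow the redirect chain by hand; return every hop, shortener first."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch_head(chain[-1])
        nxt = redirect_target(chain[-1], status, headers)
        if nxt is None:
            break
        chain.append(nxt)
    return chain

if __name__ == "__main__":
    import sys
    for hop in resolve(sys.argv[1]):
        print(hop)
```

Run it as ./debitly.py http://bit.ly/kQZUAt and it prints each hop in order. The hop limit matters: shorteners routinely chain into click trackers, and a loop or a long chain is exactly the kind of thing you do not want to follow blindly.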

"Joe Blow" is not his real name.  And comcrud.net is not the domain, but you get the picture.  And if I get into Deep Shit over this, it was Hypponen who Tweeted it in the first place, so don't harass me about it.  Keep your fucking Digital Millennium Copyright Act in your pants, OK?
 
As it turns out, the bit.ly links in the SPAM email were "legitimate".  That is to say they pointed to the opt-in SPAM customer's Web site, which is all well and good, but it was a disappointment to find out bit.ly is in the SPAM business, even if it is opt-in SPAM. 

Why was I disappointed?  Well, they had a write-up of bit.ly's chief scientist, Hilary Mason, in Scientific American last month and I thought she was cute as Hell.  I was smitten, but now I know she's just another Advertising Slut.  sigh

But I was pleased to see they were using nginx!  That makes a lot of sense if you're throwing out a shitload of 301 redirects 24x7.  At least they have good taste in Web servers.

Saturday, April 23, 2011

Insecure Defaults In PPLiveVA Client

Insecure Defaults In PPLiveVA Client
====================================

The Great Firewall is full of holes.

From http://www.synacast.com/en/ ...

"PPLive has more than 200 million user installations and its active monthly user base (as of Dec 2010) is 104 million, i.e., PPLive has a 43% penetration of Chinese internet users. With its innovative user experiences, such as live chatting, and SNS, average viewing time per person per day has reached over 2 hours and 30 minutes, the highest stickiness among all China websites."

The Intro
=========
Anyone who has followed public proxy lists in the past year has noticed there are thousands of new open proxies listening on port 9415 listed every day. In the past year I have documented over 394,000 port 9415 proxies from these public lists. Geolocation of the IP addresses indicates they are widespread mostly in China but also in Taiwan, Macau, Hong Kong, and pockets of the US where Chinese is likely to be spoken.

I initially suspected some kind of malware. Finding nothing in Google (searching for 9415 will get you a lot of proxy lists), I eventually started searching Baidu. The results were immediate.

These proxies are built into the PPLiveVA client to retrieve an internal PAC (proxy autoconfiguration) file from the following URL:

http://localhost:9415/tudouva.pac

Replacing "localhost" with the IP of an active port 9415 proxy (if you can find one) will get you the PAC file, shown below:

function FindProxyForURL(url, host) {
    // Plain hostnames, non-http schemes and the helper's own addresses go direct.
    if (isPlainHostName(host) || url.substring(0, 5) != "http:" ||
        shExpMatch(url, "http://localhost:*") || shExpMatch(url, "http://127.0.0.1:*"))
        return "DIRECT";
    // Only video downloads are routed through the local port 9415 listener...
    if (shExpMatch(url, "*.flv*") || shExpMatch(url, "*.mp4*") ||
        shExpMatch(url, "*.m4v*") || shExpMatch(url, "*.f4v*")) {
        // ...except those served from hzplayer0.tudou.com.
        if (shExpMatch(url, "*hzplayer0.tudou.com*"))
            return "DIRECT";
        else
            return "PROXY 127.0.0.1:9415";
    }
    else
        return "DIRECT";
}

Obviously, the proxy should be listening on 127.0.0.1 only, but in practice it listens on all interfaces.
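A quick way to check that binding claim against a given host, written here as an added example (it is not part of the original write-up): request /tudouva.pac from the address on port 9415, exactly as the client does against localhost, and fingerprint the reply on two strings taken from the PAC file above. Run it against 127.0.0.1 and your own LAN or WAN address on a machine with the client installed; the same verdict on both means the listener is on all interfaces. The embedded sample reply is constructed (headers assumed, body abridged from the PAC file above).

```python
#!/usr/bin/env python3
"""Check whether a host exposes the PPLiveVA helper on TCP 9415 by requesting
its PAC file, the same request the client makes against localhost.  Added
example, not part of the original write-up; the fingerprint strings come from
the PAC file reproduced above."""
import socket
import sys

PORT = 9415
PAC_PATH = "/tudouva.pac"
# Both strings appear in the PAC file above; a random web server on 9415
# will not return both of them.
FINGERPRINT = ("FindProxyForURL", "PROXY 127.0.0.1:9415")

# Constructed reply (headers assumed; body abridged from the PAC file above).
SAMPLE_PAC_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                    b"function FindProxyForURL(url, host){\n"
                    b"  if(shExpMatch(url, \"*.flv*\")) return \"PROXY 127.0.0.1:9415\";\n"
                    b"  return \"DIRECT\";\n}\n")

def looks_like_pplive_pac(body):
    """True if body (str) is the PPLiveVA PAC file rather than some other page."""
    return all(marker in body for marker in FINGERPRINT)

def classify(raw):
    """Classify a raw reply (bytes) to GET /tudouva.pac:
    'pplive-pac', 'other-http' or 'not-http' (some other service on 9415)."""
    if not raw.startswith(b"HTTP/"):
        return "not-http"
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    return "pplive-pac" if looks_like_pplive_pac(body.decode("latin-1")) else "other-http"

def probe(ip, port=PORT, timeout=3):
    """Connect, ask for the PAC file and classify the answer.
    Returns 'closed' when nothing answers on the port."""
    req = ("GET %s HTTP/1.0\r\nHost: %s:%d\r\n\r\n" % (PAC_PATH, ip, port)).encode()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(req)
            raw = b""
            while len(raw) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "closed"
    return classify(raw)

def exposure_report(addresses):
    """Probe 127.0.0.1 plus each address given (your own LAN/WAN IPs).  'pplive-pac'
    on anything but 127.0.0.1 means the helper is bound to all interfaces."""
    return {ip: probe(ip) for ip in ["127.0.0.1"] + list(addresses)}

if __name__ == "__main__":
    for ip, verdict in exposure_report(sys.argv[1:]).items():
        print(ip, verdict)
```

Usage: ./pplive_check.py 192.168.1.20 (your own non-loopback address). A 'closed' on the LAN address with 'pplive-pac' on 127.0.0.1 is the behaviour the client should have had.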

The Outro
=========
It looks like there are 100 million open proxies in China, thanks to this software. Pick a Chinese IP address, scan for port 9415. You'll get one sooner or later. I don't consider this a 0day, since it's been going on for over a year. Responsible disclosure? meh. A little late for that.

The fact is, they're pretty crappy proxies.

More Info
=========
http://proxyobsession.net/?p=1534

More Proxies
============
http://www.mrhinkydink.com/proxies.htm

Originally published 04/19/2011

Sunday, September 05, 2010

New Look For Fall!


Well, I finally did it. I gave Blogger a few months to come up with some new templates but they disappointed me. Same shit, different day. And although I've criticized the look of "Dark-Ass Security Blogs" in the past, the other options are just too happy, trendy, or touchy-feely for my tastes.

After all, this place is about HAXX and FLACK, not puppies and flowers.

So it's back to the same old, same old but with more horizontal space. The old style always seemed so cramped.

Monday, September 14, 2009

Script Haxx


Upgrading to 2.6.31 went so fast Saturday morning I was at a loss for things to do over the weekend. Before shutting down the servers to rebuild the kernel I noticed the scripts were running wild, so after I fixed the other problems with the video and iptables, I attacked the scripts.

All of this crap, Chat-O-Matic, Ban-O-Matic, the Map, and now this Twitter Shit is all built off data that's scraped from the UT Web Admin interface with bash scripts. There has always been one big problem with this approach: it's really hard for all those scripts to tell when a game is over.

The main issue is when the last player leaves when a new game starts but before the server is populated with bots.

This isn't a problem when the last player leaves an active game. A bot will simply take his place and the bots will finish the game off themselves, which is good since another player could jump in.

But the scripts get seriously confused when there are only, say, one or two bots wandering around waiting for players that will never show up. The game has to be reset for everything to work again. This has been a problem for a long time, and I usually ignored it because it usually fixes itself as soon as another game starts.

Usually.

Sometimes you just have to SIGKILL all the games and game sub-processes and start over.

So I put the "Game Over" functionality into Ban-O-Matic. Now, if there's nothing but bots playing for more than two minutes, the game is restarted (future expansion: switch to a random map). B-O-M was a good place for this, since it deals exclusively with real players and ignores bots completely.

Plus, aside from banning bad players, B-O-M has very little else to do.

On top of that, I optimized a ton of other scripts and put together a script monitoring system.

With the new kernel and optimized scripts the place is running better than ever.

Saturday, June 27, 2009

EXP IV Has Been Moved


The EXP IV box used to be the longest link on HinkyNet. I had a very long ethernet cable from the Old Days (1995 or 1996) that I used to link it in. The said cable spent many years in the trunk of the Hinkymobile and was used as an emergency measure back in my consultant days, which are now almost ten years behind us.

As a result of the use, abuse, and neglect of this cable, it was quite kinky and probably not a good choice to put "in production". And since I'm a Cheap Sun of a Bitch I was damned if I'd go out and actually buy a decent cable for this purpose.

So I moved the whole damned box across the room, as well as the UPS. I put it on a cable that is about six inches away from being too short. Hopefully this tightens up the whole "collision domain" and complaints of LAG will, if not disappear, be minimized.

But you never know.

Sunday, April 19, 2009

I Hate Ads

Advertising is private sector propaganda. It's vile. It's evil.

I avoid it whenever possible.

Especially on the Internet. I've been running a Squid proxy at home for over ten years, primarily to use Ad Zap to eliminate the popups, banners, and ShockWave Flash crap all mainstream Web sites would like to shove down our pipes.

For example, here's a screenshot of ComputerWorld on a slow advertising day.

[Screenshot: SHITTY ADS]

Again, this was captured on a weekend. During the week, when there is much more traffic from corporate proles such as myself, it is one hundred times worse.

Minimum.

Here is the same exact page when viewed through my Squid proxy with Ad Zap...

[Screenshot: ADS NO MORE!]

Much better.

One thing the screen captures don't show is the fact that all three of the ads are animated. Animation sucks primarily because the bandwidth required chokes a remote desktop connection. I do most of my browsing at work through an encrypted pipe back to my house, which uses the 785kBps (**SLOW**) uplink. Any animation sucks the lifeblood out of that link.

There are several other ways to accomplish the same thing. I had been using FireFox with NoScript exclusively for the past eight months, but I switched to Google Chrome because it is much faster than FireFox.

Blazingly fast. Un-fucking-believably fast.

Blogably fast! TROOF! But maybe some other time. We're talking about ads today.

Since there's no NoScript plug-in for Chrome, I had to go the Ad Zap route. As it's distributed in its stock configuration, it kills maybe 90% of all ads, banners, popups, etc.

But I want no less than 100%!!!!

The big problem I had with Ad Zap was the small town TV and radio news sites across the US. They tend to use more obscure Web advertising companies, or they use their own home-brew methods. These aren't included in Ad Zap out of the box, so you have to roll your own rules. This is simply a matter of setting a few variables and editing a text file or two.
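What "rolling your own rules" looks like when you write the redirector yourself, as an added example (this is not Ad Zap and not the author's configuration): a Python helper speaking the classic Squid url_rewrite_program line protocol. Squid hands it one request per line, "URL client_ip/fqdn ident method ...", and reads back either a replacement URL or an empty line meaning "leave it alone". Ad URLs are swapped for a local blank GIF, which is the Ad Zap approach. Assumptions, labelled in the code: the Squid 2.x/3.0 protocol (Squid 3.4 and later want "OK rewrite-url=..." / "ERR" replies instead), a local placeholder image at the BLANK_GIF URL, and made-up ad hostnames standing in for the small-town station networks.

```python
#!/usr/bin/env python3
"""Home-brew ad rewriter speaking the classic Squid url_rewrite_program protocol.
Added example standing in for hand-written Ad Zap rules; it is not Ad Zap.
Squid pipes one request per line ("URL client_ip/fqdn ident method ...") and
reads back the replacement URL, or an empty line to leave the request alone.
Assumed: the Squid 2.x/3.0 line protocol (Squid 3.4+ expects "OK rewrite-url=..."
or "ERR" replies instead) and a local 1x1 transparent GIF served at BLANK_GIF."""
import re
import sys

BLANK_GIF = "http://127.0.0.1/adzap/blank.gif"   # assumed local placeholder image

# Roll-your-own rules for the obscure ad networks and home-brew ad paths the
# stock lists miss.  Hosts match as exact names or parent-domain suffixes,
# paths as regexes.  All names below are made up for the example.
BLOCKED_HOST_SUFFIXES = ("ads.example-tv-station.com", "adserver.example-radio.net")
BLOCKED_PATH_PATTERNS = [
    re.compile(r"/ads?/", re.I),
    re.compile(r"/banners?/", re.I),
    re.compile(r"/(adframe|adview|openx)\.(php|js)\b", re.I),
]

def host_of(url):
    """Lower-cased hostname of an http URL, or '' if it does not look like one."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def is_ad(url):
    """True when the URL hits a blocked host or a blocked path pattern."""
    host = host_of(url)
    if any(host == s or host.endswith("." + s) for s in BLOCKED_HOST_SUFFIXES):
        return True
    return any(p.search(url) for p in BLOCKED_PATH_PATTERNS)

def rewrite(line):
    """One redirector round: the URL Squid should fetch instead, or '' for unchanged.
    Only plain http:// URLs are touched; CONNECT tunnels arrive as host:port."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    if not url.lower().startswith("http://"):
        return ""
    return BLANK_GIF if is_ad(url) else ""

def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()   # Squid blocks until it gets each answer; never buffer

if __name__ == "__main__":
    main()
```

Hook it in with url_rewrite_program /usr/local/bin/adrewrite.py (plus url_rewrite_children as load requires) in squid.conf, and test a rule from the shell first: echo 'http://ads.example-tv-station.com/top.gif 10.0.0.5/- - GET' | ./adrewrite.py should print the blank GIF URL. Keeping the decision in rewrite() means new station-specific rules are a one-line addition to the tuple or the pattern list, no restart of Squid's thinking required.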

The result is very clean and very safe Web surfing. Once you start blocking ads, you will never want to go back.

Never.

I have mentioned before I'm the Network Nazi at work. I run a commercial content-blocking software package - that will remain nameless - and I also block ads on my own corporate account. I've been doing so for a very long time with this package. I am so used to not seeing ads that I'm totally appalled whenever I have to use someone else's computer.

Why do people put up with that crap?

Wednesday, November 26, 2008

Lean Sock Puppets

sock puppet (noun) : a name or identity used online to deceive others and that is often used to direct praise or attention to oneself. (From Merriam-Webster's Open Dictionary)

Anyone who has spent any hard time in a corporation or bureaucracy knows that there are certain management fads that make the rounds. There is no escape. It's going to happen and it usually happens for a reason.

For our previous CIO, whose job it was to reorganize the IT department it was Who Moved My Cheese.

Back then, if you were a middle manager and didn't have a copy of the book prominently displayed somewhere in your loser cruiser or on your desktop, you could end up being branded as some sort of corporate insurgent. It was everywhere. The most faithful always carried a copy with them to meetings to spread the faith whether they believed it (or read it) or not.

The latest CIO is proselytizing The 7 Habits of Highly Effective People.

Ugh. Not again. The less said about that nonsense, the better. That crap has been making the rounds for almost twenty years now.

But this isn't about cheese or habits or CIOs. It's about IT Security and the CSO.

A few months back, the CSO sent us this link (don't bother reading it, it is crap) to an article on "Lean Security" and noted we would be hearing more about it in the months to come.

Uh-oh. In my mind that meant "here come the budget cuts, kiddies!"

I dutifully read the article and before going beyond the second paragraph I got an eerie feeling of déjà vu.

I knew I had read it before, but something was different. The subject had come up in the late 90s, but back then it was "Lean IT". As I read on I became convinced that the author had simply recycled the "Lean IT" article by searching for "IT" and replacing it with "Security".

It was an astounding epiphany. "What now?" I asked myself. Was this going to be the Next Big Thing industry-wide? In order to answer that I created - what else? - a Google News Alert for "Lean Security".

There were very few hits over the next few months, and nearly all of them pointed back to the same article the CSO had provided a link to. That settled the "industry-wide" question in my own mind. There was no buzz. Anywhere.

The CSO never mentioned it again.

This brings us to the sock puppets. It turns out there's a Lean Enterprise Institute. They've been responsible for distributing this crud for over 11 years. It figures. They even have a Lean Forum, and that's where my most recent Google Alert came from. It pointed to this thread, which goes like this:

Sock Puppet #1: I've read several articles of applying LEAN principles to security operations. Can anyone suggest additional readings? Just a really interesting concept for me. Thanks!

Sock Puppet #2: It makes sense. Security is just another process, with a specified outcome.

Sock Puppet #3: I'd be happy to discuss this topic with you. I have co-authored the original article on applying lean principles to security and will continue a series of columns in Security Technology & Design Magazine for the next 10 months.

Oh, brother. Nothing stands out like a self-serving clusterfuck.