
November 29, 2003

Hot Lava

For one project I’ve been working on recently, I’ve had recourse to some wonderful online mathematical resources, courtesy of Neil Sloane:

The former, in particular, is the “lava lamp” for the mathematically-inclined. Endlessly fascinating, in a hypnotic sort of way…

Posted by distler at 12:16 AM | Permalink | Post a Comment

November 28, 2003

Baby Eaters

Back in January, The Independent published a cartoon which played heavily on the medieval anti-semitic Blood Libel for effect. I thought a side-by-side comparison with a typical cartoon from the Arab Press would make it perfectly clear why Dave Brown’s cartoon was so offensive.

No such luck. The cartoon has just won first prize in the British Political Cartoon Society’s annual competition. What this says about the state of British … umh … political cartooning, is left as an exercise for the reader.

Posted by distler at 12:00 AM | Permalink | Followups (2)

November 27, 2003

DHCP Vulnerability in MacOSX

Here’s a fun one: a remote root hole in MacOSX, just in time for Turkey Day. It’s not a “new” vulnerability, in the sense that rogue NetInfo servers were a potential problem way back in NeXTStep days. Now we can add rogue LDAP servers to the list, but the idea is the same. What makes the exploit “new” is the prevalence of MacOSX laptops, and WiFi, which make it far more likely that you’re going to boot up your MacOSX machine in a “hostile” environment, where one of these rogue servers might be lurking on the same subnet.

The main philosophical failing in this issue was to explicitly trust information from a network by default. Trusting information from any network can be a very dangerous matter and especially the hostile realms of IP and the Internet. Ideally, data from the network should only be trusted when the user explicitly says they would like to, or when accepting that data cannot have possibly any destructive repercussions.

Usually, no harm can come from accepting data from a DHCP server. One presumes that even if the server isn’t legitimate it won’t cause any unavoidable harm. In the average case, the user will wind up with an IPv4 address that won’t work or some similarly benign difficulty. In the worst case, a malicious DNS server assignment could cause harm through social engineering approaches …

In this case, the netinfod processes accept the authentication server information at face value even though the source is unknown and unverified. This information should be untrusted unless the user has explicitly told the machine otherwise.

The fix, as detailed in the “Workarounds” section of the Advisory is to turn off the automatic binding to a DHCP-provided NetInfo/LDAP server. “Off” shoulda been the default setting from the 'git go.

It is now …

Update (11/26/2003): Apple has posted a Knowledge Base article with the workaround.

Posted by distler at 12:24 AM | Permalink | Post a Comment

November 23, 2003

More MT Spam Vulnerabilities

I think we got us a theme going…

Remember insecure formmail scripts? How very 1990s, eh?

As if comment spam were not bad enough, MovableType includes, in its default installation, a CGI script called mt-send-entry.cgi which — you guessed it! — can be used to send email anonymously to anyone in the world.

And, no, this is not a merely theoretical issue; it’s being actively exploited by spammers.

Ben Trott has proposed the following patch to address the issue:

--- mt-send-entry.cgi.orig      Sun Nov 23 20:21:12 2003
+++ mt-send-entry.cgi   Sun Nov 23 21:23:48 2003
@@ -37,6 +37,8 @@
         die "Missing required parameters\n";
     }
 
+    die "Invalid from or to value"
+       if $to =~ /[\r\n]/ || $from =~ /[\r\n]/;
     my $entry = MT::Entry->load($entry_id)
         or die "Invalid entry ID '$entry_id'";
     my $blog = MT::Blog->load($entry->blog_id);
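
Review bot: The added check on `$to` and `$from` rejects only CR and LF, so a `$to` value holding a comma-separated list of addresses still passes; consider requiring each value to match a single-address pattern instead. The `die "Invalid from or to value"` string also lacks the trailing "\n" that `die "Missing required parameters\n"` above it has, so Perl will append the script file name and line number to the error text.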

But that addresses only one of the various ways in which this script can be exploited. Spammers can still send as much email as they want, with arbitrary message body content, to whomever they want, and do so completely anonymously. The only thing they can’t get rid of is the subject line

Subject: [Your Blog Name] Recommendation: Your Entry Title

which serves only to sully your reputation, and the first line of the message body,

Some fake email address has sent you a link!

(The link to your blog entry itself — at the bottom of the message body — is easily omitted, not that anyone will care.)

Unless you feel you absolutely must use this CGI script to allow anonymous visitors to mail arbitrary messages to whomever they please, you’d be much better off simply disabling it. Change the permissions on the offending script to make it inexecutable, or remove it entirely.

Do it now, before your blog is exploited by spammers.

Update (11/26/2003): Ben Trott has posted a message warning the vast majority of MT users, who don’t use this CGI script, to disable/remove it. He’s also posted an improved version (better than the patch above, but still only “spam-resistant”, rather than “spam-proof”) of the script.
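
As an added example (not part of the original post, and not Movable Type's or Ben Trott's code), here is a sketch of the checks a "mail this entry" form needs beyond rejecting CR/LF: one recipient only, a bounded message, and a per-client rate limit. The function name `check_request`, the limits, the no-URL rule and the sample requests are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: request checks for a "mail this entry" form.
# Hypothetical helper, not taken from mt-send-entry.cgi.
use strict;
use warnings;

my $MAX_PER_HOUR = 5;      # assumed per-client limit
my $MAX_NOTE_LEN = 500;    # assumed cap on the free-text message
my %sent;                  # client IP => [timestamps]; in-memory for the demo

# Returns undef if the request may be sent, otherwise a reason string.
sub check_request {
    my ($ip, $from, $to, $note, $now) = @_;
    for my $addr ($from, $to) {
        # The check from the patch above: no header injection via CR/LF.
        return 'CR/LF in address' if $addr =~ /[\r\n]/;
        # Exactly one address: no list separators, spaces or display names.
        return 'not a single address'
            unless $addr =~ /\A[^\s,;<>()"@]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    }
    return 'message too long'    if length($note) > $MAX_NOTE_LEN;
    return 'URL in message body' if $note =~ m{https?://}i;
    # Sliding one-hour window per client address.
    my $log = $sent{$ip} ||= [];
    @$log = grep { $now - $_ < 3600 } @$log;
    return 'rate limit exceeded' if @$log >= $MAX_PER_HOUR;
    push @$log, $now;
    return;
}

# Constructed sample requests (not real traffic): [ip, from, to, note].
my @requests = (
    ['192.0.2.10', 'alice@example.org', 'bob@example.net', 'Thought of you.'],
    ['192.0.2.10', 'alice@example.org', "bob\@example.net\nBcc: x\@example.com", 'hi'],
    ['192.0.2.10', 'alice@example.org', 'a@example.net, b@example.net', 'hi'],
    ['192.0.2.10', 'alice@example.org', 'bob@example.net', 'Pills http://spam.example/'],
);

my $now = time;
for my $r (@requests) {
    my $why = check_request(@$r, $now);
    printf "%-32.32s => %s\n", $r->[2] =~ s/[\r\n]/\\n/gr, $why // 'accepted';
}

# Six otherwise valid requests from one client: the sixth is refused.
my @burst = map {
    check_request('198.51.100.7', 'a@example.org', 'b@example.net', 'hi', $now)
        // 'accepted'
} 1 .. 6;
print "request 6 from one client => $burst[5]\n";
```

Like the improved script mentioned in the update, checks of this kind make a form spam-resistant rather than spam-proof; disabling an unused script remains the stronger measure.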

Posted by distler at 9:57 PM | Permalink | Followups (25)

November 22, 2003

If You Can’t Beat 'Em

Speaking of spam, here’s a site to restore your faith in humanity.

Posted by distler at 10:03 AM | Permalink | Post a Comment