An archive of the Security category

By Greg  |  August 5, 2011  |  Security  |  Be the first to comment

I have some excellent news. Mark Maunder (who originally reported the zero day in timthumb.php) forked timthumb.php into a new, more secure (and more functional) solution called WordThumb. I read over the source code and it is much better designed than the original. Excellent work!

Perhaps something positive will come out of this episode. First off, I hope that Ben Gillbanks (who maintains timthumb.php) learned a few lessons about secure programming. Second, I hope that the rest of the online community learned proper zero day procedures. While I give Mr. Maunder all due respect for releasing a much better version of this utility, I really wish he had written this version, then announced the vulnerability.

By Greg  |  August 2, 2011  |  Security  |  Be the first to comment

Yesterday evening, I read an article and had one of those truly classic ‘facepalm’ moments. Someone named Mark Maunder, who runs a Seattle based company called Feedjit decided to write an article detailing a zero day vulnerability in a very popular WordPress utility called timthumb.php. This particular script is bundled in many free/commercial WordPress themes, so this is a very dangerous exploit.

Timthumb.php has some pretty serious problems which make me question why it was released in the first place. The script has this cute little $allowedSites array which lets users remotely load files from domains like flickr.com, or picasa.com. Not really a bad idea, except the developer decided to use strpos to see if that string appears anywhere in the domain. This means that if you are malicious, you can set up something like http://flickr.com.criminals.com/attack.php and timthumb will fetch the file for you and put it in your cache directory ready to be executed. From a design point of view, this is about as bad a mistake as a developer can make.
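The substring-match flaw described above, modelled in Python as an added example (this is not timthumb.php's own code; the allowed domains and sample URLs are taken from the post, and the hardened check is my own). The weak function mirrors what a `strpos($host, $site) !== false` test does, so a host such as `flickr.com.criminals.com` passes; the hardened function parses the URL, restricts the scheme, and only accepts an exact allowed host or a real subdomain of one:

```python
"""Remote-host allowlisting: substring match (the timthumb.php mistake) vs. exact host match.

Added example, not the original script's code. ALLOWED_SITES holds the two domains
the post mentions; the sample URLs below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

ALLOWED_SITES = ["flickr.com", "picasa.com"]


def is_allowed_substring(url: str) -> bool:
    """Weak check: true if an allowed domain appears *anywhere* in the host.

    Equivalent to PHP's strpos($host, $site) !== false, so attacker-controlled
    hosts like 'flickr.com.criminals.com' are accepted.
    """
    host = urlsplit(url).hostname or ""
    return any(site in host for site in ALLOWED_SITES)


def is_allowed_host(url: str) -> bool:
    """Hardened check: http(s) only, and the host must equal an allowed domain
    or be a genuine subdomain of it (ends with '.' + domain)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname already strips userinfo ('user@') and the port, and lowercases
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def compare_checks(urls):
    """Return {url: (weak_result, hardened_result)} for a batch of URLs."""
    return {u: (is_allowed_substring(u), is_allowed_host(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample input: the bypass host from the post plus legitimate hosts
    samples = [
        "http://flickr.com/photo.jpg",
        "http://farm1.static.flickr.com/photo.jpg",
        "http://flickr.com.criminals.com/attack.php",   # substring match lets this through
        "http://flickr.com@evil.example/x.jpg",          # userinfo trick; hostname is evil.example
        "ftp://flickr.com/photo.jpg",                    # scheme not permitted by hardened check
    ]
    for url, (weak, strong) in compare_checks(samples).items():
        print(f"{url:45s} weak={weak!s:5s} hardened={strong!s}")
```

The important design difference is that the hardened version compares against the parsed hostname rather than searching the raw string, so neither appended labels nor a `user@` prefix can smuggle an allowed domain name into a different host.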

As I see it, nobody in this sad affair can go without blame and frankly, I am pissed.

(keep reading…)

By Greg  |  July 20, 2011  |  Security  |  Be the first to comment

The mainstream media kicked into high gear yesterday with news that 14 members of the pseudo-group Anonymous had been arrested. These arrests, which stemmed from attacks against Paypal (which were in response to that service’s decision to stop collecting funds for Wikileaks) were greeted with near universal happiness. The evil ‘hackers’ were arrested and the web was a safer place.

But, is the web really a safer place?

When you go through the indictments, a different picture emerges. The people arrested were not charged with being high level cyber criminals – these people did not engineer attacks against major websites. Rather, for the most part, they were people who downloaded a tool called Low Orbit Ion Cannon (LOIC) and chose to use it against Paypal (and other sites) during Operation Payback. Or, there is the case of Lance Moore, a 21 year old AT&T contractor from Las Cruces, New Mexico who used his access to download confidential corporate documents (which he then posted online).

(keep reading…)

By Greg  |  June 24, 2011  |  Business , Gratuitous Posts , Security  |  Comments (2)

While checking out Hacker News, I came across an article by the founders of a company called Grinnit. Titled “Five Takeaways from Folding a Startup”, this article was seriously thought provoking and got me thinking about my own failed startup. I have been carrying the ghost of my own failed startup around for three years now and I think this gives me a great opportunity to exorcise it.

I went back to University in my late 20s after a fairly long hiatus. When I returned, I realized that several things had changed. First, I was usually one of the oldest people in every class. This meant that my peers were usually professionals who were taking classes to upgrade their skills or for pure recreation. Second, because of my age, I found it easier to make friends with grad students and professors instead of undergrads. Third, I realized that I was a little too old to be on student loans – the experience of incredible poverty (after having worked full-time for several years) was a huge shock to my system.

(keep reading…)

By Greg  |  June 22, 2011  |  Security  |  Be the first to comment

My long silenced, investigative nerd has been salivating over the story of Lulzsec. If you’re not familiar, Lulzsec is a group (thought to be affiliated with Anonymous) that has attacked websites belonging to Sony, Fox, the CIA, etc. While their actions have, no doubt, been criminal, I have a certain amount of respect for their message. Let’s consider the Sony attack for a moment. Lulzsec took down the Sony Playstation network and compromised over 1 million user accounts. On one hand, that is a vile example of theft. But on the other hand, Lulzsec broke into Sony using an SQL injection.

Rather than give a long, drawn out technical definition of what an SQL injection is, I am going to use a very famous comic from XKCD.

Exploits of a Mom - an XKCD web comic

(keep reading…)

By Greg  |  June 20, 2011  |  News , Security  |  Be the first to comment

A desolate open road by 1wan

This post’s random (creative commons attribution) Flickr photo was taken by a photographer who goes by 1wan. This untitled photograph makes me want to condense my life into a backpack and hit the road.

Have any of you used Dropbox? If you aren’t familiar, Dropbox is a file hosting/synchronization service that essentially acts like one big online hard drive. You can save files onto your Dropbox and then access them from any device with an internet connection. This means that you can save a .pdf on your PC at home, then open it up with your iPhone when you’re on the other side of the world. Cool idea, right? Adding to its appeal, Dropbox has an amazing interface – you sit down and instantly feel comfortable using this particular offering.

Dropbox is in the data storage business, which means that it has to provide two totally unique (and often competing) experiences to users:

  • It must make it easy to save and retrieve files from Dropbox
  • It must keep customer data secure

(keep reading…)

By Greg  |  June 17, 2011  |  Security  |  Be the first to comment

Japanese Garden by Styro

I found the image to the right on Flickr, found it haunting and decided that I had to use it. Luckily, Styro (the photographer) released it under a Creative Commons Attribution license, so I can show the rest of you. Check out Styro’s photostream for more great shots.

For the first time, Lulz Security (the group of programmers who broke into Sony, PBS, and Fox) has spoken publicly about its exploits. Yesterday, they posted a ‘1000th tweet statement’ on Pastebin.com. I’m not sure how I feel about Lulzsec. On one hand, they attacked privacy, stealing (and in some cases releasing) a large amount of personal information. But, on the other hand, their paste raises some very valid points. Consider this quote from their pastebin:

But what if we just hadn’t released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony… watching… abusing…

(keep reading…)