Friday, March 24, 2017

Despite my previous stance... (also, server security!)

The feed from my blog is now the default news that will be displayed on 666igma.com - I've set this up because I think it will be easier to have all of my updates posted to a single platform. Unfortunately, this has caused me to lose some of the previous news posts that existed, but I really think that is not a very big deal.

Give me some time to get it looking and functioning properly on the website... it really should not take too long.

I am also posting this during the midst of CONSTANT intrusion attempts on my server. I've literally got a backlog of various IPs trying to access tons of different services on different ports and authenticate. I've recently moved my SSH port and disabled root login from it entirely as one of my security precautions, and if you run a Linux server with SSH enabled, I suggest you do the same.

Security through obscurity (STO) is not a great practice... that is what it is called when you just change your SSH daemon to some random port in the hopes that it will not be found. It is very easy to find all services on a given machine. Hackers right now are not just discovering websites that are on the internet and randomly trying to attack them; they are trying to attack entire IP BLOCKS. What this means is that they are running brute-force style attacks on any given IP that might exist within a particular range of IPs.

No big deal! There are tons of ways you can improve the security of your server. Fail2Ban is a nice option; it tries to detect these types of intrusions and eliminate them.

Here is an example of what my /var/log/auth.log looked like during the attacks:
Mar 20 07:35:05 jserve sshd[31187]: Failed password for root from 218.65.30.53 port 36066 ssh2
Mar 20 07:35:05 jserve sshd[31187]: error: maximum authentication attempts exceeded for root from 2$
Mar 20 07:35:05 jserve sshd[31187]: Disconnecting: Too many authentication failures [preauth]
Mar 20 07:35:05 jserve sshd[31187]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=s$
Mar 20 07:35:05 jserve sshd[31187]: PAM service(sshd) ignoring max retries; 6 > 3
Mar 20 07:35:07 jserve sshd[31191]: Failed password for root from 183.214.141.101 port 14556 ssh2
Mar 20 07:35:08 jserve sshd[31448]: pam_unix(sshd:auth): authentication failure; logname= uid=0 eui$
Mar 20 07:35:10 jserve sshd[31191]: Failed password for root from 183.214.141.101 port 14556 ssh2
Mar 20 07:35:11 jserve sshd[31448]: Failed password for root from 218.65.30.53 port 8127 ssh2
Mar 20 07:35:13 jserve sshd[31191]: Failed password for root from 183.214.141.101 port 14556 ssh2
Mar 20 07:35:14 jserve sshd[31448]: Failed password for root from 218.65.30.53 port 8127 ssh2
Mar 20 07:35:15 jserve sshd[31191]: Failed password for root from 183.214.141.101 port 14556 ssh2
Mar 20 07:35:17 jserve sshd[31448]: Failed password for root from 218.65.30.53 port 8127 ssh2
Mar 20 07:35:18 jserve sshd[31191]: Failed password for root from 183.214.141.101 port 14556 ssh2
Mar 20 07:35:18 jserve sshd[31191]: error: maximum authentication attempts exceeded for root from 1$
There are literally pages upon pages of these attempts and failures. Far too many for me to post here, even. When did they start? I'm uncertain. When did they stop? When I changed my SSH port, first, but I also changed my SSH configuration.
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
This was previously set to PermitRootLogin prohibit-password. In some earlier versions of the SSH configuration files, this was styled as PermitRootLogin no-password, which is confusing, right? That would seem to indicate that root could log in with no password! However, that was not the case; it was just an issue with how the configuration was named. With prohibit-password and no-password there is still the ability for root to log in via a public key. Fairly secure, but why allow root to log in AT ALL? The root user is not even really used any more by any semi-secure system for any operation.
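
Returning to the auth.log excerpt above: an added sketch (not Fail2Ban's code and not from the original post) of the per-address failure counting that tools like Fail2Ban automate. The parameter names max_retry and find_time echo Fail2Ban's maxretry and findtime settings; the log lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format of the excerpt above; the addresses
# come from the RFC 5737 documentation ranges, not from real hosts.
SAMPLE_LOG = """\
Mar 20 07:00:01 host sshd[90]: Failed password for root from 192.0.2.44 port 4000 ssh2
Mar 20 07:15:01 host sshd[91]: Failed password for root from 192.0.2.44 port 4001 ssh2
Mar 20 07:30:01 host sshd[92]: Failed password for root from 192.0.2.44 port 4002 ssh2
Mar 20 07:35:05 host sshd[101]: Failed password for root from 203.0.113.7 port 36066 ssh2
Mar 20 07:35:05 host sshd[101]: Disconnecting: Too many authentication failures [preauth]
Mar 20 07:35:07 host sshd[102]: Failed password for root from 198.51.100.23 port 14556 ssh2
Mar 20 07:35:08 host sshd[103]: Failed password for root from 203.0.113.7 port 8127 ssh2
Mar 20 07:35:10 host sshd[102]: Failed password for invalid user admin from 198.51.100.23 port 14556 ssh2
Mar 20 07:35:11 host sshd[103]: Failed password for root from 203.0.113.7 port 8127 ssh2
Mar 20 07:35:14 host sshd[103]: Failed password for root from 203.0.113.7 port 8127 ssh2
Mar 20 07:35:17 host sshd[103]: Failed password for root from 203.0.113.7 port 8127 ssh2
Mar 20 07:35:20 host sshd[103]: Failed password for root from 203.0.113.7 port 8127 ssh2
Mar 20 07:36:00 host sshd[104]: Accepted publickey for deploy from 198.51.100.23 port 5000 ssh2
Mar 20 07:45:01 host sshd[93]: Failed password for root from 192.0.2.44 port 4003 ssh2
Mar 20 08:00:01 host sshd[94]: Failed password for root from 192.0.2.44 port 4004 ssh2
"""

# Matches sshd "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2017):
    """Yield (timestamp, user, ip) for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def offenders(text, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: peak count} for addresses that reach max_retry failures
    inside a sliding window of find_time. Assumes chronological log order."""
    windows = defaultdict(list)
    flagged = {}
    for ts, _user, ip in parse_failures(text):
        # Drop failures that have aged out of the window, then add this one.
        recent = [t for t in windows[ip] if ts - t <= find_time]
        recent.append(ts)
        windows[ip] = recent
        if len(recent) >= max_retry:
            flagged[ip] = max(flagged.get(ip, 0), len(recent))
    return flagged


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within the window")
```

The slow address (one failure every 15 minutes) stays under the default 10-minute window, which is why the window length matters as much as the retry count.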

In addition, several of the forms I have provided for many of the websites I host have experienced attacks recently. Most were trying to utilize some form of SQL injection attack. In a hilarious twist of events, one of the forms that was being targeted did not even interact with SQL at all. If you take form input from users, make sure to sanitize the data. There are a lot of ways to go about this and I am experimenting with some novel methods even as I write this to make forms very secure in a way that I do not think has ever even been tried before.

Oh, that got you interested? Well, let me explain. Normally, an attacker might try to do things with an input form that will cause their input information to be read and executed by the server. If you normally take a variable and put it as part of the INSERT command as a string, for instance, malicious code can be run. The normal ways of preventing this are to make sure the user can ONLY input information compatible with that particular form. A good way to stop most attacks dead in their tracks is by limiting the input data to a certain number of characters.

This might not always be possible, though. What if you are allowing them to post large blocks of text... say, like on a forum post or as a comment? That could obviously create an issue. Tons of commands can be run against the input string to check it for malicious code or try to disable it in some manner if it includes characters that might lead to the input of malicious code.

One of the new ways I've devised to sanitize the input of user data is to COMPRESS it!
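<?php
// Compress the input with zlib at the maximum compression level (9).
$string = "Compress this string to death!";
$compressedString = gzcompress($string, 9);
echo $compressedString; // raw binary zlib stream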
That code will create this string as output:
x�s��-(J-.V(��,V(.)��KW(�WHIM,�P �* &  
Obviously some of those characters are errors, but that is the point here. There would be no real way to structure most attacks to take advantage of this compression to accurately execute their attack. Even if they could, there are two advantages here. First, STO (Security Through Obscurity): how would they know I am even compressing it in this manner? Second, even if they were, in theory, able to create a string that might compress into an attack, it would be horribly obtuse and likely exceed even the most generous character limitations on form inputs.
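
An added example, not code from the original post: the compress-then-store idea in Python, whose zlib.compress writes the same zlib format as PHP's gzcompress. The comments table and function names are hypothetical; the sketch shows the two steps that still apply around the compression: the binary result goes into the INSERT as a bound parameter, and because decompression returns the original text unchanged, it is escaped when displayed.

```python
import html
import sqlite3
import zlib

# Constructed sample comment containing quotes and markup characters.
SAMPLE_COMMENT = "O'Brien wrote: \"see <b>this</b>\" and it's great!"


def open_store():
    """In-memory database with a hypothetical comments table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body BLOB NOT NULL)")
    return db


def save_comment(db, text, max_chars=10_000):
    """Length-check, compress, and store the comment through a bound parameter."""
    if len(text) > max_chars:
        raise ValueError("comment too long")
    # Same zlib stream format that gzcompress($string, 9) produces in PHP.
    blob = zlib.compress(text.encode("utf-8"), 9)
    # The blob is arbitrary binary, so it is never spliced into the SQL text;
    # the ? placeholder keeps it as data whatever bytes it contains.
    cur = db.execute("INSERT INTO comments (body) VALUES (?)", (blob,))
    return cur.lastrowid


def load_comment(db, comment_id):
    """Fetch and decompress; the result is exactly what the user submitted."""
    row = db.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    if row is None:
        raise KeyError(comment_id)
    return zlib.decompress(row[0]).decode("utf-8")


def render_comment(db, comment_id):
    """Escape on output, since decompression restores every original character."""
    return "<p>" + html.escape(load_comment(db, comment_id)) + "</p>"


def non_text_bytes(text):
    """Count bytes of the compressed form that fall outside printable ASCII."""
    blob = zlib.compress(text.encode("utf-8"), 9)
    return sum(1 for b in blob if not 32 <= b < 127)


if __name__ == "__main__":
    store = open_store()
    cid = save_comment(store, SAMPLE_COMMENT)
    print(render_comment(store, cid))
    print(non_text_bytes("Compress this string to death!"), "non-text bytes")
```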

Maybe "SVC", or Security Via Compression, will become a thing some day. If it ever does, remember that you read about it here first!

Interesting concept, right?

Dymaxion Map of the World

This is my favorite type of world map. According to Wikipedia:

The Dymaxion map or Fuller map is a projection of a world map onto the surface of an icosahedron, which can be unfolded and flattened to two dimensions. The flat map is heavily interrupted in order to preserve shapes and sizes.

You can really see how close all the world is to being a single contiguous landmass. I was first exposed to this map from a random page in a Wired magazine that actually was just using the map to convey some data and did not actually explain what the map was or how it was created.


Map of the world in a Fuller projection with Tissot's Indicatrix of deformation

Example of use illustrating early human migrations according to mitochondrial population genetics (numbers are millennia before present)

There are two more examples from Wikipedia. The human migration aspect is important, the creator of the map used it in a book he authored:

Showing the continents as "one island earth" also helped Fuller explain, in his book Critical Path, the journeys of early seafaring people, who were in effect using prevailing winds to circumnavigate this world island.

Here are some other interesting facts about this map... all of my quotes are from Wikipedia:

Fuller claimed that his map had several advantages over other projections for world maps.

It has less distortion of relative size of areas, most notably when compared to the Mercator projection; and less distortion of shapes of areas, notably when compared to the Gall–Peters projection. Other compromise projections attempt a similar trade-off.

More unusually, the Dymaxion map does not have any "right way up". Fuller argued that in the universe there is no "up" and "down", or "north" and "south": only "in" and "out".[4] Gravitational forces of the stars and planets created "in", meaning "towards the gravitational center", and "out", meaning "away from the gravitational center". He attributed the north-up-superior/south-down-inferior presentation of most other world maps to cultural bias.
Fuller intended the map to be unfolded in different ways to emphasize different aspects of the world.[5] Peeling the triangular faces of the icosahedron apart in one way results in an icosahedral net that shows an almost contiguous land mass comprising all of Earth's continents – not groups of continents divided by oceans. Peeling the solid apart in a different way presents a view of the world dominated by connected oceans surrounded by land. 

All of this information should hopefully convert you to a believer of this map and maybe even a user of it, next time you have to consider which projection of the world to select for an image or to illustrate various data metrics. Personally, I am a huge fan of this map, even before I was aware of all the advantages it offers. It just makes sense! If you have to view the world in two dimensions, then this is the map to do it with.


Tuesday, March 21, 2017

The Oxford comma and how my writing style differs because I am a nerd

One thing you may notice that is missing from my writing is the Oxford comma, also known as the Harvard or "serial" comma. What is the Oxford comma, you ask? Let's see what Wikipedia has to say on the subject:

In English language punctuation, a serial comma or series comma (also called an Oxford comma or a Harvard comma[1]) is a comma placed immediately before the coordinating conjunction (usually and or or) in a series of three or more terms. For example, a list of three countries might be punctuated either as "France, Italy, and Spain" (with the serial comma), or as "France, Italy and Spain" (without the serial comma).[2][3][4]

Opinions among writers and editors differ on whether to use the serial comma. In American English, a majority of style guides mandate use of the serial comma, including APA style,[5] The Chicago Manual of Style, The MLA Style Manual, Strunk and White's Elements of Style,[6] and the U.S. Government Printing Office Style Manual. In contrast, the Associated Press Stylebook and the stylebook published by The Canadian Press for journalistic writing advise against it. It is used less often in British English,[7] but some British style guides require it, including The Oxford Style Manual.[8] According to The Oxford Companion to the English Language, "Commas are used to separate items in a list or sequence ... Usage varies as to the inclusion of a comma before and in the last item ... This practice is controversial and is known as the serial comma or Oxford comma, because it is part of the house style of Oxford University Press."[9] Some use it only where necessary to avoid ambiguity,[10] in contrast to such guides as Garner's Modern American Usage, which advocate its routine use to avoid ambiguity.

This is actually one of the many differences and nuances you may notice in my writing style. I actually honed the majority of my writing skills on the internet.. mostly on forums and IRC (Internet Relay Chat). At a very pivotal point in my development with the English language and from a very early age, the internet was my primary form of communication. IRC, more than anything else, forced me to become a very fast and accurate typist. Making a typo or using most forms of abbreviation are generally frowned upon by the citizens of most IRC channels.

During this same time frame, I also took up programming. This may have actually hurt more than anything else. In programming, you must be very careful to have a certain type of syntax, or format, to every line of code you write. The order and manner in which you open and close any type of quotations, brackets, parentheses, etc. are vital to getting your code to compile and run properly. This may have been where my aversion to the serial comma originated.

In my mind, a list of items ends with the last item. Anything following that is some new concept entirely. In most programming languages, adding the serial comma would be equivalent to making the "and" that follows part of the serial list of items that came before it.

Con: "Those at the ceremony were the commodore, the fleet captain, the donor of the cup, Mr. Smith, and Mr. Jones."
This example from the 1934 style book of the New York Herald Tribune shows how a comma before "and" can result in a lack of clarity. With the comma, it reads as if Mr. Smith was the donor of the cup, which he was not.
I have taken this particular example from a mental_floss article. There are many other examples where using a serial comma can cause confusion. Also in existence, however, are many instances where not using it may create problems for the reader. In all instances, proper sentence or paragraph structure can help to eliminate any problems that may arise.

One issue that I had for a long time was in understanding how quotations were supposed to work, especially in reference to works of fiction where there is a lot of dialogue between characters. This is 100% related to my programming background.

When programming, quotations are often used to contain specific parameters or data, with any punctuation that occurs inside of them belonging to that data, while punctuation which occurs outside of those quotations is used to designate other things. Most programming languages require a semicolon at the end of every line, for instance. An example from my favorite language, PHP, of the popular programming concept "Hello World" (which is usually the first output a beginner will make with a given language):

echo 'Hello World';
The semicolon at the end is not output, neither is the word 'echo' or the quotation marks. The end result only returns a black screen with "Hello World" on it (minus the quotations). This ends up instilling a strong sense that whatever comes outside of quotation marks is in some way SEPARATE from what occurs inside of them. To make things more of a hassle, some types of punctuation are meant to occur inside quotation marks, while others must not, while writing.

When you say someone is “square,” do you mean he is antisocial or merely old-fashioned?
Periods and commas go inside, while semicolons do not. That was an actual example from WritersOnlineWorkshops. For a programmer, having that comma, which seems to logically be part of the sentence syntax and structure, occur inside of the quotation marks, is frustrating, to say the least.

An example you may have just noticed about my writing style in the previous paragraph is my gratuitous use of commas. This may not have come from programming. My paragraphs are also typically much shorter than they should or could be. This is an after-effect of so much online chatting. Getting a point across as quickly as possible is of the utmost importance on the internet, which can lead to ideas becoming fragmented and compartmentalized.

I use a few tools to help me write better, such as Grammarly, but there are still many problems with my writing and I'd like to make you aware that I am cognizant of these issues while providing a few excuses as to why I write the way that I do.

Languages are constantly evolving. They are living things. We've only just begun to witness the effect that the internet has on written language. Many words we use on a daily basis did not even exist a few decades ago. Is it safe to assume that, a few decades from now, many of the rules that currently govern writing may become obsolete or be modified to fit our new favorite medium, the internet?


The difference between state/federal prison, parole/probation and jail/prison.

For those of you that do not know, I was actually on the front page of popular news aggregation website Reddit. My post was in the format of something called an "IAmA", which invited the users at large to ask me various questions about my recent trip to the federal prison system that lasted several years too long for my liking. If you'd like to view the original post, here is the link Jack on Reddit IAmA.

At the time of this writing, the post has over 12,500 votes, over 9,000 of which were positive. There are also over 3,000 comments, many of which I responded to (as that is the purpose of doing an IAmA). To my surprise, most of the comments/questions involved what the federal prison system was actually like on the inside and how a person might fare in there. I was actually expecting more dialogue concerning what actually got me indicted in the first place - importing chemicals from China to the United States.

Several readers suggested I write a book about my ordeal. One of the main purposes of this Blog is for me to be able to collect and maintain some writing specific to my experience(s) in Federal prison which could one day serve as chapters or a template for such a book.

My experience on Reddit makes me aware that what most people are interested in is how the actual process works and what day-to-day life is like behind the walls and bars. While in prison, I thought it would be a great idea to write an epic story about how I ended up in prison, my forays into the underground Research Chemical market and all of my various escapades as a drug dealer and criminal in general.

I should have known! Prison culture is popular in the United States. Your chances of going to prison, this day and age, are much greater than they were at any time prior. Almost everybody knows somebody who knows somebody who is either in prison or has been to prison. Shows like "Orange is the New Black" highlight how successful even fictional accounts of prison life may be. I've actually never seen that show, but have heard that it is much closer to real life than many other depictions of the prison system, especially the federal prison system.

One of the big misconceptions that people have is that they think that all prisons are just "prison", or worse yet, "jail". There are many nuances to the actual structure of the system. Did you know there is a difference between "probation" and "parole"? As someone who must spend the next 3 years or so on federal probation, it is very frustrating to hear people constantly refer to it as "parole". What are the differences?

Let's start with the difference between STATE and FEDERAL prison. When you go to state prison, it is because you were prosecuted under the jurisdiction of a particular state. This is the most common scenario, as the majority of criminal cases fall within the jurisdiction of a particular county. As counties are part of the state in which they reside, the judges which handle state cases end up sending those defendants to state prison systems (when and if they are found guilty during criminal proceedings). States typically process the more mundane and common criminal cases.

Federal prison is where a defendant goes when they are indicted by a grand jury and prosecuted by the actual United States government. Rather than seeing "The State of Florida Versus (Defendant)", they will get nice pieces of paper with "The United States of America Versus (Defendant)" typed in usually all capital letters across the top of the page. Federal prosecutors handle any type of case which has international components, for a start, but federal judges have jurisdiction over a wide variety of crimes, some of which would make more sense for a state to prosecute.

You know those alphabet agencies, like the FBI, DEA and ATF? Those are federal agencies. When they get involved, the likelihood of the case making it to federal court increases substantially. This means that rather large cases involving numerous defendants or a high volume of drugs/money/victims will end up going before a grand jury and indicted on a federal, rather than state, level.

While a defendant is awaiting trial, they are held in facilities that are called jails. The difference between a jail and a prison is that jails do not typically house sentenced inmates. Some jails will hold inmates that have been found guilty on a state level, but only when their sentence is very short. In Florida, for instance, getting a sentence of over one year is what determines if an inmate will spend their time inside of a jail rather than a prison.

Once actually accepted into the prison system, there are numerous transfer and sorting facilities that process inmates on their way to their final destination. These add further confusion to outsiders who are unfamiliar with the mechanics, as these housing systems are harder to classify and come in various shapes and sizes.

A lot of state courts and all federal courts have removed parole as an option for inmates. What is parole? Parole is what happens to an inmate when they serve part of their sentence inside of prison and then serve the remaining sentence outside of prison for whatever reason. A prisoner who violated parole would be sent back to prison to finish the original duration of their sentence. Probation is different because it can occur as an alternative to a prison sentence, or as conditions for release after a prison sentence has been fully served, which is the case with federal prisoners. The minimum amount of time a federal prisoner will spend on probation is typically 3 years. Some federal inmates actually face lifelong probation after their incarceration ends.

You should now be much more informed than the average citizen about what the differences are between these various components. Besides lawyers, judges, prosecutors and the other people who are employed by the legal system, inmates are usually the only people aware of these differences.

Monday, March 20, 2017

I have terrible news...

There may be some more content here in the future, which will be much worse than this original post. Essentially, it is all just going to get worse from here on in.

Why require escalated permissions?

Moving stuff to my server and find it pretty strange that an open source software (not going to name any names), recently started attempti...