January 31st, 2010



I just found out about this.  Sorry, folks, but as much as I love Open Source, Mozilla is blowing it big time, and I have to speak.

There is a security exploit in ALL Mozilla-based browsers.  Firefox, SeaMonkey, Mozilla, all of them.  No patch exists for it, even though it has already been used to take down IRC channels.  For you Linux users, it is easy to fix.  Other browsers like Konqueror, Safari, Opera, and (yes) Internet Exploder aren't affected.

It is called the Firefox XPS IRC Attack.  It has been exploited by a trolling group from Slashdot calling itself the GNAA (Gay Nigger Association of America) to crash Freenode for over a month.  It is a simple port exploit.  Mozilla closed most of the ones that could cause the most mischief, except for one -- 6667, the default port for IRC servers.  A simple JavaScript (read that:  cross-platform, no OS is safe) embedded in a web link fills out an HTTP form and sends it as a POST to port 6667 and floods it with a bunch of IRC commands.  This can be used against anything, given how many protocols don't bother with cookied handshakes to connect.  This is intended to make web browsers work seamlessly with other Internet applications.  But it had never been tried in the wild before.  In other words, it's a whole new world to conquer, and this was just the first strike.

But fret not, my faithful Linux brethren.  Blocking this attack from hitting you AND any servers you are running is simplicity itself.  Use iptables u32 to skip past the IP and TCP headers of the packet, and match the first 4 bytes of the payload against "POST".  This is the command that does it:

-m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354" -m recent --set --name lastmeasure --rsource -j DROP

That's it. Literally. At least three IRC servers who got hit dropped this command into their iptables configuration and the attacks stopped instantly.  Efnet figured this out in about an hour.  Buttesnet, which has approximately one network admin, figured it out in four hours.  OFTC figured it out -- took them about a day, but they did.  They just used tcpdump and blocked it from the IP tables.  Freenode couldn't do this -- they instead upgraded the servers, and promptly got nailed again as soon as they came up.

Oh, for good measure, make a rule that will make any subsequent traffic refresh the drop entry.  Like so:

-m recent --update --seconds 86400 --name lastmeasure --rsource -j DROP
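
To see what the u32 test in the first rule actually checks, here is an added example (not from the original post) that evaluates the same expression in Python against constructed IPv4/TCP segments. `u32_match` and `build_packet` are hypothetical helper names, and the addresses and source port in the packets are made up.

```python
import re
import struct

# u32 test quoted in the post
RULE = "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0=0x504f5354"

def u32_match(expr, packet):
    """Evaluate a u32 test on raw IPv4 bytes (subset: >>, &, @ and one '=')."""
    lhs, want = expr.split("=")
    tokens = re.findall(r"0x[0-9a-fA-F]+|\d+|>>|&|@", lhs)
    base = 0

    def load(offset):
        # u32 reads a big-endian 32-bit word; a read past the end never matches
        pos = base + offset
        if pos + 4 > len(packet):
            return None
        return struct.unpack_from(">I", packet, pos)[0]

    value = load(int(tokens[0], 0))
    for op, num in zip(tokens[1::2], tokens[2::2]):
        if value is None:
            return False
        n = int(num, 0)
        if op == ">>":
            value >>= n
        elif op == "&":
            value &= n
        else:  # "@": skip forward by the computed header length, read again
            base += value
            value = load(n)
    return value is not None and value == int(want, 0)

def build_packet(payload, ip_opts=b"", tcp_opts=b""):
    """Constructed IPv4/TCP segment to port 6667 (checksums left at zero)."""
    ihl = (20 + len(ip_opts)) // 4      # IP header length in 32-bit words
    doff = (20 + len(tcp_opts)) // 4    # TCP data offset in 32-bit words
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 6667, 1, 1, doff << 4, 0x18,
                      65535, 0, 0)
    return ip + ip_opts + tcp + tcp_opts + payload

if __name__ == "__main__":
    # Constructed sample payloads: an HTTP form post, an IRC command, a short read
    for body in (b"POST / HTTP/1.1\r\n", b"NICK alice\r\n", b"POS"):
        print(body, u32_match(RULE, build_packet(body)))
```

The test is applied to each segment on its own, so it fires only when a segment's payload begins with POST, whatever the IP and TCP option lengths are.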

With that out of the way -- MOZILLA?!?  What the fuck is your problem?!?  You are the darlings of Open Source thanks to Firefox!  You are giving us a bad name!  I use Firefox and have yet to see an update for this!

Open source is about finding problems and fixing them.  You have ignored this at your own risk.  Things will only get worse if you don't figure out what to do now.  Lots of your users don't know about IP tables and that.  They rely on dedicated coders and engineers to protect them.  You are letting them down.  You are acting as bad as M$ does.  Get this fixed.
Peter G

Not sure what my last act was.  There are things that I just do that others regard as kindness, even though I put no such thought into it.  And there are times I try to do the right thing and it is seen as the polar opposite of kindness.

As for karma -- I want to believe in it, but the current state of the world kind of undermines the idea.
Peter G

Why I'm Glad I Don't Have Any Kids, And Why I Still Hate The World

Reported Jan 24, 2010 in the Boston Globe by Kevin Cullen.

Her name was Phoebe Prince.  She was 15 years old.  She had come from Ireland to the United States, her excitement to be here exceeded only by her excitement at returning to Ireland to see her dad.  She was a freshman at South Hadley High, and had a short romance with a senior on the football team.

And so she became a target.

The whole concept of "Mean Girls" isn't just a movie.  Anyone who has been on the receiving end of their ire (like me back in high school) knows that the vague platitudes of standing up for yourself don't work.  They are cruel, vicious, and heartless, and exist in all walks of life and all age groups.  Some are lucky and develop coping mechanisms, like how to employ simple avoidance.  Some are luckier and learn how to fight back in a way that discourages any further attention from them.  But we are rare.  And we are considered wrong.  First, there's the whole "you shouldn't pick on girls" thing that they employ as a convenient strawman that turns the Establishment into their own personal army.  Then, we are told we should be trying to get along and bridge our differences, not reinforce them.  They can't help it if they can't act without humanity, but we can, and we are expected to tolerate the abuse (and this is where some of us are luckiest, as we learned the art of subterfuge).

The Mean Girls clique in school started following Phoebe around, calling her a slut.  When they wanted to pile it on, they called her an Irish slut.  Name-calling, stalking, and intimidation were the marching orders of the day.

On Jan 14, Phoebe was walking home when a Mean Girl went by in a car.  The Mean Girl started insulting her and threw a canned energy drink at her.  Phoebe didn't react right away.  She just went home.  Then, she went into her closet and hung herself.  Her 12-year-old sister found her.

The Mean Girls went on Facebook and made fun of Phoebe's suicide.  They continued to badmouth Phoebe at school.  They even went to a dance two days after Phoebe's suicide, bragging about how they were playing dumb with the police investigating.

A Springfield, MA TV station sent a camera crew to interview students.  One student talked on camera about the predators stalking the halls of the schools.  The camera went off, the crew left, and a Mean Girl grabbed the student, slammed her against a locker, and punched her in the head.

Instead of trying to deal with the bullies, people are asking why Phoebe hung herself instead of standing up to the abuse.  They are blaming the victim.  And the Mean Girls are left alone.  There are supposedly three investigations going on at the school, but the school says these things take time.  And a meeting was planned to address all this this past week, but it has been postponed indefinitely.

Phoebe has returned to Ireland, but in a pine box.  Her family buried her in County Clare, because "they wanted an ocean between her" and her tormentors.

When you're a parent, you have the responsibility to teach your kids and protect them.

How in the world could I ever protect my kids against something like this?

The List -- A Sine Timore Production

End of the month!  So, how am I doing so far?

SOUND WAVES -- Wow.  I got almost nothing done.  I have part of page 1 of issue #9 penciled and inked.  Also, wrote the script for the Sound Waves Christmas Special to come out around November.  So, if I didn't get much done here, where did the time go?  It went to....

HEAD ABOVE WATER -- As I've mentioned, this series is harder to do because the art is more detailed and I am continually fretting the pacing, the layouts, the symbolism, everything.  Not to mention trying to use the artwork to convey the emotional thrust of the story.  Sound Waves is pretty straightforward, HAW isn't.  Last month, I had just barely gotten #3 done by the end of the month.

This month?  I'm halfway done with page 9 of #5.  That's right, in one month, I penciled and inked 30 pages of this.  Assuming I don't fumble (which, given the massive amount of distractions I have, could happen.  Like they say on MythBusters, failure is ALWAYS an option), I am on track for the March launch of the series, all five issues will be out before Wizard World Chicago.  I have 28 days to finish another 14 pages.  I better do it.

Once I get that done, I need to start laying out the comics and doing the cover art.  I'm not sure just yet what I will fill the other two pages with (22 pages for the story, two left over for whatever).  Stress Puppy strips are out, as that's a comedy and HAW is a serious moody existential fantasy.  I somehow doubt I'll get enough immediate interest for letter columns, so I'm thinking of putting the test sketches in there, showing the evolution of Amber and Becca.

I'm actually glad I've hit a stopping point with page 9.  Issue 5 is the climax.  After everything she's been through in the first four issues, Amber now has to face her past if she wants to have a future.  And I am working to make every pose, every gesture convey every emotion the characters are experiencing.  Once this page is done, the ultimate conflict kicks in for the next 9.  This is where the whole thing either comes together or falls apart.  Keep them fingers crossed for me.