Warning: SSH root password hacking

I was pretty surprised to find out this was happening while I was debugging my L2TP/IPSec tunnel: someone is trying very hard to guess my root password over SSH. A quick check proved to me that my private cloud is under attack too.


Enforcing SSL

Somehow destiny brought me to StartSSL, a company that provides free SSL certificates. This prompted me to replace all existing CACert certificates and enforce SSL on all publicly available entry points: blogs, bug tracker and git code repository.

If you have previously added the CACert root certificate to access my website, please remove it now, as the public entry points no longer require it, and new entry points will be added with similar StartSSL (or other free services’) certificates.

Build Debian Almquist Shell (dash) for OS X (GNU bash ShellShock part 2)

Even after pushing bash to 4.3.26, the aftershock of ShellShock (pun intended) is still there: a developer commented that even the bash43-026 patch is still a “whack-a-mole” job.

Since my other main operating system is Ubuntu and the third most commonly used is Debian jessie/sid, I am replacing /bin/sh with dash, the Debian Almquist Shell, at least for now.


GNU bash ShellShock bug and how to fix it on OS X

Update: A new bash patch has been released as bash-4.3.26. This article has been updated to include the new patch.

Recently another UNIX bug broke out: the ShellShock bug in GNU bash, the most commonly used UNIX shell. It allows arbitrary code execution, which is bad.

Test code, if you want to check (the exported variable must be a function definition, hence the x= and the :; body):

env x='() { :;}; echo gah' bash -c "echo test"

If you see both gah and test printed, your system is vulnerable! Read on!


VyRT Hacking (Part II): How Hackers Find Out Your Password, Quickly.

Before I say anything in this post, I hereby urge you to change your VyRT password immediately, as well as on any service that shares the same password with it, NOW! Read on to see why.

This is going to be the most disturbing part of this series on VyRT hacking. Brace yourself when reading.

After the hackers dumped VyRT's database, they could retreat to their lair of evil and start figuring out your passwords. If you are technologically savvy you may think that it would take them forever to figure out those securely hashed passwords one by one. No, think again before proceeding.


VyRT Hacking (Part I): How a website accidentally gives out your information

Recently news came that the official community website of the band 30 Seconds to Mars was hacked and information was leaked. No public information is available yet, but I think I have a theory of how this hack worked, and how you Echelons can minimize the damage.

This post is going to be a little heavy on the tech bits, so proceed with care. If you are greeted with some strange concept, Wikipedia will be your friend.


HTTPS

If you have visited my website recently, you should have noticed that it now has SSL enabled, but the certificate may not be trusted.

Setting up SSL is trivial, but setting up SSL with a trusted certificate is difficult and expensive.

I don't have that kind of spare money. That is why I used a free CA (one trusted by the free software community), CACert (http://www.cacert.org/). You can visit their page for their root certificate and trust it. That will automatically make your browser trust my website.