Tag Archives: unix

How Long Was the iPhone Location Vulnerability Known?

I’m very intrigued by the Guardian’s piece “iPhone keeps record of everywhere you go”, but I’m wondering how new this information is, and whether other, less transparent folk have already been using this gaping hole. Charles Arthur writes:

Security researchers have discovered that Apple‘s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.

The file contains the latitude and longitude of the phone’s recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner’s movements using a simple program.

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the phone’s operating system, released in June 2010.

But it seems that folk on a forum have already been talking about it since January: Convert Iphone 4 Consolidated.db file to Google earth:

Someone called Gangstageek asked on Jan 6:

Is there a way to, or a program (for the PC) that can read the Consolidated.db file from the Iphone 4 backup folder and accurately translate the cell locations and timestamps into Google earth?

Other forum members helped him out. Indeed, an earlier forum, from November 2010, looked at the same file. kexan wrote on Nov 26:

We are currently investigating an iPhone used during a crime, and we have extracted the geopositions located within consolidated.db for analysis. During this we noticed that multiple points have the same Unix datestamp. We are unsure what to make of this. It’s kind of impossible to be in several locations at once, and the points are sometimes all over town.

Going back even further, Paul Courbis wrote on his site (translated from the French), including a demo:

Makes it relatively easy to draw the data on a map to get an idea of the places visited by the owner of the iPhone.

I don’t have an iPhone so I’ve not been able to test this. But I’m guessing that this issue may have already been known for some time by some kind of folk. Indeed, there are tools in use by police and others that may have already exploited this kind of vulnerability.
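The two forum questions above (turning the records into something Google Earth can open, and what to make of several points sharing one timestamp) can be answered with a small forensic script. This is an added example, not code from the forum threads or from Apple: the records are constructed (timestamp, latitude, longitude) tuples, not a real consolidated.db schema, and the timestamps are assumed to be Unix seconds as kexan describes.

```python
from collections import defaultdict
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed sample records, not taken from a real device:
# (unix timestamp, latitude, longitude). The first two share a
# timestamp but sit in different places, reproducing the pattern
# kexan reported.
SAMPLE_POINTS = [
    (1289800000, 51.5074, -0.1278),
    (1289800000, 51.5300, -0.0900),
    (1289803600, 51.5100, -0.1200),
    (1289807200, 51.4900, -0.1400),
]


def iso_utc(ts):
    """Render a Unix timestamp as the ISO-8601 UTC form KML expects."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def group_by_timestamp(points):
    """Map each timestamp to the list of coordinates recorded under it."""
    groups = defaultdict(list)
    for ts, lat, lon in points:
        groups[ts].append((lat, lon))
    return dict(groups)


def ambiguous_timestamps(points):
    """Timestamps carrying more than one distinct coordinate.

    An analyst should treat these as unreliable for placing the owner
    at a single spot: the phone cannot be in two places at once, so the
    timestamp is more likely a batch-write time than an observation time.
    """
    groups = group_by_timestamp(points)
    return sorted(ts for ts, coords in groups.items() if len(set(coords)) > 1)


def to_kml(points):
    """Emit a minimal KML document with one timestamped Placemark per record.

    KML orders coordinates as longitude,latitude,altitude; swapping them is
    the classic mistake that puts every point in the wrong hemisphere.
    """
    flagged = set(ambiguous_timestamps(points))
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    for ts, lat, lon in sorted(points):
        name = iso_utc(ts) + (" (ambiguous timestamp)" if ts in flagged else "")
        parts.append(
            "<Placemark><name>%s</name><TimeStamp><when>%s</when></TimeStamp>"
            "<Point><coordinates>%s,%s,0</coordinates></Point></Placemark>"
            % (escape(name), iso_utc(ts), lon, lat))
    parts.append("</Document></kml>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(to_kml(SAMPLE_POINTS))
```

Save the output as a .kml file and Google Earth will plot each record on its timeline, with the ambiguous ones labelled.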

The Hazards of Recommending


Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news covering the alleged incident.

(Apparently this piece mentions this fact but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? Why was this information removed from the story or comments?)


What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

“On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. … IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. … The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle.”

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

Directory of Distraction-free Writing Tools

(2009 June: added two no-delete editors)

Editors

A working list of tools to reduce writers’ distraction. I’ve been using some of them for a while; I was inspired by Cory Doctorow’s latest post on the matter to collect what I could together. All are free unless otherwise stated. 

No backspace/delete editors

Typewriter “All you can do is type in one direction. You can’t delete, you can’t copy, you can’t paste. You can save and print. And you can switch between black text on white and green on black; full screen and window.” Freeware, all OS.

Momentum Writer Same idea, really. “Momentum Writer is the ultimate tool for distraction-free writing. Like a mechanical typewriter, users are prevented from editing previously written text. There are no specific formatting options, no scrolling, deleting, or revisions. Momentum Writer doesn’t even allow you to use the backspace key. Momentum Writer forces you to write, to move forward, to add new words. It halts the temptation to linger, revise, and correct. Momentum Writer is a typewriter for your PC.” Freeware, for Windows.

Multiplatform

JDarkroom (works on Windows, Macs and Linux; thanks, Tris): “simple full-screen text file editor with none of the usual bells and whistles that might distract you from the job in hand.”

Windows

TextEdit (there seems to be a Mac product of the same name. The Windows website is under reconstruction so I can’t grab a description, but downloads are available.)

Notepad++ “a generic source code editor (it tries to be anyway) and Notepad replacement written in c++ with win32 API. The aim of Notepad++ is to offer a slim and efficient binary with a totally customizable GUI.”

EditPad “a general-purpose text editor, designed to be small and compact, yet offer all the functionality you expect from a basic text editor. EditPad Lite works with Windows NT4, 98, 2000, ME, XP and Vista.” Lite is free; Pro is $50.

PSPad code editor

And some so-called ‘dark room apps’ which blank out the outside world:

WestEdit “a full screen, old-school text editor and typewriter. No fuss, no distractions – just you and your text.”

Dark Room: “full screen, distraction free, writing environment. Unlike standard word processors that focus on features, Dark Room is just about you and your text.”

Q10: “a simple but powerful text editor designed and built with writers in mind.”

Mac

TextMate: “TextMate brings Apple’s approach to operating systems into the world of text editors. By bridging UNIX underpinnings and GUI, TextMate cherry-picks the best of both worlds to the benefit of expert scripters and novice users alike.” ($54)

The Mac dark room is WriteRoom “a full-screen writing environment. Unlike the cluttered word processors you’re used to, WriteRoom is just about you and your text.” ($25)

GNOME etc


gedit

Distraction reducers

Write or Die: “web application that encourages writing by punishing the tendency to avoid writing. Start typing in the box. As long as you keep typing, you’re fine, but once you stop typing, you have a grace period of a certain number of seconds and then there are consequences.”

Directory of RSI Software

This is the first in a number of posts about RSI, or Repetitive Strain Injury, the subject of this week’s column, out tomorrow. Here is a collection of software designed to ease RSI. RSI software tries to help in a number of ways:

  • working out how long you’ve been at the keyboard and reminding you to take breaks;
  • suggesting exercises for you to perform while you’re taking those breaks;
  • recording macros (shortcuts) for specific tasks you do a lot so you don’t have to use the keyboard as much (especially keystroke combinations);
  • reducing mouse usage by allowing you to control the mouse from the keyboard (including dragging);
  • reducing mouse clicks by automating the process (move the cursor over something you want to click on and hold it there, and the software figures out you want to click and does it for you).

Here are some programs I found. I’m sure there are more. Let me know!

RSI Shield provides breaks, records macros and controls the mouse via hovering or via the keyboard. For Windows only. About $40 from RSI-Shield.

RSI Guard includes a break timer that suggests breaks at appropriate times, mouse automatic-clicking option and shows animations of exercises. Windows only. £81 from Back in Action, or $40 for the Standard and $65 for the Stretch Edition from RSI Guard.

Workrave frequently alerts you to take micro-pauses, rest breaks and restricts you to your daily limit. For GNU/Linux and Windows (can be run on a Mac using Fink). Free from Workrave.

WorkPace Personal charts your activity, reminds you to take breaks and guides you through exercises. For Windows and Mac. $50 from Wellnomics.

AntiRSI forces you to take regular breaks, yet without getting in the way. It also detects natural breaks so it won’t force too many breaks on you. For Macs, free (donations welcome) from TECH.inhelsinki.nl.


Xwrits reminds you to take wrist breaks, with a rather cute but graphic graphic of a wrist which pops up an X window when you should rest. For Unix only. Free from Eddie Kohler’s Little Cambridgeport Design Factory.

OosTime Break Software for reminding yourself to take rest breaks from your computer. For Windows only, from the University of Calgary. Another break reminder: Stress Buster for Windows, £10, from ThreadBuilder. Another break reminder for Windows, also called, er, Break Reminder for $60 a year (that can’t be right) from Cheqsoft.

Stretch Break reminds you to stretch, then shows you how with Yoga-based stretches and relaxing background music. For Windows only, $45 from Paratec.

ergonomix monitors keyboard and mouse activity and helps structure computer use. For Windows only, $50 from publicspace.net. (A Mac version called MacBreakZ is also available for $20.)

ActiveClick automatically clicks, drags content and makes you stretch. For Windows only, $19 from ActiveClick.

No-RSI monitors keyboard and mouse activity and suggests you take a break regularly. For Windows only, $15 from BlueChillies.

Also check out the Typing Injury FAQ for some more RSI software. A more recent collection can be found in a piece by Laurie Bouck at The Pacemaker. A good piece, too, by Jono Bacon at ONLamp.com.

There are also mice that try to help counter RSI. The Hoverstop, for example, “detects if your hand is on the mouse. It then monitors if you are actually using it (clicking, scrolling). If you are not using it for more than 10 seconds, it will vibrate softly to remind you to take your hand away and relax.” About $90 from Hoverstop.

My favorite? Workrave, though I must confess I often ignore the breaks. More fool me.

Firefox Moves To Mass Market?

NetApplications, a ‘leader in Web-based applications that measure, monitor and market Web sites for the Small to Medium Enterprise (SME)’, says (no permalink available) that Firefox “continues to sway users away from Microsoft’s Internet Explorer”.

Firefox reached 8% during the month of May up from 7.38% in April. Firefox’s gain is Microsoft’s loss whose base dipped to 87.23% in May down .77% from April of 2005. Safari also gained a modest tenth of a percentage posting 1.91% in May 2005. Most other browsers experienced little change during the same time period.

NetApplications says IE is losing “an average of .5 to 1% loss of users each month.” Notes Dan Shapero, Chief Operating Officer of NetApplications: “FireFox is gaining traction with early adopters and its popularity and adoption rate are starting to tap into mass-market acceptance as buzz continues to build.”

May 2005 Browser/Market Share:

  • Microsoft Internet Explorer – 87.23%
  • Firefox – 8.06%
  • Netscape – 1.64%
  • Safari – 1.91%
  • Mozilla – 0.58%
  • Opera – 0.51%
  • Other – 0.07%

The data was collected from over 40,000 Hitslink.com-monitored global Web sites.

The Slashdot Report Part II: Where Does The / And The . Come From?

This week’s column is about The Slashdot Effect (subscription only, I’m afraid), and I’ve already started receiving mail telling me my explanation of the term Slashdot is wrong. Here’s what I wrote:

Slashdot (slashdot.org, named after the slashes and dots in a Web site address)

One reader commented:

Hi Jeremy, The slash and dot in Slashdot do NOT refer to “the slashes and dots in a Web site address.” They refer to having “root access” on a Linux (or Unix) computer, meaning godlike power to do whatever you want to do with the machine, like being an Administrator on Windows XP. Getting root access to a remote machine is the holy grail of hacking, because it means you “own” that machine. The slash and dot refer to how you would change what directory you are in when using a command-line interface.

In MS-DOS, or the command prompt in Windows XP, you might do: C:\>cd c:\windows

But in Unix you would do: cd /.

Hence, Slashdot.

while another offered a slight variation:

Actually Mr Wagstaff,

slash dot is from “Unix”. The “bourne shell” command “ls” (for list) will report the contents of the Root Directory when you type “ls /.” The inverse “ls ./” reports the contents of “Here” (your current working directory).

        /. “News from the Root”

and 

        ./ “Here be News for Nerds”

Don’t worry that you didn’t get the “hidden in plain sight” meaning. Non-Nerds never do.

(I really appreciate the ‘Mr Wagstaff’ bit. Thanks). Both are interesting definitions, but are they correct? I based my definition on Slashdot’s own FAQ, which says:

What does the name “Slashdot” mean?

“Slashdot” is a sort of obnoxious parody of a URL. When I originally registered the domain, I wanted to make the URL silly, and unpronounceable. Try reading out the full URL to http://slashdot.org and you’ll see what I mean. Of course my cocky little joke has turned around and bit me in the butt because now I am called upon constantly to tell people my URL or email address. I can’t tell you how many people respond confused “So do I spell out the ‘dot’ or is that just a period?” 

Of course, this doesn’t necessarily make the other explanations wrong: Slash and dot could still refer to the Unix command, making the website name both a parody and an in joke.

Firefox And The Greasemonkey On Its Back

Good piece by ZDNET on a Firefox add-on that lets surfers tweak sites, but is it safe?

A new Firefox extension that lets people customize their experience of the sites they visit is stirring excitement among Web surfers and consternation among security experts.

The extension, dubbed Greasemonkey, lets people run what’s known as a “user script,” which alters a Web page as it’s downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks, and could stir trouble among site owners who object to individual, custom redesigns of their pages.

Have to admit I haven’t looked at Greasemonkey, but it’s an interesting conundrum. Makes me wonder, too, about all the other extensions I’ve loaded into Firefox. It would be real easy, wouldn’t it, to put some sneaky stuff in there too? Why are we so afraid of any IE toolbar, or free browser add-on, but so happy to download extensions to Firefox from folk we don’t know, and who haven’t had to pass any tests?

Firefox Resources

Further to this week’s column on browsers in the Asian Wall Street Journal/WSJ.com (subscription only) on Firefox and other browsers, check out my directory of browsers for a (by no means complete) list of what’s out there.

Here’s the beginnings of a Directory of Firefox related sites:

More to come as I come across them. Please feel free to let me know of your favourites. I’m particularly interested in good extensions.

Yahoo! Goes Outside For Searches

Maybe it’s just Yahoo! trying out the competition, but a press release from Tucson, AZ-based Webglimpse.net, maintainers of the Glimpse search engine, says that Yahoo! has “purchased several licenses” of its software for internal use. Glimpse is a C program for fast searching of large numbers of text files on Unix systems. It is at the core of Webglimpse, a website search engine.

WebGlimpse’s Golda Velez says: “As I understand it this will be used by Yahoo! and Overture developers as a tool to search local datasets, possibly a large code base.” Why isn’t Yahoo using its own software for this kind of thing?