2011-07-21 00:14duskwuff — [K]
normal
A few quick notes, mostly for myself, regarding making modifications to Mac applications:

Stripping

  mv Binary Binary~
  lipo -thin {arch} Binary~ -output Binary

Patching

   31 C0     xor eax, eax
   40        inc eax       (i386)
   FF C0     inc eax       (x86_64)
   C3        ret
   90        nop
   
   74xx      je
   75xx      jne
   EBxx      jmp

Resigning

  codesign -s {signing key name} -f MacOS/Binary

Echofon

-[AppController checkLicense] → ret
+[Registration validate] → ret
[ 10 comments ]
2011-01-17 23:26duskwuff — I'm a developer. I break things.
normal
I'm mainly posting this to point out what's just happened to my userhead (duskwuff).

I should probably post more often. I just don't!

[ 16 comments ]
2010-05-11 20:42duskwuff — Caught in the net
normal
One of many (many!) signup failures from that forum I mentioned before:
Signup failure: invalid timezone
User agent: Mozilla/3.0 (x86 [en] Windows NT 5.1; Sun)
IP: [omitted here - dusk]

Name: jonnylasanta
Email: johnnsantoro@gmail.com
ICQ: 541976432
AIM: 
MSN: 
YIM: 
Skype: 
Website: 
Location: USA
Occupation: student
Interests: music, internet
Custom title: Where to point to frippery goods
Signature: hi my name is slim shaddy
2010-03-20 00:44duskwuff — reCAPTCHA is broken
normal
For some time, I've had three layers of security on the registration page for a phpBB forum I co-admin:
  1. First, the registration flow runs differently than most forums, and doesn't show up without an extra URL parameter set.
  2. Second, the registration form has a reCAPTCHA on it.
  3. Finally, my secret weapon: after noticing that many spam registrations had their time zone set to GMT-12, and no legitimate registrations did, I set up the registration system to reject any registration with that value. It turns out that nobody actually lives in GMT-12, so I'm not sure why phpBB offers it as an option at all.
Together, these measures have succeeded in blocking well over 99.9% of bot registrations. But let's break down the statistics from the last year or so of registrations:
  • Humans registered: around 250
  • reCAPTCHA failures: maybe 15 (most of them humans who subsequently registered)
  • Bots passing reCAPTCHA, but blocked by time zone check: over 1500
  • Bots successfully registering: 5 or so

So why so few reCAPTCHA failures? I've tested the registration flow myself and confirmed that the form does fail if you leave the CAPTCHA blank or enter it wrong, so the only possible conclusion is that reCAPTCHA is broken. Maybe not in the technical sense, as I've so far seen no evidence that it's being OCRed (in fact, if it were I'd expect to see more failures), but definitely in the practical sense! Chances are that there's a sweatshop of Chinese workers somewhere punching in random distorted words.

So what's the solution? I'm not sure. Solutions like the one I've come up with (identifying anomalies in bot-driven registrations) work in some cases, but they don't scale — the only reason this works at all is because most phpBB installations are easier targets than ours. If this solution was deployed on a wider scale, the bots would implement workarounds. A few do already, actually; it just looks like the ones that do are less widespread.

Fucking spammers.

2010-02-03 12:49duskwuff — Compare and Contrast, III
normal

Exhibit 1: "Supreme Court Allows Corporations To Run For Political Office" (The Onion)

Exhibit 2: "Corporation Says It Will Run for Congress" (New York Times)

(previously, previously)

2009-12-12 23:18duskwuff — Compare and Contrast, II
2009-03-19 22:30duskwuff — Compare and contrast
normal

Exhibit the First: Looks Real Good, Hurts Real Bad.

Exhibit the Second: Cruel Shoes.

Also, I have a job.

2008-10-21 18:22duskwuff — $X on $Y
normal
Any more ideas?
2007-12-18 15:25duskwuff — Revenge of the Five Fifties
normal
Almost exactly a year ago, I posted an entry about a phenomenon I referred to as the "five fifties", in which I noted that, given the population of the United States, publicizing five pieces of information about yourself, each with a specificity of 1/50, could uniquely identify you. More recently, Bruce Schneier wrote an essay for Wired in which he referenced a 2000 study, Uniqueness of Simple Demographics in the U.S. Population, which showed - among other things - that simply knowing someone's birthdate, ZIP code, and gender is enough to uniquely identify them 87% of the time. (A follow-up paper published by the ACM, Revisiting the uniqueness of simple demographics in the US population, suggests that this may be an overestimate of the specificity of these data, but that the same general principle applies.)

Scary stuff.

2007-10-22 15:56duskwuff — ljsh.py
normal
I've decided to finally bundle up some code I'd had sitting around for a while. Say hello to lj.py and the related ljsh.py, a set of Python tools for examining the LiveJournal social web. An example of what it can do:
sh% python ljsh.py
LJsh started
lj >> zetawoof.friends.intersection(tugrik.friendsof)
2_gryphon, altivo, animakitty, cargoweasel, chipuni, goldenrod, kakoukorakos, kitelessd, revar, snowwolf42, thewerewolf, tilton, tugrik, zetawoof
lj >>

Also included are cliques.py and closeness.py. The former finds cliques containing a specified user (or set of users); the latter finds users who are popular among your friends using a PageRank-like algorithm.

Python is (obviously) required, as is the sqlite3 module, which is available with Python 2.5. Assuming you've got that all set up, you can go ahead and download ljsh.