Nov 28
A while back, I noticed a few spambots liked to make the rounds of all the FTP servers in our area, mindlessly trying to connect as ADMINISTRATOR with a few dozen passwords. I’d just chuckle and murmur, “Good luck with that,” seeing as the FTP server at work doesn’t even HAVE an account for administrator. (Well, yeah, it’s got an administrator account, but not named “Administrator,” and with a sufficiently byzantine password that a dictionary attack isn’t going to help.)
After a while, the bot would give up and go back to rattling the doorknobs down the street. I use a homebrew FTP server I coded myself using an ActiveX control to provide FTP, SFTP and FTPS functionality, and I impishly added a “hack counter” to keep a running total of how many such attempts had been made.
About a month ago the FTP server started mysteriously falling over dead on a daily basis, so I took a peek into the logs, and found some crazy Chinese botnet was crawling all over it, trying more sophisticated attacks, some of which were running afoul of some weaknesses in my code.
That didn’t take long to fix, but a look at the logs informed me that my strategy of benign indifference wasn’t going to cut it anymore. They weren’t just trying the administrator account, they were trying all kinds of fairly reasonable-sounding usernames, too.
Well, that’s no good. That actually had a slight chance of working. And there were the devil’s own lot of them too, thousands a day trying to break in. So I decided I had to get more proactive.
I added some code to ban the IP of anyone who failed login more than ten times, with an instant ban for anyone trying to log in as WEBADMIN, ADMINISTRATOR, or ROOT.
So now I look in the logs and see things like this:
11/28/08 10:45:22 >> 22 ROOT 113.11.200.17 Disconnected
11/28/08 10:45:21 >> *** 113.11.200.17 BANNED ***
11/28/08 10:45:22 >> *** 113.11.200.17 BLOCKED ***
That “BLOCKED” is them getting bounced on their next attempt to connect. I found that merely preventing authentication from succeeding wasn’t good enough… the bots just stubbornly keep plugging away hoping to hit paydirt… because what is time to a bot?
So when they’re banned, there’s code in the CONNECT event to bounce them right away. They go to connect after their ban and all they get is a boot to the head.
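The two rules the post describes (ban after more than ten failed logins, instant ban for the WEBADMIN, ADMINISTRATOR and ROOT usernames) and the CONNECT-time bounce, written out as an added example. This is not the blog's own FTP server code; the event names, the case-insensitive username comparison, the reset of the failure count on a successful login, and the sample client addresses are all assumptions made for the example.

```python
# Added example (not the post's FTP server code): a login guard implementing the
# post's ban rules plus the CONNECT-time bounce. Sample events are constructed.
from collections import defaultdict

FAIL_LIMIT = 10                                   # ban after MORE than ten failures
INSTANT_BAN_USERS = {"WEBADMIN", "ADMINISTRATOR", "ROOT"}


class LoginGuard:
    """Tracks failed logins per client IP and keeps a ban list."""

    def __init__(self, fail_limit=FAIL_LIMIT, instant_ban=INSTANT_BAN_USERS):
        self.fail_limit = fail_limit
        self.instant_ban = {u.upper() for u in instant_ban}
        self.failures = defaultdict(int)   # ip -> failed logins since last success
        self.banned = set()
        self.hack_counter = 0              # running total of failed attempts
        self.log = []                      # messages in the post's log style

    def on_connect(self, ip):
        """CONNECT event: refuse (and log BLOCKED) when the IP is already banned."""
        if ip in self.banned:
            self.log.append(f"*** {ip} BLOCKED ***")
            return False
        return True

    def on_login_failed(self, ip, username):
        """A failed login. Returns True if this attempt got the IP banned."""
        self.hack_counter += 1
        self.failures[ip] += 1
        # Assumption: usernames are compared case-insensitively.
        if username.upper() in self.instant_ban or self.failures[ip] > self.fail_limit:
            self._ban(ip)
            return True
        return False

    def on_login_ok(self, ip):
        """Assumption: a successful login clears the failure count for that IP."""
        self.failures.pop(ip, None)

    def _ban(self, ip):
        self.banned.add(ip)
        self.failures.pop(ip, None)
        self.log.append(f"*** {ip} BANNED ***")


# Constructed sample events: (event, client ip, username). Documentation ranges only.
SAMPLE_EVENTS = [
    *[("fail", "198.51.100.7", "bob")] * 11,      # eleventh failure trips the limit
    ("connect", "198.51.100.7", ""),              # ... so the next connect is bounced
    ("connect", "203.0.113.9", ""),
    ("fail", "203.0.113.9", "root"),              # instant ban on the username alone
    ("connect", "203.0.113.9", ""),
    ("connect", "192.0.2.1", ""),
    ("fail", "192.0.2.1", "alice"),               # one typo, then a good login
    ("ok", "192.0.2.1", "alice"),
]


def replay(events, guard=None):
    """Feed (event, ip, user) tuples through a guard and return it for inspection."""
    guard = guard or LoginGuard()
    for kind, ip, user in events:
        if kind == "connect":
            guard.on_connect(ip)
        elif kind == "fail":
            guard.on_login_failed(ip, user)
        elif kind == "ok":
            guard.on_login_ok(ip)
    return guard


if __name__ == "__main__":
    g = replay(SAMPLE_EVENTS)
    print("\n".join(g.log))
    print("banned:", sorted(g.banned), "failed attempts:", g.hack_counter)
```

Replaying the sample events bans both noisy addresses and logs a BLOCKED line for each of their follow-up connects, while the address with one typo and then a good login is never touched. Because the ban set here never expires, a long-running server would want an expiry time or a cap on its size so a bot that rotates addresses cannot make the list grow without bound.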
Now I get maybe two or three attempts a day, and they usually get banned right away. The FTP server stays up, and I learned a valuable lesson.
Aug 19
I’ve been experimenting with the jQuery Javascript library, and was looking for a little project to try it out on. So I made a test page at http://yggdrasilradio.net/demo/ that polls my Shoutcast server data every 15 seconds using a PHP script, parses the XML that comes back, and displays it in a table using AJAX to update the page.
The book I’m reading to learn from is Learning jQuery, and it’s pretty good, although the way the book describes AJAX (“Make your website buzzword-compliant!”), while amusing, gives me the feeling the author really isn’t taking this particular subject all that seriously.
If you have a Shoutcast server and want to play with the code yourself, have at it: demo.zip. Unzip that and put the “demo” folder just off your webroot on a webserver, with all the files in it. There are a couple of parameters at the beginning of playing.php you’ll need to edit for your Shoutcast server.
Start out by loading playing.php from your webserver into your browser. If you see a bunch of song titles, you’ll know all is well. If your webserver doesn’t support PHP or the PHP Curl library used to access the Shoutcast XML data, then you’ll be out of luck. Take a look at the source of the returned page to see what it really looks like, since your webbrowser will mush it all together.
Then load up the main page at http://yourserver.com/demo. You should see a pretty display of your listeners, the currently playing song, and the five previously played songs. I might make this into a nice plugin for Wordpress one of these days.
Let the page sit there for awhile, and you’ll notice that it updates itself automatically as new songs play, listeners join or leave the audio stream, etc. That’s what AJAX is doing for you. The PHP script even attempts to figure out where all your listeners are coming from, though it’s a bit simple-minded: it thinks anyone from a .com, .mil, .net or .org domain is from the USA.
Since each copy of the page that’s running anywhere in the world will hit the Shoutcast server for data every 15 seconds, this technique might not be good for Shoutcast streams with 300 listeners, but it works okay for my station. You can find the full non-jQuery version of my streaming radio station at http://yggdrasilratio.net.
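The server-side half of the demo, as an added example rather than the contents of demo.zip: parse the status XML the Shoutcast server returns, apply the post's “simple-minded” country guess, and build the table rows with every title and hostname HTML-escaped before it reaches the page (a song title is attacker-influenced text, so inserting it unescaped into the DOM is a stored-XSS hole). The XML below is constructed in the general shape of a Shoutcast status document; its element names are assumptions, not taken from the post.

```python
# Added example (not the post's playing.php): parse a Shoutcast-style status XML,
# guess listener countries the way the post describes, and emit escaped table rows.
import html
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumption about the status document.
SAMPLE_XML = """<SHOUTCASTSERVER>
  <CURRENTLISTENERS>3</CURRENTLISTENERS>
  <SONGTITLE>Some Band - Now &lt;Playing&gt;</SONGTITLE>
  <LISTENERS>
    <LISTENER><HOSTNAME>dsl-123.isp.example.net</HOSTNAME></LISTENER>
    <LISTENER><HOSTNAME>host.uni.example.de</HOSTNAME></LISTENER>
    <LISTENER><HOSTNAME>192.0.2.44</HOSTNAME></LISTENER>
  </LISTENERS>
  <SONGHISTORY>
    <SONG><TITLE>Earlier Song One</TITLE></SONG>
    <SONG><TITLE>Earlier Song Two &amp; Friends</TITLE></SONG>
  </SONGHISTORY>
</SHOUTCASTSERVER>"""

USA_TLDS = {"com", "mil", "net", "org"}   # the post's heuristic: these mean "USA"


def guess_country(hostname):
    """Country label from the hostname's last label, as the post's script does it."""
    last = hostname.rsplit(".", 1)[-1].lower()
    if last.isdigit():            # a bare IP address: no TLD to go on
        return "unknown"
    if last in USA_TLDS:
        return "USA"
    return last.upper()           # a ccTLD such as DE, UK or JP


def parse_status(xml_text):
    """Pull listeners, the current song and the recent history out of the XML."""
    root = ET.fromstring(xml_text)
    listeners = [l.findtext("HOSTNAME", "") for l in root.iter("LISTENER")]
    history = [s.findtext("TITLE", "") for s in root.iter("SONG")]
    return {
        "listeners": int(root.findtext("CURRENTLISTENERS", "0")),
        "now_playing": root.findtext("SONGTITLE", ""),
        "countries": [guess_country(h) for h in listeners],
        "history": history[:5],            # the page shows five previous songs
    }


def render_rows(status):
    """Build the <tr> rows the page inserts; every text value is escaped first."""
    rows = [f"<tr><td>Now playing</td><td>{html.escape(status['now_playing'])}</td></tr>"]
    for title in status["history"]:
        rows.append(f"<tr><td>Previously</td><td>{html.escape(title)}</td></tr>")
    rows.append(f"<tr><td>Listeners</td><td>{status['listeners']}</td></tr>")
    return rows


if __name__ == "__main__":
    status = parse_status(SAMPLE_XML)
    print(status["countries"])
    print("\n".join(render_rows(status)))
```

The XML here comes from your own Shoutcast server, but if the status document were fetched from a third party, a hardened parser such as defusedxml would be the safer choice than xml.etree for untrusted input.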
Nov 5
As a bit of election-year skullduggery, some clown registered what you might expect to be website names for DFL candidate for MN Attorney General Lori Swanson, “loriswanson.com” and “loriswanson.org,” and redirected them to http://www.johnsonforag.org/, the website of her Republican opponent.
An obvious dirty trick, said the Swanson campaign, demanding that the Johnson campaign immediately “block” those sites. The Johnson campaign immediately responded that since they don’t own or have any control over those website names, that would be impossible.
Ah, but that would be child’s play, countered numerous tech-savvy observers, including the proprietor of this blog, who said, “I don’t know why they couldn’t contact their ISP, Hosting Matters, and have them block all HTTP requests coming from the loriswanson sites.”
But it turns out it’s not that simple. When you are on site A and click on a link to site B, you don’t zoom through a tunnel from site A to site B… your computer disconnects from site A, and then your computer connects to site B.
If you follow a link, though, there IS one thing in your connection to site B that marks it as being “from” site A… a field in the request called HTTP_REFERER. However, in the case of a server redirect, which is the method being used to redirect the traffic for this little trick, this field does not appear. There is NOTHING in the request to distinguish it from a normal visit to the webserver by someone who legitimately wanted to visit the Johnson website.
I, too, thought it would be the work of a moment to block traffic from the bogus Lori Swanson sites, and confidently coded up a PHP script to do it, thinking to give it to the tech people at the Johnson campaign. Then I went to test it. After an hour of cursing and various experiments, I concluded it was impossible.
What is there in the request that would do the trick? REMOTE_ADDR? No, that’s the IP number of the computer coming to the Johnson website, either because they went to the correct website or one of the bogus ones.
If the prankster had simply pointed the DNS name to the Johnson website, you could filter on the HTTP_HOST field in the HTTP request. Alas, they didn’t do it that way… they actually bought web hosting, pointed the names there, and put up a page that does a redirect to the target website.
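The three cases walked through above, as an added request filter that is not the PHP script mentioned in the post: a Host header naming the bogus site (DNS pointed straight at the Johnson server) can be refused, a Referer naming it (a link clicked on a page hosted there) can be refused, and a server redirect from it leaves nothing in the request to key on. Requests are constructed WSGI-style dictionaries; the domain names are the ones the post discusses and the client addresses are documentation ranges.

```python
# Added example (not the post's script): classify requests by the only two fields
# that could ever name the bogus site, to show which cases are distinguishable.
from urllib.parse import urlsplit

BOGUS_HOSTS = {"loriswanson.com", "loriswanson.org"}


def _host_of(value):
    """Lower-case host name from a Host header or a full Referer URL, port removed."""
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.split(":", 1)[0].lower().rstrip(".")


def classify(environ):
    """Return ('block', reason) or ('allow', reason) for one request."""
    host = _host_of(environ.get("HTTP_HOST", ""))
    if host in BOGUS_HOSTS:
        # Case 1: the bogus DNS name points straight at this server, so the
        # browser sends it as the Host header and the request can be refused.
        return "block", f"Host header is {host}"
    referer = _host_of(environ.get("HTTP_REFERER", ""))
    if referer in BOGUS_HOSTS:
        # Case 2: the visitor clicked a link on a page served from the bogus
        # site, so the Referer names it.
        return "block", f"Referer is {referer}"
    # Case 3: a server-side redirect from the bogus site. Host, Referer and
    # REMOTE_ADDR all look exactly as they would for a direct visit.
    return "allow", "indistinguishable from a direct visit"


# Constructed requests for the three cases plus an ordinary direct visit.
SAMPLE_REQUESTS = {
    "dns_pointed": {"HTTP_HOST": "loriswanson.com", "REMOTE_ADDR": "192.0.2.10"},
    "link_click": {"HTTP_HOST": "www.johnsonforag.org",
                   "HTTP_REFERER": "http://loriswanson.org/",
                   "REMOTE_ADDR": "192.0.2.10"},
    "redirected": {"HTTP_HOST": "www.johnsonforag.org", "REMOTE_ADDR": "192.0.2.10"},
    "direct": {"HTTP_HOST": "www.johnsonforag.org", "REMOTE_ADDR": "192.0.2.11"},
}


if __name__ == "__main__":
    for name, environ in SAMPLE_REQUESTS.items():
        print(f"{name:12s} -> {classify(environ)}")
```

Refusing requests whose Host header is not a name you actually serve is worth doing regardless of this prank, since a server should only answer for its own names; the Referer check is weaker, because that header is optional and entirely under the client's control.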
I have to remind myself that “Any sufficiently advanced stupidity is indistinguishable from malice” (my own conflation of Hanlon’s Razor and Clarke’s Law), but it does seem interesting that someone spent extra money to implement this trick in a way that would be impossible to block.
It’s also interesting that the blog referenced above alleges that one of the bogus Lori Swanson sites earlier linked to a DFL website instead of the Johnson campaign, as it does now. No, it doesn’t prove anything one way or the other, but it is intriguing.
May 28
About four months ago, we started getting telemarketing calls from a “Terrell,” who didn’t seem to understand that we were on the Do Not Call list, and wouldn’t take “no” for an answer.
At first he told us he was calling for my son Tim, alleging he had entered a contest online. Terrell was pleased to tell us that our son had won a Cadillac Escalade.
Well, Tim talked to the guy for awhile and figured it was a scam (for one thing, he couldn’t remember entering any such contest), so he told him he wasn’t interested. But still the calls continued.
Terrell seemed quite insistent. No matter how we tried to get it across to him that we wanted him to go away, he would call back.
And when I say “call back,” I mean that if you told him to stop calling and hung up the phone, he would call right back, repeatedly, each time getting madder and madder.
Eventually he would angrily demand that he be allowed to leave a message on the answering machine, after which he would go away for a few weeks, and then the cycle would be repeated.
I talked to the guy, and it sounded totally bogus to me. He would only identify himself as being from “The Awards and Claim Center,” and insisted that Tim had won one of five prizes, ranging from an Escalade to a flatscreen TV. All that was required was for Tim to attend an “awards ceremony.” This was not a telemarketing call, he said, and had nothing to do with timeshares.
This all sounded pretty dodgy. Telemarketers are supposed to identify what company they work for, and “The Awards and Claims Center” doesn’t cut it, among other things.
Eventually he gave up on Tim, and then turned his attention to me and my wife, saying that the prize had transferred to us. (Oh, lucky us!) And so the calls continued, for months. Nothing we could do would get this guy to stop calling.
One day he got my wife on the phone, insisting that she and I come to this “awards ceremony,” and in a weak moment she tentatively agreed, but added that I would have to approve it. Well, when she told me about it, I hit the roof. She had even given him my email address so they could send directions to the “award ceremony.”
She then called the guy’s voice mail and left a message saying we were cancelling.
At that point he got my daughter over the phone and demanded that she give him my wife’s cellphone number. When she resisted, he badgered her, saying “This is very important time-sensitive information, young lady!” She gave in and gave him the number.
So now we had him calling the home phone number and my wife’s cellphone. If she hung up on him, he would call back, again, and again, and again. The guy scared her to death, and she vowed she just wouldn’t answer her cell if it was him on the caller ID.
But then we got a break. They emailed me information on the upcoming meeting, which identified the company involved as “Global Escapes.” This is an outfit that tries to sell a website service for finding timeshare and other vacation opportunities, with a branch in nearby Eden Prairie.
Shortly after that, my wife and I had just driven home, and she was getting out of the car when the cellphone rang. Without thinking, she flipped her phone open, thinking it was our son Joel. Then… “Oh my God, it’s HIM!” she screamed, and flipped the phone closed, hanging up.
Immediately, the cellphone rang again, and I took it from her. “Terrell” began his spiel once again, and I cut in with “STOP CALLING US. STOP CALLING US.” I then hung up.
The cellphone rang again, and so I turned it off. This enabled him to leave a message on voice mail, which smugly ended with “…and have a GREAT day!”
That was the day I filed a complaint with the Minnesota Attorney General’s office.
He called a few more times, but eventually he stopped calling, and of course you can guess why. It turns out the AG’s office called up the CEO of Global Escapes, they had a friendly little chat, and Global Escapes agreed to stop calling me.
Global Escapes wrote a nice little letter, saying that oh, yes, they comply with all Do Not Call lists, they do not do telemarketing directly but contract it out, we have no idea how this happened, etc, etc.
Is the service Global Escapes is selling worthwhile? I am unqualified to have an opinion on that. However, I can tell you from experience that their telemarketing practices suck.
Dec 29
Spy Agency Removes Illegal Tracking Files
The National Security Agency’s Internet site has been placing files on visitors’ computers that can track their Web surfing activity despite strict federal rules banning most files of that type. — Associated Press
Those naughty scamps over at the NSA! What crazy hackery are they up to now? Spyware? A virus developed by some master hacker? A rogue ActiveX control?
No, just “cookies.”
“Cookie” files are small text files, usually used to store user preferences for specific websites. If your browser is set to allow it, they can be stored on your computer by a specific website… and read by that website… and that’s it.
Cookies set by one website can’t be read by any other website. They’re data files, not programs. Once you go away from the website that set them there, all they can do is just sit there.
In other words, there’s no way to “track web surfing” via cookies. This is complete nonsense. A website can track which pages you visit ON THAT SITE, but that information is available from the server logs without the use of cookies.
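The rule the three paragraphs above describe, as an added example that is not from the post: a browser's cookie jar only hands a site's cookies back to that same site. Python's http.cookiejar applies the same scoping a browser does, so the sample below stores cookies from one site and checks what would be sent to it and to a second site. The Set-Cookie lines and the host names are constructed; the cookie names are the ones the post lists.

```python
# Added example (not from the post): a cookie jar returns a site's cookies only to
# that site. Hosts and Set-Cookie values are constructed; names come from the post.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls info() on it."""

    def __init__(self, set_cookie_lines):
        self._headers = Message()
        for line in set_cookie_lines:
            self._headers["Set-Cookie"] = line   # Message keeps repeated headers

    def info(self):
        return self._headers


def visit(jar, url, set_cookie_lines):
    """Simulate loading `url` and receiving the given Set-Cookie headers."""
    jar.extract_cookies(_CannedResponse(set_cookie_lines), Request(url))


def cookies_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`, or ''."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def demo():
    jar = CookieJar()
    # Constructed: site-a sets the three ColdFusion session cookies the post names.
    visit(jar, "http://site-a.example/", [
        "CFID=12345; path=/",
        "CFTOKEN=67890; path=/",
        "CFGLOBALS=ignored; path=/",
    ])
    return {
        "same_site": cookies_sent_to(jar, "http://site-a.example/other-page"),
        "other_site": cookies_sent_to(jar, "http://site-b.example/"),
    }


if __name__ == "__main__":
    for site, header in demo().items():
        print(f"{site}: {header!r}")
```

The same-site request carries all three cookies back; the request to site-b gets an empty Cookie header, because nothing in the jar matches its domain. Note that the jar holds the cookies only as name/value pairs that the setting site can correlate across its own pages; it still records nothing about visits to other hosts.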
And of course, this is the NSA we’re talking about. If they have an interest in tracking your web surfing habits, they’re perfectly capable of intercepting and analyzing the Internet backbone traffic for that information. I guarantee you cookies won’t be involved.
What the NSA’s exact capabilities are, what they’re doing, and what they should be allowed to do certainly are reasonable subjects for debate. But this is ludicrous.

Take a look at the cookies left behind by the NSA’s website on the computer of one concerned blogger.
The specific cookies he found were CFID, CFGLOBALS and CFTOKEN. These happen to be typical cookies set to store session information by the Cold Fusion website hosting software.
Note that similar cookies from other websites are listed along with the NSA’s cookies, but since they aren’t from the NSA, he’s not worried about those.
On my computer, the exact same CFID and CFTOKEN cookies were set by the website for The American Library Association, which I doubt is a hotbed of covert intelligence activity.
But wait! Weren’t there “strict federal rules” against such things?
Well, yes and no. There are policies in place prohibiting government websites from setting cookies, most probably simply to avoid the appearance of impropriety. But non-governmental websites you visit can set as many cookies as they want. And it’s most certainly not “illegal.”
This website sometimes sets a session cookie even though I don’t do anything with it. It’s HARD not to set a cookie; most software sets one by default. But sleep well… I mean you no harm.
May 22
You sure do get a different perspective when you read foreign magazines!

Oh, you don’t read Japanese? Here, maybe this will be better.

That’s… uh… wow. Just… wow.
Note: the second graphic is just the first one, photoshopped, with my translation of various interesting parts. Oh, and yes, the “scare quotes” really are in the original.
Originally found at Riding Sun.
Hm, you know, I’m kinda thinking these guys figure none of us can read Japanese.
This turns out not to be the case. This is fascinating reading, I must admit. Here’s an overview of the cover story:
http://www.nwj.ne.jp/public/toppage/20050202/toppage.html The day America died
Although Bush calls for an “expansion of freedom,” the world is not yearning after the “country of freedom,” the United States, any longer. New evidence of a decline of the United States in every sphere has been confirmed.
From the editorial staff
“Since Newsweek is an American magazine, why would it tell us of problems with Bush?” we are occasionally asked in an ironic tone. However, we do not take sides, but only analyze the meaning of events from various viewpoints. Perhaps this has led to misunderstandings.
What have Americans lost due to the Bush administration in the last four years, and what will the world lose in the next four years? Verified facts, not opinions from any viewpoint, are laid forth in the special report in this issue.
And here’s a more detailed breakdown of what’s covered:
http://www.nwj.ne.jp/public/toppage/20050202/editorsnote.html
The Day America Died
Although Bush calls for an “expansion of freedom,” the world is not yearning after the “country of freedom,” the United States, any longer. New evidence of a decline of the United States in every sphere has been confirmed.
America / The ideals of the second term, and the world’s reality
In his second inaugural address, President Bush held forth a vision of expansion of freedom. But from the current disorder in Iraq, it is plain that concrete proposals are more important than ideals. Whether or not Bush can make a contribution to history turns on this point.
Viewpoint / America’s dreams fall into ruin
The era in which every corner of the globe yearned for the freedom and equality of America has ended. The brightness of the American dream has faded, while the influence of anti-American sentiment, and the EU, has grown. We examine the cause of this decline in politics, the economy, and foreign policy.
Telecommunication / The IP revolution will eliminate telephone lines
In the 130 years since Graham Bell’s invention, “one telephone call, one circuit” has been the accepted norm, but now a huge paradigm shift has occurred. It is only a matter of time before IP telephony, transmitting and receiving voice data via a network, becomes a global standard.
Popular series:
- Speak business English and improve your English mail composition skills immediately!
- A foreigner in Tokyo violates a taboo! The scathing column, “Tokyo Eye!”
Well, although they may all hate us, it’s gratifying they still want to be able to talk to us. Fascinating.
Update: Even more!
http://www.nwj.ne.jp/public/toppage/20050202/twcontents.html
America
The ideals of the second term and the world’s reality.
Though expansion of freedom is the goal, the reality does not follow.
Foreign Affairs
Where is Rice’s diplomacy taking us? Her true intentions not seen.
As expected, the next Secretary of State is a neocon?
Viewpoint
When America’s dreams fall into ruin.
With America in decline, to call it a “great country” is an illusion.
Iraq
Free elections without freedom.
To bring about elections, U.S. military forces tighten their stranglehold.
Update: From the page where you can order back copies:
http://www.fujisan.co.jp/Product/5766/b/53550/
URGENT/EMERGENCY REPORT!
The Bush inauguration is the death anniversary of the “ideal of freedom.”
Oh yes, here it comes! I’m now reading on various forums that “Newsweek doesn’t even have a Japanese edition,” and the image of the Japanese cover is completely made-up.
Here’s a link to the made-up cover image on the actual web site of the Japanese edition Newsweek doesn’t publish. PUHLEEZE.
Dec 27

Yokohama Kaidashi Kikou
Quiet, atmospheric, philosophical story of Earth’s twilight days, and the humans and robots that remain. The end will come, not with a bang or a whimper, but with solemn, graceful dancing, as the lights of the abandoned cities flicker under the surface of the rising ocean.
How do you write a series about the End of the World that is cheery, rich with images of heart-rending beauty, and bright with hope? I can’t explain it. Just enjoy.

Midori no Hibi
Midori had this crush on local tough-guy-with-a-heart-of-gold Seiji, you see, but didn’t have the courage to confess to him. So one day they both wake up to discover that she’s been chibified and magically attached to his right arm.
Awkward but heartwarming hilarity ensues. Nuttiest premise EVER, but I love it.

Evangelion Girlfriend of Steel
Set in the cheery “alternate universe” that Shinji briefly visited before the Omedetou Hammer fell on episodes 25 and 26, this version of the Evangelion story (alternately nicknamed “Eva Lite,” or “Love Eva”) tends to exchange a bit of angst for school hijinx in later chapters, but I still enjoy it.

Azumanga Daioh
Chiyo ownz j00. Azumanga is wacky, charming, and has a huge, rabidly devoted fanbase.

Gunslinger Girl
This manga (and the well-done corresponding anime currently airing) has Bad End written all over it, but it’s still good. Chise meets Kirika as orphaned girls are turned into lethal android assassins, amid political intrigue, girltalk, and oodles of pretty explosions and gunfire.

Ah, My Goddess
An oldie but a goodie. Watch the character design slowly evolve from eyebrow Belldandy to Soccer Mom Belldandy, as the cast of characters expands.
As an added bonus, this is one of the rare “harem” stories where the male romantic lead is neither a lech, a wimp, nor an idiot.
“Switch… ON!”

Lilim’s Kiss
She’s a cute demon who lives off human energy obtained by kissing, and after draining the batteries of an entire class, one guy in particular decides to give his classmates a break by becoming her sole source of energy. It’s a tough job but someone’s gotta do it, right?
I like Lilim’s personality, the art is really clean and well-done, and they manage to make the story way more interesting than that description might lead you to expect.

Kitty Kitty Fancia
My guilty pleasure… a sweet-enough-to-make-your-teeth-rot tale of a cute kitty girl, the human boy she adores, and all her cute little animal friends. Did I mention it was cute? I’m helpless before the power of cute.
Ph34r the 7,000 gigaDonbos of industrial-strength cuteness. Diabetics need not apply.