Tech stuff

For the second time in a week, I’ve heard of a websites user database being leaked. In the first case it was from a site I’ve never used. The second though was a site I signed up to a few months back.
One of the biggest problems with this leaked database is that the hashing function used isn’t that strong when the hacker has rainbow tables to use to crack the database.
The first side effect of this for me was to go and change some of my passwords as a precautionary measure. The second side effect, and the more annoying one, is that I used a private email address for this particular account instead of using one of my “junk” gmail addresses. So now my private email address is in the hands of every hacker who is trying to crack that database. And already we are receiving “spam” to those addresses in that database. Most of it so far is users ether letting you know the Mt Gox database has been hacked, or users/owners of other Bitcoin exchanges sending you “advertising” so you’ll come start using their exchange. I’ve email gotten an email advertising online storage from a company that accepts Bitcoins as payments. And they haven’t bothered to try and keep the email addresses slightly private, 1500 other people also have my address, and I have theirs, as no Bcc was used. (Of course, spam filtering will quickly filter that particular email out).
Interested to see how bad the compromise was, and if it’ll affect me, I’ve also downloaded the user database now. A quick look shows that my password is hashed with the less secure method and a quick bit of code later I can confirm the password I used to make that hash. Luckily for me, I use pwdhash to generate a unique password for each site I use. This means that an attacker who has cracked my hashed password in the Mt Gox password, still only has a password that can be used for one site, Mt Gox. If they had enough time and power, then maybe they could work backwards and eventually find the password I used to generate my pwdhash passwords, but by the time they did this, I’d have changed all those passwords anyway.
Having only been using pwdhashing for a little while now, it was good to discover that it has already protected me from an attack. A number of user who had simple passwords that have been cracked already, have also had other accounts attacked as they used the same password in multiple places.

An interesting side note is how much the Mt Gox Bitcoin exchange has grown in a very short space of time. A discussion taking place in a forum noted that your position in the database is related to when you signed up. Working from knowing when you signed up shows how many people signed up after you. It seems to have had exponential growth in the last few weeks, which is good for Bitcoin in general, but bad once you realise how this will look to all those new users. Looking at my position in the database, I can see I was a very early adopter.

After finally getting my IPv6 working nicely, it was time to prevent Transmission from using IPv6 as  I don’t want lots of torrent traffic going through the tunnel when it’s faster through IPv4 (until a time I can get Native IPv6). Apparently this is an “invalid” feature request according to some of the developers. (http://trac.transmissionbt.com/ticket/4197)

Had the developer actually stopped to consider it, maybe read some relevant parts of the source code, they would have quickly discovered that you can already disable it! They could document it as a feature without having to touch a line of code, and mark the feature request as completed!

It’s a rather simple fix. There are checks for the IPv6 address not being a link local address, or a 6to4, or Teredo tunnel[1]. So we just make Transmission bind to a link local address and hey presto, no IPv6 for Transmission!

Simply add the following line to the settings.json file.

"bind-address-ipv6": "fe80::"

[1] You’d think given that they already prevent Teredo tunnels from being used, that the feature request would actually make sense for those wishing to disable IPv6 due to TUNNEL’s!

Microsoft’s student “Its not stealing” campaign is supposed to make it easy for students to afford Microsoft products so they don’t need to pirate them (and steal them). That’s fine as long as it works and Microsoft don’t steal from us!

Twice I’ve now attempted to place an order with the online system, twice the order has been denied however the pre-authorisation on my credit card means I’m now $300 “out of pocket” until the transactions are reversed in the next 5 business days. I’ve called my bank (before trying to place the order the second time) to ensure that there wasn’t a problem with my account or the credit card. No problem from the banks end, it should have gone through.

Fittingly the email I got from them after complaining comes from “The Ultimate Steal AU”. We’ll it sure is the ultimate steal, lets take your money and give you nothing. And yes, I know I get the money back, but it’s my time and effort I’m wasting, and if I needed that money to pay a bill, it’s not there. Experiences like this sure make me want to buy from Micro$oft!! Oh, and if I was rich and had lots of money in my account, each time I hit submit to attempt again (like the text suggests) would be another $150 pre-authorisation without success. Not a great payment system if you ask me, no safety limits to prevent you from trying again and again. You could easily have a few thousand dollars in pre-auth as you keep checking the details, sure they are correct, you hit submit.

Hopefully they can fix it faster than the amount of time I spent on hold just to be told they can’t do anything!