Sudo and Su Considered Harmful, Sudo/Su Bruteforce Utility


Aug 10, 2010

Sudo and Su Bruteforce 0.1 [sig]

INTRODUCTION

Two years ago I noticed that su and sudo share a fatal flaw: administrator passwords. Administrator passwords sit at the core of our security. OpenSSH is commonly configured not to allow root to log in (PermitRootLogin no) because, on rare occasion, administrator passwords can be bruteforced. Nearly all Linux and BSD systems recognize this; some system administrators still don't, due to business constraints. An account with a weak password can be bruteforced once an attacker knows its username, and the common convention of first initial plus last name, or a handle, as the username hands an attacker a good list of users to try. How many administrators use the username jsmith? How many use the username admin? Sudo authenticates a user with that same account password, and su with the root password, so whoever guesses either one is root. Su and sudo may be considered harmful if we accept that usernames can be learned and that passwords can be bruteforced.

If we remove the password component, sudo and su resemble the Windows Vista and Windows 7 administrator access model: give a user administrator access when they ask for it, provided the original owner of the system designated that user an administrator. This seems obvious, even tautological, but we have not yet introduced an attacker who has two different methods of attack.
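The practical question behind the argument above is: on a given box, whose password is effectively the root password? The following audit script is an added example written for this page, not the bruteforce utility linked above. It parses a constructed sudoers excerpt to list the principals that can run any command as root and which secret unlocks that (their own password, the shared root password when Defaults targetpw/rootpw is set, or none at all under NOPASSWD), and reads the effective PermitRootLogin value from a constructed sshd_config. User_Alias, Cmnd_Alias and #include directives are assumed absent and are not expanded.

```python
"""Audit which accounts' own passwords are effectively root passwords.

Added example. Assumes the sudoers subset below (user/%group rules, NOPASSWD
tag, Defaults targetpw/rootpw/runaspw); alias and #include lines are not
expanded. All sample inputs are constructed for this example.
"""
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+"            # user, %group or +netgroup
    r"(?P<hosts>\S+?)\s*=\s*"      # host list, then '='
    r"(?:\((?P<runas>[^)]*)\))?"   # optional (runas_user[:runas_group])
    r"\s*(?P<rest>.+)$"            # [TAG: ...] command list
)

def _root_equivalent(runas, cmds):
    """True if the rule lets 'who' run any command as root.
    A missing runas list defaults to root; 'ALL, !/bin/su' style lists are
    deliberately not treated as ALL here."""
    runas_user = (runas or "root").split(":")[0].strip() or "root"
    return runas_user in ("ALL", "root") and cmds.strip() == "ALL"

def parse_sudoers(text):
    """Return (rules, defaults): root-equivalent rules and the Defaults tokens."""
    rules, defaults = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments (and #include)
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.update(t for t in re.split(r"[\s,]+", line)[1:] if t)
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue                                # aliases not expanded (assumption)
        m = RULE_RE.match(line)
        if not m:
            continue
        tags, cmds = [], m.group("rest")
        while True:                                 # peel leading TAG: prefixes
            t = re.match(r"^([A-Z]+):\s*", cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        if _root_equivalent(m.group("runas"), cmds):
            rules.append({"who": m.group("who"),
                          "needs_password": "NOPASSWD" not in tags})
    return rules, defaults

def password_root_surface(sudoers_text):
    """Map each root-equivalent principal to the secret that unlocks root."""
    rules, defaults = parse_sudoers(sudoers_text)
    shared_root_pw = bool(defaults & {"targetpw", "rootpw", "runaspw"})
    surface = {}
    for r in rules:
        if not r["needs_password"]:
            surface[r["who"]] = "none"              # no secret at all
        elif shared_root_pw:
            surface[r["who"]] = "root password"     # su-like: one shared secret
        else:
            surface[r["who"]] = "own password"      # guess this user's password -> root
    return surface

def permit_root_login(sshd_config_text):
    """Return the effective PermitRootLogin value (sshd uses the first one
    it reads), or None if unset; the compiled-in default has varied across
    OpenSSH releases, so an unset value is reported rather than assumed."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("permitrootlogin"):
            return line.split(None, 1)[1].strip().lower()
    return None

# Constructed sample inputs, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
jsmith  ALL=(ALL) ALL            # one guessed password away from root
%admin  ALL=(ALL) NOPASSWD: ALL  # no password at all
backup  ALL=(root) /usr/bin/rsync
"""
SAMPLE_SSHD = "Port 22\nPermitRootLogin no\nPermitRootLogin yes  # ignored: first value wins\n"

if __name__ == "__main__":
    for who, secret in password_root_surface(SAMPLE_SUDOERS).items():
        print(f"{who:10} -> root via {secret}")
    print("PermitRootLogin:", permit_root_login(SAMPLE_SSHD))
```

Run it against /etc/sudoers (via `sudo cat`) and /etc/ssh/sshd_config on a real host and every "own password" entry is a username the post warns about: learn it, guess the password, and you are root.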

Read more »

Sixteen Good Reasons To Love Xor ⊕


July 18, 2010

Xor is a binary operation that is versatile and not easily replaced. It expresses a logical truth that is both effective and seductive. Today I will give sixteen good reasons to love xor. If you are a computer scientist, programmer, or hacker and you don't use xor from time to time, you are doing something wrong.
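A few of the identities a hacker leans on, as an added example for this page rather than the post's own list of sixteen: xor is its own inverse (so one routine both encrypts and decrypts a stream), which is exactly why reusing a key leaks the xor of the two plaintexts; xor accumulated with or gives a comparison that does not stop at the first differing byte; xor folded over a sequence cancels pairs. All sample data is constructed inline.

```python
"""Xor identities in working form. Added example; sample data is constructed."""
from functools import reduce
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Stream-cipher style: data ^ key (key repeated). Its own inverse,
    because (d ^ k) ^ k == d."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Key reuse: c1 ^ c2 == (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The key cancels,
    leaving the attacker the xor of the two plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def ct_equal(a: bytes, b: bytes) -> bool:
    """Compare every byte regardless of where the first mismatch is:
    or together the xor of each pair, then test the accumulator once.
    (The pattern used in C for MAC checks; CPython ints are not themselves
    timing-safe, so the point here is the shape of the loop.)"""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0

def parity(x: int) -> int:
    """Fold xor over the bits: 1 if an odd number of bits are set."""
    return reduce(lambda p, i: p ^ ((x >> i) & 1), range(x.bit_length()), 0)

def xor_swap(a: int, b: int):
    """Swap without a temporary; each step peels one operand off the other."""
    a ^= b
    b ^= a          # b ^ (a ^ b) == a
    a ^= b          # (a ^ b) ^ a == b
    return a, b

def find_single(nums) -> int:
    """Every value appears twice except one; x ^ x == 0 cancels the pairs."""
    return reduce(lambda acc, n: acc ^ n, nums, 0)

if __name__ == "__main__":
    key = b"k3y"                                   # constructed sample key
    ct = xor_bytes(b"attack at dawn", key)
    print(xor_bytes(ct, key))                      # round trip
    print(two_time_pad_leak(xor_bytes(b"hello", b"K"), xor_bytes(b"jelly", b"K")))
    print(ct_equal(b"abc", b"abc"), ct_equal(b"abc", b"abd"))
    print(parity(0b1011), xor_swap(3, 5), find_single([4, 1, 2, 1, 2]))
```

The two_time_pad_leak output is why a stream cipher or one-time pad must never reuse a keystream: the bytes that come back are zero wherever the two messages agree, which is already a strong hint about both.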

Read more »

Hair in 30 minutes or less


July 17, 2010

A long time ago I described a method of creating realistic anime hair with The GIMP. Today I reproduce that method with a small limit: 30 minutes or less. Most people want hair done in less than 30 minutes. Anime or manga artists want it done in seconds. But once you've done this style once, you'll have good reason to put in a few minutes. Shojo comics and ren-ai games use this realistic style on very rare occasion to portray texture, depth, emotion, or something else. The reason I find myself using it instead of my normal style of outlining sharp tufts of hair is for dramatic effect, showing people not a green-haired mahou tsukai (魔法使い) but a living, breathing, shaded person. Even if they are fictional, I like my characters to have some sort of reality, because it improves my ability to tell a story.

Minutes 1-3
Enough with the art, let's get down to the tech. The first thing to do is to draw the shape of the hair with a large or medium-sized brush, as seen below. This should only take you a moment, because you should already know what shape the hair will have. It's important that you draw this on a separate layer and never draw on that layer again, because you'll need it later. Trust me.
(image: hair shape)

Read more »

Digg Diversity


June 10, 2009
Update July 23, 2009

Digg Diversity is a new project by AltSci Concepts. It uses the Digg API to calculate a fairer score for articles on Digg. Why is this algorithm necessary or preferable? Digg has an algorithm that is based entirely on profit, which is acceptable for a company like Digg. The more diggs that occur, the more profit Digg makes, which means that they will accept, even encourage, their users gaming the system. The Digg front page algorithm, which promotes articles to the front page with as few as 100 diggs, means that a small number of people can control the front page of Digg simply by getting 100 like-minded people to digg their articles (and vice versa). The company Digg benefits when corrupt users promote the same content repeatedly, but the overall community is diminished (especially those users who wish to see important, non-repetitive content). This topic is extremely deep and deserves an essay, but definitely not tonight, on the night of the beta release of Digg Diversity. Many digg comments, blogs, and even a mashup that is currently offline have been written about this issue, but I hope to write the solution.

Digg Diversity is an entirely JavaScript mashup that uses the Digg API to retrieve the relevant data from Digg. The first set of results may be rather surprising. You will see a list of results quite similar to the front page of Digg; however, the order is by "divvs", a newly calculated value based on the timing and repetitiveness of the diggers. The raw data can be found at the bottom of the page (there is a link that displays the data).
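The post states only that a divv depends on timing and on how repetitive the digger is; it does not give the formula. The scorer below is an added, hypothetical illustration of that idea, not Digg Diversity's actual algorithm: each digg is worth 1 / (1 + the number of earlier diggs the same digger cast on stories by the same submitter), discounted further when it lands within a short gap of the previous digg on that story, which is what a 100-person voting ring looks like in the data. The story set, field names and the burst thresholds are all constructed assumptions.

```python
"""Hypothetical divv-style scoring. Added example; this is one reading of
"timing and repetitiveness", not the project's formula. Sample data is
constructed inline."""
from collections import defaultdict

BURST_GAP = 60      # seconds; diggs closer together than this look coordinated (assumption)
BURST_WEIGHT = 0.5  # discount applied to such diggs (assumption)

def divv_scores(stories, burst_gap=BURST_GAP, burst_weight=BURST_WEIGHT):
    """Return {story_id: score}.

    stories: {id: {"submitter": str, "posted": ts, "diggs": [(digger, ts), ...]}}
    A digg is worth 1 / (1 + prior diggs by this digger on this submitter's
    stories), times burst_weight if it follows the previous digg on the story
    (or the submission itself) by less than burst_gap seconds.
    Stories are processed in posting order so "prior" is well defined."""
    seen = defaultdict(int)            # (digger, submitter) -> diggs already counted
    scores = {}
    for sid, story in sorted(stories.items(), key=lambda kv: kv[1]["posted"]):
        submitter, prev_ts, total = story["submitter"], story["posted"], 0.0
        for digger, ts in sorted(story["diggs"], key=lambda d: d[1]):
            repetitiveness = 1.0 / (1 + seen[(digger, submitter)])
            seen[(digger, submitter)] += 1
            timing = burst_weight if ts - prev_ts < burst_gap else 1.0
            prev_ts = ts
            total += repetitiveness * timing
        scores[sid] = total
    return scores

def ranked(stories):
    """Story ids by divv score, highest first; ties broken by raw digg count, then id."""
    s = divv_scores(stories)
    return sorted(s, key=lambda sid: (-s[sid], -len(stories[sid]["diggs"]), sid))

# Constructed sample: s1 is a burst from a clique, s2 is organic, s3 is the
# same clique digging the same submitter again.
SAMPLE = {
    "s1": {"submitter": "alice", "posted": 0,
           "diggs": [("u1", 30), ("u2", 40), ("u3", 50), ("u4", 60)]},
    "s2": {"submitter": "bob", "posted": 0,
           "diggs": [("u1", 1000), ("u5", 5000), ("u6", 9000), ("u7", 20000)]},
    "s3": {"submitter": "alice", "posted": 100000,
           "diggs": [("u1", 100100), ("u2", 100200), ("u8", 100300)]},
}

if __name__ == "__main__":
    for sid in ranked(SAMPLE):
        print(sid, len(SAMPLE[sid]["diggs"]), "diggs ->", divv_scores(SAMPLE)[sid], "divvs")
```

With the sample data, s1 and s2 both have four raw diggs, yet s2 scores 4.0 divvs and s1 only 2.0, because every s1 digg arrived inside the burst gap; s3 is pulled down further because u1 and u2 have already dugg alice once.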

Read more »
