‘Security by obscurity’ is not an effective security approach

This is a true story. I just came across a website, which I will not name (yes, I have emailed them to let them know of their issue), that provides a number of tutorials for download for a fee. They also offer some free samples, excerpts from the main materials, that anyone can download.

I found the website from a Google search, and one of the search results was a pdf from their site on the topic I was looking for. Once I started browsing the tutorial contents, however, I noticed that the file I’d found via my Google search appeared to cover far more pages of one chapter than any of the listed sample downloads should have: it was a complete chapter.

Thinking this was odd, I noticed that each sample download pdf listed in the tutorial’s table of contents had a range of pages in the file name, for example chapter1_1-2.pdf, but the file I had come across was chapter2_10-20.pdf.

Out of curiosity, it didn’t take much guesswork to change the URL to point to chapter1_1-9.pdf, and I had downloaded another whole chapter of material that should only have been accessible as paid content. Looking at the file names for the other chapter samples, it was easy to guess the file names for all the other chapters too.

This wasn’t an isolated case. This particular website has a number of tutorials online following the same pattern. Given the example filenames from the free samples, it’s possible to guess all the full download files for all of their tutorials.

What the website owners and/or developers of their site had done was rely on ‘security through obscurity’ – the direct links to the paid materials were not listed on the website, but there was no security to prevent anyone from downloading the paid materials for free, whether or not they had paid for access. They had in effect hidden the paid materials in plain view.

The second mistake was to use an obvious pattern in the file names, so that it was easy to guess the file names for the paid content. The table of contents, which included links to a small number of sample pages, made this easier, because it showed that the chapter files were numbered sequentially, and since there was a sample download of the first couple of pages of each chapter, it was easy to deduce the file names for all the other pages of the paid content.

If there had been an authentication mechanism in place requiring paying customers to log on to the site before they could download content, then the sequential nature of the file names wouldn’t have been as much of an issue. The fact that there was no other security on the site, however, meant that the table of contents with its sample links pretty much gave away the names of all the paid content.

‘Security by obscurity’ is a very ineffective security mechanism. You can assume ‘no-one will be able to find these files, right?’, but that’s a pretty bad assumption. If you think there’s a chance that no-one will find the files, it also means there’s a chance that someone will find the files. If your business is to make money from selling access to these paid materials, then this is a risk you cannot afford to take.
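The fix the post is arguing for is an entitlement check on every download, not a less guessable file name. As an added example (not the site’s code), the handler below serves only files listed in an explicit catalogue, hands out free samples to anyone, and releases a paid chapter only to a logged-in user who has bought that tutorial. The catalogue, session table and purchase records are constructed; the chapter file names reuse the ones from the post, and the /srv/content paths are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                  # short code worth logging: sample, entitled, login_required, ...
    path: Optional[str] = None   # server-side file to stream, set only when allowed


# Constructed catalogue (hypothetical): the handler serves only files listed
# here, keyed by their public name. A name that is not a key does not exist
# as far as the handler is concerned, so there is no directory to walk and
# nothing to gain from guessing the next name in the sequence.
CATALOGUE = {
    "chapter1_1-2.pdf":   {"tutorial": "tutorial-A", "paid": False,
                           "path": "/srv/content/tutorial-A/chapter1_1-2.pdf"},
    "chapter1_1-9.pdf":   {"tutorial": "tutorial-A", "paid": True,
                           "path": "/srv/content/tutorial-A/chapter1_1-9.pdf"},
    "chapter2_10-11.pdf": {"tutorial": "tutorial-A", "paid": False,
                           "path": "/srv/content/tutorial-A/chapter2_10-11.pdf"},
    "chapter2_10-20.pdf": {"tutorial": "tutorial-A", "paid": True,
                           "path": "/srv/content/tutorial-A/chapter2_10-20.pdf"},
}

# Constructed session and purchase stores (hypothetical). On a real site these
# would be the login session table and the order history.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
PURCHASES = {"alice": {"tutorial-A"}, "bob": set()}


def authorize_download(filename, session_id=None, catalogue=CATALOGUE,
                       sessions=SESSIONS, purchases=PURCHASES):
    """Decide whether this request may receive this file.

    Free samples are open to everyone; paid chapters require a valid login
    session AND a purchase of the tutorial the chapter belongs to. The
    requested name is never used to build a filesystem path.
    """
    entry = catalogue.get(filename)          # exact-key lookup, no path building
    if entry is None:
        # Unknown name: covers typos, "../..." traversal attempts and any
        # guessed-but-unpublished chapter. Same answer for all of them.
        return Decision(False, "not_found")
    if not entry["paid"]:
        return Decision(True, "sample", entry["path"])
    user = sessions.get(session_id) if session_id else None
    if user is None:
        return Decision(False, "login_required")
    if entry["tutorial"] not in purchases.get(user, set()):
        return Decision(False, "not_purchased")
    return Decision(True, "entitled", entry["path"])


if __name__ == "__main__":
    # A few constructed requests, including the one in the post: an anonymous
    # visitor asking for the full chapter 1 file.
    for name, sess in [("chapter1_1-2.pdf", None), ("chapter1_1-9.pdf", None),
                       ("chapter1_1-9.pdf", "sess-bob"), ("chapter1_1-9.pdf", "sess-alice"),
                       ("../chapter1_1-9.pdf", "sess-alice")]:
        d = authorize_download(name, sess)
        print(f"{name:22} session={sess!s:11} -> {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The `reason` code is there to be logged: a burst of `login_required` or `not_found` denials against paid chapter names from one client is exactly the probing the post describes, and with this gate in place it shows up in the logs instead of in lost sales. Renaming the files to random strings without the check would only delay the same outcome.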

Iomega ix2-200: High disk activity and low throughput from clients

My ix2-200 box has been doing a lot of disk thrashing for a while each time I turn it on. I thought for a while that this was just some disk indexing going on, but more recently it seemed to happen every time I powered it on.

SSH’ing into the box and taking a look in some log files I found these messages repeating every couple of minutes, in the /var/log/soho.log file:

2012/12/31 12:48:02.764433: executord[892.40d6e2a0]: (1324) WARNING: Restarting 'mt-daapd' due to excess memory usage (198598656 used, 67108864 allowed)
2012/12/31 12:48:02.962593: executord[892.40d6e2a0]: (1245) DIAGNOSTIC: restarting process 'mt-daapd'.
2012/12/31 12:48:58.426400: executord[892.40d6e2a0]: (1528) DIAGNOSTIC: Started mt-daapd[14707]
2012/12/31 12:48:58.538179: executord[892.40d6e2a0]: (1371) DIAGNOSTIC: Signal received with no commands

Searching for mt-daapd, I found this post that described similar behavior. I followed the steps to edit the daap.conf file (mine was in a different location: /mnt/soho_storage/media) and removed all the file types from the extensions setting except .mp3, .m4a and .m4p.

That seems to have done it. Since the service restarted, it hasn’t turned up in the log file again for the hour or so that I’ve been watching. This makes sense if the indexer has issues with large files, since I primarily use this box to keep copies of our home movies, all of which are in .mp4 format, and most of the files are large, ~1 GB each.

The good news is that it also seems to have given back some performance – file transfers are now pretty snappy, whereas before they seemed to drag unnecessarily slowly.
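Spotting this from the log rather than by ear is easy to script. The block below is an added example (not Iomega firmware code): it parses the soho.log entry format quoted above, pulls out the executord “excess memory usage” restart warnings, counts them per process, and reports how far over its limit each one got; it also shows the daap.conf change from the post applied to the extensions line. The first four log lines are the ones from the post; the later lines and the config fragment are constructed, and the `extensions` key is the only setting taken from the post.

```python
import re

# Format of one soho.log entry, as in the lines quoted in the post:
#   <timestamp>: <daemon>[<ctx>]: (<code>) <LEVEL>: <message>
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<daemon>\w+)\[(?P<ctx>[^\]]+)\]: "
    r"\((?P<code>\d+)\) (?P<level>\w+): (?P<msg>.*)$"
)
# The executord warning that precedes each restart, with both byte counts.
MEM_RE = re.compile(
    r"Restarting '(?P<proc>[^']+)' due to excess memory usage "
    r"\((?P<used>\d+) used, (?P<allowed>\d+) allowed\)"
)

# The first four lines are the ones quoted in the post; the rest are
# constructed to mimic the warning repeating every couple of minutes.
SAMPLE_LOG = """\
2012/12/31 12:48:02.764433: executord[892.40d6e2a0]: (1324) WARNING: Restarting 'mt-daapd' due to excess memory usage (198598656 used, 67108864 allowed)
2012/12/31 12:48:02.962593: executord[892.40d6e2a0]: (1245) DIAGNOSTIC: restarting process 'mt-daapd'.
2012/12/31 12:48:58.426400: executord[892.40d6e2a0]: (1528) DIAGNOSTIC: Started mt-daapd[14707]
2012/12/31 12:48:58.538179: executord[892.40d6e2a0]: (1371) DIAGNOSTIC: Signal received with no commands
2012/12/31 12:50:31.101122: executord[892.40d6e2a0]: (1324) WARNING: Restarting 'mt-daapd' due to excess memory usage (201326592 used, 67108864 allowed)
2012/12/31 12:50:31.300000: executord[892.40d6e2a0]: (1245) DIAGNOSTIC: restarting process 'mt-daapd'.
2012/12/31 12:52:44.555555: executord[892.40d6e2a0]: (1324) WARNING: Restarting 'mt-daapd' due to excess memory usage (199999999 used, 67108864 allowed)
"""

# Constructed mt-daapd config fragment: hypothetical values except the
# 'extensions' key, which is the setting the post edits.
SAMPLE_CONF = """\
[general]
web_root = /usr/share/mt-daapd/admin-root
port = 3689
mp3_dir = /mnt/soho_storage/media
extensions = .mp3,.m4a,.m4p,.ogg,.flac,.wav,.mp4,.m4v,.mov,.avi
"""


def parse_entry(line):
    """Split one log line into its fields, or return None if it is not one."""
    m = ENTRY_RE.match(line)
    return m.groupdict() if m else None


def memory_restarts(lines):
    """Yield one event per 'excess memory usage' restart warning."""
    for line in lines:
        entry = parse_entry(line)
        if not entry or entry["level"] != "WARNING":
            continue
        m = MEM_RE.match(entry["msg"])
        if m:
            used, allowed = int(m["used"]), int(m["allowed"])
            yield {"ts": entry["ts"], "proc": m["proc"], "used": used,
                   "allowed": allowed, "ratio": used / allowed}


def summarize(lines):
    """Per process: how often it was restarted and how far over its limit it got."""
    summary = {}
    for ev in memory_restarts(lines):
        s = summary.setdefault(ev["proc"], {"restarts": 0, "max_used": 0,
                                            "allowed": ev["allowed"], "worst_ratio": 0.0})
        s["restarts"] += 1
        s["max_used"] = max(s["max_used"], ev["used"])
        s["worst_ratio"] = max(s["worst_ratio"], ev["ratio"])
    return summary


def thrashing_processes(lines, min_restarts=2):
    """Processes restarted at least min_restarts times: the disk-thrashing suspects."""
    return sorted(p for p, s in summarize(lines).items() if s["restarts"] >= min_restarts)


def restrict_extensions(conf_text, keep=(".mp3", ".m4a", ".m4p")):
    """Rewrite the 'extensions' line so the indexer only looks at the kept types."""
    return re.sub(r"(?m)^(\s*extensions\s*=\s*).*$",
                  lambda m: m.group(1) + ",".join(keep), conf_text)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for proc, s in summarize(lines).items():
        print(f"{proc}: {s['restarts']} restarts, peak {s['max_used']} bytes "
              f"vs {s['allowed']} allowed ({s['worst_ratio']:.2f}x)")
    print("suspects:", thrashing_processes(lines))
    print(restrict_extensions(SAMPLE_CONF))
```

Run against a real /var/log/soho.log (for example `summarize(open("/var/log/soho.log").read().splitlines())`), a process that keeps appearing with a ratio around 3x its allowed memory is the one worth looking at; keeping the restart count in the summary is what separates a one-off kill from the constant churn the post describes.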

Installing XBMC media center on a HP Mini netbook

I’ve been setting up XBMC media center on an old HP Mini netbook as an experiment, to listen to streaming radio through my home theatre setup. I started with the XBMCbuntu iso since it was the easiest to set up, but the Ubuntu side of this distro was too slimmed down for my liking. It didn’t come with drivers for the wifi card out of the box, so while I was planning to connect via ethernet close to my home theatre setup, I still wanted to pick up the netbook and use wifi while setting it up.

So for my next attempt I went for a full Ubuntu 12.10 desktop install (wifi drivers included), and then followed the manual steps to install XBMC.

My main interest in XBMC is the Radio add-on, which has a menu of selectable streaming radio stations. My next interest is being able to control the radio selection remotely, either via a web interface or via an Android app. None of the web interfaces, including the default one, seem to let you browse the Radio add-on. I’ve found one Android XBMC remote that does, so this one does what I need:

https://play.google.com/store/apps/details?id=ch.berard.xbmcremotebeta

My next interest is running Spotify on the netbook and also controlling it remotely. There are two choices here:

  • Use a Spotify add-on for XBMC, like Spotimc
  • Or install the Spotify for Linux client, and then use one of the many Spotify remote apps to control it directly

Given that I haven’t had much luck with XBMC remotes controlling XBMC add-ons, I’m going to try a separate Spotify install and then try out one of the remote apps, like this one: Spotcommander. I’ll post an update once I’ve got these installed and configured.