Internet

Geoguessr sometimes drops you in sites of historical significance, which I'll always take time to wander around. I've gotten Tulum, but also some smaller but no less impressive sites in the middle of the Yucatan. Anyway, this one's from India:

Kumbhalgarh Fort

Sometimes I find nifty things in Geoguessr, so sometimes I'll post them.

Tonight I came upon Do-Mi-Ski in Dolbeau-Mistassini, Québec. It reminds me of Abenaki in Wolfeboro, with its one rope tow with $5 night skiing when I was a kid.

This is both a nice toy to have in a Big Brother Is Watching sense, and a glaring example of why one should never log in and use a Mac (or any other system obviously) as an Administrator. Just have a Regular Guy account, and escalate to Administrator/Root when needed. For example, this tool could be inserted by a script to cause all your browsing traffic to route through a proxy server of an attackers choosing. If you're not running as an Administrator, you can't write the file without escalating. (Example of the risk, though it wouldn't help here, since there is LCE to root...goddammit Apple...)

I had a use case recently where I wanted to have multiple copies of Chromium start in different profiles and with different proxy settings. I'm getting to the point at which I don't think that's really feasible, in that any new instance will assume the proxy settings of any already running instance.

BUT, I did get some cool location aware-ish proxying set up. Since one use case involves laptops, I'd like to see it use a local proxy when I'm home, and a remote proxy when I'm not at home (hosted VPS for instance).

I'm using ssh to set up a SOCKS5 proxy, and push all traffic including DNS through the tunnel, ssh'ing to different hosts based on different local system IPs. I have it checking en0 and en1 and if their IPs match my home subnet, it ssh's to a local system, if they are anything else, it will run against a publicly hosted system to which I can ssh.

Next step is to clean up after itself, so when you run Chromium (or Chrome), it will detect IPs, ssh to the appropriate host, and connect using that tunnel. When Chromium closes, it cleans up the SSH session so it's not just hanging around.

To use - Have a local and remote host you can ssh to using keys, and which allow you to forward. On the Mac, navigate to /Applications/Chromium.app/Contents/MacOS/. Rename Chromium to Chromium-bin. Drop this script in, chmod appropriately, and name it Chromium. Now when the Chromium app is run, it runs our script to set up proxies and launch the browser:


#! /bin/bash

ip0=`ifconfig en0 | grep -v inet6 | grep inet | awk '{print $2}' | awk -F "." '{print $1"."$2"."$3}'`
ip1=`ifconfig en1 | grep -v inet6 | grep inet | awk '{print $2}' | awk -F "." '{print $1"."$2"."$3}'`

if [ -z "$ip0"  ]
  then
   if [ "$ip1" = "192.168.30" ]
     then
       ssh -C2qTnN -D 8181 username@192.168.30.241 &

       proxypid=`jobs -p`
       /Applications/Chromium.app/Contents/MacOS/Chromium-bin --proxy-server="socks5://127.0.0.1:8181" --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1" --profile-directory=Tunnl 2>&1 /dev/null

       kill $proxypid

      else

        ssh -C2qTnN -D 8181 username@publichost.com &

        proxypid=`jobs -p`
        /Applications/Chromium.app/Contents/MacOS/Chromium-bin --proxy-server="socks5://127.0.0.1:8181" --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1" --profile-directory=Tunnl 2>&1 /dev/null

        kill $proxypid

      fi

  elif [ "$ip0" = "192.168.30" ]
    then
      ssh -C2qTnN -D 8181 username@192.168.30.241 &

      proxypid=`jobs -p`
      /Applications/Chromium.app/Contents/MacOS/Chromium-bin --proxy-server="socks5://127.0.0.1:8181" --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1" --profile-directory=Tunnl 2>&1 /dev/null

      kill $proxypid

  else

      ssh -C2qTnN -D 8181 username@publichost.com &

      proxypid=`jobs -p`
      /Applications/Chromium.app/Contents/MacOS/Chromium-bin --proxy-server="socks5://127.0.0.1:8181" --host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1" --profile-directory=Tunnl 2>&1 /dev/null

      kill $proxypid

fi

This week David Lowery grumpled many of the Interbutts as he published a list of 50 "undesirable" (read: "un-licensed") music lyrics sites to target for legal action by the National Music Publishers Association (NMPA). With some major exceptions (RapGenius!), many of these sites do, in fact, suck. They're undesirable from an Internet user standpoint as well what with pop-unders and malware.

The fact is, they are worried about lost revenue from the licensing fees these guys should be paying, and the fact that lyrics sites have tons of ads, and that it follows that their owners are sitting on massive piles of cash in the Caymans. So let's go sue 'em all and get that Scrooge McDuck money silo each of them has to have. Here's a better idea, why doesn't the industry run its own goddamn lyrics sites? Well hell, I bet since we live in The Future and all, you could even track how many times someone searches for a song and give Dave Lowry his quarter of a cent per 100 impressions for Euro-Trash Girl lyrics.

The claim that it's "ripping us off as artists" is unconvincing though. If someone's reading the lyrics, you must assume they're listening or have just listened to that song, which they either own or they don't (Keep going after those pirates, I can at least see the point kind of, best of luck). Very very few songs have lyrics that merit reading on their own without music surrounding them. No one is reading the lyrics to Dr. Heckyll & Mr. Jive who isn't also listening to that song right now.

The Musician as modern Shelley is in all but the most exceptional cases disingenuous at best (Fun fact: Search for Percy Shelley on Google, and the #3 hit after Wikipedia and Poets.org is poemhunter.com, one of the NMPA's targeted sites of IP thieves). Off the top of my head, I can think of four musicians whose lyrics I could just sit and read, and even that is only a handful of songs per artist. Also off the top of my head, I can think of zero musicians whose lyrics I have just sat and read as art for its own sake.

It certainly didn't take Tennyson to write Take The Skinheads Bowling.

"Industry Sues Morons, film at eleven". Fine. "Fragile snowflake genius loses livelihood when someone can search for their lyrics for /free(!)/". Well you lost me there pal.

I'm no longer forwarding cookie thieves to Natalie's site. I had been fussing around trying to make IPTables block all the botnet machines, and when that didn't work, I was just using deny rules in Apache, which sucked, because my include file of blocked hosts was 100,000 or so. That's in addition to the default "Block all of China, India, Eastern Europe" rules I apply. It also sucked because I'm still serving pages and so there were tons of ESTABLISHED, FIN_WAIT1/2, etc. connections, most of which were holding open Apache processes, which was crushing my machine.

The reason IPTables wasn't working turned out to be because of the VPS solution used by 1and1. There is a hard limit of 400 rules on the host, and I can't work around that, so I can't use IPTables with huge blacklists, at least, not that I've figured out.

What I'm doing now though is to use the LimitExcept directive to only allow GET requests in the virtual host which does the rewrites for nataliecurtiss.com. So now those fuckers are all just getting 403's or, in some cases, 500's (don't know why that is).

So yeah that was fun. A case has been opened with SquareSpace, since this attack traffic was all really directed at them. And the only logical thing I can think of is that the attackers are trying to guess session cookies of site admins who aren't explicitly logged out of their site admin tools. This would let the attackers exploit any XSS inherent in code generated by SquareSpace, or use the targeted site to infect more end user machines for this botnet.

Still, it's an awful lot of trouble to go to just to get your hands on Natalie's what, 12 legitimate users per month?

Now I just have a zillion connections in TIME_WAIT, but at least my site seems quick, all my services seem to be working at full speed ahead, and I'm going to stop thinking about this shit for a while. I'm not going to bother figuring out why I can't set tcp_tw_reuse to clean up all those TIME_WAITs.

Update:
The 500's are because I didn't set an auth-type for the user to be able to POST. Well, fuck 'em, they get 500's, since I never want anyone to ever do anything but GET, everything else can DIAF.