Crazy Commandments
A comedy 3000 years in the making...
I cannot claim credit for this brilliant clip. This trailer has been around for a while on YouTube, but I edited this version slightly for content. We're a family-friendly blog, see.
From a UK think-tank, regarding climate change in the next thirty years:
"The drop in temperature might exceed that of the miniature ice age of the 17th and 18th centuries."
An ice age? Woolly mammoths and crazed, razor-tooth coelacanths with heat vision? That's what wiped out humanity in the 17th and 18th centuries! We can't survive yet another of Mother Nature's fierce attempts to kill her babies.
Do you remember what happened during the 17th and 18th centuries, during the last miniature ice age? Here's just a sampling of the horrors we might face:
The Franco-Dutch war breaks out over who gets to stand closest to the heater
The Salem witch trials, triggered by icy cold weather and resulting cabin fever
Isaac Newton is pummeled by vicious (frozen) apples as gravity kicks in
The Lisbon Earthquake of 1755 -- so cold!
The American Revolution marks the end of the mighty Ice Age
Clearly, another ice age will disrupt all of humanity. The scarred survivors, if there are any, will be unable to rebuild and civilization will be forever lost. Science has spoken.
The dilemma: I needed to log in to Omniture's SiteCatalyst as somebody else. For just a moment, just to verify something. I've got an admin account so I could look up the username. But I couldn't look up the password.
The easy answer: In real life, I just called the client and asked him to send me his password. But while I was walking around waiting for my computer to reboot, I wondered what I could have done if for some reason I couldn't have just asked the client to send me his password. Like if I were... a hacker!
The fun answer: I could have reset the password, which would have gotten me in, but then the client would know the next time he tried to log in and his old password didn't work. I needed to actually find out what the current password was.
1. Find the original email -- back when the account was set up, somebody in my company must have created the login and sent the information to the client. They may have just done it over the phone, but more likely it was emailed. I figured out how to hack everybody's email accounts on the Exchange server long ago. Simple enough to go search everybody's old 'sent' mail for anything with the user name in it.
2. Call the client -- without directly asking for the password, tell him we're rebuilding all the accounts and he needs to tell me his old password if he wants to keep it the same.
3. Call the client (sneakier) -- I suppose if I needed to, I could reset the password and log in, then call and tell him the password database was corrupted so they've all been reset to "password01." Insisting, of course, that he not tell me his old password for security reasons, I tell him he should go in and change it back to his old password. That doesn't get me the old password, but it covers my access to it.
4. Monitor the client's network -- visit their building and inject myself into his upstream so I can monitor all the traffic. Hm. Major drawback: the login page is SSL encrypted. Probably renders this approach infeasible.
5. Monitor the client's machine -- as long as I'm visiting their building, I could install a physical or software keylogger. I could pretend to be a janitor, except the janitors themselves would probably not be cool with that. But if I dressed in a shirt and tie and showed up just as they did, I could probably get in the building and pretend to work for that company. While the office door is open (if they're like most janitors, they open all the doors first then start working) install the thing. If there's no tight security on the computer, a software keylogger would be better so I didn't have to come back and get it. Otherwise, a physical plug would work and I'd just have to come back a few days later.
6. Check the client's machine -- Of course, let's not forget the easy things. If I'm in there with the client's machine and I've got a minute, I should check his email archive. It's probably still stored in there from when it was set up. And he may have written it on a piece of paper or something that would also have lots of other interesting passwords.
7. Monitor Omniture's network -- Again, the SSL on the login form probably precludes me from doing this. But I could hook into Omniture's side of the network by renting office space in the same building they use. Request my computer be co-located in the central area where their servers are also. Then just plug in one time while I'm down there working on it.
8. Spoof the client's network -- This would address the SSL problem. If I can get access to the client's computer, I can set his browser to use a proxy server. A proxy server that I have specially set up to pass everything through normally, unless he goes to the secure Omniture sign-in page. When he does that, my proxy server actually sends an insecure version of the page that looks the same. When he logs in, I grab the clear password, then transmit it along and continue the session normally. He would never notice. When was the last time you checked your proxy settings to make sure nothing had been changed? And I could change it in the browser, in the hosts file, or at the DNS, depending on what kind of security his computer has.
I think those are the most realistic options. Number seven is the biggest stretch. I really like number eight! And there's a lot more you could do with that.
I want a big, white van with no windows. I'll paint BLISP on the side, "Binary Logistics ISP: portable business and personal networking solutions." There's a truck that would look okay anywhere you go with it. No matter how many antennas and weird stuff it had. Fill it with a couple computers and my boxes of spare, magical parts.
I'm gonna' write a book about that. An Internet marketer turned network penetration tester who accidentally uncovers a terrorist plot and has to singlehandedly save the President. Woot!
I have to record this for posterity, from a brilliant thread at xkcd.com:
Robotkin: “Well, I guess such is the burden I bear being raised on at least semi-proper use of the English language.”
A language which lacks the following:
A suitable and disambiguated second person plural pronoun.
A contraction for the first person linking verb in the negative (“I am not”) to accompany similar contractions for the second and third person (“You aren’t”, “He isn’t”)
Given the gaping flaws in coverage in your “semi-proper” English, I tend to prefer the version of the language that includes “y’all” and “ain’t”.
Which must be followed up with this insight:
"English doesn't borrow from other languages - English follows other languages down dark alleys, knocks them over and goes through their pockets for loose grammar." -Unknown
What prompted all of this was a modern translation of George Washington's farewell speech. Fun reading. Now I have to go read the original.
This page contains all entries posted to Tom Dalton :: Doer of Good in April 2007. They are listed from oldest to newest.