Auke Kok
695 followers|257,924 views


Auke Kok

Shared publicly  - 
 
+Alexander Larsson Trying to package flatpak but I noticed Polkit is a hard stop requirement, any chance of making it optional? What is it needed for? Our distro doesn't have Polkit and "we really don't want to go there".
2 comments
 
Ahhh, excellent, we'll focus on per-user apps for now, but the sudo method will work!

Auke Kok

Shared publicly  - 
 
An Actual Attempt to Pwn me.

I just received an actual malicious e-mail that actually attempts to do bad stuff to my computer. I usually delete them quickly (as you should), but this one I'm going to dissect, so you can get an idea what criminals are doing nowadays technology wise.

First, the most important aspect of these e-mails is human gullibility: The email starts with "Notice to appear" and has the following text:

"This is to inform you to appear in the Court on the May 24 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come."

Second: you are tricked into opening an attachment. The attachment is malicious, I will go into this later.

At this point you should have deleted the e-mail already. If you wish to verify that it was bogus, you can easily check that (1) there is no police officer outside your door with a warrant, and (2) nothing else. So just go ahead and delete notices like these. The cops will send you a paper letter, not an e-mail.

Going another step further, we can look at the e-mail headers and see stuff in the headers like this:

From: "State Court" <tim.atkinson@shop.denioj.com>

I don't think the state court uses a .com address, do you? If you do, perhaps you should look at what shop.denioj.com looks like (go ahead and open that in a browser, it's not malicious or bad). Ahhh, it's a Hong Kong rip-off illegal football paraphernalia website. They just got "joe jobbed" and someone is relaying these e-mails illegally through their mail server, that's all.

So no, this isn't in any way legitimate, and they don't even try very hard to conceal it. They're not looking to break into my computer, but they are looking to break into gullible people who are not tech savvy. People who panic, click the attachment.

Alright, so what's in the attachment: "00560291.zip"?

Smart move by these guys: don't directly attach an executable file which surely would set off virus scanners. Ok so there's a zip file, you'd have to open it and extract it which takes you out of gmail potentially or outside of Outlook. It's meant to distract you and make you uncomfortable if you're not computer literate.

Now, most virus scanners actually look inside zip files and will scan the files in there, so a bad executable file in there will also be found. So criminals like these like to come up with alternate ways to "obfuscate" and "avoid" scanning software.

In this case, the zip file contains a file named "00560291.doc.js".

This is a JavaScript file, but since Windows is written from the perspective that users are dumb and should not be educated ...

(presumably to make sure they keep paying 20$ for PowerArchiver2000, and if my condescending tone is taking it too far, please stop reading, or pretend that this is narrated either by Morgan Freeman to soothe your experience, or Joe Pesci if you prefer a more absurdist colorization).

... it hides the extension from the user, so this file shows up for most computer users as "00560291.doc". And of course they want you to double click it, right? Yes?

Obviously it's just evil JavaScript. You'd execute a bad, bad script.

So what's in the script? Let's dig a step deeper:

q89='var';
var y81='.ba';
var n77='alse';
q89+=' id=';
var y68='sp';

A few thousand lines like these. It's called obfuscation, again, it's just probably simple code, but made really hard to read by humans. I'm not sure why, it's probably obfuscated because it's so easy to use obfuscation software, but I doubt these criminals are dumb enough to expose themselves, right?

Let's go and scan through this a bit deeper then:

var e90=eval;

ahh, they're stuffing a bunch of stuff in a variable, and then

e90(q89);

which ends up, thusly, calling `eval` on `q89`. Presumably the bad code is in `q89` and that is then executed. Neat.

Now, I could try to un-obfuscate this all myself, or I can just execute the code and see what it does. But it would be kinda dumb to do this on my own PC. Fortunately, there's plenty of online sandbox tools around that you can use to execute code safely away from your system.

After taking away the eval, and just dumping the output of q89, we get:

http://pastebin.com/A4KsPCaE

(Am I a leet hacker for posting an exploit on pastebin, or what?)

Now, one can read the text there to get a good idea of what is going on, or just read my excellent summary:

If that code runs on your computer, and it has access to your data files (meaning, you executed it in your normal desktop), then it goes and downloads a little executable tool that encrypts all your files and sends the secret key to a bunch of servers on the internet that the attackers presumably control.

The attackers then wait for you to pay the bitcoin fee, and then send you the decryption code so that you can access your files again. The cost is about 230$, which isn't that much actually, apparently they make more money if the price isn't too high for people to pay it, but low enough that most people can get over it.

I'd like to stress the following parts of the exploit:

fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
fp.WriteLine(" - Nobody can help you except us.");
fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc.");
fp.WriteLine(" - Your files can be decrypted only after you make payment.");
fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt).");

This isn't necessarily true, actually, there are fortunately tools already out there that can decrypt these files (it depends on the encryption used, of course) in many variants of this exploit, but in general it's entirely correct - you're likely out of luck attempting to decrypt your stuff yourself.

I hope you enjoyed this deep dive in the terribly shallow web. This exploit isn't brilliant, not by far, it's actually one of the simplest I've seen in a long time.

Make sure you don't fall for them, and educate your friends and coworkers. If you are the person who regularly shares hoaxes and internet scares, you can repent by sharing this with your friends - I won't mind a bit.
9 comments
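The post replaces the eval with a dump of q89 inside a sandbox. As an added example (not code from the post or from the attachment), this small Python script does the same thing statically: it follows the `var x='...'; x+='...'; var e=eval; e(x);` pattern line by line to rebuild the string that would have reached eval without running any JavaScript, and it flags attachment names with a hidden script extension like `00560291.doc.js`. The sample input is constructed and harmless; the regexes assume single-quoted fragments and one statement per line, as in the fragments quoted above.

```python
import re

# Constructed sample modelled on the fragments quoted in the post; it is NOT
# the real attachment. The reassembled string is deliberately harmless.
SAMPLE = """
q89='var';
var y81=' id';
var n77='23;';
q89+=y81;
q89+='=1';
var y68='WScript.Echo(id);';
q89+=n77;
q89+=y68;
var e90=eval;
e90(q89);
"""

# One statement per line: `[var] name = 'literal' | other_name ;` or `name += ...;`
ASSIGN = re.compile(r"^(?:var\s+)?(\w+)\s*(\+?=)\s*(?:'([^']*)'|(\w+))\s*;$")
# A bare call `name(other_name);`, which is how the aliased eval gets invoked.
CALL = re.compile(r"^(\w+)\s*\(\s*(\w+)\s*\)\s*;$")
EVAL = "<eval>"  # sentinel so `var e90=eval;` can be followed to the call site

def reconstruct(src):
    """Simulate the string building without executing anything. Returns (env,
    calls): env maps variable -> value, calls lists (callee, argument) resolved."""
    env, calls = {"eval": EVAL}, []
    for raw in src.splitlines():
        line = raw.strip()
        m = ASSIGN.match(line)
        if m:
            name, op, lit, ref = m.groups()
            value = lit if lit is not None else env.get(ref, "")
            env[name] = (env.get(name, "") + value) if op == "+=" else value
            continue
        m = CALL.match(line)
        if m:
            callee, arg = m.groups()
            calls.append((env.get(callee, callee), env.get(arg, arg)))
    return env, calls

def extract_eval_payload(src):
    """Return the text that would have reached eval(), or None if eval is never called."""
    _, calls = reconstruct(src)
    return next((arg for callee, arg in calls if callee == EVAL), None)

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf"}   # executed by Windows Script Host
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt"}

def looks_like_hidden_script(filename):
    """True for names such as 00560291.doc.js: document-looking, but really a script."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[2] in SCRIPT_EXTS
            and "." + parts[1] in DOC_EXTS)

if __name__ == "__main__":
    print("hidden script name:", looks_like_hidden_script("00560291.doc.js"))
    print("would be eval'd   :", extract_eval_payload(SAMPLE))
```

The same reconstruction is what a sandbox run shows you, minus the risk: the script never interprets the payload it recovers.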

Auke Kok

Shared publicly  - 
 
On respect versus merit.

I've recently seen a few typical Open Source Collisions happen and have been partially involved in them as well. As I'm a fairly pragmatic person I tend to shrug it off and focus on the work at hand, but there are always a few people around who can't understand that respect and merit are orthogonal.

Any new person who starts out doing Open Source should be met with the utmost respect. They have absolutely no merit to begin with, and others should encourage them and show them the beginner mistakes in their work. The new people should treat experienced people as you would treat any good teacher: without any significantly more respect than anyone else(!). Poke them, ask them, prod them for answers and explanations, but certainly do not go easy on your mentors - they are there not to sit on a throne and rule, but to guide everyone to do better.

Any experienced person should treat new contributors with respect, but treat their code for what it's worth. No need to get salty if it's bad. Just say "It's terrible" and leave it at that.

But that's where things go wrong. If you, as an experienced developer, fail to explain why a submission is wrong or misinformed, you're not giving someone the education or knowledge that you have, and you're guilty of depriving them of a chance to learn.

Now what I've noticed is that there seem to be many capable, experienced OSS contributors who lavish in merit and destroy their own respect, by ignoring this advice. These aren't business critical projects, but nonetheless it matters to a lot of people, so things get heated pretty quickly.

I've now seen two out-of-control spirals of disrespect end in people leaving. For no better reason than that the senior people involved entirely confuse merit and respect, and think that they are interchangeable.

It starts with reviews ending up saltier and shorter, especially for reviews from newer contributors. It ends with someone giving up, and sadly it's usually the newer people that give up, even though the potential that they will contribute more and better code in the future is often far more likely than that the merit-soaker is coming back to do actual coding.

So, takeaways for those that recognize the situation? If you don't code anymore in a project, don't become the grumpy reviewer. Let others take over. Stay constructive and technical, and teach instead of criticize. Never attack a person, ever.

Yes, there are indeed plenty of public OSS figures out there who violate these guidelines, and it's inexcusable, really. And totally not needed, either. I've most certainly been on the wrong side as well, for sure, in the past. I hope I've made up for it, though, and intend to improve where I can.
7 comments
 
And a slightly different angle on that. I just reviewed a futex patch series from Thomas Gleixner. We're both senior kernel contributors, but he's certainly earned more merit points. I was providing the review, and I asked several clarifying questions. Had I done that in private, others might have had to ask the same questions. I should also note that private review can take place internal to a team or company and that should catch most of the embarrassing issues. That is harder for a new individual to benefit from. The only answer I have for that case, is mutual respect.

Auke Kok

Shared publicly  - 
 
Where do you find an atx power supply at 6:30 PM? :/
5 comments
 
On my "spare parts" shelf? (or am I the only one who has basically a complete desktop sitting there?)

Auke Kok

Shared publicly  - 
 
And this is why college sports organizations that are just shims for professional sports exploitation need to be banned. The pressure of money from above is making these kids immune to corruption, and they don't have a chance.

And don't give the "this did so much nice things for so-and-so" nonsense. These kids are being taken advantage of, even if they are drafted. Of course the NCAA will just blame the coach and kids, perpetuating the cycle.
Head coach sent grad students all over the country to complete online coursework.
2 comments
 
Well that's surely a way to give a nice twist to it.

Auke Kok

Shared publicly  - 
 
"We regret to hear of the issues you are experiencing with the online banking. This is a common issue which is easily resolved. Please go into your browser settings and allow third-party cookies, this should resolve the issue. We apologize for the inconvenience this is causing."

Maybe time to switch banks again... sigh.
2 comments
 
I have the opposite problem: My bank is doing stuff the right way, but vendors are stupid.

The credit card verification page refuses to work when loaded in an iframe. Usually that's a good sign to search for another vendor. Last year that happened when I was trying to renew the credit card data at one of my hosters, and as the hoster didn't understand the problem, and I didn't have enough time to migrate everything somewhere else before expiry date I was forced to call them and provide credit card data over phone.

Guess what, the only time I've ever done that -- and the guy at the hoster uses the data for a second, newly established hosting contract not belonging to me.

Auke Kok

Shared publicly  - 
 
I've been contributing code and artwork to #minetest a lot in the last few months. It's a really fun project to keep me busy in the evenings, and I do anything from C++ and Lua coding, to texture painting in #gimp, 3D modelling in #blender, and editing audio in #audacity.

All for an entirely free game. Sorry, it's too much fun :).

The guys at www.category5.tv have made a great video review. Skip a few minutes in if you want to avoid the chat and want to see a decent review.

http://www.category5.tv/episodes/441.php

Auke Kok

Shared publicly  - 
 
Hmmm, nope, still haven't made any progress to cutting down on CO2. I think this year's high is even going to exceed the trend predictions, and by a fair margin too.

http://www.esrl.noaa.gov/gmd/webdata/ccgg/trends/co2_trend_mlo.png

Auke Kok

Shared publicly  - 
 
I spent the last day killing TIFF from +Clear Linux Project for Intel Architecture ... Given the amount of unfixed CVEs open against the unpatched latest release, and the unlikelihood that a fixed release is ever coming out, I can only say that this is going to save everyone a lot of time.

https://lists.clearlinux.org/pipermail/dev/2016-April/000290.html
[Dev] retiring tiff. Arjan van de Ven arjan at linux.intel.com. Fri Apr 29 06:51:47 PDT 2016. Previous message (by thread): [Dev] coreutils libcap and size optimizations; Next message (by thread): [Dev] swupd verify intent to fix missing kernel 4.5.1-159 related files; Messages sorted by: [ date ] ...
6 comments
 
+Auke Kok thanks.

Auke Kok

Shared publicly  - 
 
Whatcha reckon folks, is Go ready for making cross-platform GUI applications? Any hints? Or stay away until it gets better?
4 comments
 
The Qt one seems like a good one. I cannot speak about cross platform though.

Auke Kok

Shared publicly  - 
 
An excellent article by +OCS-Mag's Paul Brown. Not only good arguments why people need to stop thinking that Minecraft is an open world game (it's very much a walled garden for Microsoft!), but he also provides all the arguments for using Minetest, and shows you what it can do for education and fun.

http://www.ocsmag.com/2016/04/04/mining-for-education/

How would you feel if all the food in your child’s school canteen were provided by one manufacturer of packaged snacks and soft drinks? How would you feel if your child’s diet were limi…
4 comments

Auke Kok

Shared publicly  - 
 
Soapbox. I've wrestled now for a long time with one particularly nasty company that is spoofing caller ID and keeps calling my mobile phone. After filing a complaint with the +FCC a long time ago, I wondered if my provider (+AT&T) would actually be able to do something for me.

This has turned into a frustrating dance where the first operator informed me to e-mail abuse@att.com. Of course, that e-mail address is nonexistent.

Then I spent quite some time chatting through a webpage with a service person who made me believe that there's an NCC center at AT&T that can pursue these types of complaints, NCC standing for National Compliance Center. But I'd have to call the actual appropriate customer care number instead to talk to them.

So, with the right number, I called them and discussed the issue. Of course they're offering to modify my number (doesn't solve the problem, of course, just makes you complacent), and to block the numbers (HA, blocking spoofed numbers, ... not a clue!), and they inform me that AT&T does not pursue nor can they further assist in helping with this issue. They claimed they are technically incapable of actually tracing phone calls with spoofed caller IDs.

Are you listening, +fcc ?

I mean, they plainly either (1) admitted that anyone can place actually fully anonymous and untraceable phone calls, or (2) they're lying.

Of course, last time I checked, spoofing caller ID is actually in violation of federal communications laws. So then of course I started to ask if AT&T would be willing to assist their customers to pursue the issue further ("shut up and go away, sir!" - translated message), and pressed that AT&T was just complacent in the issue. Plus I told them that I didn't buy into their story that they can't do anything about it (I know I'm not talking to an engineer, but the lying, seriously), and that they're basically encouraging this behavior, since it racks up their billable minutes.

I then asked if they record that customers had these issues. That was a solid yes answer, which HIGHLY surprised me. I would think they didn't want to admit that they actually track this type of abuse, since now that they admit they're tracking it, I can clearly establish that they know the scope of the problem and are not pursuing the issue further - complacency only becomes a problem if they're going to lose money over it, so they just want to see if people leave AT&T over it.

The message ended with an apology for my feelings. I asked them if they would instead like to apologize for their complacency. heh.

Looking back at all the 3 interactions I had, each, and every one, was meant to discourage me from pursuing the issue further. Just go and read back: the first response AT&T had was to give me an invalid e-mail address.

Damn you, AT&T.
 
They're my carrier - and they are in the same category as cable tv providers - they are all bastards and we have no alternatives. The feds approved consolidation in the name of "better for the customer" when really it was better for the carrier (more $) and better for the government (lower overheads to surveil us).
