Friday, September 26, 2008

Hacked

Dammit, someone managed to hack into a couple of my accounts. On the plus side, I was watching them as they did it, so I was able to stem the problem very quickly (within a few minutes), but dang... they're fast. They managed to create ~$400 in fraudulent PayPal charges in the span of 5 minutes. (I was on the phone with PayPal as they did were still fumbling about, in fact.)

I'm still at a loss as to how they accomplished this. I do know that I received an e-mail which caused GMail to spaz out -- text was flowing outside of the places it was supposed to be (so they probably found yet another XSS vulnerability in GMail) and attempting to view this e-mail caused the page to spend a long time loading (i.e., it was phoning home, probably with my GMail login cookie).

However, this doesn't explain how they were able to get into my PayPal account. The only thing I can think of is a keystroke logger, but it's not like I typed any passwords in those 5 minutes. That, or they managed to get into my saved passwords in Firefox (though I don't think I saved my PayPal password in there for this very reason). I guess I'll find out on Monday when I bring my laptop in forensic analysis.

In the meantime, I had my work account locked down (which I highly doubt was accessed, but this is still the prudent measure to take) and managed to change all of my other passwords within 30 minutes, all without incident; this means they probably didn't get at anything else.

The attack itself was quite sophisticated. Not only was it generating PayPal charges as fast as possible, it would intercept and delete the PayPal confirmation e-mails which showed up. I got glimpses of the subject lines and actually managed to click on one (and confirm, to my horror, that it was draining money from my real bank account), but they were being deleted not long thereafter.

Google, incidentally, is of no help here (even though I'm paying $50/year for their "premier" edition of GMail). I called their emergency number only to be told that their offices are closed until Monday morning.

Anyway. PISSED OFF IS ME.

Friday, September 19, 2008

The ultimate in high maintenance

Ah, the laughs. I've found the dating profile of someone who is the ultimate in high maintenance. And it's a 53 year old guy.

He even has a section entitled, "Do NOT Fall in Love with Me until I say so!"

Monday, September 15, 2008

Need to take a week off.

Just got back from a three day kayak trip around the San Juans (mainly Cypress Island) with Tamara and Julie (a friend from Sacramento who came up with the crazy plan in the first place). It was quite fun and nicely relaxing. However, the kayaking, plus swimming and hiking each night, has left my body exhausted and my muscles sore. As I'm flying down to San Diego tomorrow and spending the rest of the week there, I think I'm going to take a bit of a break from swimming.

Work has been exceedingly stressful as of late. Too many last-minute critical projects being juggled and thrown my way. I seem to spend 80% of my time in front of Outlook delegating and explaining what needs to happen instead of doing it myself. I suppose this would be acceptable if I were a manager, but I'm not. I think I'd be happier if I didn't know that spending time on this would be held against me come performance review time. Ah, like Dilbert, I guess I have the curse of competence.

Anyway, time to pack.

Wednesday, September 3, 2008

Setting priorities; more Chrome nits

Due to various events circulating around and entrapping me, I'm thinking of requiring folks to prioritize the requests they send me. They can select from the following options:
  • Priority 1.15. My request is important, but not so important that anyone will actually notice before we or they change teams/companies. I'm mainly filing this to cover my ass and I can point to a document and say, "I told you so," should this blow up.
  • Priority 1.1. My request is important enough to require you to do this now, but not so important that I'm willing to devote any of my team's resources into understanding the problem.
  • Priority 1. My request is important enough that I'll make vague promises to understand the problem at some unspecified point in the future, but will hope that you don't follow up on this. Also, I'll hound you with meeting invites until you submit to my will.

On the Chrome front, I'm still generally happy with it, though I did experience slowdowns with some Flash stuff. My experience here mirrors someone's review (which I can't seem to find at the moment): better than Firefox on CPU usage, but worse than IE8.

However they don't support SPNEGO/Kerberos/NTLM authentication, at least not yet. This is the magic which lets me get away with typing my work password only once a day rather than once for each internal website I visit. I'll have to keep Firefox open in the meantime.

Tuesday, September 2, 2008

Quick update on Chrome

Sure enough, a site I browsed to caused Chrome to crash -- not unexpected, given this is the first release of an alpha product (yeah, I know that Google calls it beta; I'm doing my own take here). However, true to expectations, it only caused that tab to close and vanish; the rest of my browser was unaffected.

This pleases me.

Separate processes are the way things should have been done a long time ago. (Why won't anyone listen to me on this?) Threads are fine if you have short, asymmetric work loads (e.g., spinning up a separate thread to monitor a file handle); they're generally not the right solution if you have symmetric work to perform. The Java fanboys at work yell and scream that threads are perfect, processes don't scale on multicore systems (huh?), you can't share memory (uh, that's kind of the point), and going multiprocess is an admission that your code has bugs (well, duh).

Of course, Java has plenty of objects to handle threads but no fork() call. Going multiprocess is much harder in this kind of environment. Not impossible, as the Cygwin guys have demonstrated through their fork() emulation on Windows, but definitely harder.

Chrome...

I'm trying out the new browser that Google has tossed together. But my first impression: what the heck? It insists on installing itself for each and every user of a given computer? WTF?

That said, browsing my usual websites shows that it is quite zippy. It also imported all of my bookmarks, saved passwords, and browsing history from Firefox without a hitch (though I did have to shut down Firefox first -- I'm guessing Firefox doesn't leave files in a consistent state while it runs and doesn't provide APIs for other apps to access this information).

It does spawn a bunch of processes, as expected. Even show, with three tabs loaded, it's using less than 100 MB of memory; Firefox 3, by comparison, eats up around 300 MB just to start up.

Firefox: I'm not giving up on you just yet, but you're on notice.