Citigroup – URL hacked? Seriously?

Apparently the hackers who stole all kinds of personal information from Citigroup’s website did so by URL hacking.

This is just unconscionable.  Even before you get to cyber-security 101, SOMEONE should have figured out that putting the account number in plain text in the URL was a terrible idea.

I don’t care who you are, the first thing you need to know about dealing with a website is that your server cannot trust a user’s input.  This can be for any number of, even very innocent, reasons – but primarily as a way to ward against potential problems.  It just sickens me that their website had what amounts to zero security.  URL hacking isn’t even really hacking at all, it’s just a matter of tweaking URL address inputs.  It’s essentially the equivalent of dialing a company’s phone number and changing the extension by one digit just to see if you can escape phone-tree-voice-mail-hell. 1 2

I mean, would you, as a bank, put deposit or balance information into the URL?  NO.  Otherwise in 5 seconds everyone would alter their links to include “&currentbalance=100000000000”. 3  Why, then, would you ever include plain text bank account numbers in the URL and not actually verify that information on the server side?!  I mean, this is the kind of security you get with WordPress for free just by installing it.
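To make the point concrete, here is an added example written for this page (it is not Citigroup’s code, and the bank name, account numbers, users and balances are constructed). It contrasts a handler that trusts the account number in the URL with one that treats that number as an unverified claim and checks it against the logged-in session on the server side.

```python
"""Added example: why a server must not trust an account identifier in the URL.

Illustrative code written for this page, not Citigroup's code. The account
data, user names and URLs below are constructed for the example.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which login owns which account, and the balances.
ACCOUNT_OWNERS = {"1001": "alice", "1002": "bob"}
BALANCES = {"1001": 250.00, "1002": 9800.00}


class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested account."""


def account_from_url(url):
    """Pull the 'acct' query parameter out of a request URL.

    Everything in the URL is client-controlled, so this value is only a claim.
    """
    values = parse_qs(urlparse(url).query).get("acct")
    return values[0] if values else None


def balance_vulnerable(logged_in_user, url):
    """The pattern the post describes: the URL names the account and the server
    simply looks it up. The session (logged_in_user) is never consulted, so
    changing the number in the address bar returns someone else's balance."""
    acct = account_from_url(url)
    return BALANCES[acct]


def balance_hardened(logged_in_user, url):
    """Server-side check: the account in the URL is verified against the
    authenticated session's ownership record before anything is returned."""
    acct = account_from_url(url)
    if acct is None or ACCOUNT_OWNERS.get(acct) != logged_in_user:
        # Same response whether the account does not exist or belongs to
        # someone else, so the parameter cannot be used to probe valid numbers.
        raise Forbidden("account not available to this session")
    return BALANCES[acct]


def demo():
    """Alice, logged in, edits the account number in her own URL.

    Returns (what the vulnerable handler leaks, whether the hardened one refused).
    """
    tampered = "https://bank.example/balance?acct=1002"
    leaked = balance_vulnerable("alice", tampered)
    try:
        balance_hardened("alice", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The difference between the two handlers is a single lookup, which is the point: the fix is not exotic, it is the server refusing to act on an identifier it has not confirmed belongs to the current session. Note that the hardened version answers the same way for an unknown account and for another customer’s account, so the URL cannot be used to tell valid numbers from invalid ones.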

The Citigroup website is very Web2.0, rounded corners, social-media and blogging links.  It looks great.  Did they just have their web designer handle security?  How the hell did this happen?!

Okay, Sony, Facebook, Twitter – these things get hacked because of lame or re-used passwords.  Those guys got hacked because their attackers were smart.  Citigroup got hacked because they are too stupid to handle a basic website, let alone someone’s money.

  1. Or purgatory?
  2. Definitely purgatory
  3. Or, better yet, “&currentbalance=pony”

Freecycle.org – why are you so terrible?

I’ve spent probably an hour today trying to give away an awesome sofa couch and matching stuffed chair.  I tried to list it on Craigslist, but they had this terrible system where you had to give a phone number and wait for an automated phone call or SMS.  It only allows you to submit or try a phone number every five minutes.  When the automated phone call doesn’t come through, you’re stuck trying another number.  Oh, and you can only try up to three numbers in a 12 hour period.  I just want to GIVE AWAY some awesome furniture!  I’m not applying for a line of credit.  After futzing around for an hour or so, Craigslist apparently gave up and let me post anyhow.

In the meantime I tried out Freecycle.org.  What a fiasco.  It took me 60 seconds to figure out how to sign up.  To post anything you have to join a group – but joining a group was even less intuitive than the way to sign up.  Once you joined a group, you were punted to a Yahoo Groups page.  But, to do anything further you had to then sign up for a Yahoo! account – not that any of this was explicit.

I eventually just went old school – and wrote FREE on some cardboard and put them on the sofa and chair in the driveway.

Is a lasercutter for me?

After consideration, maybe not.  Following Maker Faire Bay Area 2011 I was again prompted to investigate the feasibility of a lasercutter.  Now, I don’t have any great big grand plans for one – I just think it would be awesome to have one and I would be able to think of some pretty sweet uses for it if I had one lying around.

In any case, from what I can see there are some small and very professional looking fully assembled models starting around $8000. 1  As a hobbyist with no actual plans for immediate use of a lasercutter, this is way way too much for random projects.

I’ve seen a few websites that purport to have models for around $2,500 or so with kit options starting around $1800.  The way I look at it, there’s not a lot that can go wrong with a 3D printer.  A laser on the other hand…  could blind, burn, and cut from an arbitrary distance.  Besides, if a company can’t put together a simple WordPress website, I’m hesitant to drop thousands of dollars on their product. 2

There are also two DIY options – the open source BuildLog.net and the promised-to-be-open-source Lasersaur.  It’s not exactly fair to criticize them for incomplete documentation.  BuildLog.net appears to be a collection of people documenting their laser cutter builds who aren’t advertising themselves as a complete tutorial.  Lasersaur started off as a very popular Kickstarter project but their site was almost devoid of information or developments until they re-surfaced at Maker Faire Bay Area 2011.  Going through the Lasersaur’s bill of materials I stopped tallying the cost once it hit $4,000.00.  At that point, it probably doesn’t make sense for me to try building my own.

For the time being, I don’t think I’m going to invest in a lasercutter, DIY kit, or open source project.  Besides, there are plenty of places in the Bay Area nearby I could have something cut or rent time on a machine.  If there was a project for up to, say, $2500 and had really great documentation, I might reconsider – but I don’t see that happening soon.


  1. I was thinking of the lowest Epilog model and one referred to as a “Turnkey Laser Business.”
  2. And, really guys, come on.

Is your significant other a knitter?

While at Botacon I had the opportunity to chat with other ‘bot operators – and a surprising number of them had significant others who knit.  I think there may be an entire genre of knitting accessories that could be designed and 3D printed.  So, how about helping out with this quick poll to the right?

Surprising spam comment

There was this spam comment to a recent post referencing Doctor Who’s sixth season:

..As with the series of Doctor Who last year the final two episodes before the finale have been much more small scale and in some ways a little different. Last week we had a largely Doctor-less story Love and Monsters and this week we got Fear Her a which is set largely in one single.

The wildest thing about this comment is that it isn’t entirely off base.  The comment relates to the third season of Doctor Who with Martha Jones and the two episodes “Love and Monsters” and “Fear Her.” 1  Someone supposedly named “E. Keith Owens” using the e-mail address “timmy_b_dickerson_dzn57@hotmail.com” who posted that spam comment apparently stole it from this website.

I have to wonder – is this a crazy new form of spam?  Did they just type in a few keywords and then get two blogs – mine and that other one – then try to copy/paste our content as comments into each other, and try to get a link back to their crappy foreign exchange website? 2

What incredible nonsense.  As with stupid scareware, why don’t smart people just spend their time creating things that offer value in exchange for money?

  1. Incidentally, two of my least favorite episodes.
  2. I deleted your link.  So there.  :P

Before I had robots…

My favorite open source project was WordPress.  Now, don’t get me wrong, I love me my WordPress, but I tend to usually spend my precious tinkering time with robots.

But sometimes, such as this very morning, I enjoy just a little bit of tinkering.  I’ve made a few very subtle changes to the blog.  You shouldn’t notice unless you do something very odd here.  If you do, you might notice a little extra wibbley wobbley in your timey wimey.

Congratulations Renosis!

Renosis and I had a friendly dispute.  We decided to settle it by challenge – a Maker challenge.

I have a feeling Maker disputes are different from other kinds of disputes.  Even though we were competing against each other, we still consulted each other, bounced ideas off one another, and, I like to think, shared in each other’s successes.  But, at the end of the day, he got more Likes for his epic Gangsta Chess Set than I got for my Fez Pezsta.

Would you like to know what the dispute was?  Of course you would!

Renosis was sending me two of his extra bearings and a few extra hardware bits for the X-Axis Follower and wouldn’t accept any payment in exchange.  We were both being stubborn about that point – he didn’t want to accept the $11 and I was insisting on paying.

If I won he would accept the $11.  If he won, I would not pay him $11.  :)