Tag: hacking

Drowning in the Sea of Infinity

by mithrandi on Jul.06, 2009

If the light of a thousand suns
were to rise in the sky at once
it would be like the light
of that great spirit.
भगवद् गीता

I remember when we were so young,
you embraced my fears and made me strong;
but never did you actually hold my hand,
your silence no one would understand.
— Dream Theater, Speak to Me

I discovered this weekend that Fravia+ passed away about two months ago; I had read about his illness some time ago, but somehow missed the announcement of his death until now.

For those of you unfamiliar with this character, Fravia was one of the old school reversers (as in reverse engineering); or "hacker", in the sense that I personally identify with. In those days, knowledge was handed down from the great wizards like +ORC and others, but it was Fravia that truly brought the message to the masses (you may find his old site archived in various places). This was not merely about "cracking" software copy protection; but about taking things apart, understanding the way they work — and not just software, either. Later, he turned his focus to the meta-art of searching; seeking out information, wherever it may be hidden. His eccentric tone, which some no doubt found to be pompous and patronising, was something that endeared me to him from the very beginning; and the communities that sprang up around the gardens he planted were true jewels gleaming in the darkness of cyberspace.

Unfortunately, as time moved on, I lost touch with these communities, as I have lost touch with so many others. I still feel a strong connection to them, but I ceased participating in the interactions for whatever reasons, as my focus moved on to other places; and this is really what this post is about. Somehow, despite my efforts to the contrary, I'm unable to cling to everything I hold dear; like trying to gather the sea into one's hands, it just flows through my fingertips, and I don't know what to do about it. In some ways, this is similar to another problem I have previously described; dealing with ideas that are too big to hold in mind all at once. Yet, this is not quite the same issue; this is more of a social issue, wrapped up with issues of time and concentration. I somehow need to become my future self, without losing that which comprises my past self; to gain new understanding and insight, without losing that which was previously important.

And so, I find myself conflicted and disquieted; and most of all, mourning the passing of a great man, someone I would have liked to number amongst my friends, even if it were not so. Sail well, dearest Fravia, you are someone who will not be forgotten quickly or easily; and to those who perchance remember an old stranger, fellow traveller, or friend, I miss you all somehow, somewhere…


Malbolgeian coherency increase

by mithrandi on Aug.19, 2007


It seems that hell has frozen over. (If you don’t know what I’m talking about, then you’re probably better off.)


Nu Metro website defaced

by mithrandi on Aug.17, 2007


It seems the Nu Metro website has been defaced by a Turkish group; a little research suggests that this is at least the second time this year.

In case the site has already been restored by the time you read this, I’ve uploaded a screencap of the defacement for posterity.


Security Advisory

by mithrandi on Aug.12, 2005


Dominic White drew my attention to this on a mailing list earlier today, so I decided to investigate. Syrex Intranets, an apparently small technology outfit, have a product they call SICS. It basically seems to be a customized Linux server installation that has all the bells and whistles that a small business would want, with a web-based management system and so on. I’m guessing this product is responsible for the problem that I will now describe.

The first instance of this site I saw was KOSH Communications; their SICS management site is publicly available. I’m only guessing this is provided by SICS, as there is no identification of this fact on the site itself. I ran across it with a Google search that picked up publicly available Squid logfiles, but didn’t take much notice of it. However, when someone else independently pointed out a separate site, the similarity in content, appearance, and domain name was evident.

So, over to Google; with a little effort, I was able to construct a Google query that will pick up all (or most) of these sites that are publicly available. I’m not sure whether this is a configuration issue that can be fixed easily, or if it is a fundamental flaw in the “SICS” system; either way, at the time of this writing, that query returns 71 sites. You can view MRTG traffic graphs, Squid cache logs, mount/unmount the CD-ROM drive, and more from the internet, without entering a password or otherwise authenticating in any way. Syrex’s own site seems to be vulnerable, suggesting a fundamental flaw rather than a configuration issue.

It also has a copy of Unix Unleashed, including a copyright statement which they seem to be blatantly violating. In addition, many (all) of these sites seem to be hosted off ADSL lines with IP addresses located in the dynamic SAIX ADSL range, and as such may be violating the ISP’s AUP. I would strongly suggest that anyone using one of these systems take it offline, and contact Syrex right away to demand a fix.

UPDATE: Whoops, meant to link singe, so I’m now referencing him by name to make up for it.

UPDATE: Got a reply from someone at Syrex on 2005/08/18 saying that they’ve fixed the issue, and promising a more in-depth reply at a later stage. They also claim that “David wrote one of the articles in Unix Unleashed and is therefore not infringing on any copyright.” You can confirm for yourself that all of these sites now require HTTP Basic Authentication credentials to access anything except the front page, which seems adequate to me. I’ll continue to update this post as/when I receive more information.
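
For anyone running such a management site, the fix described above (everything except the front page demands HTTP Basic credentials) can be verified from the outside. The sketch below is an added example, not code from this post or from Syrex; the host name `sics.example` and the paths are hypothetical, and the sample responses are constructed so that it runs offline.

```python
import urllib.error
import urllib.request

def fetch_unauthenticated(url, timeout=5):
    """GET url with no credentials; return (status, WWW-Authenticate value)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def is_protected(status, challenge):
    """True only for a 401 that carries an HTTP Basic challenge."""
    return status == 401 and challenge.strip().lower().startswith("basic")

def audit(base_url, paths, public_paths=("/",), fetch=fetch_unauthenticated):
    """Return [(path, status)] for every non-public path that answered
    without demanding Basic credentials."""
    findings = []
    for path in paths:
        if path in public_paths:
            continue  # the front page may stay public
        status, challenge = fetch(base_url.rstrip("/") + path)
        if not is_protected(status, challenge):
            findings.append((path, status))
    return findings

# Constructed responses standing in for a server (hypothetical host and paths).
SAMPLE = {
    "http://sics.example/": (200, ""),
    "http://sics.example/mrtg/": (401, 'Basic realm="management"'),
    "http://sics.example/squid-logs/": (200, ""),   # still served openly
    "http://sics.example/cdrom/": (401, ""),        # 401 but no Basic challenge
}

def demo():
    """Audit the constructed responses instead of a live host."""
    paths = ["/", "/mrtg/", "/squid-logs/", "/cdrom/"]
    return audit("http://sics.example", paths, fetch=lambda url: SAMPLE[url])

if __name__ == "__main__":
    for path, status in demo():
        print(f"NOT PROTECTED: {path} (HTTP {status})")
```

Against a host you administer, call `audit()` with its real base URL and the management paths it serves; any path reported (including a 404 or a redirect to a page that answers 200) deserves a manual look.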

