Tag: Computing

I upgraded to IE10 recently, but have been driven crazy by one ‘feature’.  When I type in the address box a few letters of one of my regular sites, it shows me a whole list of url’s which I have never visited and in which I have no interest.  This infuriating trick must be commercially driven — “pay to join our spam list!” — and will drive a lot of people to Chrome.

Anyway it did it once too often today.  I’ve found a link that tells you how to turn it off.  Basically it’s Tools | Internet Options | Content | Auto-complete, and turn off “suggestions”.

I thought I’d add this, as it is such a nuisance.

It’s things like this that remind us how little power we have.  Still, ’twas ever thus.  The desire for money is the root of all sorts of trouble.  As has been said before.

When I wrote the PHP scripts that support my Roman cult of Mithras site, I incorporated some code to tell me if anyone was looking at the pages.  Specifically it tells me which pages are popular; information that is useful to me when deciding what to work on.

Each page is accessed using an address like this:

http://www.tertullian.org/rpearse/mithras/display.php?page=XXXX

where XXXX is the name of one of the pages.  So I display the page names and counts like this:

As you may imagine, I was somewhat surprised to find entries appearing that were most certainly not pages on my site.  No link anywhere will produce these.

Here is one example:

Any database programmer will recognise that these are fragments of the database language, SQL.  What’s going on here?

This is — can only be — an attempt to hack my website.  The hacker has theorised that the pages, as in Wikipedia, are actually stored in a database.  He is trying to guess how my site works.

What if, he thinks, the “display.php” script, in the address above, takes the page name, creates an SQL query, and retrieves the page data from this hypothetical database?  Then perhaps the SQL is this:

select * from database_table where pagename = 'PAGE'

where PAGE is the text in “display.php?page=PAGE“?  If so, he thinks, let’s stick a quote in the address box, and add extra code!  Let’s see, he thinks, if we can get somewhere with this!  It failed, however.

A few days ago he must have realised that he wasn’t getting anywhere with the SQL injection attack (as it is called).  Here’s what he did next:

The hacker has tried again.  He’s now guessing that perhaps the website uses files on the disk, rather than a database.  He thinks that it is perhaps running on the Linux operating system, as most commercial websites do.  And he is guessing that my code perhaps does something like this:

File Open("PAGE");
File Read;
Display file to screen;

So he thought that perhaps he could get the display.php to display the password file from the Linux machine.  Indeed he tried various permutations of the same idea:

The %2F is an HTML encoding for a slash character; so he is still trying to get at the passwd file.  None of it worked, thankfully.

Now there is one obvious conclusion here.  This is not an automatic attack, run by machine.  This sort of tinkering requires human input.  No doubt there are hacking engines, built and sold to attack common software packages used to write websites.  But my site doesn’t use these; it’s all hand-made code.

So, somewhere out there, there is a human being, who is trying to gain control of my website.

Who is this person?  Well, I do know a little about him.  Back in 2006, when I last created a website using PHP scripting, such people didn’t exist.  So when I started the site, in December 2012, I didn’t bother with security.  The first version of the new site was promptly hacked.  And what did he do, once he could edit the content?  Well, he deleted it.  The page content was replaced with spam and links to spam sites.  It’s undoubtedly the same person, since he has kept up various attacks ever since.

The only person who could find advantage in that is someone who works for a spammer.  He’s out there, with some knowledge of programming, trying — for money, I presume — to break my site in order to delete it and replace it with rubbish, because someone else pays him to do it.

Nor is he giving up.  The attempts to hack me, using the attack that worked initially, have gone on unceasingly for months.  Indeed he tried the same hack again, two days ago at 22:42 hours.  It’s usually in the middle of the night that the attacks come.  Is he an Australian, perhaps?  Or some low-paid oriental?

It is sobering to see such determination to do harm.  He has put in months and months of effort – far more effort than I have spent to create the site in the first place.  And he keeps right on going.

Possibly all of our websites are under such daily attack.  The quantities of spam “comments” to this blog run into thousands every day; which, thankfully, WordPress deal with.  Most of the time we just don’t even know it is happening.

How many website authors check their logs regularly?  How many of us would recognise an attack if we saw one?  It is pure coincidence that I chose a format for this site, and a reporting method for it, that highlight the attacks very clearly.

I hope, therefore, that this post may assist my fellow web-authors.  It goes to show that these attacks are real.

Yes, it is sobering, and also rather sad.  For this was not how things were in 2006.  I ran the translation project for Jerome’s Chronicle without any security at all.  And I had no trouble.

But now the criminal classes are on the web.  The criminal is he who will wreck anything for any shred of personal convenience, regardless of the harm to others.

Sadly we may have to accept a police force for the web also, in response.

I’ve spent each weekend for a couple of weeks now trying to get my new Samsung RF711 laptop set up to use a solid-state drive (SSD).  It has been an experience of unmitigated pain.  Today is gone, and nothing to show for it.

Not that this is the fault of Samsung.  Their kit works well, and the easily accessible hard disk bays are wonderful.  It’s quite simply that setting up any hard disk to work with Windows and boot the Samsung Recovery Solution from the F4 menu is strictly for people with plenty of time.  Which is not me.  It’s strictly for people with day after day on their hands.

I’ve found a link here and here which helped.  The problem is getting the wretched Samsung recovery partition created correctly. 

My current approach has required a lot of disk swapping.  You also need to create an admin USB  key drive.  Unless yours is 32GB, tho, it won’t be big enough.

The best way to do this is to start with the original hard disk in its original bay, and the SSD in the spare bay.  If Paragon will create your recovery partition (it did the first time I used it, not today) then all you need to do is to remove the hard disk, restart with a USB stick and use it to fix the MBR on the SSD so that the recovery solution will run from your new recovery partition.  Restart and you are done.

What I had to do was create a partition at the end of the drive using normal tools, and format it and assign it a letter (G:).  Then boot from the stick, and copy the Z: drive using robocopy to the G: drive in the DOS box under the hidden menu.  Then reboot from the stick, and use the new menu to fix the MBR.  Then boot and check F4 takes you into the recovery; and then you can delete the other partitions (not your G: drive!) and do a complete restore, and reboot, and … you’re done.  Phew.

It’s brain-teasing stuff the first time you see it, really it is.

What I have decided to do is keep the original HDD in a bag somewhere, and instead just fit a new HDD as my data store.  So I can always go back to factory settings that way.

Mind you, having Windows on an SSD does mean that it boots incredibly fast.  Booting from the HDD was utterly turgid.

Manufacturers need to stop supplying HDD for Windows, and supply an SSD main drive with ancillary hard drive.