Time

I found this bit of prose recorded in a bedside notebook of mine.

Time is not a tick-tock.
It is like a river -
      gentle or rapid it's pace is a whoosh
      or a rumble. a burble or a roar,
      a hum...

        time is taught from birth as nothing more than a tick-tock,
 a blink-blink, a tap-tap at a constant rate, impulsive, consistent.
Time passes in silence with mind shattering crash after crash - as the
clockwork interrups nature's flow with omnidirectional shockwaves of
sructure.
  Stop
  Go
  Stop
  Go      intermittant tasks are measured in the turning of a gear.

Time has been bottled up, refined, forified and sold to humanity
to be used one drop at a time -- the river tamed by the superiority of mankind.
The roar, the rush, the trickle  nothing but a Drip, Drip, Drip...

Security phrase and image

A lot of banks have started adding a security image and / or phrase to the login process in order to help prevent phishing.

It works like this. When you set up your account, you chose a picture from a list (usually things like puppies, kittens, bicycles, cars, etc), and you enter a phrase that will be displayed with this picture. This is stored with your account.

Later, when you login you first enter your username. You are presented with the picture and phrase to prove that you are at the bank’s true website and not a phishing site that just looks like your bank’s site. On this second page, you verify that the image and phrase are correct, then enter your password with confidence.

Sounds like a great idea, right? I thought so to at first, and a lot of people think that it is a very good security measure.

Unfortunately as currently implemented there is a serious flaw in the logic. What is to stop a phishing site from programmatically requesting this image and phrase on your behalf?
A Captcha would not help either. The phishing site could simply pass the captcha to the user, and the result back to the bank site.

No, this creates a false sense of security. By telling people that these features ensure the site is genuine, they will more readily believe it when a phishing site provides the same “security”.

I believe I could make a proof of concept, but with the current state of freedom in the US, I’d probably go to jail for it.

Programatically modify firefox settings

I refuse to believe that nobody has needed to silently push firefox setting / configuration in an unattended manner, but I was unable to find any directions on how to do so. In particular, I need to automatically, using a script, modify the no-proxy exclusion list.

Here is the way I eventually ended up doing it.

Firefox stores it’s configuration in prefs.js in the Profile folder for the user.
That is (on XP anyway) C:\Documents and Settings\[user]\Application Data\Mozilla\Firefox\Profiles\[randomtext].default\prefs.js
Which can be specified as %APPDATA%\Mozilla\Firefox\Profiles\[randomtext].default\prefs.js

Since it contains a random string, how the heck do you find it??
Well, you can parse the profiles.ini file in %APPDATA\Mozilla\Firefox. It looks like this:

[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/cutfy0h4.default

Luckily, you can use a FOR loop within a winxp/2k batch file to grab the profile name(s).

FOR /F "delims==/ tokens=3 usebackq" %%i IN ("%APPDATA%\Mozilla\Firefox\profiles.ini") DO (
 echo %%i
)

This will echo just the “cutfy0h4.default”, and it will only return for lines of the file that contain 3 fields.
(For more information about the FOR loop, see here: http://www.robvanderwoude.com/ntfor.html.)

Now that we can locate the profile, how the heck do we modify the setting?

Turns out, firefox looks for a file called user.js, and applies those settings AFTER applying prefs.js. Any settings in user.js will be applied to prefs.js.
So you put your settings in user.js, copy it into the profile folder, start and stop firefox, then delete user.js. (If you don’t delete user.js, the user will be unable to modify the setting).

Warnings:
1. I am not responsible if this breaks anything. USE AT YOUR OWN RISK!!
2. If there are multiple profiles, it will not work right. In most cases there should only be one.
3. If firefox adds more stuff to profiles.ini, or fixes the direction of the slash in the profile path, this script will break.
4. This was developed with Firefox 2.0.0.13

Here is my final script:

You will need a file called “user.js.install” in the same folder as the batch file containing whatever settings you want to change. (Use prefs.js as your guide) Like this one:

user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, superserver, 192.168.0.1");

Here is the batch script:

taskkill /IM firefox.exe > javainst.log 2>&1
FOR /F "delims==/ tokens=3 usebackq" %%i IN ("%APPDATA%\Mozilla\Firefox\profiles.ini") DO (
  echo "%APPDATA%\Mozilla\Firefox\Profiles\%%i\prefs.js"  >> proclog.log 2>&1
  IF EXIST "%APPDATA%\Mozilla\Firefox\Profiles\%%i\prefs.js" (
    copy /Y user.js.install "%APPDATA%\Mozilla\Firefox\Profiles\%%i\user.js"  >> proclog.log 2>&1
    start firefox.exe
    rem wait 7 seconds for firefox to start
    ping 1.1.1.1 -n 1 -w 7000
    taskkill /IM firefox.exe  >> proclog.log 2>&1
    del "%APPDATA%\Mozilla\Firefox\Profiles\%%i\user.js"  >> proclog.log 2>&1
  )
)