Weddings and Funerals

Personal by on January 28, 2011 at 10:23 pm

As I’ve gotten older, the event that has consistently brought friends together has been weddings. As my friends have settled the weddings have grown less frequent.

With one exception. Every year for the last seven, a good friend has organized a trip to Park City. A dozen college friends made the trip each year. Not everyone came every year, but everyone came every few years.

This will be the first year that I haven’t made the trip.

I’ve just learned about the only other event that consistently gets old friends together - funerals. Scott Cook, a friend from, I think, fifth grade, just passed away. I’ve only seen him sporadically since high school. Last time was a few years back at Sebastian’s wedding.

As my college friends have gotten older, the annual trip to Park City has gotten harder. I suppose it is fitting that the one time I can’t make the trip I’ve never been so reminded of its value.

I’m excited about seeing my high school friends again, but I wish it was under better circumstances.

How my Facebook account was used to spam my friends with a CPA Offer

Personal by on December 13, 2010 at 10:26 pm

Last night around 11:30 I received an email from a friend that my Facebook account had spammed him.

On logging in, I learned that my account had:
  • Created an event: ‘No Fees PS3 Slim for x-mas’
  • Invited all my friends to attend the event
  • Posted that I was attending the event to my Facebook status

Here is the screenshot of the ‘event’:


It looks like the email went out at 11:05 PM. My friend emailed me at 11:28 PM and I had the event down at 11:42 PM. But there is no pulling back the emails to my friends.

Figuring out how it happened

My first thoughts were that it was a CSRF attack or related to the Gawker hack (I had a barely used account there).

First step was to visit the link using a sandboxed browser. Here were the redirects (I’m skipping a few that were just internal to the sites in the path):

Nothing of much interest in the redirects. It was notable that I didn’t record any requests to Facebook. The nature of this attack was nearly identical to a recent Facebook worm (Sep 2010) that exploited a Cross-Site Request Forgery (CSRF - an attack that simulates requests to a third party site to create some action on that site). Facebook also seems to have consistent problems with CSRF attacks.

Still, the lack of a CSRF request in my one example doesn’t guarantee that it wasn’t a CSRF attack. All of my browsing at the time of the exploit was on very safe sites. CSRF continued to look unlikely.

Weak passwords are lame. Using duplicate passwords is lamer.
I use several low-security passwords on accounts that I generally don’t care about. Gawker’s system was one of them. Most of these accounts I use only a handful of times so I haven’t really been concerned about access to them.

Unfortunately, when I originally signed up for Facebook, I used the same low security password as well. While I quickly changed my facebook password, I found it very difficult verifying that the password was the source of the exploit.

Nothing else in the account had been changed (more indicative of the CSRF attack).

Gmail has this awesome feature that allows you to see which IPs have logged into your account. It is a great way to ensure the integrity of your account. Of course Facebook makes no such data available (and yes it still uses unencrypted cookies and is vulnerable to Firesheep).

The password was a mostly random string of letters and numbers. However, the fundamental flaw was that it was only 6 characters. That leaves the password vulnerable to a brute force attack.

How vulnerable?
How Secure is My Password estimates it would take 3 minutes for a desktop PC to ‘crack’ a similar password.

This Slate tool tells you if your email was in the hacked Gawker database. It also tells you if your password has already been cracked. Here was the message it gave me:

Your password was released, and it’s been decrypted. You should change it ASAP.

How was my password cracked?

Gawker states that they store passwords in an encrypted form in their database. The method used by my sites is to store a hash of the password rather than the actual password. The hash is usually a one-way function, so to log you in the site has to generate a hash of the password you entered and then compare it to the stored value in the database.

For example, if my password was ‘davenaff’, the md5 hash would be: 7c074125deb947e96fc7bb8de60c6e17. For a hacker to reverse my password, they would need to generate all possible combinations until they found a hash that matched my password.

There are databases and websites that have pre-calculated a dictionary of md5 hashes to their original values. (These have a cool name - ‘Rainbow Tables’). To counter this approach, many websites use salted hashes. Now, to crack the hash you need to know the salt, but since Gawker source code was hacked the hackers also have the salt (if one were used).

The hackers reportedly obtained 500k emails and as of this morning had decrypted 185K of them. Presumably they (or others) will continue to decrypt more as they build an increasingly larger dictionary of hashes to test against the remaining 315k passwords.

I assume that they at least ran a ‘rainbow table’ attack against all dictionary words and 6-digit passwords. The computational complexity begins to increase substantially as you add characters (from the howsecureismypassword site):

6 chars: 3 mins
7 chars: 2 hrs
8 chars: 3 days
9 chars: 117 days
10 chars: 11 years
11 chars: 417 years

And those stats are just for a desktop PC. Purpose built hardware and algorithms would go much faster.
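
To make the hashing and length discussion above concrete, here is an added example (not code from the original post, and not Gawker's actual scheme). It contrasts a fast unsalted MD5 digest with a per-user salted, deliberately slow hash, and shows how the search space grows per character. Assumptions: a 36-symbol alphabet (lowercase letters plus digits), PBKDF2-HMAC-SHA256 as the slow hash, and an illustrative round count. Under the 36-symbol assumption each extra character multiplies the work by 36, which roughly matches the steps in the table.

```python
import hashlib
import hmac
import os

ALPHABET_SIZE = 36        # assumption: lowercase letters + digits
PBKDF2_ROUNDS = 600_000   # assumption: illustrative work factor


def unsalted_md5(password: str) -> str:
    """Fast, unsalted digest: the same password always maps to the same
    value, which is what makes precomputed lookup tables effective."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """Build the record a site would store: random per-user salt plus a slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of possible passwords of exactly `length` characters."""
    return alphabet ** length


def growth_table(lengths=range(6, 12)):
    """(length, keyspace, work relative to the shortest length) per row."""
    base = keyspace(lengths[0])
    return [(n, keyspace(n), keyspace(n) // base) for n in lengths]


if __name__ == "__main__":
    pw = "constructed-sample-pw"  # constructed sample value
    a, b = store_password(pw), store_password(pw)
    print("unsalted digests equal:", unsalted_md5(pw) == unsalted_md5(pw))
    print("salted records equal:  ", a["digest"] == b["digest"])
    print("verify ok:", verify_password(pw, a))
    for n, space, factor in growth_table():
        print(f"{n:2d} chars  {space:>22,d} candidates  x{factor:,d} vs 6 chars")
```
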

Anyway, since my password was outed, I’ve started seeing warnings (or messages that could be considered warnings) from people trying to access some of my accounts. For example I got this message from LinkedIn earlier this evening:

Dear Dave Naffziger,

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

Go to the LinkedIn website
Click on “Sign In”
Click on “Forgot Password?” and follow the directions on the website

Thank you,
The LinkedIn Team

Sweet, I wonder how many of those messages I’ll get…

The thing is, I know better than this. But, I guess it was time to relearn a few lessons:

  • Regularly consider the password I’m using when I log into sites. Upgrade when necessary
  • In all cases, use a password with at least 9 characters. My high security passwords have many more, but I’m certainly willing to type a few extra keystrokes if it means avoiding spamming my friends
  • Respond quickly. The lamest thing about this is that I read about the Gawker hack before my facebook account was compromised. AND, I recognized that I probably had a Gawker account AND that the password was the same as my FB account. I literally had strung together all of these thoughts and didn’t take action until my account was compromised.

I think I’ve got all of the formerly ‘low security’ accounts I care about changed. Now, if I can just figure out how to change the password on evite…

Be careful with Google Sitelinks (How I screwed myself)

Personal,Search,travel by on January 7, 2010 at 10:07 pm

While I’m generally a big fan of Google Sitelinks, I recently screwed myself by carelessly relying on them.

A few months back I planned travel for Affiliate Summit West. I began my process with a search for “Affiliate Summit West”. The search results today are below (which look pretty similar to what I recall seeing originally).

[Screenshot: Google search results for “affiliate summit west”]

I was already registered for the show, knew which day I was speaking (Monday) and since the show was in the same location last year all I needed were the dates.

I clicked on the ‘About the Show’ sitelink and booked travel based on the dates on that page. A few weeks later, my wife booked a trip to Hawaii based on my calendar availability.


While all of the sitelinks were for the 2010 version of the conference, the ‘About the Show’ sitelink took me to the 2009 details. I carelessly booked my travel plans based on the wrong dates… which now collide with our trip to Hawaii…

Clearly, the error is mine and mine alone. If I had gone directly to the Affiliate Summit website and used their navigation, I would have not been in a position to make the error.

So, be careful deep navigating with sitelinks. Trust site owners more than Google (sounds obvious right?).

Chicago Marathon

Personal by on October 24, 2009 at 10:01 pm

A few weeks back I ran the Chicago marathon with my sister. My sister has been a Team in Training mentor for several years and has run more than a few Chicago marathons.

I’ve never run a full marathon with her and I wasn’t planning on running this one. I thought I’d run part of it with a camera and snap photos of her and her friends as they ran the race. I ended up running the entire run and had a blast.

It had been a long time since I’ve run a ‘major’ marathon. The Las Vegas and Phoenix marathons each had a sizeable number of runners, but they do not compare to races like Chicago. The biggest difference was the city’s commitment to the event. In Chicago, the day revolved around the race. Fans lined the course, which went through the heart of downtown multiple times. I can’t say enough how much I enjoyed the run.

Start of the run
Start of Chicago Marathon
Outside the Lincoln Park Zoo - Probably around mile 5. My sister is stretching her IT band on the left - she ran the whole thing with a strained IT band - her doctors told her that she wouldn’t injure it; her knee would just hurt a lot.
Outside Lincoln Park Zoo
My sister and I around mile 23 or so.
Michelle and I on the course

Interesting Cool & Useful – Sep 09

Personal,Politics by on September 9, 2009 at 6:24 pm

It has been ages since I’ve put together one of these posts, but a number of things have been accumulating recently that didn’t warrant a whole post (and I didn’t want to compress into a tweet).


  • High-fat food affects memory and exercise (in rats). This NY Times article highlights a study that showed high-fat food made rats both dumber and reduced exercise capacity — in as little as 4 days.
  • Exercise and low-fat diets linked to 60% lower Alzheimer’s risk. Few things scare me as much as Alzheimer’s. Recent research is revolutionizing how we think about the disease.
    … the risk of Alzheimer’s was reduced by a third in volunteers who were physically active, while those who ate a diet rich in fruit and vegetables lowered their risk by 40 per cent. Those doing both lowered their risk by a massive 60 per cent
  • Healthcare. I don’t know enough to have a fully-formed opinion on healthcare, but this (long) article in the Atlantic resonated with my world view on the current state of health care and likely solutions. In particular, the author highlights the true tragedy of hospital-based infections:
    “roughly 100,000 Americans whose deaths are caused or influenced by infections picked up in hospitals. One hundred thousand deaths: more than double the number of people killed in car crashes, five times the number killed in homicides, 20 times the total number of our armed forces killed in Iraq and Afghanistan.”


  • A better (cheaper) educational model. The accreditation process provides an important certification step in education, but it also keeps costs artificially high. Straighter Line has developed an extremely interesting approach to introductory college education ($99 a month), that circumvents traditional accreditation requirements.
  • Self-assembling robots that might conduct internal surgeries. Seriously, a patient would swallow 15 pills, and the robot would self-assemble and then conduct internal surgeries. Granted, the technology is more conceptual at this stage…
  • Non-randomness in coin tosses. Spun coins land tails up 80% of the time.


  • Picture Sharing for Groups. I’ve written before that group photo sharing has been an unsolved problem. I’ve been testing Picurio recently and have been quite impressed. Download zips of all uploaded photos.
  • Remote support. Zoho has a great free desktop sharing utility that makes remote support of your parents much easier than just using the phone alone. It gives you 5 free support sessions a month at 2 hrs each. Super, super useful.


How doctoring should be done – ePocrates

Personal,Products by on September 16, 2008 at 9:04 pm

I had a bug land in my eye while running yesterday. I thought I had taken it out, but I woke up in the middle of the night with my eye sealed shut by eye goo. I flushed out the bug, but by the end of the day, my eye was still irritable and very red.

My doctor looked at my eye and said that it looked infected and said she would prescribe a topical antibiotic. She then told me that they don’t see eye infections all that often and pulled out a PDA and confirmed the proper dilution of the antibiotic prescription.

I don’t think I’ve ever seen this, but it is such an obvious thing for caregivers to use. Maybe it’s because doctors are slightly technophobic or perhaps they don’t like admitting they are uncertain but this seems like a far superior model than prescribing drugs on memory. I’ve got to imagine that there are some compelling statistics to be found on lives saved or reduced prescription error rates, etc.

She used a database from epocrates. I love the concept. I of course want it networked, databased and analyzed but this is a great start.

Park City Marathon

Personal,Running by on August 24, 2008 at 9:03 pm

Jeff, Rahul and I ran the Park City Marathon on Saturday. This was another Saturday marathon, which cemented my view that Saturday marathons >> Sunday marathons because you can enjoy the trip far more when you get the hard part done up front. Plus I hate going to the airport hours after completing the marathon.

Park City Marathon Finish

The marathon elevation was between 6400 and 7200 feet, which definitely impacted our times (4:12:46). There was apparently a 2% grade the first 18 miles, but we hardly noticed it.

The course was gorgeous - rolling hills and mountains surrounded us and a gorgeous altitude sunrise started the run. Nearly all of the running was on trails and paved bike paths and the organizers did an excellent job supporting the course. Aid stations were appropriately placed and every station after mile 10 had some nourishment in addition to the drinks.

Park City Marathon Photo

After the race we had the ‘Chubby’ (pictured below) at the Copper Creek Pub & Grub. The Chubby is a 1/2 pound burger between two grilled cheese sandwiches and 100% pure genius.

The ‘Chubby Melt’

The Newpark hotel was literally 50 yds from the start and finish line.

Running for a day

Personal,Running by on July 28, 2008 at 11:08 am

Ever wonder what it’s like to run 100 miles? Jeff completed the Vermont 100 in just under 24 hours. He posted an awesome writeup about his journey.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | Dave Naffziger's Blog | Dave & Iva Naffziger