Fun with terminals

Christmas bought me a little present -

It's a HOBS branded, Philips NMS 6302 viewdata terminal. Very dinky and sweet, and working perfectly! This is a pretty late model, built in 1990, compared to most of my other terminals. It says "Made in France" on the bottom, mentions Minitel, and therefore supports Teletel, Teletel Pad X3 and ASCII services too! Pity it's monochrome.. This would however be really cute to have on my desk, were I a high powered executive working in the 1990s...

As you might be able to tell, it's currently viewing the main Prestel Messaging index, page 7a. This is courtesy of my viewdata BBS, which it has given me a bit of incentive to try and get back online. (It's very very flakey at the moment but if you fancy tying it out, there's a single line sometimes-working on 03333 403311.. Key *Prestel# to jump out of the BBS and back in time, at least for a moment... ) I'm intending to re-work this in time, using the better modems and terminal servers to allow internet access too. It is, however, a wonderful trip down memory lane seeing these pages trickling down at 1200bps again!

DNS

Just a quick warning, due to a hardware failure primary DNS is down for viewdata.org.uk, irrelevant.com and most of my domains. Secondary should continue serving though for the time being. This will affect ALL services, so if you can't access any of my websites, that's why. I will fix in the morning. I hope.

Edit 8am 2011-09-22. Wake up to find that DNS is still holding out, but my webhost has suspended the account for going over usage on disk space (on an unlimited account, go figure..)

Why it had to happen at the exact same moment, I don't know. Sod's law I guess!!

Edit 3pm 2011-09-22. DNS was back up this morning on temporary hardware. Hosting back online at 12 noon. Everything seems OK now. Thank you for your patience.

Pirates Ahoy!

Yesterday was the annual pirates sports day for the nursery and reception classes at school.

Great fun was had by all, and we are the now proud owners of a lovely multicoloured beach ball as a prize!

Avast ye varmints!

Data Breach

A recent article on The Register, about somebody finding a database dump containing usernames and passwords simply by using google, sparked my interest.

The obvious google search for "filetype:sql" threw up rather a lot of results. So how to refine it? Adding "password" cut it down somewhat, but still many thousands of irrelevant results. Some of those results had the header "MySQL Dump", so let's add that too. Whee; now that looks interesting.

Many of the results are, of course, installation scripts for webapps, setting up default parameters, including default admin accounts, etc. However there are some interesting other files. Lots of plain text passwords but several have encrypted passwords too.

One of those caught my eye - the first few records all had a password of e10adc3949ba59abbe56e057f20f883e. Putting that into an online MD5 Decryptor brought up the plain-text equivalent: 123456. Duh! Every other example I tried was also decrypted successfully.

Now apparently 123456 is the worlds most common password. Let's see just how many database dumps exist that have plain old md5 hashes of passwords, have at least one user account with the password "123456", are available on public facing web servers, and are indxed by Google. Lots, as it turns out.

Now many of these are still install files, or very old, or from fairly inconsequential websites. I checked a few, and had a look at the front page of the websites that hosted them. One file stood out, though. The file Google had thrown up was fairly boring - default data for some application I didn't recognise with the obligatory 123456 admin password, but the front page of the host it was on turned out not to have an index file, and gave me a directory listing. One of the files listed was a ~7Mb compressed sql file with a filename that included the name of a rather large telecomms company..



Now that was interesting! I think it was a dump of some market research data..



Email address, first name, surname, telephone number... And later on, what looked like address records.

In excess of 28,000 users ... All UK individuals.

On a public facing web server...

I notified the company concerned, and they have removed the file, indeed they removed the entire subdomain from the internet. Google search results no longer include the file that led me there. Bar two screenshots which the above images are taken from, I have ensured all data has been removed from my system, including cache files. Oh, and the ICO have been notified. As the company were so quick to get back to me and to take action, I am not identifying them here.

Need I spell out the lessons to be learned however?

Writing a TiVo HDD

This is mainly a write up of my notes, for Alek, but thought they would be useful in public!

You will need a PC with a CD-ROM drive, a floppy drive and IDE hard drive connections.

Discs needed:

• Any bootable MS-DOS floppy with QUNLOCK program.


• MFSTools CD-ROM


• CD-ROM containing drive image


• Dylans Boot Floppy (optional)


• Floppy with network drivers on (optional)

Connect the CD-ROM as primary master.
Connect the new hard disc as secondary master.

Step 1 - unlock the drive

You only need to do this if when you boot up it the BIOS shows the drive as c. 9MB

Boot off the DOS floppy, F5 to skip autoexec etc.
A:>QUNLOCK 2

PHYSICALLY POWER OFF

Switch back on and check disk capacity is reported correctly.

Step 2 - Restore the image

Insert mfstools CDROM and reboot

Press CR as required to reach # prompt

Swap disc for CDROM containing your backup image

# mount /dev/hda /mnt/d
# mfstool restore -zi /mnt/d/tivo.bak /dev/hdc
(where tivo.bak is the filename of your backup image)

wait for it to complete.
# sync
and power off

Step 3 - Network drivers

Only if you need to install the drivers.
Remove any CDROMs and insert Dylans Boot Floppy
reboot
login: root
# mkdir /floppy
- insert tivonet setup disc
# mount /dev/fd0 /floppy
# /floppy/script
- wait
# sync
and power off

That should be it...

TiVo code injection

There may be one or two of you reading this that already know about TiVo. The quickest description for those that don't know about it is to say it's a PVR, like Sky+, but that's like saying Nescafé is good coffee. If you were about ten years ago, when it was last sold in the UK, you might remember the "it pauses live TV" adverts. But that's one of the most least useful features. A TiVo learns about what you watch, finds other things you might like, and remembers things from one year to the next. Most people never knew this, and the likes of Curreys, Comet, etc, seemed to have received little training on what it could do, so didn't try and sell the boxes they had. When Sky brought out Sky+, put all their marketing effort behind it, and all but gave the boxes away, it was the death toll for TiVo in the UK.

Thomson, the only people who licensed the TiVo software in the UK, only produced the one model, back around 2000, and had dropped it by 2002. At £399 for the box, and either a tenner a month subscription, or £200 for a lifetime sub, it was perceived as a little expensive for the feature being advertised!

Roll on to 2011. The old UK TiVo boxes still work, busy recording from Sky, Freeview, Freesat, Cable, or anything you feed into them. TiVo Inc finally strike a deal with Virgin Media to license the TiVo software on their cable boxes. Simultaneously, they announce that the EPG service they have provided for the last decade for the old boxes will cease on 1st June.

Cue much gnashing of teeth from us long-time users.

Long and short of it is that the "community" is going to set up a new server to supply the necessary EPG to the existing boxes out there. The trick will be telling the new boxes how to use it.

For boxes that have been modified with network cards, or for people who are happy pulling and upgrading discs, this is not an issue - upload and run a script, load up a new disc image, all are possible.

For unmodified boxes, where the only connection to the outside world is their daily call via the telephone line, it looked like being a problem. This is the task I took on addressing.

Stage 1 - the telephone call
Currently the TiVo dials an 0800 number to a standard ISP POP, logs in using it's service number, and connects to the TiVo servers on a specified IP address. It's safe to assume that the dial-up number will be withdrawn from service come June 1st.

Changing to another number is relatively easy - you can specify a dial-prefix in the TiVo GUI, and if you put an entire number in there, it will dial all of it. But where to connect to.

By setting up a simple dial-up server, using an obsolete modem rack and terminal server, I can now accept calls from TiVos, and connect them to the internet.

Stage 2 - redirecting to the new server
Once connected to the internet, the TiVo connects to a webserver on a specified IP address in order to check the service status, post it's logs, fetch software and guide updates, etc.

By passing the connection from the dial-up server to the internet through an old Firebrick firewall box, I can spot connections for one particular IP address, and redirect them to another!

This means we can accept calls from unmodified boxes and connect them to the new server, with only a simple change to the telephone number required, that can be done via the standard TV menus and remote control.

Stage 3 - updating the TiVo
One of the points that has been made is that the replacement server is using software that does not implement all the facilities that the original servers provide. This means that the softwre on the TiVo box still needs to be modified in order to use the new server. This looked to be an issue..

However, with full control of the server, it should be possible to send updates to the box. The standard way is to send a "runme" script, which the box will execute before loading the guide data updates, but this needs signing with a private key that only TiVo Inc hold in order to pass the security checks on the box.

My first thought was to brute force a signature for a simple file that could be used as a launcher for other scripts, but that looked like it would take an unreasonably long time.

However, some digging about in the client code and monitoring the transfers to see how the daily call mechanism works revealed a vulnerability that could be used to download and execute a script.

It was much simpler than I expected!

(Full details have been removed since this blog post was first published to prevent abuse outside the areas where service is not provided.)


Stage 4 - updating the TiVo
Now it's up to someone else who knows what changes need to be made!


PS: This is for the UK Tivo running software version 2.5.5 - I have no idea if this works on other versions.

php classes are go!

It's a bit of a mind set switch. Most of my time spent employed as a programmer was writing business applications in BOS/COBOL. This mostly involved leading the user through a series of options, with little chance of random things happening. The inclusion of SpeedBase added a little more OO style coding - it's basically a windows manager and relational database spliced on top, so you end up writing snippets of code for the different actions a user could do or buttons they could press within a window, but the options for them were still fairly limited, but that's probably what you need when dealing with Ledgers and Order Processing systems - make things too complicated and you have more chances to introduce errors or, god forbid, bugs!

Obviously this approach doesn't lend itself to programming for the internet, where as far as the server is concerned, pretty much any request could come at any time for any thing! And with forms, you don't get to prompt a user each item in turn, you basically get the whole set of answers dumped on you all at once. You also can't rely on the answers actually being within the range of values you specified when you displayed the form, necessitating a fair bit of validation being required to stop people trying to disrupt your systems. So it was fun getting used to such changes when I started coding up web backends.

Now, I'm working, finally, on converting my Viewdata Viewer code to a class based system. At present, it's a loose collection of individual programs that can each operate on a range of data formats, but each programme does different things, on different sorts of data, in different and sometimes contradictory ways. It started of as just a single bit of code that allowed me to refer to a saved viewdata page within an <img> tag, rather than have to convert it to an image manually, but it snowballed, especially with the inclusion of over 11 file formats!

The conversion is to try and create a defined API between the data files and the programs that need to access them. A lot of the code can obviously be re-used, but I'm trying to clean some bits up as well. Out goes the spaghetti of ifs and elses, and in come switches. Out go hard coded constants, and in come some defined labels. It should make accessing the files much easier, and will hopefully allow for such things as:

$vfile = new ViewdataViewer();
$vfile->LoadFile("./upload/1a");
echo $vfile->ReturnText();

Which is obviously much simpler than trying to figure out the file format, etc, in every app.

The main intended application at the moment is for a database for the Celebrating Viewdata site, into which all the pages found so far can be loaded, with an intent to create functionality similar to web.archive.org. Obviously items in the database need to be stored in a consistent format, and therefore I needed code to parse the source data files. Given I would have to replicate the majority of the functionality currently in place in vv.php, vl.php and vb.php, I thought it best if I bit the bullet and did it right!

Having all the file-format-dependant stuff in a single class file will also, of course, enable the addition of any new file formats to be achieved with the minimum of fuss, and no editing needed to existing applications. It should also make it much, much, easier for anybody else who wants to use the code to actually use it!


Of course, classes are a totally new way of thinking about items, again. It took a little playing and reading before I got the hang of them. It's a little more involved than just writing a library of subroutines, but much better. I wish I'd known about them before I started the viewer originally. But, well, it did start out as barely more than a hundred lines of code that achieved but a single task. It grew somewhat from there...


Anyway, watch out on the project website for the class code to appear. Hopefully I'll be able to post the first working code up within a week or two. Status as of today is that the recognition seems to work, and some of the support routines are coded up for some of the filetypes! I'm pleased with it, and enjoying the coding, which always makes it go faster. I just have to find the time to actually do it..