Posted by & filed under Linux.

Everyone knows that script kiddies are constantly bombarding servers with login requests, attempting to get access to an account which you might have secured with a stupid password. I was curious to find out which accounts they were attempting to log in as, and more importantly, whether any of these accounts were actual accounts I knew of.

I couldn’t find anything on the internets, but I was able to cobble together the following (overly) complex command:

sudo cat /var/log/auth.log | grep -oEi "Invalid user ([a-zA-Z0-9]+)" | colrm 1 13 | sort | uniq -c | sort -h

If you’d like an explanation, check out the command breakdown on Explain Shell.
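As an added example (not part of the original post), here is the same count as a reusable shell function, plus a second function that checks the rejected names against a watch list of usernames you actually use elsewhere, which was the question the post set out to answer. The log lines and the watch list below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Counts the usernames that sshd
# rejected as "Invalid user" and flags the ones that appear on a watch list
# of names you use on other systems. All sample data below is constructed.

# Read auth.log text on stdin; print "<count> <name>" per rejected username,
# ascending by count, then by name (same shape as the post's uniq -c | sort -h).
count_invalid_users() {
    grep -oE 'Invalid user [A-Za-z0-9_.-]+' \
      | awk '{ n[$3]++ } END { for (u in n) print n[u], u }' \
      | sort -k1,1n -k2,2
}

# Read the counted list on stdin; $1 is a newline-separated watch list of
# usernames you actually use elsewhere. Prints only the matching entries:
# those are the guesses worth a second look (password reuse, shared names).
flag_watched_names() {
    watchlist="$1"
    while read -r count name; do
        if printf '%s\n' "$watchlist" | grep -qx -- "$name"; then
            printf '%s %s\n' "$count" "$name"
        fi
    done
}

# Constructed sample log lines (documentation IP ranges, invented PIDs).
SAMPLE_LOG='Sep 12 03:14:07 host sshd[2101]: Invalid user ftptest from 192.0.2.10 port 40112
Sep 12 03:14:09 host sshd[2103]: Invalid user admin from 192.0.2.10 port 40118
Sep 12 03:14:12 host sshd[2105]: Invalid user ftptest from 198.51.100.7 port 51002
Sep 12 03:14:15 host sshd[2107]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Sep 12 03:14:18 host sshd[2109]: Invalid user git from 198.51.100.7 port 51010
Sep 12 03:14:20 host sshd[2111]: Invalid user ftptest from 192.0.2.11 port 40200'

# Constructed watch list: names the admin uses on other machines.
SAMPLE_WATCHLIST='alice
git
oracle'

main() {
    echo "Attempts per rejected username:"
    printf '%s\n' "$SAMPLE_LOG" | count_invalid_users
    echo "Rejected names that are on the watch list:"
    printf '%s\n' "$SAMPLE_LOG" | count_invalid_users | flag_watched_names "$SAMPLE_WATCHLIST"
}

main
```

Note that OpenSSH logs "Invalid user" only for names with no local account; failed attempts against accounts that do exist show up as "Failed password for NAME" lines instead, so a full picture needs both patterns.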

Here are some of the more popular accounts people attempt to log in as:

 30 ftpuser
 33 astrid
 33 autumn
 33 bailey
 36 avalon
 36 testuser
 39 git
 42 bezhan
 42 test
 45 admin
 45 asuka
 45 auction
 45 bar
 45 bella
 48 bbs
 54 bandit
 57 bind
 57 oracle
 63 nagios
 69 au
 78 ben
 87 ftp
 93 bill
 864 ftptest

If you know of a better way to format this command (I have a feeling the length can be cut in half) leave a comment!

Posted by & filed under Reviews.

Today, my friend Daniel Elliott and I assembled our O2 Headphone Amplifier kit, which we ordered from Head ‘n’ Hifi (although, if you don’t want to assemble it yourself, you can buy it preassembled on Amazon). It took us about six hours to build the whole thing; however, if you’ve soldered before, you could easily have it completed in three hours (this was my first time soldering to a PCB).

While building this thing, we struggled in a few areas, and wish we had known some things in advance. In this article I’ll outline these things.

Part Identification

The most tedious and error-prone part of the process was identifying which parts were which. The Bill of Materials tells you which generic parts go to which location on the PCB; however, there wasn’t an easy way to tell which of the parts we had corresponded to which generic parts. Unfortunately, if you order the kit from anywhere other than Head ‘n’ HiFi, the parts will likely be different, and this list will be useless.

  • R1, R2: Red Yellow Black Black Brown
  • R10, R11, R15, R18: Brown Silver Black Black Brown
  • R6, R12, R13: Brown Red Red Black Yellow
  • R3, R7, R19, R23: Red Brown Yellow Black Brown
  • R9: Orange Orange Black Red Brown
  • R14, R20: Brown Black Black Red Brown
  • R16, R22: Brown Brown Black Green Brown
  • R17, R21: Brown Brown Black Brown Brown
  • R4, R5, R8, R24: Red Brown Black Gold Brown
  • R25: Brown Yellow Black Green Brown
  • C10, C15, C17, C18: Blue Cubes
  • C16, C21: 223, 312, apparently it doesn’t matter
  • C11, C12, C19, C20: BC 221
  • C13, C14: Square White Things
  • C1: 105Z (single)
  • C6, C7: 105Z (pair)
  • C2, C3, C4, C5: 381GB
  • C8, C9: B1129
  • D1, D2, D5, D6: 1N5818
  • U6: 7912ACT
  • U5: 7812ACT
  • Q1: 1C25AA (smallest one)
  • Q2: 1D33AA (black top one)

Solder Order

As a general rule, start by soldering smaller components first, then slowly add bigger ones. We did resistors, then small capacitors, IC risers, diodes, etc. If you do the big parts first, they may get in your way later.

Part Orientation

Whenever you’re dealing with a resistor, the direction you solder it to the board doesn’t matter. When dealing with the tiny capacitors, it doesn’t matter either (this I didn’t realize). The cylindrical capacitors and diodes need to face a certain direction (the PCB has hints everywhere). The transistors need to go in a certain way: on the PCB you’ll see a thick line that the back of the transistor needs to line up with. The IC chip risers have a cutout that aligns with the board, and the circles on the IC chips correspond to the cutouts.

Transistor Oxidation

This was a real pain. The four transistors (U5, U6, Q1, Q2) had very oxidized leads when they arrived. If you look closely, they almost look like a dull white aluminum color. Soldering them was an absolute pain and took a long time. Unless, that is, you scratch the heck out of the surface. Take some sandpaper if you’ve got it; otherwise just drag the edge of a blade against the leads, and you’ll see them become really shiny. Once you do that, they will be a LOT easier to work with.

Battery Connectors

Before you solder the battery connectors in, you should really attach a 9V battery to them first. By doing so, you can be sure that the leads will keep the battery flush against the board. My friend did this and I did not. At first I had two leads which were pointed in different directions, and I had to re-solder them. By the time I was done, both of my battery sets protruded from the board slightly, while my friend’s are flush against the board.

The Little Bag

When the parts arrive, you’ll find inside a smaller bag containing some resistors and riser connectors. Don’t open this bag; they are spare parts. Just throw it off to the side. If you do open the bag and mix it with your parts, it’ll be harder to tell what goes where.

Power Precautions

Don’t remove the batteries while the power is switched on. This is in the instructions; it may damage the circuit.

Don’t use a generic power source for the power jack. This thing is weird; it needs to use an AC -> AC power adapter. I didn’t even know such a thing existed! They are normally AC -> DC. Here’s a link to an inexpensive one that the author recommends: Power Supply on Amazon or Power Supply on Mouser.


Here’s a bunch of pictures of the board throughout the process, because hey, following pictures is much easier than diagrams ;)

[Photos of the O2 Headphone Amplifier build: Part Bags, Some Resistors, More Resistors, Some Solderings, Some Capacitors, Side View, Mostly Complete]

Posted by & filed under Security.

TradeBit is an online marketplace for selling digital goods. Back when I was highly active selling applications and music on the Envato network, I would occasionally list items for sale on TradeBit which Envato had deemed not up to their standards. Overall I made less than $60 throughout the lifetime of my TradeBit account.

Since large websites seem to be hacked every few weeks, with user accounts being leaked left and right, it seemed like a good idea to go through and delete any online accounts which I no longer used. While attempting to delete my TradeBit account, I was unable to find any automated process for doing so on the website, so I contacted customer support and asked them to do it for me.

The reply I received was a bit of a shocker:

[Image: TradeBit email conversation]

The problem with TradeBit requiring the last three characters of a password to cancel an account is at least threefold. I mentioned them in the email, but I’ll reproduce them here.

The first, albeit smallest problem, with providing them with part of my password is that I’m sending this password via email, which is an unencrypted communication medium. Imagine an email not as a letter in a sealed envelope, but a postcard with the message written on the outside. Every set of hands this message passes through is fully capable of reading the email in its entirety (and if you’ve been keeping up with recent news, you’ll know that every email IS read and stored by a third party agency).

Another issue with sending TradeBit the last three digits of a password is that a human is reading this password and performing some action with it. If this were some automated system it wouldn’t be so bad, but who knows what this person could be doing with said information.

The biggest issue is as follows: TradeBit is storing user passwords using one of the following insecure methods:

  1. TradeBit may be storing the password in a perfectly valid, irreversible manner, along with a separate hash of just the last three characters, against which customer service hashes and compares the three characters you provide. This is most likely not the case; it would be a lot of work for very little benefit. It also wouldn’t be as secure as possible: the hashes of all users’ last three characters could be brute-forced quite easily, and information about a user’s password is leaked.
  2. TradeBit may be storing user passwords using a reversible form of encryption, such as AES. This would allow them to decrypt a password and compare the provided one with the known one. Again, the odds of this are pretty low, and even if this is what is done, an attacker need only get access to their database of user passwords as well as the AES key and they’ve now got a decrypted version of all user credentials. Even if the key is stored within the application code and the credentials in the database, both systems could be compromised and the key and stored passwords taken.
  3. What is most likely happening is TradeBit is simply storing a plaintext version of user passwords in their database.

TradeBit COULD redeem themselves by performing two actions. The first would be to create an automated process for deleting accounts. The second would be to switch to a decent password hashing scheme, such as bcrypt in PHP (TradeBit uses PHP; inspect the headers). This move would be invisible to their users, as they could run a process to hash the stored user passwords overnight. Since the deletion system would be automated, TradeBit would check that the user is currently authenticated before performing the deletion, and wouldn’t require an awkward out-of-band email containing a partial password.

Protect Yourself

What you can do to protect yourself from the shortcomings of online services like TradeBit is anonymize your account information as much as possible before making a request to have your account removed. If a service allows you to change your username or email address, go ahead and change them to something which can’t be traced to other accounts of yours BEFORE requesting an account deletion. Also, make sure you are not using a password which you use anywhere else (if you are, change that as well before making the request). This is also useful when deleting your account from ANY service. You’d be surprised how many services don’t actually delete user accounts, but simply add a flag to the database saying the user account is inactive, keeping a copy of your email address and password locked away forever.

If you take these precautions, and a web service with your credentials is hacked, the attackers won’t be able to use this information to log in to other services you use. These processes are automated, so once your information is leaked, the chances are extremely high that someone will find other services which your credentials work with.

Posted by & filed under Personal.

Like any employee, I’ve noticed working conditions where I thrive, conditions where I have no motivation, and everything in between. I’ve worked at Fortune 50 companies, Bay Area startups, companies with 30-year-old codebases, and companies with no codebases. This list represents the ideologies of companies in which I’ve flourished in the past.

  • Doesn’t use a custom framework, especially one which is closed-source
  • Doesn’t have arbitrary, tight deadlines
  • Values work-life balance
  • Contributes to the open-source community
  • Allows developers to use their own development machine
    • Not being able to do so can be a sign of an overly coupled development environment
  • Doesn’t require proprietary communication protocols
    • Does your Microsoft Exchange server not work with OS X or Linux?
  • Has minimal spaghetti code
  • Prioritizes time to refactor and other things which don’t directly generate revenue
  • Isn’t a “marketing-driven” company
  • Throws away the Minimum Viable Product
    • Getting an idea to customers quickly is important, but once the idea is validated it’s time to architect
  • Considers feedback from developers before making large developer-affecting decisions
  • Gets feedback from developers before assigning tasks, e.g. point assignment

Posted by & filed under GIT.

After installing Git on a new machine, the push/pull behavior I was used to had changed. I prefer that a push or pull only affect the current branch, not all of them.

To set this behavior, globally, run the following commands:

# note: git has no pull.default key, so this line is a no-op; git pull already only merges the current branch's configured upstream
git config --global pull.default current
# push only the current branch, to the remote branch with the same name
git config --global push.default current

Now you won’t have any more surprise pushes of your not-quite-ready code from another branch.

Posted by & filed under Linux.

I recently purchased a Lenovo ThinkPad Carbon X1, which has been an absolutely stellar laptop so far, after immediately replacing Windows with Linux (specifically, Mint).

One of the unfortunate things about Linux Mint is that it falls back to OpenDNS for DNS resolution, which in the world of DNS is a sort of spyware. If the user requests a domain which doesn’t exist, instead of getting an error back, OpenDNS will display one of their webpages. This has the benefit (for OpenDNS) of getting more eyes on their websites, and if I had to guess, Mint might get some sort of cut as well. The side effect is that this breaks the internet, and any scripts you may be running to check for nonexistent domains will fail.

The configuration for OpenDNS servers is stored in the following file:


You have two options. The first is to delete the file entirely, and no fallback DNS servers will be used. Another option is to replace the two IP addresses in the file with the DNS server of another service. I chose to do the latter, and use the Google DNS settings of and, and now I bask in the glory of an error screen when I mistype a domain name, instead of the shitty OpenDNS service.

Posted by & filed under Linux.

By running these commands, you will download the necessary fonts required to render Emoji on your Linux machine.

mkdir ~/.fonts && cd ~/.fonts
unzip && rm

Interestingly enough, I didn’t even have to restart my apps. Pidgin, for example, immediately displayed the new font. It seems the OS is smart enough to find the fonts, see that they display the missing symbols, and re-render the text.

Please note, these will not be the full-color bitmapped images like on OS X, but will instead be colored vectors like the rest of the font glyphs.

[Image: Emoji rendering on Linux]

Posted by & filed under Personal.

I’ve been having a bad few days. Work just isn’t as fun as it used to be. I find myself throwing coworkers under the bus left and right; something I never used to do. Yesterday I sent an email to a third party that sounded a bit snarky (unintentional, but still). These are all classic signs of the burned out developer.

I’ve been on an exercise kick recently. Just a few days ago I ran a Half Marathon distance for fun. Today, I went ice skating with some coworkers (they talked me into buying a season pass). I stepped out onto the ice, made a few passes, and then realized everyone had switched directions, and so I attempted to do a 180 and go with the flow.

Well, my attempt seemed to fail. I ended up slamming my hand into the railing which surrounds the court. Apparently they intend only gloved-hockey-players to use this rink, because my pinky came into contact with a sharp corner of exposed aluminum, which runs around the entire perimeter of the rink. My finger instantly began bleeding all over the place.

Sliced Finger

Come to find out, the cut was very deep, slicing not only through flesh but also through fingernail. Judging from the depth of the cut and my amateur knowledge of human anatomy, I’d wager my finger stopped moving once the aluminum came into contact with bone.

I wrapped it up in a bandaid, and finished the open-skate session. But something magical happened once I sliced my finger open; I stopped giving a fuck.

About what you ask? Everything, I suppose. I knew at that point I really wasn’t going to be getting much done at work for the next day or two, so I sent out an email that I was taking the rest of the day off and probably the next as well. I talked with my friends/coworkers who were skating with me, and told them that I needed to just get away.

And here I am, blogging away at a coffee shop in Toronto, Ontario, Canada.

I’ve never done this before. I’ve never taken a road trip just for the hell of it. Truth be told, I was afraid of travel for many years. Especially when it came to traveling alone. This year, however, has involved a lot of progress for me. I took a trip out to California to visit family. I took a trip (flew alone!) to the TechCrunch Disrupt New York conference for work. I even flew to Ireland for a week with a friend (another coworker) just to see the country.

This time, I literally made my decision, and two hours later was on the road.

Unfortunately, this situation is not something the Border Patrol is used to hearing.

Being male, mid twenties, driving alone, to a part of another country you’ve never been to before, while not knowing anybody in said country, looks really suspicious to the border patrol. The conversation went down a lot like you’d expect.

“What are you here for?
Oh, just a mini vacation.
When’s the last time you were here?
About a year ago, just to Windsor though.
Why did you come here then?
Well, my ex had friends here, and we were visiting.
Are you visiting them today?
Where do you work?
I work at a networking company in Michigan.
Are you here for work?
I’m going to place this sheet of paper under your windshield wiper. Please pull ahead to customs.”

At this point, it becomes obvious that I’m going to be here a while. I pull up, get out of my vehicle, and wait for someone to come assist me. A border patrol worker comes and begins going through my car, making sure to check every nook and cranny of the center console, my laptop bag, my suitcase and dopp bags, you name it.

“What are you here for, sir?
Just visiting.
Whose car is this?
What is the license plate number?
Are you here visiting anyone?
Is this your laptop?
Are you here for work?
Why are you here, sir?
Just on a mini vacation.
I see you only have one night’s worth of clothing. Why are you here for only one night?
Well, I just wanted to get away.
Why did you choose Canada?
Well, Toronto is a big town that isn’t too far, and I really didn’t like Chicago.
Can you give me your phone, sir?
Uhh… Sure.
Can you unlock your phone sir?”

It’s at this point I give the man a look of incredulousness.

“If you do not unlock your phone sir, I will have our IT guys unlock it for me.”

I punch in the code to the phone. He disappears around the back of the car, and he and another guy begin going through my phone. The sort of things they checked included call history, text messages, Facebook chat history, and my photos. I knew this because the apps were now higher up in the run history, and were scrolled back a surprising distance. The last screen open when I got the phone back was halfway through my Ireland vacation photos (a couple thousand in).

“Sir, can you please help me out here. I’m just trying to put your story together. You came here, on a whim, just to spend a day, in a place you don’t know, with nobody you know, in the middle of the week when you should be at work?”

I did my best to explain. I doubt they believed a word of my story, but seeing as there were in fact no drugs in my car, and I kept telling them that I wasn’t here to work, and they didn’t have anything to pin on me, they finally checked off a box on the sheet of paper and allowed me to enter a nearby building.

In here, the woman behind the counter was a little bit nicer. She asked me the same sets of questions I had heard several times again. This time though, she asked me something I thought was pretty funny.

“Are you here to gamble online?
Uhh, no.
Are you sure?
I’m positive.
Everybody gambles online!
It’s just not for me.
Well, what is this laptop for then? Are you here to work? If so, we have forms you can fill out.
No, I just like to have my laptop.”

I’m not sure if that was an attempt at entrapment or what. I have no idea why someone would want to drive 5 hours into another country just to whip out their laptop and gamble online. Surely there are better ways to gamble, such as going to a casino, or playing cards in a basement with friends. Of course, this isn’t even mentioning the concept of using a server in another country as a proxy to get around the regional restrictions that online gambling websites undoubtedly have. (There’s no way I would have said that though; to these people, knowledge is an admission of guilt.)

Posted by & filed under JavaScript.

A friend linked to this game the other day:

Cookie Clicker

It’s really simple. You click something over and over, and you buy upgrades, and then some automated processes happen in the background.

Open your console, and paste in the following commands. They will allow you to play the game automatically. Notice the $$; this uses MooTools, not jQuery.

// Automatically purchase new products (e.g. Grandmas) each second as they become available
// (guarded so an empty match list doesn't throw a TypeError every second)
setInterval(function() { var p = $$('.product.enabled')[0]; if (p) p.click(); }, 1000);

// Automatically click the big cookie 10 times per second
setInterval(function() { $('#bigCookie').click(); }, 100);

// Automatically purchase upgrades each second as they become available
setInterval(function() { var u = $$('.upgrade.enabled')[0]; if (u) u.click(); }, 1000);

These simple commands don’t play the game as efficiently as possible. One could graph out the best way to play the game, which would involve saving up for better options instead of always spending money.

For Cookie Clicker to prevent this easy way of cheating the game, they’d probably want to not load MooTools as a global object, and to randomize the names of DOM elements each time the game is loaded. Those measures wouldn’t prevent these cheats 100%, but they would make them harder to perform.