Skip navigation

On a Sunday evening this past summer, an attacker (not going to get into the whole misuse of the word ‘hacker’ here) took over some of my accounts and attempted to take over others. I suspect this was related to my involvement in Bitcoin and cryptocurrencies (these are nice target to steal) but I can’t be totally sure. I’ve heard a number of similar stories and read a few articles about similar incidences so I decided I should write my experience up.

A few examples of similar attacks are here, here, and here.

I got off pretty lucky. I had a few hours of inconvenience but I didn’t actually lose anything. Some of that was due to luck and some was due to the way I have things setup (but more on that later). In light of that I decided it was worth it to write up what I did right, what I did wrong, and how I could improve my security.


Let’s start with a timeline of the incident since there are some interesting points about it. Some of this is not in the order I saw it, but it seems clearest this way.

11:00PM I finish giving my daughter a bottle and go to put it in the spreadsheet I have on my phone (you are supposed to keep track of how much infants eat and I like data, so don’t judge me). The phone says I’m logged out of my Google account. Seems odd but I’m not concerned yet. I put the baby to bed and go to my computer to see what is going on.

11:20PM I see password reset emails from bitstamp, dropbox, groupon, and gmail. Only the gmail one was successful. Since my gmail forwards to my normal mail, I have the email about the password reset.

11:27PM SMS sent from Google voice account to a 702 area code number.

11:28PM Call using Google voice to network solutions (changing my DNS).

11:33PM email setup for my personal domain.

11:39PM I changed my gmail password back to something I control.

11:45PM I set my DNS back to my server.

12:00AM I notice my phone has no service. Log on to Verizon account and I see my phone number is set to an Apple iPhone 5s (I use an android phone and have for many years) but no recent logins on my account.

12:30AM Finally find a Verizon number to call (their security hotline). The very nice person one the line tells me that that number is for police or government callers. I have to use the Fraud Hotline which is only open from 7AM to 11PM.

2:00AM I manage to get my phone number back by sending an SMS to another phone on my account (family plan).

7:30AM Called Verizon’s fraud number. They blacklisted the MEID and SIM card for me but otherwise couldn’t explain what happened.

8:00AM Called Network Solutions. They said it was impossible for someone to change DNS over the phone (despite that I know it happened and have personally done it in the past without the account password).

8:30AM Called zoho. The confirmed that an account was made for my domain but no email got to it (since I stopped it very quickly). I assumed they wanted control of my email and would just recreate my address there but instead they made a single email address with a very bad word that I won’t post here as the address (and anyone who knows me knows that there are very few bad words that I don’t use so the choices are pretty limited here). Zoho closed the account for me.

9:00AM Discovered that the same attack was done to a coworker of mine at more or less the same time frame (and a different mobile carrier). This makes it very suspicious that we were particularly targeted for our bitcoin work.

Failure Points

Verizon Wireless

Verizon should never have switched my number to a different phone. The attacker never signed in to my account and almost certainly only had partial information about me and yet Verizon basically gave away my cell phone number which is one of the most important keys to all sort of parts of a person’s digital (and financial) lives.


My gmail password was changed which was probably the initial goal until they discovered that I just forwarded that to my real email. This was due to my settings rather than a flaw in their systems or processes.

Network Solutions

Network solutions should not have changed my DNS over the phone. The attacked did use a number that may have been associated with me at one point (a Google Voice number) but still, changing that without my password wasn’t good.

What I Did Right

Probably the best thing I did was catch this quickly and started changing things back before any harm was done. Unfortunately, that isn’t really a strategy one can rely on.

While I didn’t have it turned on for all of my accounts, I did have two factor auth turned on for a number of accounts. That meant that the attackers couldn’t get in to everything.

The fact that I don’t use gmail as my primary email account (and don’t host my email with gmail) saved me a lot of trouble. It meant that when the attackers got my gmail account and started trying to reset passwords, they didn’t get the reset emails since they didn’t have access to that email address yet.

I don’t keep any Bitcoins or other cryptocurrencies on any exchanges which meant that there was nothing to steal without accessing computers of mine (which would be a much tougher thing to do).

Also very helpful was that I have an email client that keeps a local copy of the emails. This meant that I had access to the gmail password change email even though my email accounts were not accessible (making it much faster to recover). Webmail is the attackers friend in these cases.

What I Did Wrong

I got off very well in this, but there were still things I could have done better. Most importantly, I should have had Two Factor Authorization (2FA) turned on for my gmail account. I also should not have had a recovery phone number set for my account.

The second thing is I should not have had a domain (and an important one) registered with Network Solutions. They do not support 2FA (not even the terrible SMS version of it), and they can clearly be talked in to changing things over the phone (something I’ve seen in person even before this).

Things to Improve

There are some steps I took to prevent this from happening again. First I turned on 2FA using Google Authenticator, not SMS, for all of my google accounts and removed the recovery phone number. That part is very important since you phone number can be stolen.

Then I moved the last of my domains off of Network Solutions and on to a better Registrar that supports 2FA.

While I already used 2FA on many accounts, there were still some that I did not so I have now turned it on whereever possible.

Interesting Points

The most interesting thing about this to me was that the attack changed my Verizon number right before their fraud department closed. That made it much harder to recover. It is also worth noting that there was nothing technical about this. The first (Verizon) point and third (network solutions) in this attack was done entirely through social engineering. All of the other bits relied on using the password changes more or less as intended.

The seemingly target nature of this is also interesting. The only part that I find confusing was why they just made a bad email address on zoho rather trying to match my real address. That makes the whole thing seem much less careful than the rest of it. The only thing I can guess is that the attacker was annoyed that I was already getting things back at that point.

I’ve also considered that it might make sense to have a separate Google account just for use with Android (so just for the Android App backups, contacts, etc) and to not use that for anything else. I haven’t fully thought through if that helps enough to be worth it.

Another important point is that 2FA using SMS (when a website sends you a text message with a login code) is NOT secure.

Why Post This

I want to make a small note as to why I’m posting this. One could question posting details of an attack in case the bad guys can learn from it. While that is true, I think it is more important that everyone else can learn from it and protect themselves a bit more. I’ve already dealt with most of the ways in on my end so I’m not tremendously worried myself. The possibility of compromising a cell phone remains and until the carriers fix that, there isn’t much we can do there so it is vital to address all the issues that we can. Also, I’d posting this to shame the companies that let this happen (Verizon Wireless and Network Solutions).

Doug tagged me with this on Facebook, but it was too much text to do in the little facebook text box so I decided to post it here instead and link to it from facebook. This wasn’t easy and there were a bunch of albums that almost made it (Sonic Youth, Butthole Surfers, Neil Young, Pink Floyd, Dinosaur Jr., and probably others).  It was also very hard to pick one album in a few cases.  I tried to go with the one that had the most impact even if it wasn’t my favorite album by the group.

So, here are ten albums that had an impact on me (in no particular order).

1. The Juliana Hatfield Three – Become What You Are

I bought this CD used sometime in high school. I probably listened to more metal and other heavy music at the time than anything else, but for some reason I really loved this album. In the long run it isn’t even my favorite thing Juliana Hatfield has done, but it is what initially got me interested in her music. If anything I probably listen to her even more now than I did in those days. My feelings about Juliana Hatfield are pretty well know, but this is the album that really started it.


2. Bad Religion – Recipe For Hate

I’ve always thought this album was kind of underrated compared to other BR music. Good punk rock with intelligent and political lyrics. I clearly remember talking to Adrian after taking the SAT and there was some word in the verbal section that we both only knew because of its use in a Bad Religion song. I have no idea how many times I’ve seen them.


3. Faith No More – Introduce Yourself

Along with my general love for FNM, this album reminds me of the days when there was actually music that was hard to come by. The later (Mike Patton era) albums were easy to find, but this one actually took some looking for. We used to actually look at the sections for bands we liked for uncommon cds or imported singles at Tower Records and other long gone places (not to mention all the used record stores on St. Mark’s Place). I’m not saying things aren’t better now, but I do kind of miss that sometimes.


4. Andrew W.K. – I Get Wet

Unlike everything else here I don’t really know when I got this album or associate it with any particular time period. It is very hard not to feel happy listening to this or most of his music. I’ve seen him a few times, and every time it was very different. One time full band, normal rock concert. Another time piano and string quartet. No matter what, he seems to be happier on stage performing than anyone else I have seen. It looked like he was happier playing in a coffee shop in a Virginia strip mall than the bands playing at the Super Bowl look and that feeling really comes across in this album. Party Hard!


5. Metallica – Black Album

This was the first actual CD I actually purchased (or maybe it was GnR’s Use Your Illusion I, but either way it was close). This album really marked the end of Metallica as a great band and their descent into pathetic sellouts. At the time I loved it (until I heard their
earlier stuff and realized how much better they used to be). I also had to have some metal on here.


6. Rancid – …And Out Come the Wolves

Rancid is kind of an uneven band, but Out Come the Wolves is pretty much perfect. I’ve listened to this so many times that it seems weird to hear one song and not here the next one right after it. It also probably has the best punk bass playing anywhere.  I also have memories of listening to this on my walkman while working at the physics lab across from the laser lab (can’t remember the name) in college.


7. The Gaslight Anthem – The ’59 Sound

I bought this right around the time I went to SLAC for a Fermi meeting. I spent a lot of time listening to this while waiting on software to compile. I think this mattered since at the time I was pretty bored with a lot of music and hadn’t heard anything new that I really cared about in a while. This album, and Streetlight Manifesto (who didn’t make it since I couldn’t pick one album) changed that.


8. Nirvana – Unplugged in New York

This sort of feels like it is cheating since it is a live album, but since it deviates so much in terms of songs from their studio work I think it is okay. Not much I can say about this that hasn’t been said before. It is hard if not impossible to think of this album without thinking of Kurt Cobain’s death.


9. The Ramones – Rocket To Russia

It barely makes sense to pick one early Ramones album over the others so I just went with this since it has a few more favorites on it. Again, as someone who used to listen to a lot of metal, the simplicity of the Ramones always amazed me. They showed that punks (from Queens) can do pop music better than pop ‘musicians’. I’ve always been very happy that I managed to see the Ramones one their final tour (although seeing Andrew WK and Marky Ramone do a night of Ramones songs was pretty close). Ramones songs are also the most fun to play.  Kind of hard not to be happy when listening to the Ramones.


10. Reel Big Fish – Turn the Radio Off

Upbeat music, sarcastic, depressing lyrics, what more would I want towards the end of high school/beginning of college. I think I saw them at one of the early Warped Tours around when this came out. This album embodies the type of ska-punk I like. Music can have horns and be complicated while still having the feeling of punk.


Not much to say here, just a test posting after moving this site to a new webserver. I may try to write up some of the details needed to get WordPress and OpenBSD to play nicely together if I have time later.

I’ve been using git for version control for a few years now and at several different companies (although I still use subversion for personal projects).  I think I finally get it and understand the common workflow with it so I wanted to write it down.  This largely involves the rebase command (a command which I was initially weary of), hence the post title.

For starters, unlike many people these days, I don’t think git is absolutely superior to other version control systems.  As I said, I still use subversion for my personal stuff.  So let’s start with some negatives.

First, git doesn’t store directories or history about them.  So if you you want an empty directory, you need to add a hidden file (.gitignore is a good choice) to the “empty” directory.  As someone who moved from cvs to subversion, this feels like a step backwards.  At least in cvs, I understand that it is an unavoidable artifact of using rcs files, but with git I really don’t understand the decision.

Second, git is built very much around the idea of a single project per repository.  There are situations where this makes a lot of sense, but there are use cases where I would prefer to have multiple things in one repository and just check out the parts you want.

Finally, I miss cvs tags in files (which subversion supports just fine).

I’m in a good mood so I won’t count the documentation against git.

One of the things people always say is that git is great because it is decentralized and I’m not sure I buy that.  In every place I’ve worked (and every major project using it that I’ve looked at), there is always one master, central, blessed repository that everyone else clones and pushes to (sometimes indirectly if only limited people have access).  I think this makes sense, but it makes the decentralized talk seem a little funny.

The other part of it being decentralized is that you have a complete backup of the repo with every clone.  Except that git clone only clones some things.  You can fix this (more or less) with:
$ git fetch --all --tags

Now that I’m done with all that preliminary stuff, I can talk about what I actually wanted to: git rebase (and the associated workflow).

Initially, git rebase seemed like a bad thing to me.  It allows you to rewrite the history in a repository, frequently to squish commits together.  To someone raised on more traditional version control, that seems like a terrible idea.  After all, history is sacred.  If I didn’t care about history, why would I bother using version control?

It is only recently that I’ve come to understand the cases where this is okay (and actually very beneficial).  I still think that one should never mess with the main history (and if there is a change that someone else has used the branch you are changing, then it is a terrible idea to change history).  But what git rebase does it let one work on a local branch and make as many little commits as possible.  Then, when the feature or bugfix is done, one can rebase against the main branch and make all that work into a single commit.  In source code with multiple commiters working on different features, this is really the only way to end up with history that makes any sense.  For a good counter-eample, one need only look at the git history for android.

That’s really all I wanted to point out, that when used with branches, git rebase can be a good way to maintain a legible history on the main branch for code (but I still don’t think it should ever be used on the main branch).  This also lets you avoid all sorts of ugly merge commits that don’t really say anything.

I’ve made some changes on this blog and hope to make some more soon (and maybe even post occasionally).

I’ve decided to switch from Blogger to WordPress hosted on my webserver.  I generally prefer to host myself whenever I can and Beth is planning on switching her blog to WordPress so it seemed like a good time to do it too

I’ll probably change change the theme around a bunch, but I kind of like WordPress so far (except that it is a bunch of nasty PHP).

I want to talk about compilers a bit.  I haven’t really worried about compilers in a few years, but since it sounds like there may be some interesting things going on in that area, it seemed like there might be something to look into again.

There’s a lot of talk these days about clang and llvm as a replacement for gcc. This has gained some momentum since Apple’s switching over to llvm (which ended up causing trouble for people who use MacPorts and lots of UNIX tools on the Mac, but that’s another story).  The various BSDs seem to have shown some interest in this too.

Ignoring the non-technical issues that seem to drive some people in this direction (I don’t really understand the anti-GNU sentiment that seems to come up relatively frequently these days either), llvm is supposed to be better at optimizing output than gcc.  This is where I actually get interested.

Most of my work on optimizing code comes from doing simulations in FORTRAN 77 when I was in grad school.  So the first thing I looked for to test this was a FORTRAN frontend for llvm.  This may seem like an odd thing to want, but lots of technical and scientific work is still done in FORTRAN.  It is actually a great language for a certain set of problems.  Turns out clang is pretty much for C-like things (I guess the name should have been a hint there).

To support languages like FORTRAN, there is a project from llvm called Dragon Egg.  It isn’t really a compiler, it is just a plugin to allow you to use llvm to do optimization for gcc (and since they claim FORTRAN support, presumable gfortran).

So, I installed it, checked out a copy of ZEUS-MP from my svn repo, modified the makefile, and tried to compile it.  And nothing.  I got strange build errors right away.  Now Zeus is extremely portable at this point.  In the past it was known to run on UNICOS, Irix, and lots of other long gone systems.  I’ve personally made sure that it could compile with the Intel Compilers, Portland Group Compilers, G77, GFortran, and Sun Studio Fortran Compiler.  I actually found the best performance with the gcc based compilers (g77 and gfortran).  Seemed surprising considering that in toy examples, the Intel Compilers generally perform best.  I have a figure or two related to this in my dissertation.

I could probably fight and try to get zeus to compile this way, but I don’t do hydrodynamics or FORTRAN for a living any more, and this was just supposed to be a quick experiment, so I don’t think I’ll put the time into it.  Maybe they will eventually get FORTRAN support to work better and I’ll try this again.  But for now, I’ll stick with the GNU Compilers.

I already posted on this topic specifically related to Angry Birds, but I figured it’s worth putting a more general version of it up.

I’ve seen a few reasons why one might need to restore the saved states of a game on an Android device.  This could be necessary when moving to a new device, updating the OS on a device, or restoring after some sort of failure (I’ve seen Angry Birds data get corrupted as well as Temple Run).

In principle, Google provides a way for developers to store information with the user’s Google account so data gets restores just like calendar and contact data. This would be nice, but it depends on the developer actually updating their device to use this relatively new Android feature (and I have yet to encounter a non-google app that uses it).

The startup FTW is working on a similar solution only it is platform independent as well as device independent. Even better, unlike the Google solution, this one actually lets you see what data you have (along with other cool features). (And to be totally transparent, I’ve had some involvement with the FTW guys, so I’m not 100% objective here).  This is a really nice way to deal with game data, but it still has the same issue where if a developer doesn’t use it, you data is trapped on a device.

So, until more developers use one of those two solutions (hopefully FTW) for backing up game states on mobile devices, Android uses need to take matters into their own hands.

I’ve tested this on a Droid Incredible, Droid, Xoom, and Galaxy Nexus.  I’ve done it with Android 2.3 and 4.0.  There is no need for the device to be rooted although that make some things easier.

Apps on Android can save files to their own directory on the /data partition and possibly to a similar directory on the sdcard if present (/mnt/sdcard/).

The first thing you need is the Android SDK (you really just need the adb tool that comes with it).  It can be downloaded (along with instructions on how to make it work) from the Android development site.

Once you have that installed on your computer and can see your device when plugged in with the command:

john@yoshi ~ $ adb devices

(Note, all of this must be done from a command line of some kind.  My examples were done in an xterm on GNU/Linux, but any terminal, including the DOS command prompt on Windows should work with at most minor changes).

It is now necessary to put your device “USB Debug Mode”.  The option for that is either in the Applications part of the settings or the Developer Options.  This varies with different versions of Android.

You now need to figure out the directory where the game is storing the data.  This name will match the java package name of the application (which isn’t actually made readily available anywhere).

Open a shell on the device:

adb shell

This will connect you directly to the device. Then type the command:

ls /data/data/

This will show a list of directories. You need to figure out the directory for the app you are looking for. Usually it will be obvious, although if not, google can help.

The apps I know for sure are:

  • Angry Birds: com.rovio.angrybirds
  • Angry Birds Rio: com.rovio.angrybirdsrio
  • Angry Birds Space: com.rovio.angrybirdsseasons
  • Angry Birds Space (Free):
  • Cut The Rope: com.zeptolab.ctr.paid
  • Temple Run: com.imangi.templerun

Now check the sdcard in the same way:

ls /mnt/sdcard/Android/data

for a similar directory. Of the games I listed above, only Temple Run stores data on the sdcard.

Once you have come up with a list of files, for each one you must execute the command:


If you need to restore, the command is:
adb push LOCAL_PATH_TO_FILE /data/data/PATHTOFILE.

Generally, you need to start up the game (and in the case of Angry Birds) play a level so it will create its directories and save files before you put you backup copy back.

The files I know about are:

Angry Birds


(Only the directory changes for the different angry birds versions.)

Cut the Rope


Temple Run


For other games, you’ll have to figure out the files yourself, but the general idea will always be the same.

All of the above can just as easily be done for apps other than games, I just haven’t found the need for it myself.

I would love to write a program to automate this process on the Android device itself (and either save the files to the sdcard or mail them to the user).  Unfortunately, the security policy on Android prevents this.  Each application is assigned a user name and group when installed.  It is the only application (with the possible exception of some system processes I think although I haven’t experimented with that enough) that has permission to read or write to its own directories and files.  Another app by the same developer (with the same signing key) can get permission to them, but that really doesn’t help me.  So on devices that haven’t been rooted, it seems that this method where the computer is also used is necessary.

I’ve been a member of the W3C html working group for a couple of years now. I don’t really participate as much as I would like, but I still think the group’s work is important.

So, with that in mind, I figured it was time to finally convert my website to html5. While technically it is still just a draft proposal, the fairly basic features are set, so a simple site like mine should be easy to convert.  I figured it might be worth putting what I did up here, even if just so I can see it later.

Up until now, I’ve always used XHTML. This means I kept presentational elements to a minimum and didn’t have the mess of tag soup that many older html documents contain.

The first thing was to change the mime-type the page is served as. xhtml has to be served with the application/xml+xhtml type to be valid (even though the broken IE browser can’t handle that). The correct type for html5 is simple text/html This can be done in your .htaccess file with the line:

RewriteRule \.html$ – [T=text/html]

Then, I replaced the top of each file (up to the title tag) with:

< !doctype html>

Other than that, I only had a few minor issues to fix.  I used the tag in one place (replaced it with css font-size:300%;), put the align properties for the tables in css

table     {
    text-align: center;

And finally since the name element is deprecated, any time I used it, I just replaced it with an id in a nearby tag (usually a heading tag, but sometimes a paragraph).

I haven’t yet dealt with this blog (but due to blogger’s messy templates, I never even got it to be valid xhtml, so this may not be easy). I also have a bunch of pages that are generated by a perl script. I modified the perl script, but just don’t feel like testing it tonight. But otherwise, goodbye XHTML, it was fun.  All told, the html5 pages are definitely smaller since there is less junk on the top of each page and I can’t be lazy and put styling all over the place, it has to go in the css.

(Note: I realize this is very simple, but I wasn’t able to find it by searching and therefore had to figure it out myself. Hopefully by posting it somewhere, I can save someone else the time. And if not someone else, maybe I’ll save myself the trouble next time it comes up.)
Recently, after an update for Angry Birds Seasons on Beth’s Motorola Droid, the app refused to open. I know that if I were to just reinstall it, all progress would be lost. I looked around online and I see other people have had similar problems with the various Angry Birds versions on android phones. I filed a bug report with Rovio but never heard back.
A little while later, the SD card on my phone had some issues. This causes both Angry Birds and Angry Birds Rio to stop working on my Droid Incredible. I could just reinstall them, but that would also cause me to lose all my progress. Turns out it wasn’t too hard to solve both problems.
Angry Birds stores its save data and settings in files on the phone in:


If your phone is rooted, then you can just access these files directory from a terminal on the phone. Unfortunately, if your phone isn’t rooted, you don’t have access to these files (and rooting some phones requires wiping them which would defeat the whole purpose of this).
There is a way around this. If you download the Android SDK from google, you can access these files without root permission on the phone. Install the SDK following the instructions from google. When you connect your phone, make sure to turn USB debugging mode on (it can be found in Settings->Applications->Development).
Once you are connected, you can use the adb tool to copy the Angry Birds files off the phone for safe keeping. You should get both the file settings.lua and highscores.lua. Assuming you are doing this with bash on GNU/Linux (or a Mac)

john@yoshi ~ $ cd tmp/
john@yoshi tmp $ GAME=angrybirds
john@yoshi tmp $ mkdir $GAME
john@yoshi tmp $ adb pull /data/data/com.rovio.$GAME/files/settings.lua ~/tmp/$GAME/
john@yoshi tmp $ adb pull /data/data/com.rovio.$GAME/files/highscores.lua ~/tmp/$GAME/

(And the repeat with GAME=angrybirdsrio and GAME=angrybirdsseasons.)
After doing that on my phone, I reinstalled all three Angry Birds on my phone and then copied the files back with the command:

john@yoshi ~ $ GAME=angrybirds
john@yoshi ~ $ adb push ~/tmp/$GAME/settings.lua /data/data/com.rovio.$GAME/files/
john@yoshi ~ $ adb push ~/tmp/$GAME/highscores.lua /data/data/com.rovio.$GAME/files/

(Again, repeating for each game.)
For Beth’s phone, the pull command could not find the settings file for Seasons. It seems that the settings file was erased during the update. Just putting a blank file back was enough to fix it! All the settings were lost, but there aren’t many settings so that didn’t really matter since the level data was saved.
So, now I back up my Angry Birds data every once in a while. I haven’t had a chance to really examine the save files (.lua) but since I have copies, I’ll probably take a look at some point.

I found this while going through some computer parts.  Makes me think that perhaps I keep old computer stuff just a little too long.