A Cliff Stoll moment?

I like to think that I maintain a healthy level of paranoia when it comes to computer and online security. Come to think of it, just writing that sentence probably puts me out of “healthy” and fairly deep into “paranoid” territory.

The challenge is that odd things happen sometimes and it is hard to know whether it is just the normal random weirdness of everyday IT life, or malicious action. A large amount of time and brain cycles can be spent trying to figure this out.

This reminds me of one of the formative books of my youth, Cliff Stoll’s 1989 classic “The Cuckoo’s Egg” (which coincidentally I found has been reprinted recently). Cliff was an astronomer working as a sys admin who started looking into a 75 cent accounting discrepancy and ended up spending a couple of years tracking a group of German hackers (and no, let’s not get wrapped up in the terminology here).

So every time I find myself thinking “That’s odd…” and firing up a terminal session, I wonder whether I am having a Cliff Stoll moment, or just being paranoid. So far I haven’t uncovered any worldwide hacker conspiracies, but every time I dive down the rabbit hole I learn something.

My most recent example was when I powered up my iMac and Safari popped up showing the following:

Now I don’t have my machine configured to restore open windows on launch, or to start Safari on login, so this was a bit of a surprise.

Somewhat worryingly, the page title was “Test živého HTTP steamování”. Images of Eastern European hackers or organised crime types came to mind.

Google Translate helpfully identified the language as Lithuanian, but less helpfully translated it into English as “Test živého HTTP steamování”. It does take “živého” as Czech for “live”, but still takes “steamování” as Lithuanian for “steamování” in English. Nevertheless it doesn’t seem too much of a stretch to assume it is something like “Test live HTTP streaming”.

Like any sensible person faced with a quandary my first course of action was to google it (OK, actually I Duck Duck Goed it. I’m not going to give the Evil Empire even more information about me. No, sorry that’s Bing isn’t it. I mean the Googleplex. Oops, my foil hat has slipped, just a sec …).

After all, if anything unusual is happening in the world x thousand people will have asked about it already on Stack Exchange or the Apple support forums or Yahoo Answers or wherever. And a nice distinctive string like “Test živého HTTP steamování” should cut through the cruft. But no, no sign of this being the calling card of the latest tsunami of Mac ransomware or similar. Unless of course I am the first person on the planet to fall victim …

A little investigation showed that the culprit was a login item opening an HTML page buried deep in the bowels of the iMovie app bundle. The final bits of the path were /cs.lproj/CreateLiveStreamingMovieIndex.html.

Aha! “cs.lproj”! Of course, a localisation into Czech, cs being the ISO 639-1 language code for Czech, not to be confused with the ISO 3166-2 country code cs for Serbia and Montenegro, at least until 2006 when it was replaced by separate codes for Serbia and Montenegro … but I digress.

Looking at the en.lproj version of the file showed the title “HTTP Live Streaming Test”.

So I am sitting looking alternately at the words “Live streaming” and the doleful eye of my iMac webcam. Is this the time to break out the tape to cover my webcam? After all, if it’s good enough for FBI Director James Comey surely it’s good enough for me. If anybody noticed I could even use his “I saw somebody smarter than I am do it” defence.

Perhaps not quite yet. Time to look at the HTML. The only material line appears to be:

<video src="$(MEDIA_HTML_ESCAPED)" controls autoplay></video>

Now I don’t claim any expertise at HTML or Unix scripting, but as far as I can see the video tag is purely for media playback. So it is some sort of test page for streaming video, which just displays the video from …

Here my lack of HTML knowledge becomes a problem. The src attribute is supposed to specify the source URL. At first look I assumed it was simply dereferencing an environment variable like in a Unix shell - $MEDIA_HTML_ESCAPED. But in a shell the brackets would make this a command substitution with the command being MEDIA_HTML_ESCAPED. If this were a variable containing a command it would need to be dereferenced again, as in $($MEDIA_HTML_ESCAPED). But this is HTML not a shell so … I don’t know.

Any amount of Googling (or DDGing) doesn’t make up for my lack of basic web development syntax knowledge here. And of course there is a world of difference between dereferencing a string variable and executing arbitrary code. After running this by a web savvy friend, I wonder whether this file is actually for use as a template to generate test pages. In the context of resources within an app bundle this could make sense.
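As an added example (not code from the original post, and not Apple’s own page generator), the following shell script makes the template reading concrete. It assumes the HTML file is a template whose $(MEDIA_HTML_ESCAPED) placeholder is replaced by a generator with an HTML-escaped media URL before the finished page is opened, and it relies on the fact that a browser given the raw file performs no substitution at all: HTML attribute values are plain strings, so Safari simply treats $(MEDIA_HTML_ESCAPED) as a literal relative URL that fails to load. The function names html_escape, render_test_page and list_login_items, the example URLs, and the macOS-only osascript listing of login items are all my assumptions, not anything documented on the page.

```shell
#!/bin/sh
# Added example: treat the iMovie page as a template and render it the way a
# generator would. In the raw file a browser does no shell evaluation, so
# $(MEDIA_HTML_ESCAPED) is just literal text; the _HTML_ESCAPED suffix says the
# generator escapes the URL before splicing it into the attribute.

# The single material line from the page, stored in single quotes so the
# shell does not try to evaluate $(...) either.
TEMPLATE='<video src="$(MEDIA_HTML_ESCAPED)" controls autoplay></video>'
PLACEHOLDER='$(MEDIA_HTML_ESCAPED)'

# Escape the four characters that would otherwise break out of, or change
# the meaning of, a double-quoted HTML attribute value. '&' goes first so
# the other replacements are not escaped a second time.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g'
}

# Substitute the escaped URL for the placeholder using parameter expansion.
# Quoting "$PLACEHOLDER" inside the pattern makes it match literally, and
# nothing in the URL is ever passed to a shell for execution.
render_test_page() {
    case $TEMPLATE in
        *"$PLACEHOLDER"*) ;;
        *) echo "placeholder not found in template" >&2; return 1 ;;
    esac
    escaped=$(html_escape "$1")
    before=${TEMPLATE%%"$PLACEHOLDER"*}
    after=${TEMPLATE#*"$PLACEHOLDER"}
    printf '%s' "$before$escaped$after"
}

# macOS only (assumption: osascript is available): list the paths of the
# current user's login items, which is where a stray item such as the iMovie
# page would show up during this kind of triage.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || {
        echo "osascript not found; list_login_items is macOS-only" >&2
        return 1
    }
    osascript -e 'tell application "System Events" to get the path of every login item'
}

# Constructed sample URLs; the .invalid domain is reserved and never resolves.
render_test_page 'http://stream.example.invalid/test/index.m3u8'; echo
render_test_page 'http://stream.example.invalid/a?b=1&c="2"'; echo
```

The second sample shows why the placeholder carries the _HTML_ESCAPED suffix: a URL containing & or " is spliced into the attribute as &amp; and &quot;, so the generated page stays well-formed and the value cannot close the attribute early. Opening the unrendered template, as happened here, just produces a video element whose src does not exist; no part of it is interpreted as a command.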

Assuming for the moment that this is just a benign Czech video streaming test page (admittedly not a phrase I have frequent cause to use), the obvious question is how it ended up as a login item on my machine.

It is part of an Apple product called qmaster which appears to be an interface for submitting video editing tasks. This in turn seems to be part of iMovie. iMovie is not an application I use, but it is on my machine (in fact three versions are on my machine for some reason) and I did take the update to 10.1.1 just before this all started.

Presumably, somehow this update ended up putting this obscure little page in my login items list for some reason. This seems like an odd bug, but right now seems more likely than some grand conspiracy by Czech speaking video streaming trolls.

I will simply remove the login item and hope that that is that, and that my next post won’t be “How my streaming video went viral in Eastern Europe” or “My adventures with Ransomware”.

Of course if MEDIA_HTML_ESCAPED was https://www.youtube.com/watch?v=dQw4w9WgXcQ it would all have made perfect sense ;)

PS - Apologies to any readers who stuck it out this far hoping for some useful resolution or startling revelation. Sorry. Welcome to my world.