Please Don’t Use Comments To Alter Functionality

“Holy shit!” Your JoeDog exclaimed.

“Why do you swear so much?” an emailer emailed this blog. “Young readers don’t need to be exposed to that.” Listen, if your kid is reading this site, then maybe it’s time to buy him a football. By the time he’s old enough to care about these topics, he’s already heard a lot of vulgar language….

“Holy shit!” Your JoeDog exclaimed. “That’s a code salad!”

Our enterprise backup guy is just like your enterprise backup guy. He’s involved with every system, every project and every meeting yet all he does is put ones and zeros on tape. Generally he calls your attention to meaningless minutia but once a decade you learn of something important. Yesterday was once a decade. Backup informed Your JoeDog that the NetBackup client wasn’t installed on a new server.

“That seems unlikely,” Your JoeDog said. “Puppet puts it on every server.” Puppet is our configuration management server. It installs software and writes configurations to every server in the enterprise.

“That’s what I thought,” Backup said. “But it’s not there.”

To prove that Puppet puts it on every server, Your JoeDog showed him the code. We’ll examine that code after the jump

Continue reading “Please Don’t Use Comments To Alter Functionality” »

Posted in On The Job | 2 Comments



Baby Cow!

baby-cowMeet the newest member of the JoeDog family. This is Baby Cow — with her markings she looks like a little tiny baby cow.

She was abused by a Mennonite farmer who tried to breed her. When that failed he tied her to a pole along a highway with a sign that read “Free bulldog.” By chance, a member of the Long Island Bulldog Rescue happened to see her. She stopped and called the state agency which enforces puppy mill laws. The farmer was fined.

That night Your JoeDog had three beers at a local brewery. Mrs. JoeDog saw an announcement on the Long Island Bulldog Rescue’s Facebook page. They needed someone to foster this dog. Your JoeDog reluctantly agreed because … well, did he mention three beers?

When Baby Cow arrived she was in sorry shape. Her eyes were cloudy and her rear legs were both injured. At first the vet suspected glaucoma but it turns out they were irritated by her lashes. Baby Cow’s legs were another story. She had two torn ACLs, probably the result of standing long hours on top of chicken wire. Puppy Mill breeders frequently stack their dogs in chicken wire crates. You don’t want to be the bottom dog. That one gets peed and pooped on by the dogs above.

She’s already had one operation to fix her eyes. Aren’t they beautiful? She still needs two more to fix her rear legs. LIBR promised to pay for those operations in January. They are promised grant money from a large national pet store chain. (Your JoeDog is unsure if he can mention the name so he’ll keep it to himself for now.) If the grant falls through, he’ll try to raise it himself.

Your JoeDog may have reluctantly agreed to take her, but he’s not letting her go anywhere now. As Mrs JoeDog says, “That’s Your Baby Cow.”

Posted in Community | Leave a comment



Valgrind: Apology Edition

The things Your JoeDog will do for you….

A couple weeks ago he complained about Valgrind (and probably a whole bunch of other stuff but we’re talking about Valgrind now). His snippet was leaking memory and valgrind was unable to identify the leak. The leak was manually identified in this function:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  this = NULL;
  return this; 
}

While we freed the elements of the array, we never freed the array itself. The leak is fixed like this:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  xfree(this);
  this = NULL;
  return this; 
}

Today Your JoeDog was coding on the train again.  Before he boarded, he downloaded the above code onto his snazzy Linux laptop.  He was turning caffeine into code when wouldn’t you know it? Another stinkin’ memory leak. “What the hell,” he thought. “Let’s give valgrind another try.” Unfortunately it wasn’t installed on snazzy Linux laptop. For some reason, Amtrak’s proxy won’t allow downloads larger than 10MB. Stupid Amtrak.

That’s easy to bypass. Your JoeDog established an ssh tunnel from his laptop to this webserver and proxied to the Ubuntu repository.

 

--2014-10-25 10:15:13--http://us.archive.ubuntu.com/ubuntu/pool/main/v/valgrind/valgrind_3.10~20140411-0ubuntu1_amd64.deb
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:11111... connected.
Proxy request sent, awaiting response... 200 OK
Length: 15078790 (14M) [application/x-debian-package]
Saving to: ‘valgrind_3.10~20140411-0ubuntu1_amd64.deb’
100%[=============================================>] 15,078,790 290KB/s in 73s
2014-10-25 10:16:26 (202 KB/s) - ‘valgrind_3.10~20140411-0ubuntu1_amd64.deb’ saved [15078790/15078790]
 Funny thing. That copy of valgrind found the leak. Guess where it was? Give up?
ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  //xfree(this);
  this = NULL;
  return this; 
}

In order to illustrate his first post on valgrind, Your JoeDog commented out the fix he told you about. Well, this second copy of valgrind found it. So what gives?

1. Valgrind works and I’m sorry I busted on it.

2. RedHat’s version doesn’t seem to work but Ubuntu’s does.

 

Posted in Uncategorized | Leave a comment



Check Your Inputs: SQL Injection Edition

Here’s a question which tends to make Your JoeDog cringe: “So, what do you do?”

It’s often asked when he has a drink in his hand. And when he has a drink in hand, he doesn’t want to talk about work. Sometimes the inquiring person hears the answer, parses “computers” and wants to know why their laptop is slow. Honestly, Your JoeDog has no idea. Occasionally, he meets another nerd who wants to talk shop.

Recently he met a web nerd, the kind of web nerd who suffers from illusory superiority because he lacks the skill to recognize his ineptitude. These guys often contain a conspiratorial streak. This guy was no exception. The conversation soon shifted to hacking and web security.

Web Nerd puked a word salad of vulnerabilities but his beloved PHP was exonerated. “You can’t inject SQL because the mysql libs don’t allow multiple statements,” he said.

Couple points. 1.) the PHP mysql_ functions are deprecated. Astute JoeDog readers use PDO or MySQLi. 2.) You can still do injection as long as you keep it in a single statement.

Let’s try that after the jump!

Continue reading “Check Your Inputs: SQL Injection Edition” »

Posted in Community, On The Job, PHP, Programming | 2 Comments



Gamergate

Your JoeDog hasn’t weighed in on Gamergate largely because he’s not a gamer. Unfortunately, it’s become too big to ignore. If you write about technology you’re almost required to have an opinion. So here’s an opinion: some guys are a bag of dicks.

Whoa, hold on.  First of all, what is Gamergate?

As far as I can tell, it began with an accusation. Well, first it began with a game, then an accusation.

Zoe Quinn released Depression Quest, an unusual game that caused a stir in the community. It’s a saga in which you follow the tribulations of a person going through depression. What makes it particularly unusual is this: nobody goes postal with an AR-15. Some liked it while others thought it wasn’t a game at all. To them it was some sort of interactive story. So Gamergate began as an esoteric argument about the nature of gaming. It might have stayed that way if not for that accusation.

In August Zoe Quinn’s boyfriend posted a lengthy indictment in which he claimed she cheated on him with several guys inside the gaming industry. She did this, Angry Ex-boyfriend said, in order to get ahead in the industry. He named a writer from Kotaku, which is part of the Gawker network. What makes this writer especially loathsome to Angry Ex-boyfriend is a penchant for red pants. (Full disclosure: Your JoeDog has a pair of red pants). Well if Zoe slept with Red Pants to get ahead,  then she failed in that regard. It doesn’t appear that Depression Quest was ever mentioned on that site.

It didn’t matter. After the charge was made, social media lit up in a shit storm. Under the guise of a debate on journalistic ethics, things turned nasty. Quinn’s personal information was published online. So were nude photos. She became the target of personal attacks. But it didn’t stop there. The war expanded and more women inside the industry were threatened. The FBI is taking the matter seriously. Gamergate became another front in the Culture War.

On one side we have traditional gamers who love blowing shit up while getting virtually blown. On the other we have newcomers who like the challenge of gaming but don’t care for the industry’s violence and misogynism. Breitbart added its voice in the beginning of September. Feminists, in their eyes, were wrecking the gaming industry. The nature of gaming had morphed into rightards vs. libtards on another front.

Your JoeDog is basically sick of this shit. Disagreements are one thing but threats are another. We can no longer face challenges because half the world is convinced the other half is evil. The women who’ve become the focus of gamer scorn have been forced into hiding due to personal threats. That’s not dialog, that’s terrorism. And if that’s your preferred tactic, then you’re pretty much a bag of dicks.

 

 

Posted in Community | Leave a comment



Memory Leaks

Your JoeDog loves C but he hates memory management. That’s why he writes objects in C. They make managing memory easier. Still, he’s been know to cause a memory leak or two … okay, maybe a few more than that.

Valgrind is supposed to help identify those fsckers. You run a program inside valgrind and it checks your memory utilization. Awesome! Except when it’s not.

Your JoeDog has had zero point zero luck with valgrind. He’s been working on a snippet that will be incorporated into Your Fido. Your JoeDog loves snippets. By reducing complexity they allow him to focus on the integrity of the new code. In this particular snippet, he placed the new functionality inside a loop to check its long-running performance. The damn thing leaked!

“How did you know it was leaking?”

“I watched its memory usage in top and it continued to expand.”

“Well that sucks.”

“Indeed.”

So Your JoeDog ran the program in valgrind like this:

valgrind -v --leak-check=full --tool=memcheck ./haha

After it completed its iterations, valgrind had this to say:

==21112== HEAP SUMMARY:
==21112== in use at exit: 0 bytes in 0 blocks
==21112== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==21112==
==21112== All heap blocks were freed -- no leaks are possible

What the hell? This thing was leaking all over the place. Now Your JoeDog may have done something stupid. Instead of memory leaks, he might have created memory hogs. “What are memory hogs?” They are allocated resources that are no longer used but with references that are still maintained. Valgrind won’t identify a memory hog as a memory leak. But this was a snippet and an audit was easy. There were no hogs; something was leaking.

After an extensive audit, Your JoeDog identified the leak. It wasn’t in the snippet. He was using a dynamic array from array.c Here’s the offending code:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  this = NULL;
  return this; 
}

Your JoeDog freed everything but the array object itself. Here’s the fix:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  xfree(this);
  this = NULL;
  return this; 
}

It’s not clear why valgrind didn’t identify that. Any thoughts?

 

Posted in C, Programming | Leave a comment



New Features For Fido

There’s rumors on the Internets. “Oh, really? What do they say?” They claim your posting frequency affects Google’s crawling frequency. The more you update, the more often it crawls.

Your JoeDog wanted to scrutinize this hypothesis. He wanted to monitor his logs and compare Google’s crawl rate against his web site updates.

So he added this rule to fido.conf

/var/log/httpd/joedog-access_log {
 rules = Googlebot
 action = /home/jeff/bin/googler
}

With that config he produced this document: google.txt

“J!!!!!!!!” Funk shouted in IRC. “You need to verify Googlebot”

“You mean a lot people forge that User-agent?”

“I’ll bet forty percent is forged.”

“D’oh!”

Fido can’t validate an IP address, nor do I want it to. Still, it needs a new feature, namely the ability to interact with its action script. Your JoeDog will add support for regex capture to his rules. This will allow you to capture part of the match and send that text to your action script.

“I have no idea what you just said.”

Okay, let’s modify the rule above with its intended implementation:

/var/log/httpd/joedog-access_log {
 rules = ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+).*Googlebot
 action = /home/jeff/bin/googler
}

The parentheses are highlighted in red because they represent the proposed feature.

On a match, fido will capture everything inside the parentheses and send it as argument 1 to the googler script. In this case it will be an IP address which googler can then verify as one that belongs to Google. If you have multiple captures, fido will send them as space separated arguments, i.e.,  /home/jeff/bin/googler  173.240.11.11 GET /index.php

For a sh script, $1 = 173.240.11.11, $2 = GET and $3 = /index.php

If all I wanted to do was solve this problem, I’d just write a script that parses the logs. However, I think this will be a valuable feature that will allow fido more flexibility to solve all the world’s problems.

Posted in Uncategorized | Leave a comment



Bitcoin Bust

Your JoeDog hasn’t spent much time blogging about Bitcoin but it does interest him for two reasons: 1.) He studied economics in college and 2.) The rogue currency has a technology/Internets angle. From an economics perspective, a successful currency must provide a medium of exchange and serve as a reasonably stable store of value. Bitcoin certainly provided the former but the latter was always in doubt.

And doubt won. Since its peak, Bitcoin has lost two-thirds of its value. Its bust was obviously not without victims. From Izabella Kaminska, we hear the story of one of those victims. Redditor Whattodobtc appears to have impoverished himself with bad bets on Bitcoins.  Izabella claims, “Some extremely wealthy libertarians have a lot to answer for if these sorts of ppl lose all due to believing in them.” Your JoeDog is certainly no libertarian but he feels the burden of risks should be placed on those who take them.

Certainly there have been influential libertarians who’ve been pushing Bitcoin as a hedge against fiat money. And if people like Whattodobtc better understood currency, they’d be less inclined to go long on a Libertarian pipe dream. But is this any different than the hucksters who shilled gold as a hedge against non-existent hyper-inflation? If you believed Glenn Beck back in 2012 and sunk your savings in gold, you lost 36% of your investment. That’s not as depressing as Whattodobtc’s story but it’s equally devoid of a happy ending.

Whattodobtc posted to Reddit because he wanted advice. Should he sell or weather the storm? He should have posted a similar inquiry before he sunk his savings in Bitcoin. Personally, I’d sell now before all I had left were some worthless binary numbers.

Posted in Uncategorized | 1 Comment



Another WordPress Attack

Your JoeDog was viewing his usage stats this morning and … well, see if anything stands out:

daily_usage_201410

There was a 94% increase in traffic yesterday. Was your JoeDog slashdotted? There was no hint that slashdot or any other site sent additional viewers this way. The vast majority of traffic arrived by direct request. “What does that mean, a direct request?” It means somebody typed “www.joedog.org” in the URL field of their browser. “So eighty-one thousand people decided to type “www.joedog.org” in their browsers? That seems unlikely.” That’s what Your JoeDog thought.

The usage report revealed another interesting fact. Eighty-one thousand requests were made from a single IP address: 173.245.50.137. The next most active IP address made 97% fewer requests. That’s interesting. Let’s see was Mr. 173.245.50.137 was doing on this site, shall we?

$ egrep 173.245.50.137 joedog-access_log
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"

He — you know it was a he — was making POST requests to the WordPress login page.  In other words, he was running a dictionary attack against the site. This attack persisted for four hours. For each of those requests, apache responded with HTTP-403. “What does HTTP-403 mean?” It means “Forbidden.” Thanks to a dictionary attack defense Your JoeDog documented in June 2013, the attacker never reached the login page. He was thwarted by an apache rule.

Why did a futile attack persist so long?

It was probably launched by malware on a zombie computer. Given the expected number of failures, the program was probably designed to report successes, not denials. So even though its assault was futile, the zombie diligently ran through its entire list of credentials.

When this happens to you — and it will happen to you, don’t get too upset. It’s not personal. These guys are running these attacks on any site they can find. Your site just happened to be in IPv4 address space.

[JoeDog: How To Stop A WordPress Dictionary Attack]

 

 

Posted in Security | Leave a comment



The Cyberattack on JPMorgan Chase

From today’s New York Times:

“It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”

Honestly, this is only surprising to people who don’t work in large organizations. Large companies are filled with aging hardware kept alive beyond lifecycle. These servers host applications that are too important to kill but not important enough to port to newer architecture. Your JoeDog has seen servers that nobody owns. “What’s that do?” I don’t know. The guy who administered it retired five years ago.

The easiest way to circumvent millions of dollars in network security devices is with malware. Let’s say — and why not? — there’s a 0.001 chance that somebody falls for malware click bait. If your company has 100 employees, chances are less that 1 you’ll be malwared. But in a company of 10,000 people, ten mother fsckers are going to click that link.

Large corporations have been instrumental in driving down programming costs. While they may have a few senior developers on staff, most of the grunt work takes place overseas. Now Your JoeDog is not disparaging overseas developers. There are many fine programmers the world over. And the good ones all cost the same: lots o’ money. Large corporations don’t want those guys. They can find them in the US. They want cheap ones.

True story: Your JoeDog was kept abreast of the details of an outsourcing operation. When the initial quotes came back from India, there was much surprise. “This isn’t going to work, you guys cost more than our own people.” Well, the Indians said, we have another team in Bumfsck, India. They cost one-fifth as much as the Bangalore team. “Really? We’ll take it.”

The breach at JPMorgan Chase came in through the web servers. We don’t know where that was coded but Your JoeDog has his hunch. At some point a decision maker at JPMorgan was quoted the cost of Bumfsck coders and said, “Really? We’ll take it.”

 

 

 

Posted in Security | Leave a comment



Recent Comments

  • Jeff Fulmer: I love that there’s an end bracket surround by a sea of comments. That really aids its...
  • Tim: The more I read that code – the more wtf it becomes. Its a work of beauty that you appreciate the longer...
  • Mike: I just now saw you know DK effect already. Whoops.
  • Mike: “he lacks the skill to recognize his ineptitude” I believe it’s recognized as the...
  • Mirko: Wow! This trick saved my day :) thanks a lot