The Key Is Under The Mat

Here’s a nice find by Ars Technica.

TV5Monde is a French teevee station whose signals were recently hijacked by Islamic militants. ISIS!! David Delos is a reporter for that station. He was interviewed about the incident by an investigative news program. During the interview, Delos was filmed in front of a staffer’s desk. The staffer’s cube was covered with sticky notes which could be read by the television audience. And what was on those sticky notes you might ask? Um, usernames and passwords.

French authorities are still trying to determine how the station was hacked….



Easter Not-so-nice-time

Is Big Software cracking down on programmers who insert Easter Eggs into their code?

“Are they going away? Indeed they are,” says Dr Diomidis Spinellis, a Greek computer science academic and author of The Elements of Computing Style.

“As programming becomes more corporate, more official, one cannot appear to have code that is not officially sanctioned,” he says.

Easter eggs have not undergone the same level of scrutiny as the rest of the code, he says, and there may be vulnerabilities attached to them.

“They still happen, but they’re less likely to be little bits of code, more likely to be hidden in documentation or code comments,” adds Brendan Quinn, a software architect in London.

“Actual executable stuff hidden in code is something that people are trying to eliminate. With varied success around the industry.”

The argument goes: if a manufacturer can’t stop developers from sneaking benign undocumented features in, how can you be sure they haven’t inserted a backdoor, too?

Your JoeDog doesn’t hide Easter Eggs inside his code. It’s open source. To find them, all you’d have to do is read….

[Business Insider: Twenty-two Easter Eggs]

[BBC News: The End of the Easter Egg?]



CENTCOM Gets PWND

Your JoeDog followed the events in France pretty closely. After reading two days of reports from the US and Europe, he had no fscking clue what was going on. The killers were captured and one was dead! Um, the killers are in the woods with helicopters overhead! Um, no, they’re inside a Jewish deli back in Paris. In a rush to publish, the only thing they did was add to our confusion.

And so it goes with the CENTCOM hack. Your JoeDog heard ISIS was inside Pentagon computers!!1!1!!! After sifting through news reports, it appears that ISIS simply defaced their Twitter and YouTube accounts. Wait a second — CENTCOM has a twitter account? What do they post besides “blew up some shit today!”

Is this a Big Deal? It depends on your perspective. From a security standpoint, it’s not. Imagine if you shared your GMail password with a friend and he started sending dick pics to everyone in your address book. That’s pretty much what happened. ISIS gained access to the accounts and pranked the military.

From a public relations perspective, it’s embarrassing. Unless they’re absolute morans, no sensitive data was compromised. You wouldn’t link your bank account to your twitter feed, and there’s no reason to believe CENTCOM would do the same with its operational servers. But at the same time, it paints the US military as a careless organization. It didn’t use two-factor authentication, its credentials were easy to crack and/or it fell for a phishing expedition.

It does make you wonder what else they’re “protecting” with ‘password123’ or to what extent the people inside Central Command are click-happy. Those are speculative musings which may have no basis in fact. Still, you can imagine a military ass-chewing that began with the Commander-in-Chief and worked its way down to the lowliest private. Your JoeDog is glad he doesn’t work in CENTCOM today.



Nobody Ever Typed ‘-1966631820’ Into The Internet

Your JoeDog was debugging C code. Not just any C code, but C code that was last updated in 2001 by a man who’s now retired. Or maybe he’s dead — the point is he can’t be consulted.

Well, sir, this code was inserting 4 billion and change into a field that expected 1 or 0. The insert was based on a result from a previous query. Your JoeDog debugged that variable and determined it was -1966631820. Hoping that number would shed light on his problem, he plugged it into the Internets.

As of 13:22:05 EST, no human has ever typed that into the Internets. Sensing an opportunity to monopolize a keyword, Your JoeDog typey-typed and added this: -1966631820

UPDATE: Couple things. 1.) A JoeDogger says that Google excludes from its results parameters that are prefaced with a minus sign. 2.) Your JoeDog removed the minus and tried again. A minute after publication, he had captured the number one spot on Google for the keyword ‘1966631820’
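The post doesn’t say which types were involved, so here is an added example (not the post’s code) that assumes the usual explanation: a negative signed 32-bit result whose bit pattern was read back as unsigned. It shows the round trip with the post’s own value and adds the gate a 0/1 column should have had in front of the INSERT, so a wrapped value is rejected instead of stored.

```python
import struct

def as_unsigned32(value):
    """Read the two's-complement bit pattern of a signed 32-bit int as unsigned.
    This is what happens when a signed C int lands in an unsigned column."""
    return struct.unpack("<I", struct.pack("<i", value))[0]

def as_signed32(value):
    """The reverse trip: what a debugger shows for an unsigned 32-bit value
    when the variable is declared signed."""
    return struct.unpack("<i", struct.pack("<I", value))[0]

def hex32(value):
    """The bit pattern itself, which is identical under both readings."""
    return "0x%08x" % as_unsigned32(value)

def coerce_flag(value):
    """Gate for a boolean column: accept exactly 0 or 1, reject everything else.
    A query result that has wrapped negative never reaches the INSERT."""
    if isinstance(value, int) and value in (0, 1):
        return int(value)
    raise ValueError("flag column expects 0 or 1, got %r" % (value,))

if __name__ == "__main__":
    mystery = -1966631820            # the value from the post
    print(mystery, "->", as_unsigned32(mystery), hex32(mystery))
    for candidate in (1, 0, mystery):
        try:
            print(candidate, "accepted as", coerce_flag(candidate))
        except ValueError as err:
            print("rejected:", err)
```

The struct round trip is the whole story: the same 32 bits are a negative number to the debugger and a number in the billions to the database, and neither side is wrong about what it sees.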




Programmers….

A physicist, an engineer and a programmer were driving down a mountain pass when the brakes failed. The car started to accelerate and they were soon screaming into the valley. Hanging on for dear life, they smacked the guard rails several times. Fortunately, they came across an escape lane and were able to navigate up the hill to a stop.

The physicist said, “We need to model temperatures resulting from friction to determine why the brakes failed.”

The engineer said, “I have a case of temperature sensors in the trunk.”

The programmer said, “Let’s not get ahead of ourselves. We need to get the car back up the mountain and see if the failure is reproducible.”




My Dilbert Moment

This morning Your JoeDog received a form. Exciting! … wait a second. That’s not exciting. That’s more work!

Indeed.

He had to fill it out and deliver it within Large Corporate Bureaucracy. There were two different delivery options:

  1. Interoffice messenger
  2. Fax machine (they still exist for some reason)

The fax option contained these special instructions:

If sending via fax, do not send original. Retain a copy of the completed form for your records.




Please Don’t Use Comments To Alter Functionality

“Holy shit!” Your JoeDog exclaimed.

“Why do you swear so much?” an emailer emailed this blog. “Young readers don’t need to be exposed to that.” Listen, if your kid is reading this site, then maybe it’s time to buy him a football. By the time he’s old enough to care about these topics, he’s already heard a lot of vulgar language….

“Holy shit!” Your JoeDog exclaimed. “That’s a code salad!”

Our enterprise backup guy is just like your enterprise backup guy. He’s involved with every system, every project and every meeting, yet all he does is put ones and zeros on tape. Generally he calls your attention to meaningless minutiae, but once a decade you learn of something important. Yesterday was once a decade. Backup informed Your JoeDog that the NetBackup client wasn’t installed on a new server.

“That seems unlikely,” Your JoeDog said. “Puppet puts it on every server.” Puppet is our configuration management server. It installs software and writes configurations to every server in the enterprise.

“That’s what I thought,” Backup said. “But it’s not there.”

To prove that Puppet puts it on every server, Your JoeDog showed him the code. We’ll examine that code after the jump.

Continue reading Please Don’t Use Comments To Alter Functionality



Check Your Inputs: SQL Injection Edition

Here’s a question which tends to make Your JoeDog cringe: “So, what do you do?”

It’s often asked when he has a drink in his hand. And when he has a drink in hand, he doesn’t want to talk about work. Sometimes the inquiring person hears the answer, parses “computers” and wants to know why their laptop is slow. Honestly, Your JoeDog has no idea. Occasionally, he meets another nerd who wants to talk shop.

Recently he met a web nerd, the kind of web nerd who suffers from illusory superiority because he lacks the skill to recognize his ineptitude. These guys often contain a conspiratorial streak. This guy was no exception. The conversation soon shifted to hacking and web security.

Web Nerd puked a word salad of vulnerabilities but his beloved PHP was exonerated. “You can’t inject SQL because the mysql libs don’t allow multiple statements,” he said.

Couple points. 1.) the PHP mysql_ functions are deprecated. Astute JoeDog readers use PDO or MySQLi. 2.) You can still do injection as long as you keep it in a single statement.

Let’s try that after the jump!

Continue reading Check Your Inputs: SQL Injection Edition
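As an added example, not the post’s code: Python’s built-in sqlite3 module stands in for PHP’s MySQL bindings here (an assumption; the driver differs, but it too refuses to execute more than one statement per call, which is exactly what the “you can’t inject” claim leans on). The users table, the placeholder password and the two login functions are all constructed for this demonstration: the string-built query beside its parameterized twin.

```python
import sqlite3

def build_db():
    """Constructed in-memory database with one user. The stored password is a
    placeholder string standing in for a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users (name, pw) VALUES ('alice', 'placeholder-hash')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, pw):
    """One statement, built by string formatting: user input becomes SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, name, pw):
    """The same single statement with bound parameters: input stays data."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]

def stacked_statement_rejected(conn):
    """The claim from the conversation: a second, semicolon-separated statement
    is refused by the driver. True for sqlite3 as well, which raises before
    running anything (older Pythons raised sqlite3.Warning for this)."""
    try:
        login_vulnerable(conn, "alice'; DELETE FROM users; --", "x")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"        # closes the quote; the WHERE clause is now always true
    print("stacked statements rejected:", stacked_statement_rejected(db))
    print("vulnerable login with bogus user:", login_vulnerable(db, "nobody", payload))
    print("parameterized login, same input:", login_safe(db, "nobody", payload))
```

Blocking stacked statements removes one trick and leaves the underlying defect untouched; the single-statement query still hands the row over, and only the bound-parameter version treats the input as a string rather than as part of the query.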



Dunning–Kruger Effect

Your JoeDog once worked with a programmer who couldn’t program. Now you’re probably thinking, isn’t programming an important qualification for that position? Not in a large corporation. To succeed in that environment, you need buzzwords and cliches. If you have them, managers just assume you know what you’re talking about.

This particular non-programmer — or Ouch! as we liked to call him — was hired to build an Intranet site. It took him a year and a half to construct something that looked like your eight-year-old nephew slapped it together in a weekend. It was slow and poorly marked-up, but at least it had a confusing layout and design. Ouch had a parry for its shortcomings: Microsoft. “IE is a horrible web browser. It violates standards and ActiveX has a mind of its own.”

An appropriate response would have been, “If that’s true, how come all these non-Ouch sites look fine and work well in IE?” Instead, he received an award.

Because Ouch could steal someone else’s files and alter their markup to render the company’s text and images, we concede that he had some skill. Armed with a comprehensive understanding of his craft, Ouch would have also known: 1.) How to work around a browser’s weaknesses by 2.) Stealing the javascript, too, as it probably fixed those weaknesses, but then he would have known too much and realized 3.) He was in the wrong profession.

While Ouch was laboring over his Intranet and ankle-deep in Cold Fusion, we were building an enterprise site with J2EE. And while Ouch didn’t know much, he did know this: in nerd hierarchy, Cold Fusion falls way below java.

So Ouch told everyone (and I mean everyone: his peers, his managers, the cleaning crew) that he should be programming in java. To prove his point, he got the java logo tattooed on his bicep … which he showed to everyone.

Here’s the thing: Ouch wasn’t smart enough to know he couldn’t program in java. And management wasn’t smart enough to know he couldn’t program in java. The next thing you know, Ouch was stealing O’Reilly code — including the copyright notice — and attempting to implement the use case. As far as I can tell, in one year in that position he didn’t release a thing that wasn’t immediately rewritten by somebody else.

Eventually Ouch was sacked, but not for incompetence: he called his immediate supervisor the c-word. Management never considered him anything but a fine programmer. The buzzwords he used matched the ones they read in trade rags. How could he be anything but brilliant?

I didn’t realize it at the time but Ouch and the managers who considered him competent all suffered from the Dunning–Kruger Effect.




Gub’mint (IT) Mule

Sean Gallagher has an interesting piece on (ars)technica. He asks, “Why do government IT projects fail so hard and so often?” Gallagher provides several reasons, most of which are symptoms of a large organization. Let’s examine that list.

1. The government uses antiquated technologies. Its bureaucracy is slow to move and slow to adapt. Older technologies remain long after their life cycle expires largely because the approval process for new ones is long and arduous. You can imagine many frustrating meetings that end with, “Fsck it. We’ll put it on XP.”

2. Its user base is really large. Gallagher cites as one example a DOD email rollout that touched 1.5 million users. That’s an astonishing number for an in-house IT department. Certainly there are web companies with more users — there are 425 million GMail accounts, for instance — but Google does web for profit. The army’s IT department is an expense.

3. Flawed metrics. Gallagher notes that many government IT dashboards are filled with nice metrics that contain a lot of nines. Unfortunately, those nines have little bearing on end user experience. If department CIOs measured things that mattered, they’d be filled with zeros.

I’m sure these are valid criticisms but how do they vary from other large organizations? I work for a large corporation and this week my company finally moved my laptop off Windows XP. There’s no way the entire organization will be XP-free by end-of-life-cycle. It took a Great Recession to convince management that Linux was a viable alternative to HP-UX.

Our user base is 15,000 and every internal roll-out contains some glitches or problems. The army rolls out applications to a user base that is two orders of magnitude larger than ours. Where we roll out in a carefully controlled environment, they have to provide service to all corners of the world. Some of those corners are pre-fab barracks on an Afghanistan mountain top.

I have yet to meet a person in my company who likes our out-sourcing partner. The bean counters like how little they cost, but they’re not happy with their services either. Yet if you look at this partner’s dashboard, you’ll find it’s filled with as many nines as those government CIOs. Faulty metrics aren’t limited to the public sector.

The Affordable Care website famously crashed during its rollout. Yet on the surface it wasn’t subject to many of government IT’s shortcomings. Most of the work was handled by a private partner. They used Apache web servers on Linux. The site was fronted by the Akamai CDN, which greatly reduces load by moving content close to the users. Most importantly, the site wasn’t tied to antiquated government infrastructure. Yet it failed. Why?

When you examine the site you find it’s simply not optimized for heavy traffic. The pages are too heavy and they contain too many elements. Fifty-six javascript files? Really? Then we learn the system was tested under load that was an order of magnitude less than what they received on October 1st. The site was basically slash-dotted.

Certainly there are good failures and bad failures. Collapsing under the weight of your own popularity is a good one. Still, with better planning and better coding the Affordable Care site could have experienced a more successful roll-out. Those operations require a high level of expertise, which brings us to what I suspect is the real reason government IT projects fail: constrained by the taxpayer’s dime, government can’t attract the talent necessary to service a very large user base. In other words, we get what we pay for.