Block IP Addresses With, um, block

Last night we told you that ISIS assholes were attacking America and its WordPress blogs. Have no fear, kids. In the War Against Internet Dickbags, Your JoeDog is here to help. Whenever he’s attacked by these people, i.e., all the time, he grabs their IP addresses from the logs and blocks their asses. He feeds those addresses to a script called block which, um, blocks them.

The script is just a convenience which makes your life easier. iptables does the heavy lifting. If you’re running a linux system — and why aren’t you? — then you probably have iptables.

Let’s block some dickwads now! (Continued after the jump)


WordPress Vulnerability: wp-super-cache

Whenever someone says “PHP sucks!” Your JoeDog assumes they got that impression from WordPress. It uses inline programming tags that mix logic with content. Whenever you do that, the result is always a nice heaping mound of spaghetti code.

PHP doesn’t have to be coded this way. There are plenty of nice frameworks which support model-view-controller. Your JoeDog uses WordPress because he likes it as a blogging platform. He blogs on this site more often than he codes it; a cost-benefit analysis leads him to WordPress.

He also opens himself to vulnerabilities. Oh, look! Here’s another one now: Persistent XSS in WP-Super-Cache. Your JoeDog uses that module. What’s wrong with it?

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

Fortunately, the fix is already out. If you’re also using wp-super-cache, make sure you’re running version 1.1.4. This is a dangerous vulnerability which is easy to exploit. Get up to date or get out of the game.

NOTE: Your JoeDog considers PHP a rather elegant language. It’s many bad implementations and design decisions that make it seem like Suck.

Zombie Bugs

From Nibble Sec we get one of those stories that makes us roll our eyes. Actually, it makes us shake our heads but Your JoeDog refuses to type ‘SMH.’ Wait a second – you just typed it! Shaddup.

A four-year-old Adobe bug (CVE-2011-2461) is back from the dead. The flaw puts Flash users at risk of having their sessions hijacked. But this bug was patched by Adobe back in November 2011 — why are we talking about it now?

Static libraries! If an app was compiled using the vulnerable SDK, then it still contains the vulnerable code unless it’s recompiled with a patched SDK.

Here’s how it works: Static libraries contain subroutines which are compiled into the executable. In this case, bad binary code was copied into the app. To fix the bug, you need to recompile the app so good code gets copied into it.

Really? Yes. Really.

“I have nothing to do today.” –Nobody in IT, ever.

Easter Not-so-nice-time

Is Big Software cracking down on programmers who insert Easter Eggs into their code?

“Are they going away? Indeed they are,” says Dr Diomidis Spinellis, a Greek computer science academic and author of The Elements of Computing Style.

“As programming becomes more corporate, more official, one cannot appear to have code that is not officially sanctioned,” he says.

Easter eggs have not undergone the same level of scrutiny as the rest of the code, he says, and there may be vulnerabilities attached to them.

“They still happen, but they’re less likely to be little bits of code, more likely to be hidden in documentation or code comments,” adds Brendan Quinn, a software architect in London.

“Actual executable stuff hidden in code is something that people are trying to eliminate. With varied success around the industry.”

The argument goes: if a manufacturer can’t stop developers from sneaking in benign undocumented features, how can you be sure they’ve not inserted a backdoor, too?

Your JoeDog doesn’t hide Easter Eggs inside his code. It’s open source. To find them, all you’d have to do is read….

[Business Insider: Twenty-two Easter Eggs]

[BBC News: The End of the Easter Egg?]

A New Day Dawning

Your JoeDog updated this site today. What does that mean?

For the most part the site has the same look and feel it’s had since 2012. But underneath those changes, there are some technical improvements that will make our lives easier. We’re using a three-column layout from a template by Dynamic Drive. And we’re programming things in a more WordPressy fashion.

But here’s the biggest change: The comments are now managed by Disqus. Even though we changed the policy so that only pre-approved commenters could post, comment spammers were still hammering the site on a daily basis. These dicks are why we can’t have nice things.

Beware of the (Joe)Dog

Tom Wolfe tells us that “you can’t go home again.” It was an adage he stole from Ella Winter, the British activist. It’s certainly difficult for people like George Webber, the chief protagonist in the novel that made Wolfe’s phrase so famous. Webber infuriated his hometown with a novelistic depiction of them.

Yet the same is true for developers. You can’t go home again. It’s hard to look at old code. It makes us cringe; it can make us blush. “Why the hell did I write it like that?” If you’re not embarrassed by old code, then you haven’t learned anything in years.  The same is true for old websites: Beware of the Dog (2001).


A sh script INI parser

An INI file provides an old-timey way to configure applications. On MSDOS and early versions of Windows, it was the primary configuration mechanism. (Sadly, it’s been mostly replaced by the stupid registry.) Fortunately, INI files are still around because they remain very useful. On Linux, many developers have adapted the format.

Years ago Your JoeDog wrote an INI parser in sh. This enabled him to use one config file across multiple SAP landscapes. Each section of the file is headed by the landscape name: [D] [Q] [P] etc. A script’s configuration varied depending on which landscape it was launched in. This enabled us to test on one landscape and promote the script without any changes to the next one.

Recently a colleague needed this type of one-with-many configuration. She needed to loop through a list of servers and reference their many attributes. Your JoeDog dusted off this parser for her and now he’s passing it along to you.

Consider this INI file:

# The parser supports comments
 srv =
 usr = jdfulmer
 file = haha.txt
 path = /usr/local/content/www
 srv =
 usr = jeff
 file = papa.txt
 path = /usr/local/content/ftp

Now here’s a script that contains our parser along with an example of how to use it:

## Parses an INI style file:
## [section]
## attr=thing
## key=val
## [header]
## thing=another
## foo=bar
## <p>
## @param file full path to the INI file
## @param section a header that matches the stuff in brackets [section]
## @return void (the variables are made available to your script)
ini_parser() {
 FILE=$1
 SECTION=$2
 eval $(sed -e 's/[[:space:]]*\=[[:space:]]*/=/g' \
 -e 's/[;#].*$//' \
 -e 's/[[:space:]]*$//' \
 -e 's/^[[:space:]]*//' \
 -e "s/^\(.*\)=\([^\"']*\)$/\1=\"\2\"/" \
 < "$FILE" \
 | sed -n -e "/^\[$SECTION\]/I,/^\s*\[/{/^[^;].*\=.*/p;}")
}

# A sections array that we'll loop through
# (placeholder names: list the [section] headers from your INI file)
SECTIONS="section1 section2"

for SEC in $SECTIONS; do
 ini_parser "papa.conf" $SEC
 echo "scp $file $usr@$srv:$path/$file"
done

Now let’s run this script and see what happens:

Pom $ sh papa
scp haha.txt [email protected]:/usr/local/content/www/haha.txt
scp papa.txt [email protected]:/usr/local/content/ftp/papa.txt
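
Because ini_parser feeds the file's lines to eval, a value such as $(...) in the INI file is run by the shell with the script's privileges, so that parser is only suitable for files you control. The following is an added example, not Your JoeDog's script: a lookup function that reads the same format but returns each value as plain text. The names ini_get and trim, the section names and the sample values are assumptions constructed for the illustration.

```sh
# Added example, not the original script: look up one key in one [section] of
# an INI file, treating every value as data (nothing is passed to eval).
trim() {                                  # strip leading/trailing whitespace
  _t=$1
  _t=${_t#"${_t%%[![:space:]]*}"}
  _t=${_t%"${_t##*[![:space:]]}"}
  printf '%s' "$_t"
}

# ini_get FILE SECTION KEY -> prints the value; returns 1 if it is not found
ini_get() {
  _in=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line=$(trim "${_line%%[;#]*}")       # drop comments, as the sed version does
    case $_line in
      \[*\]) _sec=${_line#\[}; _sec=${_sec%\]}
             if [ "$_sec" = "$2" ]; then _in=1; else _in=0; fi
             continue ;;
      *=*)   ;;
      *)     continue ;;                   # blank or malformed line
    esac
    [ "$_in" -eq 1 ] || continue
    [ "$(trim "${_line%%=*}")" = "$3" ] || continue
    _val=$(trim "${_line#*=}")
    case $_val in                          # remove one pair of surrounding quotes
      \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
      \'*\') _val=${_val#\'}; _val=${_val%\'} ;;
    esac
    printf '%s\n' "$_val"
    return 0
  done < "$1"
  return 1
}

# Constructed sample file; section names, host and values are made up.
SAMPLE=${TMPDIR:-/tmp}/ini_get_sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[web]
 srv = www.example.com
 usr = jdfulmer
 file = $(hostname).txt
[ftp]
 usr = "jeff"   ; trailing comment
EOF

file=$(ini_get "$SAMPLE" web file)   # literal '$(hostname).txt', never executed
echo "scp $file $(ini_get "$SAMPLE" web usr)@$(ini_get "$SAMPLE" web srv):/tmp/"
```

Unlike the sed version, section names are matched case-sensitively here, and a missing key is reported through the return status instead of leaving a stale variable from the previous section.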


Have you ever wanted to initialize a Java ArrayList to a certain size? You peruse the javadoc and you see what appear to be two different options: one is a constructor option and the other is a chained method.

Here’s the constructor:

ArrayList (int initialCapacity)

Constructs an empty list with the specified initial capacity.

And here’s the method:

void ensureCapacity(int minCapacity)

Increases the capacity of this ArrayList instance, if necessary, to ensure that it can hold at least the number of elements specified by the minimum capacity argument.

And here’s the thing: Neither one changes the logical size of the array. They each change its capacity. That is, they change the size it can reach before it has to start copying its values to resize itself. If you do something like the following, you’ll get an IndexOutOfBoundsException:

ArrayList<String> list = new ArrayList<String>();
list.add(190, "JoeDog");

Exception in thread "main" java.lang.IndexOutOfBoundsException

If you want to initialize an ArrayList to a particular size, you’ll have to roll your own method:

 private static void ensureSize(ArrayList<?> list, int size) {
   // pad with nulls until the logical size reaches the requested size
   while (list.size() < size) list.add(null);
 }

You can call it like this:

ArrayList<Thing> list = new ArrayList<Thing>();
ensureSize(list, 64);


Nerd Splaining Large Numbers

Holy shit — the Economist really outdid itself. What now? In this post, they explained why Gangnam Style will break YouTube’s view counter. They used 3726 characters and 612 words to explain that computer integers don’t go on forever. When the Gangnam Style counter reaches 2,147,483,647 it will stop counting. Why?

Integers are stored as a series of ones and zeros. On a 32-bit platform, you can only store a value in 32 consecutive ones or zeros. Go to this binary to decimal calculator and put 32 ones in the binary field. Press “Calculate” and you’ll get this answer: 4294967295.

But the Gangnam Style counter is maxed at half of that? How come? That’s because computers use positive and negative numbers. The range falls above and below zero, i.e., from -2,147,483,648 to 2,147,483,647. Gangnam Style is approaching the upper bound.

If YouTube switched to 64-bit architecture they could capture up to 9 quintillion views.

Remember kids, there are 10 kinds of people in this world. Those who understand binary numbers and those who don’t.

[Economist: Wordy Word Words on Computer Integers]


In Praise of Default Values

Your JoeDog likes options. He feels that if a program takes a variable value, that value should be configurable. A programmer can spend a great deal of time selecting the perfect socket timeout, but unless the user works in the same environment it’s not necessarily perfect for them.

On the occasions when Your JoeDog uses Windows, he finds himself struggling to make the software do his bidding. It takes time to add another text field to a Windows GUI, so developers tend to limit the number of configurable options.

At the same time, he hates complicated software. You shouldn’t need a computer science PhD in order to configure scheduling software. Yet it’s impossible to use Tivoli’s workload scheduler and not feel completely overwhelmed. It can take days to set up.

These notions don’t have to be mutually exclusive. Software can be extremely flexible and simple to use. Your JoeDog achieves this notion in his own software with a novel concept known as the “default value.” If you don’t set a value, you get the default. If you require more precision, you can change those settings.

Generally speaking, software users don’t care about every configurable value. They have a subset of values they want to change. If everything has a default that doesn’t need to be set for the software to function, then the documentation becomes less overwhelming. If all you want to do is change one setting, then you can search the docs for just that configuration.

Your JoeDog does enough GUI programming that he can speak to the notion he mentioned above. It takes time to add labels and text fields to a program. Those GUI elements also take valuable screen real estate. As a result, many programmers limit the flexibility of their programs.

Here’s a thought: why not make the program configurable with a combination of a GUI and a configuration file? You can place the frequently changed stuff inside the GUI and the more obscure features inside the file. Trust me, the users who really want to change something will discover how to do that if you let them.

Keep it simple but make it flexible and your users will be appreciative … until you blog about it.