I’m back!

So for anyone who cares, here’s what happened:

I hacked.
I got caught.
I served my time.

Yaaaaaay!

Yea, it sucked, but it’s over now. Moving on.


Squiggly Kim

[ URLs have been changed to protect the identities of the hilarious ]

As any sysadmin knows, it’s favorable to stay a few steps removed from the unwashed masses we call “users”. Escalation procedures exist for a reason, and I’ll be damned if I am going to talk to a customer every time they forget a password. Sometimes, however, a problem comes along requiring the unique insight that only a SA has.

One such problem was presented to me just the other day in the form of a conversation in our internal chat room. It went something like this:

———-
Alice: Hey, I have a customer on the line who is saying she can’t change her website. Any ideas?
Bob: Well did you confirm the URL?
Alice: Yep, same problem on our end.
Charlie: Have you logged into our server to make sure everything is stable?
Alice: Uh huh. Running just fine.

[ snip 20 minutes of throwing ideas around and none of them working ]

Zachary: Check the flux capacitor!
———-

At this point I decided I should step in before someone got hurt. I asked for a ticket number so I could check out the issue myself, and here’s what was recorded:

“Ticket #13376047 – User unable to edit her web page at http://www.example.com/squigglykim”

Not much to go off, but I like a challenge. I look up which of our servers is hosting her site and SSH in. Sure enough, everything is working fine. Other users are FTPing in without any problems. Web pages are being served and life is great. So what’s the issue?

Maybe it lies deeper. It’s a VM so maybe there is a limit on the number of connections you ca- No, that’s all good. Possibly an issue with permissi- nope, 755 like all the others. Ah ha! Certainly the user tripped our IPS and got blacklis- all clean.

At this point I started doing what I always do when confronted with a problem I can’t fix: Rubber Duck Debugging. Except instead of a rubber duck, I have a plush goat. Don’t judge me. So I start talking to the goat:

“The problem is that a user cannot edit her web page. Her URL is http://www.example.com/squigglykim. I’ve verified that the site exists and works in a browser. Her FTP credentials are right. She can log in as kim with her password. The user kim is configured the same as any other user. Kim just can’t edit her squigglykim pa-”

squigglykim

squiggly kim

squiggly

~kim

If ever there were a moment in all human history – recorded and not – where a man needed to hit his head upon a wall, this was it.

Representaxation

“No taxation without representation!”

These words echo through time and reach the ears of students every year in the United States. They stir up feelings of rebellion and freedom, images of tyranny and oppression.

But enough of that picturesque crap.

I have never voted, nor do I have any strong desire to do so. I have many reasons, and all of them get the same reaction:

“NUOH MAH GOD YOU HAFTA VOTE! IT’S DA ‘MERCUN WAY!”

So just for fun lemme give some of my reasons, in no particular order, and you can react however you want.

1.) I’m lazy. Yea, maybe a weak reason, but standing in line early in the morning so I can fill in ScanTron sheets again does not appeal to me at all. Oh, I get a sticker for my efforts? Sweet! I can put it right next to all the other shit I don’t care about.

2.) My vote doesn’t matter. No, really, it doesn’t. It’s all math.

“But azelfrath, every vote counts!”

This is true. It does count, but it doesn’t matter. There is a difference. Counting means it adds to a total. Mattering means it makes a significant difference. If all 300,000,000+ people in the U.S. voted in the next election, then my single vote would be worth .0000000003% which is not going to be the deciding factor in any vote.

“But azelfrath, if nobody voted then the system would fall apart!”

This is true, but that is never going to happen. We have people in this country that practically get off on democracy. Voting for them is like a giant circle-jerk they wouldn’t miss for the world.

Even if only 10% of the eligible voters in this country cast a ballot (assuming a truly random population and all that other shit), it would statistically even out so that whoever would win with 100% of the people voting would win with 10%.

“But azelfrath, yours could be the opinion that changes everything!”

No. It’s not like I, Azelfrath McBlogger of azelfrath.wordpress.com am going to be the final decision-maker. Nobody is going to come to my doorstep with a camera crew and say “This is it, son. The fate of the country – nay! – that of the entire planet, rests solely in your hands.”

“But azelfrath, if you don’t vote then you can’t complain!”

The fuck I can’t. I can complain about the potholes in the roads even though I didn’t specifically vote to have them fixed. I can complain about the slow Internet speeds around here without picketing ComQuesT&T for days.

“But azelfrath, you don’t love America if you don’t vote!”

The fuck I don’t. There are things I love about this country and there are things I hate, but not voting has no bearing on that at all.

3.) Voting for a leader is like saying “I want things to change but I don’t wanna take any significant action to change them myself.” If you want the streets cleaned up, clean them up. If you want cleaner air, organize a guerrilla gardening crew. Voting = passive. Action = direct.

[[ Part 2, in which the Author gets to the fucking point ]]

Back to the quote: No taxation without representation.

What does this mean? Loosely, the Colonists did not think it was fair to be taxed by the British Parliament without also having a say in what went on. This makes sense: If someone is going to rob you of your hard-earned money, then you should get something in return.

I don’t think it’s a fair trade. ~23% of every paycheck I make goes right to the government. That’s almost one-fourth. That’s several nice dinners. That’s auto insurance. That’s a chunk of my vacation savings. That’s a lot.

And what do I get in return? I get to check some boxes and hope that my piece of paper changes something.

I say fuck that.

Let it be known on this day, March 7, 2012, that I, azelfrath of azelfrath.wordpress.com, will willingly and knowingly give up my right to vote in all local, state, and federal governmental elections, under the condition that I no longer am forced to pay local, state, or federal taxes. This includes income tax, sales tax, those gift taxes that nobody pays anyway, stamps on letters, and anything else of the sort.

I’m posting this with several intentions. One is just to rant because it’s hard to pay rent with a handicapped paycheck. Another is to get people thinking about what voting really means, and what it’s worth.

But perhaps most importantly, I am dead serious about this. If by some weird turn of events, Obama himself reads this post and is like “You know what? I’m down. No taxes for you, bro!” then not only would I be fairly shocked, but I would happily sign whatever needed to be signed so I could continue living my life much the same way I do now, except with my full paycheck.

No taxation without representation? I accept.

Your move, Obama.

Open Source Shaaaaaaame.

So a while ago I was looking around at some open-source shopping cart applications for a potential client. The guy never got back to me but I played around with the software anyway.

The app in question is called OpenCart and is pretty nice at a casual glance. Has a lot of features a potential seller would want, including a simple interface, sales statistics, multiple currencies, and coupons/discounts.

I would like to focus on this last category. By default you have three coupons to choose from: $10 off, 10% off, and free shipping. Also by default, these coupons have checkout codes of 1111, 2222, and 3333 respectively. The most surprising thing is that, still by default, these coupons are enabled.

Take a minute and think about that. By default, this app is configured to allow you to lose money.

It’s not that hard to discover this flaw, either. Anyone who downloads this app and has a brain in their skull can see that these coupons are present and enabled on a clean install. It doesn’t take a tremendous leap from there to get to exploitation. Why is this allowed?

Being the responsible person I am, I reported this to the developers via their site’s “report a bug” form with the following:

Potential oversight:

OpenCart comes default with three discounts, all enabled:

10% off – expires 01/01/2012 – Code 2222
$10 off – expires 01/11/2020 – Code 1111
Free Shipping – [expired]

If a vendor sets up an OpenCart installation and does not realize there are default discounts, anyone can come along and apply the coupons. They are trivial to discover just by downloading OpenCart and setting it up. I just tested this myself on v1.5.1.3 and it works.

Please email me back when you receive this.

Now before you say it, I did forget to mention in my message that only the $10 off and 10% off coupons would work (I wrote to them on December 8, 2011 right after I found this). By now, being past Jan 1, 2012, only the $10 off coupon will work.

Minor details, moving on.

So let’s say someone used this trick now. $10 might not seem like a ton of money, but to someone selling $15 items it’s quite a chunk. Regardless of the amount lost, this is still not something that should be enabled by default. That said, I’ll show you the reply I got:

its so the user can test this function when they set it up.

theres not much I can do if a none developer installs opencart and leaves this in.

I get the first part from a usability standpoint, but the second part is simply not acceptable. First off, you don’t write software like this for developers. You write it for users of all skill levels. A statement like that makes sense for some obscure linux kernel feature but not for an application that will be used by many people to make a profit. Second, there actually is something you can do about it, and I showed them in my reply:

I can’t help but feel that’s an irresponsible point of view for a developer to take. It would make more sense to have them disabled by default and give a notice, or even a short “Read This First” during the install process that explains the situation.

Not everyone who will be using this is going to be a developer, true. We can’t help that. But that doesn’t mean they won’t hire someone who is inexperienced to set it up for them. Having the user suffer monetary loss when the fix is so simple just isn’t acceptable.

I really would consider changing the default status of the discounts to “Disabled”, especially when a 10% off coupon could mean hundreds of dollars on a high-price item.

Bear in mind this was written when the 10% off was still valid, and I completely neglected to mention the possibility of a non-developer installing this. Another thing you don’t see here is the patch I wrote which was as simple as changing three 1s to 0s to disable the coupons by default. That was sent in another “contact us” submission, hence my not having a copy to share here.

I did not get a further response. This all took place in one night exactly a month ago (to the hour, even), so I don’t feel bad about posting this. Responsible disclosure and all that.

So to summarize:

*An OpenCart developer knowingly left a feature enabled that could hurt users
*After offering a simple patch, he still declined to apply it
*The logic behind his decision makes no sense at all

Shit Ain't Logical

I’d like to end with a deep philosophical statement about the state of mind some developers have and how times have changed and how this will surely mean the end of open source as we know it, but I can’t think of one right now so I’m gonna go have some wine and baklava.
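An added example, not part of the original post and not OpenCart's code: a small audit that finds default-code coupons that are still enabled and unexpired, then disables them the way the "three 1s to 0s" patch would. The table layout, the dates in ISO form, and the extra merchant coupon are constructed for the demo; a real store's coupon table name and columns are assumptions to verify first.

```python
import sqlite3
from datetime import date

# Default checkout codes named in the post.
DEFAULT_CODES = ("1111", "2222", "3333")


def build_sample_db():
    """Constructed stand-in for a fresh install's coupon table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE coupon (coupon_id INTEGER PRIMARY KEY, name TEXT, "
        "code TEXT, date_end TEXT, status INTEGER)"
    )
    db.executemany(
        "INSERT INTO coupon (name, code, date_end, status) VALUES (?, ?, ?, ?)",
        [
            ("10% off", "2222", "2012-01-01", 1),
            # The post gives 01/11/2020; read here as 1 Nov 2020 (assumption).
            ("$10 off", "1111", "2020-11-01", 1),
            # The post only says "[expired]"; this date is constructed.
            ("Free Shipping", "3333", "2009-03-01", 1),
            # Constructed merchant coupon that the audit must leave alone.
            ("Spring Sale", "SPRING-7Q2X", "2012-06-30", 1),
        ],
    )
    return db


def live_default_coupons(db, today):
    """Return (code, name) for default coupons that are enabled and unexpired."""
    marks = ",".join("?" * len(DEFAULT_CODES))
    rows = db.execute(
        f"SELECT code, name FROM coupon WHERE status = 1 "
        f"AND code IN ({marks}) AND date_end >= ? ORDER BY code",
        (*DEFAULT_CODES, today.isoformat()),
    )
    return rows.fetchall()


def disable_default_coupons(db):
    """Set status = 0 on every enabled default-code coupon; return rows changed."""
    marks = ",".join("?" * len(DEFAULT_CODES))
    cur = db.execute(
        f"UPDATE coupon SET status = 0 WHERE status = 1 AND code IN ({marks})",
        DEFAULT_CODES,
    )
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    # The day of the bug report, then a month later.
    for day in (date(2011, 12, 8), date(2012, 1, 7)):
        print(day, "live defaults:", live_default_coupons(db, day))
    print("disabled rows:", disable_default_coupons(db))
    print("after fix:", live_default_coupons(db, date(2012, 1, 7)))
```

Expired defaults are disabled too, since an expiry date is one edit away from being live again.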

First Design Job Debriefing

First off, I’m not dead. I kinda fell out of love with blogging for a while, but I think we can work on our relationship. I’m sorry for ignoring you, and I just hope that in the future you will come to forgive me. /hug

More on topic, I “recently” (and by that I mean a month ago) finished my first official web design job. I’m still debating whether or not I wanna post the link here, partly because I am not 100% satisfied with my work, partly because I am going to bash the client a tad bit, and partly because my name is on it and I don’t wanna associate myself with… well, myself.

So originally I had written several paragraphs for this post, but I hit a block and realized it was as boring to read as it was to write, so please enjoy this abridged version:

*Client wanted to pay only half of what I quoted
*Client was slow to respond to emails
*Job ended up taking three months instead of two weeks

Lessons learned:

*Never work without a contract, no matter how small the job
*Don’t forget that respect goes both ways
*CASH UP FRONT FOR FUCK’S SAKE

Not gonna go into more detail. Too scatter-brained. Bleh.

‘Tis The Season…

For scams!

That’s right folks! It’s that time of year again, when the only thing piling up faster than the snow are the emails. Here’s a gem I recently got that just screamed “Too good to be true”. At first I thought it was legit, since I had posted a few things on craigslist offering to help with various jobs for cash on the side. As I read on though, I quickly realized I was wrong. Lemme break down my train of thought section by section:

Hello,

I’m looking for someone that can be trusted and reliable to work very well with good understanding as my Personal Assistant.This position i am offering is home-based and flexible, working with me is basically about instructions and following them, my only fear is that i may come at you impromptu sometimes, so i need someone who can be able to meet up with my irregular timings. As my Personal Assistant, your activities amongst other things will include;

Alright, typing could be worse I suppose. Some grammatical errors and typos but maybe English is not this person’s primary language. I am a bit skeptical about “i need someone who can be able to meet up with my irregular timings” though…

Primary Responsibilities:

* Creating orders/pick slips/invoices/credit memos.
* Processing return authorizations for me as needed.
* Running personal errands.
* supervisions and monitoring.
* Scheduling programmes, flights and keeping me up to date with them.
* Acting as an alternative telephone correspondence while I’m away and when needed as i am hard on hearing that is why computer works for me. Making regular contacts and drop-offs on my behalf. Handling and monitoring some of my financial activities as the case maybe.

Credit card fraud.

Basic wage is $500 Weekly

Or drugs.

I’m sure you’ll understand I tend to have a very busy schedule at this point. Please note that this position is not office based for now because of my frequent travels and tight schedules, it’s a part-time work from home for now and the flexibility means that there will be busier weeks than others. I would like to give you an immediate trial, so if you are interested kindly get back to me. As I have been checking my files and schedules and would need someone urgently to run some errands for me this week/next week, while I am away. I will have some funds sent to you to complete the errands and would get back to you with more information on that, get back to me with your Personal/Contact Details such as:

Well yea, drug-dealing credit card fraud leaders tend to be busy.

FULL NAMES:
ADDRESS,Include Apt # If Available(No PO.BOX please):
CITY:
STATE:
ZIP CODE:
HOME PHONE #:
MOBILE PHONE#:
EMAIL ADDRESS:
PRESENT JOB:

Give ALL The Names!

Thanks in anticipation of your prompt response.

Yours Sincerely,

Anthoniette Grey.
Mildmay

What the actual fuck is “Mildmay”?

That’s the whole email, word for word and unedited. Turns out this is a resurgence of a previous scam using almost identical wording. I’m considering writing back with advice on how to write a more convincing letter.

Social Currency

Things I do not take as payment: Credit cards, check cards, and promises.

I used to operate on an honor system. You scratch my back I scratch yours. One hand washes the other. Quid pro quo. It felt good knowing that if I didn’t have cash, my friends would help me out if I needed it as long as it was understood that I owed them in the future. This could be in the form of money down the road, helping out with yardwork, or taking the blame for something if it’s that big of a favor. I always delivered on my promises owed.

It worked the other way, too. I was one of the first in my group of friends to get a car and license, so for a while I was the go-to guy for rides. Need a ride at 3AM because your ride is drunk? No problem. Parents flaked out and you’re gonna be late for a concert? I got your back. I didn’t do it for the money. I get decent gas mileage and had a lot of spare time, so I figured if I could help a friend and get $5 or a couple tacos for my time, it’s worth it.

This changed in 12th grade. I won’t name names, but one of my friends at the time was kicked out of her house and needed rides to school in the morning. I did it because I felt bad for her, and she said it would only be a week or so. I did this almost daily for a month, getting up half an hour early to help her out. After the first week, I asked if she could throw $10 my way for gas, and she said she would give me $50 when she had the money.

One day I had barely enough gas to get myself to school and no money, so I called her and tried to apologize. She lost her shit at me and never spoke to me again.

Flash forward a year. Another friend needs rides, and again I rise to the task. I pick her up from work a few times, bring her to various events, and cover for her in other ways I won’t detail here. Again I was strung along with promises to be paid. Let me reiterate that I don’t always expect cash. I’ve worked for home-cooked meals, help with welding, and things as little as a hookah session.

I didn’t see any of that. I think once I got $5 and a promise that there was more to come. That promise is still taking up space on my shelf. Knowing she wasn’t going to be able (or willing) to pay off everything she promised in any form, I asked if she would settle for dinner at a local seafood place. She said yes, and I let it sit for a while. And so it sat, and sits, and will sit forever.

The best part is, I was actually going to pay for both meals myself knowing she’d appreciate it.

Go get a snack or take a bathroom break and reflect on that for a bit. This’ll be a longer post.

[[[ Intermission ]]]

Welcome back.

It’s not just people I know personally that have done this. I recently posted about a web design job I was taking for some cash on the side. Being my first job outside of the family, I was excited and ready to do it right. I dropped all my bad coding habits, conformed to strict HTML5 standards, crossed my i’s and dotted my t’s dotted my i’s and crossed my t’s. It was a beautiful site, and the client hadn’t really even specified anything. I did this all out of passion for the job.

When it came time to decide on the scope and a price, it turned out that neither myself nor my client had any clue what a good number was. We both told the other to just toss out a number and we’ll agree on something. After some research and asking around, I found that someone with my experience doing this particular job should expect about $750. I thought that was a bit high, so I dropped it to $500 and made that offer.

That was twice what he wanted to pay.

Alright, I can work with this. Didn’t wanna lose my first client. I dropped some of the more advanced features and we worked out a deal for $250. All in all it was pretty good on both ends, until it came time to sign an agreement. I drafted up a contract based on a few templates I found online, trying to cover both our asses and do so in plain English. He appreciated the fact that it was easy to understand, but didn’t like some of my provisions (time table for completion, added fees for extra services, legalese). As bad a move as this was, we both decided to continue without a contract.

I worked out the 90% that I could do on my own and waited for him to supply his thoughts on the site so far, along with text and graphics. At first things went smooth. We would email back and forth 3 times in a day with little tweaks and big changes. Then the time between emails stretched out to a few days, then a week. I’d ask for page text and have to ask again a few days later. Logos and opinions alike would take twice as long as they should to show up.

At one point I thought he had died or something.

Now don’t get me wrong. He’s a really busy guy. But part of working without a contract was the understanding that the respect was mutual, and both people had things they needed to do. I can’t help but feel that I was (and am, as of this writing) viewed as a back-burner issue, when in fact this job (which I agreed to do for a third of what I originally was told to expect) is a big part of my income right now.

Another promise, another letdown.

Go get a drink, almost done here.

[[[ Intermission ]]]

Alright, let’s wrap this up.

The underlying issue here is that, for the longest time, I worked on promises. This works well enough when you can trust everyone involved, but even in that case there are external variables that come into play and mess things up. The simple truth is that in this day and age, a promise is worth less than the air (or in the case of an email, the bytes) used to convey it.

So how do I plan to fix this?

First off, so you don’t all think I’m a cynical asshole*, there are some people I can trust with a promise. One of them is my good friend Brad. He’s a man of his word and if he says he will do something, it will be done.

Second, in terms of not falling into this trap again, I’m going to have to shed off a bit of my “wanna help everyone” shell and simply tell some people no if they cannot pay me upfront or provide really good collateral.

Last, and this will be hardest, I am going to have to get tough on people who don’t pay up. I hate to sound like a mobster, but if you aren’t forward with people you will get stepped on. I have the footsteps to prove it. This means outright refusing to do little favors until past dues have been paid.

So yea, gonna add this as another tally in my “Life Lessons” category and hope I can remember it in the future.

*I really am a cynical asshole, but I try to hide it