Squiggly Kim

[ URLs have been changed to protect the identities of the hilarious ]

As any sysadmin knows, it’s favorable to stay a few steps removed from the unwashed masses we call “users”. Escalation procedures exist for a reason, and I’ll be damned if I am going to talk to a customer every time they forget a password. Sometimes, however, a problem comes along requiring the unique insight that only a SA has.

One such problem was presented to me just the other day in the form of a conversation in our internal chat room. It went something like this:

———-
Alice: Hey, I have a customer on the line who is saying she can’t change her website. Any ideas?
Bob: Well did you confirm the URL?
Alice: Yep, same problem on our end.
Charlie: Have you logged into our server to make sure everything is stable?
Alice: Uh huh. Running just fine.

[ snip 20 minutes of throwing ideas around and none of them working ]

Zachary: Check the flux capacitor!
———-

At this point I decided I should step in before someone got hurt. I asked for a ticket number so I could check out the issue myself, and here’s what was recorded:

“Ticket #13376047 – User unable to edit her web page at http://www.example.com/squigglykim

Not much to go off, but I like a challenge. I look up which of our servers is hosting her site and SSH in. Sure enough, everything is working fine. Other users are FTPing in without any problems. Web pages are being served and life is great. So what’s the issue?

Maybe it lies deeper. It’s a VM so maybe there is a limit on the number of connections you ca- No, that’s all good. Possibly an issue with permissi- nope, 755 like all the others. Ah ha! Certainly the user tripped our IPS and got blacklis- all clean.

At this point I started doing what I always do when confronted with a problem I can’t fix: Rubber Duck Debugging. Except instead of a rubber duck, I have a plush goat. Don’t judge me. So I start talking to the goat:

“The problem is that a user cannot edit her web page. Her URL is http://www.example.com/squigglykim. I’ve verified that the site exists and works in a browser. Her FTP credentials are right. She can log in as kim with her password. The user kim is configured the same as any other user. Kim just can’t edit her squigglykim pa-”

squigglykim

squiggly kim

squiggly

~kim

If ever there were a moment in all human history – recorded and not – where a man needed to hit his head upon a wall, this was it.

Advertisements

Open Source Shaaaaaaame.

So a while ago I was looking around at some open-source shopping cart applications for a potential client. The guy never got back to me but I played around with the software anyway.

The app in question is called OpenCart and is pretty nice at a casual glance. Has a lot of features a potential seller would want, including a simple interface, sales statistics, multiple currencies, and coupons/discounts.

I would like to focus on this last category. By default you have three coupons to choose from: $10 off, 10% off, and free shipping. Also by default, these coupons have checkout codes of 1111, 2222, and 3333 respectively. The most surprising thing is that, still by default, these coupons are enabled.

Take a minute and think about that. By default, this app is configured to allow you to lose money.

It’s not that hard to discover this flaw, either. Anyone who downloads this app and has a brain in their skull can see that these coupons are present and enabled on a clean install. It doesn’t take a tremendous leap from there to get to exploitation. Why is this allowed?

Being the responsible person I am, I reported this to the developers via their site’s “report a bug” form with the following:

Potential oversight:

OpenCart comes default with three discounts, all enabled:

10% off – expires 01/01/2012 – Code 2222
$10 off – expires 01/11/2020 – Code 1111
Free Shipping – [expired]

If a vendor sets up an OpenCart installation and does not realize there are default discounts, anyone can come along and apply the coupons. They are trivial to discover just by downloading OpenCart and setting it up. I just tested this myself on v1.5.1.3 and it works.

Please email me back when you receive this.

Now before you say it, I did forget to mention in my message that only the $10 off and 10% off coupons would work (I wrote to them on December 8, 2011 right after I found this). By now, being past Jan 1, 2012, only the $10 off coupon will work.

Minor details, moving on.

So let’s say someone used this trick now. $10 might not seem like a ton of money, but to someone selling $15 items it’s quite a chunk. Regardless of the amount lost, this is still not something that should be enabled by default. That said, I’ll show you the reply I got:

its so the user can test this function when they set it up.

theres not much I can do if a none developer installs opencart and leaves this in.

I get the first part from a usability standpoint, but the second part is simply not acceptable. First off, you don’t write software like this for developers. You write it for users of all skill levels. A statement like that makes sense for some obscure linux kernel feature but not for an application that will be used by many people to make a profit. Second, there actually is something you can do about it, and I showed them in my reply:

I can’t help but feel that’s an irresponsible point of view for a developer to take. It would make more sense to have them disabled by default and give a notice, or even a short “Read This First” during the install process that explains the situation.

Not everyone who will be using this is going to be a developer, true. We can’t help that. But that doesn’t mean they won’t hire someone who is inexperienced to set it up for them. Having the user suffer monetary loss when the fix is so simple just isn’t acceptable.

I really would consider changing the default status of the discounts to “Disabled”, especially when a 10% off coupon could mean hundreds of dollars on a high-price item.

Bear in mind this was written when the 10% off was still valid, and I completely neglected to mention the possibility of a non-developer installing this. Another thing you don’t see here is the patch I wrote which was as simple as changing three 1s to 0s to disable the coupons by default. That was sent in another “contact us” submission, hence my not having a copy to share here.

I did not get a further response. This all took place in one night exactly a month ago (to the hour, even), so I don’t feel bad about posting this. Responsible disclosure and all that.

So to summarize:

*An OpenCart developer knowingly left a feature enabled that could hurt users
*After offering a simple patch, he still declined to apply it
*The logic behind his decision makes no sense at all

Shit Ain't Logical

I’d like to end with a deep philosophical statement about the state of mind some developers have and how times have changed and how this will surely mean the end of open source as we know it, but I can’t think of one right now so I’m gonna go have some wine and baklava.

First Design Job Debriefing

First off, I’m not dead. I kinda fell out of love with blogging for a while, but I think we can work on our relationship. I’m sorry for ignoring you, and I just hope that in the future you will come to forgive me. /hug

More on topic, I “recently” (and by that I mean a month ago) finished my first official web design job. I’m still debating whether or not I wanna post the link here, partly because I am not 100% satisfied with my work, partly because I am going to bash the client a tad bit, and partly because my name is on it and I don’t wanna associate myself with… well, myself.

So originally I had written several paragraphs for this post, but I hit a block and realized it was as boring to read as it was to write, so please enjoy this abridged version:

*Client wanted to pay only half of what I quoted
*Client was slow to respond to emails
*Job ended up taking three months instead of two weeks

Lessons learned:

*Never work without a contract, no matter how small the job
*Don’t forget that respect goes both ways
*CASH UP FRONT FOR FUCK’S SAKE

Not gonna go into more detail. Too scatter-brained. Bleh.

‘Tis The Season…

For scams!

That’s right folks! It’s that time of year again, when the only thing piling up faster than the snow are the emails. Here’s a gem I recently got that just screamed “Too good to be true”. At first I thought it was legit, since I had posted a few things on craigslist offering to help with various jobs for cash on the side. As I read on though, I quickly realized I was wrong. Lemme break down my train of thought section by section:

Hello,

I’m looking for someone that can be trusted and reliable to work very well with good understanding as my Personal Assistant.This position i am offering is home-based and flexible, working with me is basically about instructions and following them, my only fear is that i may come at you impromptu sometimes, so i need someone who can be able to meet up with my irregular timings. As my Personal Assistant, your activities amongst other things will include;

Alright, typing could be worse I suppose. Some grammatical errors and typos but maybe English is not this person’s primary language. I am a bit skeptical about “i need someone who can be able to meet up with my irregular timings” though…

Primary Responsibilities:

* Creating orders/pick slips/invoices/credit memos.
* Processing return authorizations for me as needed.
* Running personal errands.
* supervisions and monitoring.
* Scheduling programmes, flights and keeping me up to date with them.
* Acting as an alternative telephone correspondence while I’m away and when needed as i am hard on hearing that is why computer works for me. Making regular contacts and drop-offs on my behalf. Handling and monitoring some of my financial activities as the case maybe.

Credit card fraud.

Basic wage is $500 Weekly

Or drugs.

I’m sure you’ll understand I tend to have a very busy schedule at this point. Please note that this position is not office based for now because of my frequent travels and tight schedules, it’s a part-time work from home for now and the flexibility means that there will be busier weeks than others. I would like to give you an immediate trial, so if you are interested kindly get back to me. As I have been checking my files and schedules and would need someone urgently to run some errands for me this week/next week, while I am away. I will have some funds sent to you to complete the errands and would get back to you with more information on that, get back to me with your Personal/Contact Details such as:

Well yea, drug-dealing credit card fraud leaders tend to be busy.

FULL NAMES:
ADDRESS,Include Apt # If Available(No PO.BOX please):
CITY:
STATE:
ZIP CODE:
HOME PHONE #:
MOBILE PHONE#:
EMAIL ADDRESS:
PRESENT JOB:

Give ALL The Names!

Thanks in anticipation of your prompt response.

Yours Sincerely,

Anthoniette Grey.
Mildmay

What the actual fuck is “Mildmay”?

That’s the whole email, word for word and unedited. Turns out this is a resurgence of a previous scam using almost identical wording. I’m considering writing back with advice on how to write a more convincing letter.

The Sneaky Bastard…

As you may or may not know, I am a huge fan of the TV series Leverage. I recently bought seasons 1 and 2 on DVD and started watching from the beginning. I’ve seen all the episodes already, but sitting down and really watching them is almost as good as seeing them all for the first time.

And as you can probably guess, being a computer geek, my favorite character is Hardison. Normally the type of Hollywood hacking portrayed on TV bothers me to no end (*glares at the likes of CSI et al*) but the Leverage cast and crew pulls it off marvelously. Unrealistic? Sure. Fun to watch Hardison (and later Wil Wheaton) spread the nerd love? Hell yea.

Now one of the things I do that tends to annoy people is to point out the inaccuracies in tech scenes. Yea, I’m that guy, though I try not to be obnoxious about it. Anyway, while watching Leverage I always like to focus in on the scripts that Hardison runs. Usually they scroll by too fast, but I am used to a command-line interface so I can catch glimpses here and there.

Overall I’m impressed. While he does tend to use a flashy interface, most of his solid work is done in a terminal. This got me thinking. Since I own the DVD now, I can slow down and actually read what’s going on!

As I would expect, a lot of it is made to look cool. It sure as hell looks like real output though. I started doing this on The Mile High Job from season 1. At the 37 minute mark, Parker is looking at a control system in the cargo bank. I paused as soon as the screen came into focus, then stepped frame by frame reading each line.

Then I saw it.

“/Users/tomslattery/Documents/” yadda yadda yadda

My Google Fu brought me to this page. Sure enough, he’s listed as a Visual Effects Designer for Leverage! As far as I know, nobody else in the public realm has caught this. I’m impressed, not only because it looks like he knows his stuff, but because he left that little gem there for someone to find.

It gets better.

The text he uses in that scene (or possibly one earlier, can’t remember) is actually found in a deleted scene from The Miracle Job where Hardison has a flashback to his Finland bank hack. He has a program called “The Encryptor” running that appears to be the same script the attackers use to try and take down the plane!

Now if I can be “that guy” for a minute, I’d like to point something else out about the deleted Miracle Job scene. At the 31 second mark, Hardison has his script running (since God doesn’t outlaw crazy dancin’) and the output includes references to code that would not have existed when Hardison was a teenager. Specifically, I saw libssl 0.9.7 which I believe was first released as an alpha in 2004.

My eyes are on you, Tom…

A Scary Thought

It’s 6:00 PM and I am bored in class. Teacher is going on about the difference between reactive and proactive anti-virus. Fun stuff. I decide to check eBay for anvils, and after a few minutes I see one I like.

6:05 PM now, and I have decided to go through with the purchase. For $155 I could get a 40 lb anvil, 14″ long by 3″ wide with hardie and pritchel holes. Not a bad deal. At this point I realize it’s been a few years since I have used my eBay account, and I don’t remember the password.

6:07 PM. I go to recover my account info. I’m asked some questions that I know the answers to, but I have mistyped some of them. I’m tired, give me a break. I re-enter the info. Wrong again. Oops, I forgot that I used to use a different address. Third time’s a charm.

6:10 PM. Alright, “Buy Now”. Free shipping, so the total is $155, and I make a $5 donation to some children’s education fund. Oh crap, gotta verify via PayPal.

6:12 PM. Alright alright, I admit it. I wrote down the password to my PayPal because it was long, and the pass is at home somewhere. No problem, “I forgot it”. Not even asked questions this time, just for my email.

6:13 PM. Email arrives, click link, reset pass. Damn, not long enough. Alright, got it. PayPal pass changed.

6:14 PM. I go to confirm the order, change my address to my current one, and click the button to complete the order.

6:15 PM. I sit back and smile as I revel in my quick grab of a good deal.

6:16 PM. Holy shit I just did all of that in 15 minutes.

Think about this. In 15 minutes I went from being half-asleep in class to having goods shipped across the country to my doorstep. This could have easily been done by someone else with the right knowledge. Emails are fairly simple to intercept in a coffee shop. You can guess a staggeringly high amount of questions/answers. A professional criminal could have done this faster, and with more accounts nabbed in one sitting.

It’s kinda scary to think that I basically just hacked myself while answering questions in class and texting my friends. And I didn’t even realize I had done it.

The Humble Hyperlink

I don’t have a snappy intro to this post, so I’ll just say it: The rent is too damn high The web is too damn big.

Allow me to explain. Just about any search term you can imagine will return multiple results from different sources. Just off the top of my head, I searched for “how to make cupcakes” and got 10 different web sites with 10 different recipes.

Some people would call this “information overload”, but I don’t think that’s the right term. Information overload implies that you can’t handle the amount of information being thrown at you, which further implies that you are actually attempting to absorb all of that information.

I prefer to call this “cruft”. Cruft, for those of you who do not know, is a term used to describe anything unnecessary or unwanted. In software, this means largely unused code, or code which is messy and gross to look at. Similarly, having all these similar yet distinct links just seems like too much. I say this for two reasons.

One, people tend to only look at the first few links, and very rarely do they go to the second page. This means that most links are just wasted space on the page, bandwidth that could better be used routing Farmville or some crap.

Second, there comes a point when there are just too many articles on the same topic. I was reading today about symlink race condition attacks, and there was the Wikipedia page, then about 4 other pages quoting that article with little to no added value.

So how does this relate to the hyperlink? Put simply, it is my opinion that it makes much more sense to simply link to an existing article than to rewrite one of questionable quality. This does two things. First, it elevates that single article to a position of authority in the Internet realm. It’s like mentioning K&R to a group of programmers. Everyone knows it. Second, it means that searching for that gem of knowledge is made much simpler than dredging through mounds of data for hours on end.

Yea, there are some drawbacks. No, I don’t feel like writing more right now. Maybe I’ll edit this later.