Saturday, December 1, 2007

What's interesting to me about the SquirrelMail attack


A few days back, it was announced that the open source web mail program had been attacked and poisoned so that any site that installed it would be vulnerable to a remote code exploit.

The interesting thing about it to me is that the attacker chose to poison it by modifying the PHP code slightly to create a non-obvious exploit:
"While the modification was minor, a simple change to a PHP global variable, it led to the case where the compromised versions of SquirrelMail would allow arbitrary remote code execution. With the earliest affected version (1.4.11) having been made available in late September, it could be that there are a significant number of installations that may now be vulnerable to attack and compromise."
I dug around a bit to find what the compromise looked like, and finally found a description on a blog that showed what code was inserted:
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
Initial views on the code change showed that this shouldn't be able to do anything, because HTTP_BASE_PATH wasn't a defined variable. That's where the problem is. These $_SERVER variables are filled in by the HTTP server from the request headers, which means that a remote user can push them in via the HTTP transaction and get PHP to load them. This is a bad thing, because it means that the next page loaded would really be loaded from the remote host. This then allows the user to execute malicious PHP code, as the web server user, on the victim's host, without any interaction with the victim at all.
PHP is a difficult language to write secure code in. What I find really interesting is that the attacker chose to write some obfuscated global variable hack, presumably to make it harder to spot that it was a remote code exploit, and apparently it worked.
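Here is an added PHP example (my own, not code from SquirrelMail or from the advisory) that puts the injected definition beside a definition the client cannot influence, and adds a small audit function that flags define() calls taking their value from request data. The header value and the labels are constructed for the example.

```php
<?php
// Added example, not SquirrelMail's code: the backdoored definition of SM_PATH
// next to a definition that the client cannot influence, plus an audit function
// that reports request-derived constants in PHP source.

// How the backdoor worked: the web server fills $_SERVER['HTTP_<NAME>'] from the
// request header <Name>, so a client controls the value of HTTP_BASE_PATH. If the
// application later does include(SM_PATH . 'something.php'), the include prefix
// is whatever the request said it should be.
function backdoored_base_path(array $server, string $default): string {
    return $server['HTTP_BASE_PATH'] ?? $default;   // request-controlled
}

// Hardened form: derive the prefix from the location of this file only.
function safe_base_path(): string {
    return __DIR__ . '/';
}

// Audit helper: report lines where define() takes its value from request data.
// $_SERVER keys beginning with HTTP_ are request headers; $_GET, $_POST, $_COOKIE
// and $_REQUEST are request data by definition.
function find_request_derived_defines(string $source): array {
    $hits = [];
    $pattern = '/define\s*\(.*\$_(SERVER\s*\[\s*[\'"]HTTP_|GET|POST|COOKIE|REQUEST)/';
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = ['line' => $i + 1, 'text' => trim($line)];
        }
    }
    return $hits;
}

// Constructed input: the injected snippet quoted above and a clean definition.
$suspect = <<<'PHP'
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
PHP;

$clean = <<<'PHP'
define('SM_PATH', dirname(__FILE__) . '/');
PHP;

foreach ([['suspect', $suspect], ['clean', $clean]] as $pair) {
    list($label, $src) = $pair;
    $hits = find_request_derived_defines($src);
    printf("%s: %d request-derived define(s)\n", $label, count($hits));
    foreach ($hits as $h) {
        printf("  line %d: %s\n", $h['line'], $h['text']);
    }
}

// The same request environment, seen by both definitions (constructed header value).
$request = ['HTTP_BASE_PATH' => 'http://example.invalid/'];
echo "backdoored: ", backdoored_base_path($request, __DIR__ . '/'), "\n";
echo "safe:       ", safe_base_path(), "\n";
```

The audit regex is deliberately crude (one line at a time, no parsing), which is enough to surface this particular pattern in a source tree; the real point is that an include prefix should never be computed from anything the request can set.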

So this leads me to wonder, what kinds of security errors / attacks is Haskell vulnerable to? I would really love it if someone did an analysis of typical attacks, buffer overflows, global variable problems, etc. in PHP, and show how Haskell is vulnerable to them, or how it is not. Strong typechecking should help a lot, lack of global variables should also help.

For extra credit, propose ways to extend or modify Haskell to not have those problems. Should we eliminate unsafePerformIO, IORefs/MVars/IOArrays and the FFI?

This is not to say that I'm blaming PHP. Obviously, if the attacker has access to the server and permissions to modify the distribution, there's not much that can be done to prevent them from poisoning the distribution. Also, the nature of HTTP applications in any language adds the difficulty that the URL, for instance, can introduce variables. I don't know anything about the SquirrelMail codebase so I can't really tell why the above code works. I'm guessing that in Haskell this wouldn't be quite so easy to hide, because the side effect of the "define" is not really applicable to Haskell.

Another funny thing about this attack is that it was caught because the MD5 of the package didn't match the new tarball that the attacker created. I don't understand (maybe someone can enlighten me) why the attacker didn't change the MD5 stamp on the server as well, since I'm guessing they reside on the same server. The sums were also posted in the announcement so maybe someone noticed the discrepancy there? I'm also curious how the attacker got access to the account that was used in the first place, but haven't seen any data on that.
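As an added example (my own, not the project's release process), here is a PHP check of the kind that caught this: compare a downloaded tarball against the digest line from the announcement, and refuse anything that has no published digest. The tarball and the digest line are constructed in a temp directory; the sums in this case were MD5, so the example uses MD5, but the same function accepts 'sha256'.

```php
<?php
// Added example, not from the SquirrelMail project: verify a downloaded release
// tarball against a published digest line before installing it.

// Parse lines in the "<hex digest>  <filename>" format written by md5sum/sha256sum.
function parse_digest_lines(string $text): array {
    $digests = [];
    foreach (preg_split('/\R/', trim($text)) as $line) {
        if (preg_match('/^([0-9a-fA-F]+)\s+\*?(.+)$/', trim($line), $m)) {
            $digests[$m[2]] = strtolower($m[1]);
        }
    }
    return $digests;
}

// Return true only if the file's digest matches the published one for its name.
function verify_release(string $path, string $algo, array $published): bool {
    $name = basename($path);
    if (!isset($published[$name])) {
        return false;                      // no published digest: refuse, don't guess
    }
    $actual = hash_file($algo, $path);
    if ($actual === false) {
        return false;
    }
    return hash_equals($published[$name], $actual);
}

// Constructed demonstration: a fake tarball and the digest line an announcement would carry.
$file = sys_get_temp_dir() . '/squirrelmail-example.tar.gz';
file_put_contents($file, "not a real tarball, constructed for the example\n");
$announcement = md5_file($file) . "  squirrelmail-example.tar.gz\n";
$published = parse_digest_lines($announcement);
echo "pristine tarball verifies: ", var_export(verify_release($file, 'md5', $published), true), "\n";

// Simulate a replaced tarball: the content changes, the announced digest does not.
file_put_contents($file, "different contents\n");
echo "replaced tarball verifies: ", var_export(verify_release($file, 'md5', $published), true), "\n";
unlink($file);
```

The check only helps when the digest comes from somewhere the tarball's host cannot edit, which is exactly why a copy of the sums in a mailing-list announcement was the useful one here.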

Saturday, October 27, 2007

E-Books


I just finished reading A Tale of Two Cities by Charles Dickens. I read it on my PDA/phone as an "ebook". I really like reading ebooks because I can keep them in my pocket without taking up any extra space. That way, I always have a book with me if I want one.

When I commute, I ride my bike to the train, and then I take the train to work. For the sake of my back, I don't like carrying anything extra in my backpack, so it's nice to just have my book on my cell phone. That way, I can read on the train.

Project Gutenberg is a great web site that has a huge collection of free electronic books. Since they are mostly books that are in the public domain, the best books on there are older classics like A Tale of Two Cities. On the other hand, I did read some books by Cory Doctorow who releases his books under the Creative Commons license.

I've read a few other ebooks as well. I really like them. I would be happy to buy ebooks. Except for one thing: Digital Rights Management. What's DRM? In the words of Cory Doctorow, "a stupid, scientifically bankrupt technology that seeks to restrict how you use and copy digital files after acquiring them".

I could (and would) go online and buy books and read them on my PDA, and I would not post them on the internet for all to read. But I won't buy a locked book. I won't type in my credit card number to "unlock" something I've already paid for. When I buy a book, I want to be able to keep it and use it again and again and lend it to my friends. Someday, that credit card number that I need to "unlock" the book with will be long gone. Some day that "ereader" program that I use to read the book will be long gone. That operating system I use to run that program will be long gone.

Why should I lose the book I paid for because I got a new phone? Digital Rights Management is stupid. I won't buy ebooks with DRM.

Sunday, October 14, 2007

Cyclocross, October 14th


I just got home from my second ever cyclocross race! I mentioned my last race here. This time I actually snapped some lame photos with my cameraphone, so scroll down for that, as well as some YouTube videos from last year's Portland cross races :)

I feel like I biked really strongly this time. On my last cross race and my road race on Tabor, I felt like I didn't ride as well, partly because I didn't know when I was on my last lap, and wasn't really able to plan my energy well. With some help from Dylan on the sidelines, and from my bike computer, I actually knew when the last lap was today, and I actually planned a sprint at the end, which put me in front of several other riders.

I don't know the results yet, but I'll post an update when I find out. [UPDATE: I came in 34/104. I'm pretty pleased with being in the upper 1/3 :) ]

You'll see from the photos that there was a mountain unicycle division! I was totally amazed at those folks. They did only one lap, but it looked very challenging on one wheel.

Dylan and I rode in different divisions, so I got some photos of him, but none of me. Here's Dylan riding up a hill. He and I both enjoyed the hills because we train on hills pretty regularly biking between home & work. Lots of people were actually dismounting on the hills and we were both passing people a lot :)

There was an entire category of Mountain Unicycles!! I think at least 10 of them!



More photos here.
Here's a video that explains cyclocross, and Portland's cyclocross series:


And this video is last year's version of the course I rode today. There wasn't anything quite this tricky on today's race :)

Saturday, September 29, 2007

Portland, Columbus, Tickets, etc.


Just a collection of stuff I've read on the internet:
  • From the NYTimes, Portland is a great place for restaurants: "Every little neighborhood in this city of funky neighborhoods now seems to be exploding with restaurants, food shops and markets, all benefiting from a critical mass of passion, skill and experience, and all constructed according to the gospel of locally grown ingredients. ... World-class wine is produced in the Willamette Valley, the center of the Oregon wine industry, just a half hour’s drive away. Portland has six micro-distilleries making any kind of spirits you can name and, if you’d like a chaser, more breweries than any other city on earth. Just as important is a receptive populace, demanding yet eager to be wowed."
  • In Columbus news, here's an NYTimes Article about the Drexel Theater.
  • Whining drivers: It's no surprise that there are forums on the internet where you can whine about getting a traffic ticket, but thanks to reddit, I came across one by cops and for cops where cops can whine about how unfair it is that they should get any kind of tickets instead of being shown "professional courtesy". Oh it's so not fair! Why should the rules apply to them?!
Monday, September 24, 2007

My First Cyclocross Race!


I raced in my first cyclocross race last Sunday, and it was awesome :) I came in 19th/33, which I thought was OK for my first race. Dylan came in 8th! We were both racing in the beginner's category.

From wikipedia: "Cyclocross is a form of bicycle racing ... and consists of many laps of a short (2.5–3.5 km or 1.5–2 mile) course featuring pavement, wooded trails, grass, steep hills and obstacles requiring the rider to quickly dismount, carry the bike whilst navigating the obstruction and remount in one graceful motion."

My lovely Torelli bike was designed for cyclocross racing; although it's an older bike and a little heavy, it still works. It's also a great road bike and commuting bike. To get it cross-ready, all I have to do is change out the tires from slick road tires to nubbly off-road tires. That's a bit of a pain, though, so I got some new wheels so that all I have to do is swap out the wheels, which is considerably easier than swapping out the tires :) I needed new wheels anyway.

Sunday, September 16, 2007

Haskell and OpenID


Today I've been doing some investigation about creating an OpenID implementation in Haskell. There are lots of implementations in different languages, but surprisingly none in C. That would probably be the easiest language to create a binding for.
A few approaches I'm thinking about:
  • Creating a binding from Haskell to another language. This wouldn't be a real implementation, just a binding, but there's no C implementation listed... it's likely that there is some out there, though.
  • Creating a simple client-side only implementation that's just an experiment... leaving out a lot of the details like encryption, state, & delegation. Then building that up over time.
  • Or maybe jumping right to implementing the 2.0 version to try to make a reference implementation in Haskell. Who knows, maybe it'll get some people attracted to Haskell :)




I created an OpenID identity at myopenid.com and created a delegation for http://ipj.syntaxpolice.org, so now I have my own identity at my own server. This is actually really easy:
How to create an OpenID identity and delegate it to a personal web server:
  • Create an identity at some OpenID provider.
  • Create an HTML document on your Unix server someplace like "/var/www/ipj/index.html" and add this content:
     <html>
        <head>
           <title>Isaac Potoczny-Jones OpenID</title>
           <link rel="openid.server"   href="https://www.myopenid.com/server">
           <link rel="openid.delegate" href="http://isaac.potoczny-jones.myopenid.com">
        </head>
        <body>
           <p><a href="mailto:ijones@syntaxpolice.org">Isaac Potoczny-Jones</a></p>
        </body>
     </html>

  • Create a virtual host in Apache by creating a file like "/etc/apache2/sites-enabled/ipj.conf" with this kind of contents:
     <VirtualHost *>
        ServerName  isaac.potoczny-jones.syntaxpolice.org
        ServerAlias ipj.syntaxpolice.org
        DocumentRoot /var/www/ipj
     </VirtualHost>

  • Then restart Apache.
  • And try logging into LJ or something. The next version of Drupal supports OpenID, so when I upgrade I'll probably use my own server, presumably with the same identity.
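As an added example (not part of the original post), here is a PHP script that reads the openid.server and openid.delegate links back out of a delegation page and compares them with what you meant to publish. Whoever can edit that page decides where logins for the identity are verified, so checking what the server actually serves is a worthwhile habit. The embedded HTML is the document from the post above; the expected values and the fetch URL in the trailing comment are assumptions for the example.

```php
<?php
// Added example, not from the original post: check a delegation page's
// openid.server / openid.delegate links against the values the owner intended.

// Extract rel="openid.server" / rel="openid.delegate" hrefs from an HTML document.
function extract_openid_links(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);     // tolerate sloppy HTML quietly
    $doc->loadHTML($html);
    libxml_clear_errors();
    $found = ['openid.server' => null, 'openid.delegate' => null];
    foreach ($doc->getElementsByTagName('link') as $link) {
        $rel = strtolower(trim($link->getAttribute('rel')));
        if (array_key_exists($rel, $found)) {
            $found[$rel] = $link->getAttribute('href');
        }
    }
    return $found;
}

// Compare what the page serves with what the owner expects; returns a list of problems.
function check_delegation(array $served, array $expected): array {
    $problems = [];
    foreach ($expected as $rel => $href) {
        if ($served[$rel] === null) {
            $problems[] = "missing <link rel=\"$rel\">";
        } elseif ($served[$rel] !== $href) {
            $problems[] = "$rel is {$served[$rel]}, expected $href";
        }
    }
    // The server endpoint is where credentials end up, so insist on https for it.
    if ($served['openid.server'] !== null && strpos($served['openid.server'], 'https://') !== 0) {
        $problems[] = 'openid.server is not served over https';
    }
    return $problems;
}

// Constructed input: the delegation document from the post above.
$html = <<<'HTML'
<html>
  <head>
    <title>Isaac Potoczny-Jones OpenID</title>
    <link rel="openid.server"   href="https://www.myopenid.com/server">
    <link rel="openid.delegate" href="http://isaac.potoczny-jones.myopenid.com">
  </head>
  <body><p>Isaac Potoczny-Jones</p></body>
</html>
HTML;

// Assumed expectations for the example: what the owner intended to publish.
$expected = [
    'openid.server'   => 'https://www.myopenid.com/server',
    'openid.delegate' => 'http://isaac.potoczny-jones.myopenid.com',
];
$problems = check_delegation(extract_openid_links($html), $expected);
echo $problems ? implode("\n", $problems) . "\n" : "delegation page matches expectations\n";

// Against the live site you would replace $html with the fetched page, e.g.
// file_get_contents('http://ipj.syntaxpolice.org/'), and run the same check.
```

Running this periodically (or after every deployment of the virtual host) turns a silent edit of the delegation page into a visible mismatch.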
But the thing is, I haven't picked a new nick since I got married. Should I be: isaac.potoczny-jones, ipojo, ipj, or just isaac?
peace,
ipojo
Saturday, September 8, 2007

Mount St. Helens


In July, Anna, our friends Chris & Christina, and I climbed Mt. St. Helens, the volcano that famously blew its top in 1980.

Here are some photos of our climb!
Mt. St. Helens is no longer a technical climb. Before the major eruption, it was apparently a pretty difficult and interesting mountain to climb, but now it's a strenuous day hike with a lot of scrambling over boulders, and some slogging up the ash fields.

Unfortunately for us, it was very very foggy when we climbed it, as you can see from the photo below. Before it got foggy, there were some good views, but when we got all the way to the top and looked down into the crater, we saw a vast nothingness of fog and clouds. A bit anti-climactic. Despite having no sunshine, though, I got terribly sunburned.

Nevertheless, it was a great hike and Chris & Christina did a fine job planning the trip and making sure we were well prepared for it. Because of the way the permit system works, you have to choose the day of the hike way in advance, so you never know what the weather will be like.

For training, Anna and I climbed Larch Mountain in the Columbia River Gorge (trailhead at Multnomah Falls), as well as some smaller hikes. Larch Mountain turned out to be pretty good preparation for the climb of St. Helens, and as it turned out, had much better views that day. From Larch, you can see Mt. Hood, Mt. St. Helens, Mt. Adams and others. Sweet.

Saturday, September 1, 2007

Bike Commuting Stuff :)


In Portland, we have a new 10-foot bike lane on the Hawthorne Bridge, which is on my way to work. This widening of the existing lane is really really nice, because it's uphill and right after a light, so it gets congested with cyclists going at different speeds.

You should join the Bike Commute Challenge this year. Check if your company is already on the list.

Folks at my work are getting into the idea of commuting by bike. One person already bought a new bike, and at least two others are planning to. That's in addition to all of us who already bike!
Monday, August 20, 2007

Cyclists attacked


Two cyclists were apparently allegedly attacked by a driver in our part of town here in bike-friendly Portland, OR. Now I'm sure that most people consider this kind of road rage just as disgusting as I do, but apparently there is a vocal minority of morons who think it's justified. Just scroll down to some of the comments in that article and prepare to be shocked.

The Futility of Car Kicking. Supposedly, one of the cyclists kicked the car (although the cyclist denies it) and so the driver ran him over and then hit another cyclist (who wasn't riding with the first). For one thing, I have trouble believing that the cyclist kicked the car. Try kicking something on a bike sometime. Your knees are pointed in the wrong direction for it, and how the heck can you keep your balance on the bike after kicking an object with the momentum of an SUV? In any case, I don't think kicking a car is a capital offense. Also, the cyclist denies it. Also, the other cyclist had nothing to do with it.

Be careful out there. For my fellow cyclists (and drivers) out there, you gotta keep your cool. Remember, you're sharing the road with people like this:

  • "The biker that kicked the car deserved what he got."
  • "Maybe next time a biker will think twice about spitting, slapping or kicking a car. (I don't have trouble taking any drivers word that a biker kicked their car, I see it going on all the time.)"
  • "Are YOU one of those charming folks with the sleeve tats and the Che Guevara shirt who just LOVES to flip off the motorists and bang your messenger bag-cum-oversized-purse against the windows of their cars? ... Or are you one of the junior Tour De France-ers with the name-branded aerodynamic unitard and pointy-tailed helmet, all clicking derailleurs and toeclips?"
  • "How could this be!! He should have backed up and run them over again!"


Those are quotes from the above-mentioned news article on the topic. Anger breeds anger. Violence breeds violence. Ride and drive peacefully :)

Who is Who? Why is it that so many people have so much trouble understanding that a stereotype about a group of people doesn't have anything to do with a particular person in that group? "Cyclists run red lights all the time," is something I often hear and read. I've even seen it happen. What the heck does that have to do with me? Absolutely nothing; that wasn't me. What does that have to do with the guy that supposedly kicked the car? Nothing; that wasn't him. What does that have to do with some poster on kgw.com? Nothing; it was a different person entirely.

Why is that so hard to understand?

Calm Down. Portland isn't a very big city. You can bike from one side of downtown to the other in maybe a little more than 5 minutes. You can even drive it in less than 10 minutes! ;) Why does anyone rush around in such a hurry? How much time can you really save by driving fast or talking on the phone while driving? We'd all be better off to set our alarm clocks to 6:28 instead of 6:30. Just relax and leave a little early for your appointment. Most drivers in Portland are amazingly polite to cyclists, pedestrians, and each other. I really appreciate it.

Some Statistics. In the US, more than 43,000 people were killed in cars or by cars in 2005. In Oregon alone, there were 488 fatal car crashes and only 11 cyclists killed. Of those Oregon car crashes, if I'm reading the numbers right, over 300 of them were with something other than another car; that is, hitting an object or overturning your car. Driving is horribly, horribly dangerous. Is it more dangerous than cycling? I don't really know; it would be nice to read a neutral treatment on the topic, but I know for sure that it's healthier, more fun, less dangerous to those around me, and I think it's less dangerous for me.

Some Perspective. Of course, the news is mostly bad. There are so many people out there biking, having a nice time, and being happy.
Read more about it on the Bike Portland forums.
Wednesday, August 15, 2007

Getting to Yes, Getting Things Done


I work for a small company and sometimes get involved in business affairs. I'm not primarily a hacker most of the time. I read a lot of books about business, personal productivity, leading projects, giving talks, marketing, etc., as well as books on technology, of course.

I'm a little bit addicted to these books actually. But it's not too bad. I don't take most of them very seriously. I don't constantly say to myself, "I must adopt this new pare-a-dime!" Don't worry.
I have read a few really good books, though, and I'll briefly mention two of them today:
  • Getting to Yes and
  • Getting Things Done
Of the many, many books in the world of business and personal productivity, I think these two are really worth a read. I really like the perspectives and the attitude that they bring to work. I'm mentioning them together for a few really good reasons:

  • They both start with the word "Getting",
  • They look a bit similar, and
  • I read them both over a year ago and still find them useful.
Getting Things Done: This is a book about personal productivity; I think of it as a relatively simple system of tracking work and keeping promises. I saw this book mentioned on Slashdot, and had heard of a few other people reading it. I implemented the process in this book about 2 years back and still use it today. The book gets it right about most aspects of getting work done.

It doesn't require a really complicated software system, or really any software at all. You can implement it effectively with file folders and loose-leaf papers. I implement it using a wiki called Trac... so I do happen to use a complicated software system to do a relatively simple job, but that's just me ;)
Trac is really neat for this system, though, because:

  • it's a wiki, which is a nice way to organize data, and
  • it's a "ticket tracking system", which is a nice way to keep track of "TODO" items.
If you have access to Trac, I recommend using it for this. When I get email with TODO items in it, I often just copy the email into a ticket, or if it's information that I actually want to save longer term, I copy it into the wiki (or later on move it from the ticket system to the wiki). Then if more emails come in that are related to the same TODO, I actually copy those into the same ticket so that I collect together all of the information that's related to a single action.

But enough about the technology. The best advice in "Getting Things Done" is about boiling "stuff" into "actions". The author points out that a lot of "TODO items" aren't really very actionable as originally conceived.

For instance, "Hire a new developer" isn't a really good "TODO item" because it's not really a single action that you can perform. On the other hand, "Talk to HR about the job description for a new developer" is a real action.

So the idea is that it actually takes a bit of thinking to get from the basic idea for a project to a tangible action (not always a lot of thinking, but a bit). It's really important to articulate the tangible action that you need to perform for all of your "TODO items". That way you can look at them and think, "Should I do that NOW?"

Getting to Yes: This book is about negotiating in a principled and ethical way. I really like the ideas here because I believe in taking care of long-term relationships in all aspects of life, including negotiations. A lot of people approach a negotiation with the idea, "Let's see how much I can get out of this". That can be really damaging when that negotiation is with a coworker, for instance. Maybe buying a used car is a different story, since you probably don't really care about a long-term relationship with the person you're buying a used car from.

The book was recommended by my brother, who used it as a textbook in law school and applied it in real-life arbitration situations.

The basic ideas in the book are as follows:
  • Don't bargain over positions, but rather focus on the interests & concerns of each party. It's often the case that positional bargaining limits options, and focusing on interests allows each side to be more creative and "invent options for mutual gain".
  • Invent options for mutual gain. If people are creative and understand each other, you can create new options that are beneficial to both parties.
  • Separate people from the problem. Don't let personalities rule. Make it possible to be friends. Be hard on the problem, but soft on the people.
  • Insist on using objective criteria. Don't give in to pressure or personalities. Base agreements on objective measures that both sides can see.
You can read more about that on Wikipedia.

Two relatively simple books with good messages and good attitudes. Definitely a far cry from the run-of-the-mill book on business. In the future, I might write more about my Trac configuration for "Getting Things Done". Email me if you're interested in it.
Friday, August 10, 2007

Trojan Horse


As my friend Paul Heinlein said... "Security Through Obscurity" ;)

Tuesday, January 16, 2007

Haskell': Changes to the Report!


The recent goal for Haskell' has been to actually start committing modifications to the Haskell 98 report. Well, as mentioned on the mailing list, we've started making changes relating to pattern guards.

The current draft of the Haskell' report will be auto-generated whenever someone submits a patch. Thanks for setting up the build system, Malcolm!

Haskell' ("Haskell Prime") is the working name of the next Haskell language standard. Haskell is the best programming language in the world.
Monday, January 15, 2007

Open, Linux-based Phones


I want a cell phone that runs Linux. I've been wanting one for a long time. Why should I care what OS it runs? Well, I have two main reasons: 1) because I want to support commercial ventures related to free software, and 2) I want to write applications for it, and I don't want to be beholden to some vendor to sell me a development kit, and tell me what I can and cannot write. I want to apt-get install the developer kit, write some code, and upload it to the phone. Rock.

I've been paying only scant attention to the cell phone market since I got a Treo 600, which I like a lot. It is _not_ a Linux-based phone. It runs PalmOS, which is a pretty crufty OS, but I've been using it since 2001, so I have a lot of data in there. It should be pretty easy to get the data out, though, so I'm not worried. I really like the Treo's thumb-keyboard; it's qwerty, and I can type pretty fast on it. Numeric keypad based phones are lame. I hardly ever type in numbers anyway.

Apple recently announced the iPhone, which I shouldn't even mention because it doesn't allow 3rd party applications, doesn't run on a free operating system, and is probably very buggy since they've never done anything like that before. Enough about Apple.

As I poke around the intern-webs, I find that some stuff has been happening over the year when it comes to Linux-based phones, but I'm having a hard time figuring out exactly what is happening. It's surprising how little information is out there. Despite this great list of starting places from linuxdevices.com, the rabbit trail never leads to a "buy this phone" button.

Look! There's an open Linux-based phone platform called OpenMoko. At least, I think that's what I pieced together from the scant information available on their web site. Maybe OpenMoko is the phone and OpenEmbedded is the platform? I had a very nice conversation with some folks on freenode who explained a bit about this really cool project to me. It looks like they even have a phone that sounds like it is going to be released soon, and it's discussed on LinuxDevices.com. That phone looks pretty sweet. It has a GPS built in too. I like the touch-screen idea that I guess it has, based on the pictures, and it's not way too expensive. Maybe that's the phone I'll get.

All it's missing is a "buy it now" button. Oh, and "apt-cache search openmoko" doesn't turn up anything.
So on to the Greenphone by Trolltech. This looks pretty good, but not as a replacement for my Treo, since the primary interface is a numeric keypad instead of a qwerty keyboard.

It looks like you can actually buy a development version of the phone, but it's not overly free; you cannot develop commercial applications on it without paying them a licensing fee. Lamers. According to some folks on freenode, this phone is just a prototype for vendors like this one. (But do you see a "buy this phone" button on that page?)

There's a nice article that talks about several of these devices, including the Nokia N800, which is a Linux-based handheld computer / web appliance. I played with one the other day, and it's pretty sweet. Too bad it isn't a phone, or I'd buy one today.

So it looks like there's no open, Linux-based, qwerty phone out there yet. If you know otherwise, let me know. Perhaps one is coming out next month. I think I can wait that long.
Sunday, January 14, 2007

Karen Sept's Osteopathic Practice


Some of you may know Karen Sept from Saint Stephen's. I just put a web site for her osteopathic practice up on my server. She runs her practice in Hawaii. Karen is a great person, and I'm really hoping her practice takes off :) So if you know Karen, link to her site. Osteopathic medicine sounds really cool. I never knew what it was before.

I was really pleased with how easy it was to set up a brand new site. I just logged into my registrar and added the new name, pointing it to my IP address. Then I modified my Apache configuration to bring up that web site when people visited that URL using Apache's virtual host system, which took all of 3 minutes, and I didn't even know anything about it; I just copied some example. She wrote the site content, so all I had to do was untar it onto my server.

That probably sounds pretty hard to folks who are using a complete hosting service where you have FTP access and all you have to do is drag the files over to the server. Well, I like doing things the "hard" way and then talking about how easy it is ;)

Monday, January 1, 2007

Cycling Fun and Pictures of Oregon


I've been having a nice vacation from work over the last week. In Portland, the weather has been pretty darn good, and I've been doing a lot of cycling. I rode up two of Portland's extinct volcanoes, Rocky Butte (which is also a climbing area) and Mount Tabor, where my friend Jenn thinks she might get married. Speaking of Jenn, I also biked up and over the hills of Washington Park to go visit her place the other day.
I also did some biking in Forest Park (pictured below) with Phil, who was visiting this week. I had a great time with Phil. We talked a lot about books, and played an epic game of Risk for New Year's. It was awesome. I've never played Risk before. Phil is lots of fun; it's great when old friends visit :)
And now for some pictures of Oregon.
This is Beacon Rock (actually, I have to admit that it's in Washington). Here's me climbing it:
And my friend Dan, which gives more of a perspective view:
Here's Anna at an Oregon vineyard. Oregon has lovely vineyards and good beer :)
Here's Forest Park, previously pictured on this blog:
And back by popular demand, a picture of my cat. He is clearly very clever: