Fork me on Github
Fork me on Github

Joe Dog Software

Proudly serving the Internets since 1999

Valgrind: Apology Edition

The things Your JoeDog will do for you….

A couple weeks ago he complained about Valgrind (and probably a whole bunch of other stuff but we’re talking about Valgrind now). His snippet was leaking memory and valgrind was unable to identify the leak. The leak was manually identified in this function:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  this = NULL;
  return this; 
}

While we freed the elements of the array, we never freed the array itself. The leak is fixed like this:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  xfree(this);
  this = NULL;
  return this; 
}

Today Your JoeDog was coding on the train again.  Before he boarded, he downloaded the above code onto his snazzy Linux laptop.  He was turning caffeine into code when wouldn’t you know it? Another stinkin’ memory leak. “What the hell,” he thought. “Let’s give valgrind another try.” Unfortunately it wasn’t installed on snazzy Linux laptop. For some reason, Amtrak’s proxy won’t allow downloads larger than 10MB. Stupid Amtrak.

That’s easy to bypass. Your JoeDog established an ssh tunnel from his laptop to this webserver and proxied to the Ubuntu repository.

 

--2014-10-25 10:15:13--http://us.archive.ubuntu.com/ubuntu/pool/main/v/valgrind/valgrind_3.10~20140411-0ubuntu1_amd64.deb
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:11111... connected.
Proxy request sent, awaiting response... 200 OK
Length: 15078790 (14M) [application/x-debian-package]
Saving to: ‘valgrind_3.10~20140411-0ubuntu1_amd64.deb’
100%[=============================================>] 15,078,790 290KB/s in 73s
2014-10-25 10:16:26 (202 KB/s) - ‘valgrind_3.10~20140411-0ubuntu1_amd64.deb’ saved [15078790/15078790]
 Funny thing. That copy of valgrind found the leak. Guess where it was? Give up?
ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  //xfree(this);
  this = NULL;
  return this; 
}

In order to illustrate his first post on valgrind, Your JoeDog commented out the fix he told you about. Well, this second copy of valgrind found it. So what gives?

1. Valgrind works and I’m sorry I busted on it.

2. RedHat’s version doesn’t seem to work but Ubuntu’s does.

 



Check Your Inputs: SQL Injection Edition

Here’s a question which tends to make Your JoeDog cringe: “So, what do you do?”

It’s often asked when he has a drink in his hand. And when he has a drink in hand, he doesn’t want to talk about work. Sometimes the inquiring person hears the answer, parses “computers” and wants to know why their laptop is slow. Honestly, Your JoeDog has no idea. Occasionally, he meets another nerd who wants to talk shop.

Recently he met a web nerd, the kind of web nerd who suffers from illusory superiority because he lacks the skill to recognize his ineptitude. These guys often contain a conspiratorial streak. This guy was no exception. The conversation soon shifted to hacking and web security.

Web Nerd puked a word salad of vulnerabilities but his beloved PHP was exonerated. “You can’t inject SQL because the mysql libs don’t allow multiple statements,” he said.

Couple points. 1.) the PHP mysql_ functions are deprecated. Astute JoeDog readers use PDO or MySQLi. 2.) You can still do injection as long as you keep it in a single statement.

Let’s try that after the jump!

Continue reading Check Your Inputs: SQL Injection Edition



Gamergate

Your JoeDog hasn’t weighed in on Gamergate largely because he’s not a gamer. Unfortunately, it’s become too big to ignore. If you write about technology you’re almost required to have an opinion. So here’s an opinion: some guys are a bag of dicks.

Whoa, hold on.  First of all, what is Gamergate?

As far as I can tell, it began with an accusation. Well, first it began with a game, then an accusation.

Zoe Quinn released Depression Quest, an unusual game that caused a stir in the community. It’s a saga in which you follow the tribulations of a person going through depression. What makes it particularly unusual is this: nobody goes postal with an AR-15. Some liked it while others thought it wasn’t a game at all. To them it was some sort of interactive story. So Gamergate began as an esoteric argument about the nature of gaming. It might have stayed that way if not for that accusation.

In August Zoe Quinn’s boyfriend posted a lengthy indictment in which he claimed she cheated on him with several guys inside the gaming industry. She did this, Angry Ex-boyfriend said, in order to get ahead in the industry. He named a writer from Kotaku, which is part of the Gawker network. What makes this writer especially loathsome to Angry Ex-boyfriend is a penchant for red pants. (Full disclosure: Your JoeDog has a pair of red pants). Well if Zoe slept with Red Pants to get ahead,  then she failed in that regard. It doesn’t appear that Depression Quest was ever mentioned on that site.

It didn’t matter. After the charge was made, social media lit up in a shit storm. Under the guise of a debate on journalistic ethics, things turned nasty. Quinn’s personal information was published online. So were nude photos. She became the target of personal attacks. But it didn’t stop there. The war expanded and more women inside the industry were threatened. The FBI is taking the matter seriously. Gamergate became another front in the Culture War.

On one side we have traditional gamers who love blowing shit up while getting virtually blown. On the other we have newcomers who like the challenge of gaming but don’t care for the industry’s violence and misogynism. Breitbart added its voice in the beginning of September. Feminists, in their eyes, were wrecking the gaming industry. The nature of gaming had morphed into rightards vs. libtards on another front.

Your JoeDog is basically sick of this shit. Disagreements are one thing but threats are another. We can no longer face challenges because half the world is convinced the other half is evil. The women who’ve become the focus of gamer scorn have been forced into hiding due to personal threats. That’s not dialog, that’s terrorism. And if that’s your preferred tactic, then you’re pretty much a bag of dicks.

 

 



Memory Leaks

Your JoeDog loves C but he hates memory management. That’s why he writes objects in C. They make managing memory easier. Still, he’s been know to cause a memory leak or two … okay, maybe a few more than that.

Valgrind is supposed to help identify those fsckers. You run a program inside valgrind and it checks your memory utilization. Awesome! Except when it’s not.

Your JoeDog has had zero point zero luck with valgrind. He’s been working on a snippet that will be incorporated into Your Fido. Your JoeDog loves snippets. By reducing complexity they allow him to focus on the integrity of the new code. In this particular snippet, he placed the new functionality inside a loop to check its long-running performance. The damn thing leaked!

“How did you know it was leaking?”

“I watched its memory usage in top and it continued to expand.”

“Well that sucks.”

“Indeed.”

So Your JoeDog ran the program in valgrind like this:

valgrind -v --leak-check=full --tool=memcheck ./haha

After it completed its iterations, valgrind had this to say:

==21112== HEAP SUMMARY:
==21112== in use at exit: 0 bytes in 0 blocks
==21112== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==21112==
==21112== All heap blocks were freed -- no leaks are possible

What the hell? This thing was leaking all over the place. Now Your JoeDog may have done something stupid. Instead of memory leaks, he might have created memory hogs. “What are memory hogs?” They are allocated resources that are no longer used but with references that are still maintained. Valgrind won’t identify a memory hog as a memory leak. But this was a snippet and an audit was easy. There were no hogs; something was leaking.

After an extensive audit, Your JoeDog identified the leak. It wasn’t in the snippet. He was using a dynamic array from array.c Here’s the offending code:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  this = NULL;
  return this; 
}

Your JoeDog freed everything but the array object itself. Here’s the fix:

ARRAY
array_destroy(ARRAY this) 
{
  int i;

  for (i = 0; i < this->length; i++) {
    xfree(this->data[i]);  
  } 
  xfree(this->data);
  xfree(this);
  this = NULL;
  return this; 
}

It’s not clear why valgrind didn’t identify that. Any thoughts?

 



New Features For Fido

There’s rumors on the Internets. “Oh, really? What do they say?” They claim your posting frequency affects Google’s crawling frequency. The more you update, the more often it crawls.

Your JoeDog wanted to scrutinize this hypothesis. He wanted to monitor his logs and compare Google’s crawl rate against his web site updates.

So he added this rule to fido.conf

/var/log/httpd/joedog-access_log {
 rules = Googlebot
 action = /home/jeff/bin/googler
}

With that config he produced this document: google.txt

“J!!!!!!!!” Funk shouted in IRC. “You need to verify Googlebot”

“You mean a lot people forge that User-agent?”

“I’ll bet forty percent is forged.”

“D’oh!”

Fido can’t validate an IP address, nor do I want it to. Still, it needs a new feature, namely the ability to interact with its action script. Your JoeDog will add support for regex capture to his rules. This will allow you to capture part of the match and send that text to your action script.

“I have no idea what you just said.”

Okay, let’s modify the rule above with its intended implementation:

/var/log/httpd/joedog-access_log {
 rules = ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*Googlebot
 action = /home/jeff/bin/googler
}

The parentheses are highlighted in red because they represent the proposed feature.

On a match, fido will capture everything inside the parentheses and send it as argument 1 to the googler script. In this case it will be an IP address which googler can then verify as one that belongs to Google. If you have multiple captures, fido will send them as space separated arguments, i.e.,  /home/jeff/bin/googler  173.240.11.11 GET /index.php

For a sh script, $1 = 173.240.11.11, $2 = GET and $3 = /index.php

If all I wanted to do was solve this problem, I’d just write a script that parses the logs. However, I think this will be a valuable feature that will allow fido more flexibility to solve all the world’s problems.



Bitcoin Bust

Your JoeDog hasn’t spent much time blogging about Bitcoin but it does interest him for two reasons: 1.) He studied economics in college and 2.) The rogue currency has a technology/Internets angle. From an economics perspective, a successful currency must provide a medium of exchange and serve as a reasonably stable store of value. Bitcoin certainly provided the former but the latter was always in doubt.

And doubt won. Since its peak, Bitcoin has lost two-thirds of its value. Its bust was obviously not without victims. From Izabella Kaminska, we hear the story of one of those victims. Redditor Whattodobtc appears to have impoverished himself with bad bets on Bitcoins.  Izabella claims, “Some extremely wealthy libertarians have a lot to answer for if these sorts of ppl lose all due to believing in them.” Your JoeDog is certainly no libertarian but he feels the burden of risks should be placed on those who take them.

Certainly there have been influential libertarians who’ve been pushing Bitcoin as a hedge against fiat money. And if people like Whattodobtc better understood currency, they’d be less inclined to go long on a Libertarian pipe dream. But is this any different than the hucksters who shilled gold as a hedge against non-existent hyper-inflation? If you believed Glenn Beck back in 2012 and sunk your savings in gold, you lost 36% of your investment. That’s not as depressing as Whattodobtc’s story but it’s equally devoid of a happy ending.

Whattodobtc posted to Reddit because he wanted advice. Should he sell or weather the storm? He should have posted a similar inquiry before he sunk his savings in Bitcoin. Personally, I’d sell now before all I had left were some worthless binary numbers.



Another WordPress Attack

Your JoeDog was viewing his usage stats this morning and … well, see if anything stands out:

daily_usage_201410

There was a 94% increase in traffic yesterday. Was your JoeDog slashdotted? There was no hint that slashdot or any other site sent additional viewers this way. The vast majority of traffic arrived by direct request. “What does that mean, a direct request?” It means somebody typed “www.joedog.org” in the URL field of their browser. “So eighty-one thousand people decided to type “www.joedog.org” in their browsers? That seems unlikely.” That’s what Your JoeDog thought.

The usage report revealed another interesting fact. Eighty-one thousand requests were made from a single IP address: 173.245.50.137. The next most active IP address made 97% fewer requests. That’s interesting. Let’s see was Mr. 173.245.50.137 was doing on this site, shall we?

$ egrep 173.245.50.137 joedog-access_log
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"

He — you know it was a he — was making POST requests to the WordPress login page.  In other words, he was running a dictionary attack against the site. This attack persisted for four hours. For each of those requests, apache responded with HTTP-403. “What does HTTP-403 mean?” It means “Forbidden.” Thanks to a dictionary attack defense Your JoeDog documented in June 2013, the attacker never reached the login page. He was thwarted by an apache rule.

Why did a futile attack persist so long?

It was probably launched by malware on a zombie computer. Given the expected number of failures, the program was probably designed to report successes, not denials. So even though its assault was futile, the zombie diligently ran through its entire list of credentials.

When this happens to you — and it will happen to you, don’t get too upset. It’s not personal. These guys are running these attacks on any site they can find. Your site just happened to be in IPv4 address space.

[JoeDog: How To Stop A WordPress Dictionary Attack]

 

 



The Cyberattack on JPMorgan Chase

From today’s New York Times:

“It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”

Honestly, this is only surprising to people who don’t work in large organizations. Large companies are filled with aging hardware kept alive beyond lifecycle. These servers host applications that are too important to kill but not important enough to port to newer architecture. Your JoeDog has seen servers that nobody owns. “What’s that do?” I don’t know. The guy who administered it retired five years ago.

The easiest way to circumvent millions of dollars in network security devices is with malware. Let’s say — and why not? — there’s a 0.001 chance that somebody falls for malware click bait. If your company has 100 employees, chances are less that 1 you’ll be malwared. But in a company of 10,000 people, ten mother fsckers are going to click that link.

Large corporations have been instrumental in driving down programming costs. While they may have a few senior developers on staff, most of the grunt work takes place overseas. Now Your JoeDog is not disparaging overseas developers. There are many fine programmers the world over. And the good ones all cost the same: lots o’ money. Large corporations don’t want those guys. They can find them in the US. They want cheap ones.

True story: Your JoeDog was kept abreast of the details of an outsourcing operation. When the initial quotes came back from India, there was much surprise. “This isn’t going to work, you guys cost more than our own people.” Well, the Indians said, we have another team in Bumfsck, India. They cost one-fifth as much as the Bangalore team. “Really? We’ll take it.”

The breach at JPMorgan Chase came in through the web servers. We don’t know where that was coded but Your JoeDog has his hunch. At some point a decision maker at JPMorgan was quoted the cost of Bumfsck coders and said, “Really? We’ll take it.”

 

 

 



Referer Spammers

The Internets are full of spam. Maybe you’ve noticed?

It’s in your inbox, in your comments and scattered throughout your web forums. Every spammer is a bag of dicks but the worst bottom feeder on the Internets is the referer spammer.

If you’ve never administered a website, then you’ve probably never heard of referer spam. Yeah, what is that?  Glad you asked. These dregs send requests to your web site with a fabricated referer that points to a site they want to advertise. Ideally, they’ll send requests to a site that publishes its traffic reports. When their URL makes the report, they get a free link back to their site.

Sites that publish their usage reports are easy to find. Put this in the Google Machine and see what pops up: “Top * Total Search Strings” This is what we’re looking for: Usage Stats: Top Referers.  Your JoeDog can get himself on that report by doing this:

Bully $ siege -H "Referer: http://www.joedog.org/" -g http://www.pickart.at/
HEAD / HTTP/1.0
Host: www.pickart.at
Accept: */*
User-Agent: Mozilla/5.0 (unknown-x86_64-linux-gnu) Siege/3.0.8
Referer: http://www.joedog.org/
Connection: close
HTTP/1.1 200 OK
Date: Fri, 03 Oct 2014 17:53:38 GMT
Server: Apache
Connection: close
Content-Type: text/html

Now if he’s really intent on making that report, he’ll repeat that request a few hundred times and place himself at number two on the chart. But here’s the thing: Referer Spammers will spam your logs even if you don’t publish your reports. They’ll go to all that trouble just to lure webmasters to their esoteric fetish sites.

So what can you do to prevent this stuff? Mostly you can decrease their incentive.

  1. Put your usage stats inside a password protected area
  2. Add a robots.txt with a bot exclusion rule so search engines don’t index it.
  3. Add a nofollow directive inside every link, again so engines don’t index them

I guarantee you’ll still get the stuff. They’ll send faked referrals just to capture the attention of the site’s administrators but at least you won’t award them with a boost to their Page Rank.

NOTE: Yes, Your JoeDog spelled Referrer with only two r’s. Most humans use three. Phillip Hallam-Baker is not most humans. He was the first guy to miss an ‘r’ in the original HTTP specification. I say, “first guy” because hundreds of eyeballs viewed that document and none of them noticed the misspelling. By the time it became RFC1945, “Referer” was set in stone. It would have been easier to change the world’s English-language dictionaries at that point….



So Are You Vulnerable To Shell-shock?

Here’s a quick command line test to see if you’re vulnerable to shell-shock, the bash vulnerability that everyone — I mean everyone — is talking about:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

If your bash is vulnerable, it will execute the echo command inside the environment, if it’s not vulnerable, then it will only execute the stuff after -c

A vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
1. env
2. bash

A non-vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
2. bash

On the vulnerable system, the echo command that is set in the environment is executed by bash when the shell is invoked:

env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

The stuff in red should NOT be executed. That’s a bug; it needs to be fixed.

NOTE: The second command was run on the server that hosts this blog entry. You guys can quit trying, mmmkay?