Absolutely No Machete Juggling

Apparently there is some wordpress vulnerability that allows someone to replace my header file with a whole bunch of viagra links. Awesome.

Anyway, it actually overwrote the file on the server, so my design is all busted and I don't have it backed up in any way.

I'll be upgrading wordpress and fixing my site theme. This may take some time. Bear with me.

No, this is not an April fools thing. I actually got haxx0red, for realz. :/

Update: Alright, I've upgraded wordpress and removed the viagra links. It appears that someone was able to override my footer and header.php files for my theme. To an extent, I'm not terribly surprised, as those files are set world writable so that wordpress can write to them, allowing me to edit from the admin console.

This whole thing could have been much worse. The hack left my database untouched, all of my blog posts look the way they are supposed to. All it did was modify the files to my theme.

That said, because it so thoroughly destroyed my theme and I didn't back my theme up on my local machine (it's just a blog), I have set the site to use the default ugly wordpress theme until I can work up another one. It's just as well, I was sick of the old one anyway.

Extra Update: I just wanted to share the comment that informed me something was wrong with my site. It's humorous. These were both anonymous:

Real quick…I want an explanation for what the hell happened to your site or I’m reporting it to your hosting company and to Google. Two days ago I found this post and this site through Silicon Alley Insider and bookmarked it because I liked the blog design and wanted to work on something around it. I come back tonight and obviously the CSS file is gone. I clicked “view source” and not only is there no CSS file, there is no document head, no robots file, but there are about a thousand links to spam drug sites embedded in the source? You really don’t want me screencapping and posting this here and there, and you definitely don’t even want me to get started with Google, of all companies, reporting your ass if this isn’t a case of a your website being hacked.

Then later, same person:

You can hold my comments for moderation, I don’t care. I think you’re fucked either way. Looks like this site is owned and operated by the (fictitious?) Rod Hilton, whose own website is on a Google server. Try explaining that and all the spam links served to this site dynamically, viewable in the page source, before I get going on explaining it for you. You definitely don’t need to show my comments here to bury yourself in a world of shit.

Jesus, what a spazz. Well, thanks for letting me know my site was hacked, even if you did so by being a crazy person.

I hate Easter. In fact, with the exception of Halloween, I hate pretty much all holidays. I hate easter in particular though. Growing up, Christmas was the present holiday and Easter was the candy holiday, and I couldn't care less about most candy (at least when compared to presents). Easter was a no big deal kind of day for me. It meant I had to wear khakis to church, but that's about it.

However, my fiancee comes from a Catholic family, and Easter was a very big deal to them. They hid eggs, they hid baskets, they got presents, the whole deal. So as she and I integrate our lives together, doing something for easter is important, but I don't particularly like any of the egg-hiding mumbo jumbo. At least I didn't, until this year.

I have devised a system that makes Easter fun. It is a game that I have dubbed 'Peter Rottentail'.

Peter Rottentail essentially turns innocent and lame Easter festivities into seedy gambling events. I will detail the rules of how to play Peter Rottentail in this post. This is a great game to play for people without any kids who want to do something for Easter.

Continue reading ‘How To Play Peter Rottentail’ »

It's quite easy to have multiple versions of rails installed as gems when working with ruby on rails. Quite frequently, you will be working on a project that uses an older version of rails than one on your machine, and all you have to do to get the correct version is:

gem install -v 1.2.3 rails --include-dependencies

Multiple versions of rails can exist independently on your machine without much of a problem. Since your individual rails projects store the version number they expect, and your projects don't tend to depend on each other, you can have hundreds of different rails versions installed and never notice. Mostly.

If, however, you wish to start a NEW project, when you run

rails projectname

It will use the most recent version of rails. But what if, for some reason, you have rails 2.0.1 and rails 1.2.6 on your machine, and wish to generate a rails 1.2.6 application? This came up because I'm trying to teach a friend rails, and the book he has is for rails 1.2, meaning that if he uses 2.0 all of the scaffolding code (as well as other bits) from the book are incorrect. At the same time, the application he and I are working on together uses rails 2.0, so he needs both versions on his machine.

This solution works in linux (haven't tried windows):

rails _1.2.6_ projectname

I didn't see any documentation about this anywhere. In fact, I found it by cracking open the actual 'rails' script in /usr/bin and noticing that it did a regex match for a parameter that started and ended with underscores, then interpreted that as the version.

In any case, this allows you to happily generate a new rails app using an old version of rails. Nothing quite like discovering an undocumented feature by reading the source code.

This past Super Tuesday, I participated in the Caucus in Colorado. This was my first experience doing anything like this. I vote in every election, but typically I have absentee ballots mailed to me in order to vote. I'm normally registered as an independent, so I can't do much more than vote in the election itself anyway. This year, however, was quite different. I actually got involved.

Getting involved, in short, sucked. This is my story of why. Normally I would put pictures into a post this long, but I didn't realize until the Caucus was over that it was going to be such a ridiculous experience as to warrant a blog post, so I didn't take any pictures. Good for you if you manage to get through all of this anyway.

Background

For the first time, hearing a politician speak actually got me excited. Normally I view voting as a choice between the lesser of two evils, but for the first time a candidate was talking about things that really mattered to me. Ron Paul talked not only about how we shouldn't be in Iraq, but about how our foreign policy is actually making us less safe, from a practical standpoint. Ron Paul talked about how the executive branch has gotten too powerful, and it needed to be trimmed back. He talked about empowering states, and he talked about decreasing the overall power of the federal government. These were all things that were important to me, and hearing a person actually running for president talking about those things got me excited enough that I registered as a republican so I could support him.

Now, that was many months ago. Since that time, my support for Ron Paul has decreased. Not dramatically, but I'm nowhere near as enthusiastic as I was once. While the idea of adopting the gold standard for currency and abolishing the IRS both appeal to me, they both seem too extreme to do anything other than hurt the country. Ron Paul's stances on technology greatly irritate me - particularly that people trumpet it as a good thing (many clamor that "he voted against regulating the internet" like it's a reason to vote for him. I don't think people understand that was a vote AGAINST Net Neutrality). He has pushed numerous pieces of legislation forward that seem to contradict his world view of limited federal government, most notably bills that have to do with his personal religious beliefs. He is pro-life (I'm not). He trusts the free market a bit too much for my personal taste (a common problem with Libertarian candidates, who would seemingly like to remove things like the FDA). Despite all of these reasons (which would normally make a candidate lose my support), he still trumpets more than any other candidate how important our civil liberties are. In a "post 9/11 world", it's rare to see a politician actually espouse the position that our liberties are more important than our safety, and Ron Paul still does - vehemently. The short of all of this is that, by the time the caucus rolled around I was still a big Ron Paul Fan, but I was no longer a Ron Paul Zealot.

At the same time, Barack Obama was talking about a lot of things that mattered to me as well: the war, civil liberties, the war on drugs, and he also got bonus points for his views on technology. Between Obama and Ron Paul, I would have a hard decision to make. Yes, the two disagree on a LOT, but that doesn't mean it's impossible for me to support either one. Support for Paul would only exclude support for Obama if I supported ALL of Ron Paul's policies, which I do not. Their overlap is significant, and they both appeal to different aspects of what is important to me.

By February 5th, the republicans still in the running were Mike Huckabee, Ron Paul, Mitt Romney and John McCain. Of those four, Ron Paul is, in my opinion, the best candidate by miles. There was no need, at that point, to consider the fact that I was growing increasingly partial to Obama, since Obama wasn't running as a republican. On February 5th, I had two options: one, I could stay home and not participate at all on the grounds that I might not vote for Ron Paul if he were running against Obama, or two, I could recognize that Paul is the best republican of the bunch, and as a registered Republican I only had a say in the Republican Caucus.

I figured that the experience alone was worth the price of attending. I had specifically registered as a Republican in order to support Paul, so I figured I may as well do just that. It was either that or do nothing, so I picked do something.

Next time I do something "for the experience", I may want to think twice.

Continue reading ‘My First Caucus: The Tale Of The Reluctant Delegate’ »

One of the nicest things about Ruby is how well it supports metaprogramming. You can dynamically, at runtime, change the behavior of any other class or module in the system, even private methods.

When I was first learning Ruby, this seemed like a flaw, and while I still feel that this ability can be abused, it is definitely handy.

I'm going to explain a simple method of changing the behavior of part of Rails by a real-life example from work.

For a Ruby on Rails project I'm currently working on, we had a somewhat uncommon requirement. We're dealing with a lot of data, which we store for other companies. For various reasons, one of the concerns is that we may be subpoenaed and forced to provide all of our records for legal reasons. In order to fully protect the identities of our customers, our system was designed around never actually storing any identifying information about our customers. Instead, customers get a special code that identifies them, and we only have the ability to know the code, but we can't tie the code to any specific organization. This may seem like a strange restriction, but for our application it was important.

This important aspect of the project had a number of implications for the design and implementation of the system, but in this post I'm only going to talk about one of them. IP addresses, when recorded along with the time that an IP address accessed the system, could be used to make educated guesses about the companies using the system. While the system itself does not record IP addresses or timestamps for hits, the web servers themselves do. Modifying Apache not to log this kind of information was trivial, but one glaring issue remained.

In production mode, when an error occurs in the system, a log entry is created in production.log, which tries to provide details that the developers can use to figure out why the error occured. This log contains a stacktrace, some time information, and various other pieces of data that can be helpful in debugging a critical issue. It also logs the IP address of the user that generated the request that resulted in an error, like so:

Processing PostsController#some_action (for 127.0.0.1 at 2008-01-24 10:23:59) [POST]
  Session ID: b8f0b05d77fc4a5efdc04cf809f810d4
  Parameters: {}

The problem here is that the IP address is logged , and there is no way to change that via a configuration option. I can turn logging off entirely, but I'd like to keep the error information in the event that the system actually does have a bug in it.

Luckily, the design of Ruby allows us to actually override this behavior relatively easily, and I'm going to explain how.

Step 1: Figure Out What You Want To Change

For this problem, figuring out what needed to be modified was relatively easy. I was able to simply grep for "Processsing " inside of /usr/lib/ruby/gems/1.8/gems to find the file that was responsible for printing this line to the log. It turns out that it was the base.rb file inside of action_controller. Opening this file and searching revealed this method:

def log_processing
  if logger && logger.info?
    logger.info "\n\nProcessing #{controller_class_name}\##{action_name} (for #{request_origin}) [#{request.method.to_s.upcase}]"
    logger.info "  Session ID: #{@_session.session_id}" if @_session and @_session.respond_to?(:session_id)
    logger.info "  Parameters: #{respond_to?(:filter_parameters) ? filter_parameters(params).inspect : params.inspect}"
  end
end

This was a private method on the Base class inside of the ActionController module. The rest of the process is quite easy.

Step 2: Write The Override

To override something, you simply define a new method as though it never existed before. These get qualified in the same as defining any method on a class or a module. Here is what mine looked like:

module ActionController
  class Base
    private
    def log_processing
      if logger && logger.info?
        logger.info "\n\nProcessing #{controller_class_name}\##{action_name} (for [FILTERED]) [#{request.method.to_s.upcase}]"
        logger.info "  Session ID: #{@_session.session_id}" if @_session and @_session.respond_to?(:session_id)
        logger.info "  Parameters: #{respond_to?(:filter_parameters) ? filter_parameters(params).inspect : params.inspect}"
      end
    end
  end
end

As you can see, I am simply defining a method called "log_processing" on the Base class inside the ActionController module. When Ruby interprets the above code, it will define this method, overwriting the method if it already exists. All I did was change the IP address to say that it was filtered. Note that even though this method is private, I am still able to do this painlessly.

The next step is to simply get Rails to run over this code and overwrite the existing log_processing method.

Step 3: Making It Load

There are a lot of ways you can do this. The ideal way is to create a plugin in vendor/plugins that contains this code. Rails will automatically run over the code at the correct time. This is a slightly more complex approach than I'd like to cover here, however, so we're going to just try and get this into the system as quickly as possible.

I've found that once you start doing this sort of stuff, you like to have a single place to keep all the behavior modifications you are using. Sometimes you'd like to simply add a method to a class, or change part of Rails. These changes are basically all unrelated, except that they are important for your application. For this reason, I like to keep them all together in a single file so that it's easy to see what has been changed/added. Obviously if you wind up making a lot of changes, you should make a plugin instead, particularly if the changes might be useful in other rails apps.

Save the above code into a file called "extensions.rb" inside of the "extras" directory under my rails project directory.

Then, go into your environment.rb file and add this line to the bottom:

 
require File.join(RAILS_ROOT, 'extras', 'extensions')

The reason I suggest the bottom of the file (after the Rails::Initializer.run) is that you want to make sure all of the rails libraries are loaded first, otherwise they will overwrite YOUR method, instead of the other way around.

That's it. Now, whenever you run rails (even in script/console), your changes will be reflected. This successfully causes the error log to leave the IP address out of what is recorded.

This is not something that should be done a lot in your application. Changing the behavior of core parts of rails will likely confuse other developers on your team. That's why, if this method is employed, I believe you should keep these changes to a minimum, and keep them all in one place.

I use a projector for my home theater system. I recently upgraded to a Hi-Def projector, leaving me with an old, fully-functional InFocus X2 projector. Projectors are pretty expensive, so I wanted to get some money for it rather than just throw it away or give it to someone else. Thus, I decided to sell the InFocus projector on eBay. This was my first time selling something on eBay, and, given how it went, likely my last.

Making A Sale

The projector went up on eBay on Sunday night. On Tuesday, a user named 'hakim199' had used the Buy It Now option to purchase it for $300. The shipping address on that user account was for a hospital in Abu Dhabi. I had not planned on selling the projector internationally, but I didn't particularly care. I e-mailed the user to say thanks for buying the thing and I'll send the projector as soon as I get payment.

Shortly after this I received an e-mail from someone named "Mandy Pat" which said this:

Continue reading ‘My First eBay Scam Experience’ »

What Is This?

This is a bookmarklet that will allow you to store private sites a bookmark manager like Google Browser Sync.

What Does That Mean?

Google Browser Sync is a way of sharing browser data, like bookmarks, across all of the computers you use. It's a Firefox browser extension, and it works like a charm. The data is encrypted when transferred, and according to Google, the data is stored in Google's data center in a way that even Google employees can't see it.

Unfortunately, the extension code is (mostly) compiled, which makes it extremely difficult to verify that your browser data is actually stored in a way such that only you can decrypt it. Of course, I like to trust Google (and I want to work there *HINT*), but the fact that I can't view the source code makes me nervous about using Browser Sync on my desktop machine, since I store URLs there that I don't want anyone seeing, such as private torrent tracker sites. Er, I mean, uh, legal torrent, um, sites, er, with Linux distributions and, uh, creative-commons music.

What tinfoil-hat-wearing lunatics like myself need is way of storing bookmarks to super-private urls in a way so that the bookmark stored doesn't give away the actual url.

Continue reading ‘Craziest… Bookmarklet… Ever.’ »