Archive for Programming

Keep FTP in sync with a Git repo

I was tasked with making some changes to a site today over FTP.  It seems odd that people are still OK with letting developers push and pull files from FTP without so much as a change log or automated linting, testing, etc.  Anywho, I tried to find my cowboy hat but it snowed yesterday so all my summer gear is put away and since it’s moderately inappropriate to do cowboy things while looking like a snowboarder, I had to come up with a better way to make working on files over FTP less Wild West and more Gnar Gnar.

TL;DR

  1. Set up a cron script to maintain a local mirror of the remote FTP using lftp and automatically commit the changes to a hosted git repo.
  2. Set up a project in Jenkins to monitor the git repo for changes
    1. Ignore the commits created by the cron task mirror script
    2. Lint the project
    3. Execute a reverse-mirror lftp script to push the local changes to the remote FTP host, also deleting the files that are no longer relevant.
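
The two halves of that pipeline as one script, added here as an example rather than the post's own code: the cron half mirrors the live FTP tree into a local git checkout and commits any drift with a marker in the commit subject, and the Jenkins half skips those marker commits, runs a lint gate, and reverse-mirrors human commits back to the host. The hostname, paths, marker text and the lint rules (which stand in for whatever linter the project actually uses) are assumptions; the lftp flags are real. Credentials are expected in ~/.netrc, and lftp is told to insist on AUTH TLS, since plain FTP sends the password in the clear; that assumes the host offers FTPS.

```shell
#!/bin/sh
# Added example (not the post's own script). Host, paths, marker text and the
# lint rules are assumptions for illustration.

FTP_HOST="${FTP_HOST:-ftp.example.invalid}"        # assumed hostname
REMOTE_DIR="${REMOTE_DIR:-/public_html}"           # assumed document root
LOCAL_DIR="${LOCAL_DIR:-$HOME/site-mirror}"        # local git checkout
MIRROR_MARKER="[ftp-mirror]"                       # assumed commit-subject tag

# lftp settings shared by both directions: refuse to fall back to plaintext
# FTP (assumes the host speaks FTPS) and protect the data channel too.
# Credentials come from ~/.netrc so they never appear in the crontab or the
# Jenkins console log.
LFTP_SETTINGS='set ftp:ssl-force true; set ftp:ssl-protect-data true'

# Cron step 1: pull the remote tree down. --delete drops local files that were
# removed on the server so the repo tracks the host instead of accumulating.
mirror_down() {
  lftp -e "$LFTP_SETTINGS; mirror --delete $REMOTE_DIR $LOCAL_DIR; quit" "$FTP_HOST"
}

# Cron step 2: record whatever changed. Commits nothing when the tree is clean
# and tags real snapshots with MIRROR_MARKER so classify_commit can skip them.
commit_drift() {
  cd "$LOCAL_DIR" || return 1
  git add -A
  if git diff --cached --quiet; then
    return 0                       # no drift since the last snapshot
  fi
  git commit -q -m "$MIRROR_MARKER snapshot $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  git push -q origin HEAD
}

# Jenkins step 1: is the triggering commit one of our own snapshots?
# Prints "skip" for mirror commits and "deploy" for everything else.
classify_commit() {
  case "$1" in
    "$MIRROR_MARKER"*) echo skip ;;
    *) echo deploy ;;
  esac
}

# Jenkins step 2 (assumed stand-in for the project's real linter): refuse to
# publish a tree that still contains secrets or scaffolding. Returns 1 and
# lists the offenders when any are found, failing the build before the push.
lint_tree() {
  dir="$1"
  hits=$(cd "$dir" && find . -path ./.git -prune -o \
           \( -name '.env' -o -name '.netrc' -o -name '*.sql' -o -name '*.bak' \) -print)
  if [ -n "$hits" ]; then
    printf 'refusing to deploy, sensitive files present:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Jenkins step 3: push the checkout to the host. --reverse uploads, --delete
# removes remote files that no longer exist locally, and .git is excluded so
# the repository history itself is never published.
mirror_up() {
  lftp -e "$LFTP_SETTINGS; mirror --reverse --delete --exclude-glob .git/ $LOCAL_DIR $REMOTE_DIR; quit" "$FTP_HOST"
}

jenkins_deploy() {
  subject=$(git -C "$LOCAL_DIR" log -1 --pretty=%s)
  if [ "$(classify_commit "$subject")" = skip ]; then
    echo "mirror snapshot, nothing to push"
    return 0
  fi
  lint_tree "$LOCAL_DIR" || return 1
  mirror_up
}

# Entry points: `*/15 * * * * /path/ftp-sync.sh mirror` for cron, and
# `ftp-sync.sh deploy` as the Jenkins build step. With no argument the file
# only defines the functions, so it can be sourced.
case "${1:-}" in
  mirror) mirror_down && commit_drift ;;
  deploy) jenkins_deploy ;;
esac
```

The marker check is what keeps the loop from feeding itself: without it, every cron snapshot would trigger Jenkins, which would reverse-mirror the tree it just downloaded. The lint gate runs before the push on purpose, so a committed .env or database dump fails the build instead of landing on a public web root.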


Apps that make OSx useful

It’s been a long time since I’ve wiped out my workstation and started with a fresh Operating System.  I’m starting to get a real solid grasp of OSx, so a clean slate to work with sounds fantastic. I have a much better knowledge than I did a year ago of the apps I like, which apps I definitely don’t like, and in what combination I find them most useful.   So here’s a quick breakdown of the OSx Apps I use while things back up before I race down green-glass lane, nuke this MacBook & arrive at destination defaults.

Web Browsers

Code Editors IDE’s & Support

  • Netbeans – PHP/Java IDE
  • TextMate $$
    • Simple GUI text editor
    • I rarely use it now, but given that it’s paid for it’s still worth listing…  I use VIM much more often.
  • Github + Command Line Tools
  • Arduino

DB Tools

Video/Graphics

  • GIMP - All my graphics editing needs under one easy to use roof.
  • VLC - Have Video File… Will Play.
  • Quicktime – pre-Bundled w/OSx
  • Camtasia $$ – Everybody loves screencasts and video demos

Organization, Notes & non-code Text

  • Evernote $$ – THE only notes app worth using on all platforms & architectures when logging all things noteworthy in any media type (txt,image,audio,etc)
  • OmniGraffle $$
    • Flow charts, wireframes, brainstorming, network maps, visual website site maps…  and whatever else you can think of; once you get good at using it, it’s hard not to.
  • LibreOffice – Offline office suite
  • FreeMind – Offline Mind Mapping otherwise I use Mindmeister $$ w/an entry level paid subscription.

Communication

Misc

  • Jing & Snagit – Screenshot + annotation & sharing tool.
  • SEO Power Suite $$
  • Market Samurai – DEPRECATED – Keyword research tool
    • This shouldn’t be listed here.  I can’t recall the last time I used this.
  • VirtualBox – Virtual Machines for all!
  • uTorrent – Leech

System Resources

  • FUSE for OS X
    • MacFUSE
    • NTFS-3G
  • TrueCrypt –  It’s all encrypted.  Everything.  Thumbdrives, backups, shared containers.  Everything.
  • Little Snitch $$ – Amazingly simple firewall
  • QuickSilver – Cutting shortcuts and mashing mashups for super quick access to everything.
  • GPGTools – This stuff should be understood now.
  • Homebrew – An OSx Packaging system that’s as useful as it is easy.
  • oh-my-zsh – Useful & Pretty.
  • Java – Necessary

Submitting Personal Information with[out] SSL

UPDATE: As of September 24 2013 TeachingChile.com is completely wrapped in SSL. ~Thank you!

This post is no longer entirely relevant. TeachingChile.com has updated their site and wrapped it in SSL. Thanks guys!

https://teachingchile.com

URL: http://teachingchile.com/apply_online/machform/view.php?id=6

TeachingChile.com has an online application process that requires the submission of quite a bit of personal information, including your Passport Details, over plain text. Seriously? I almost feel like someone’s playing a prank here.  With SSL and ‘secure websites’ being pretty well understood, it’s mind-boggling to see websites like this still exist, requesting personal information including passport numbers via a plain-text, unsecured form. What’s more amazing is that the lack of SSL is just one of what seems to be a whole ton of security ignorance, which pretty much guarantees that anyone submitting data to these guys gets their identity (all their submitted data) jacked.

Wha? Google shows some love.

What makes it more astonishing is the domain was registered in 2005 and ranks #1 for “Teach in Chile” on google(us) and ranks really well for quite a few other keyword phrases. With the potential traffic exceeding thousands of visitors a month – I wonder how many fill out that insecure form?

Source: http://www.semrush.com/info/teachingchile.com

Google gives the page that links to the unencrypted (non-SSL) form a PageRank of 3: http://teachingchile.com/to_apply.htm – With all the crazy search listing algorithms and such, you’d think Google wouldn’t demonstrate much appreciation for this.

WTF? Guess until you find a stored form!

Saved forms can be easily brute forced!  Now this is so far over the top I’m not sure what to make of it, but it offers to let you save the form if you provide an e-mail address, like so:

Save Form & Resume Later

and upon saving you are presented with a ‘special link’ which at a quick glance looks like a simple 10-character alphanumeric hash.

Link to permanently saved form.

http://www.teachingchile.com/apply_online/machform/view.php?id=6&mf_resume=f4e2cdde3a

As far as I can tell that is permanent unless they purge the system of old resumable forms at some point. But to drive my point home – all one has to do is generate hash values 10 alphanumeric characters long. The following function ‘should’ generate those hashes.  Can’t say I checked but it is quite that simple.

function generate_random_hash($length=10){
  $chars = '0123456789abcdefghijklmnopqrstuvwxyz'; // Our Hash Building Alphanumeric Soup
  $hash = ''; // Start empty so the .= below doesn't append to an undefined variable
  $char_count = 1; // Counter for how many characters our hash is (as it loops and grows)
  while($char_count <= $length){
    // Add random chars from our alphanumeric soup until we hit our target length
    $hash .= substr($chars, rand(0, strlen($chars) - 1), 1);
    $char_count++;
  }
  return $hash;
}

Replace the ‘special’ part of the resume URL with generated hash & test for live data.

There can’t be more than 6.something quadrillion possible hashes used to uniquely identify the saved forms in their database.  6 Quadrillion is a lot, don’t get me wrong, but it’s really not: if you break the work down across 1 thousand, 10 thousand or even more computers, it becomes pretty easy to pull the task off in a very short period of time, even if approached slowly enough not to bring their web server down.  I’m digressing though – this isn’t the school of brute-forceology.

Verifiably Exploitable Platform…

If I were to assume TeachingChile.com was using Mach Forms (which they are), based on ‘machform’ being in the URL or some other simple means, then a quick Google search for existing (and very well documented) Mach Form exploits might apply. The latest exploit was uncovered less than two months ago.  *shakes head* … I’ll just stop there on the topic of exploits.

Just 1 of 1,000+ Other Sites on the Server

With over 1,000 other sites likely hosted at the same IP address (server) I wonder what the odds are that the server itself isn’t entirely compromised already? Source: http://www.reverseip.us/?url=teachchile.com

Running across this situation on a legit website isn’t something that happens anymore. I’m blown away by the seemingly legitimate operation being run on TeachingChile.com.  Beyond notifying their contacts I’m not sure what else to do about it.  Should anyone beyond their posted contact be notified of this? Let’s hope this application isn’t to teach web development. ^_^

The purpose of this post!

Be very aware of what you’re doing when you release personal information online.  In this case it’s pretty safe to assume that data submitted to TeachingChile.com will become the property of some nefarious individual. Unless you have some otherwise unobtainable insight into what happens to your data after you submit it – be cautious.  It doesn’t take much for a web server to fall victim to an automated attack, and the target is very specifically DATA, because that’s what everything is all about anyway.  Nobody reads the ‘terms of use’ or ‘disclaimers’ (and in many cases neither do the writers of those things, so they don’t say how your personal information is being securely managed; further, there is no enforcement to ensure that what you’re reading is in fact what happens), so it’s best to assume all the data you’re submitting to a website is going to be retained indefinitely by an individual or a staff that isn’t specifically driven by keeping your data safe. Most techs are extremely trustworthy, however often quite lazy.  It doesn’t take much oversight for a whole database, server or, better yet, a cloud-driven limitless data storage asset to become the property of an attacker.  It’s often just a password between the evil attacker and your personal information.

Don’t EVER submit your Social Security Number or Passport information online.  Just don’t. Perhaps try using your dog or cat’s social security number as a temporary placeholder. ^_^

Arabic and Java

Rosetta Stone in hand and Netbeans on screen, I’ve taken to two new languages.  I have for quite a few years now wondered why I don’t have a firm grasp of Java, and considering I’m an avid developer capable of effectively supporting further development of applications sourced in Perl, Ruby and PHP (yeah, I’m a web developer – ya got me), there’s really no reason why I shouldn’t have a solid grasp of Java, at least to the level of being able to comfortably support an open source project if nothing else.  What makes the deal really sweet though is that Zahira is brilliantly intelligent beyond any claim I could make here, and she’s motivated to learn and understand the use of Java, so that just seals the deal.  I’m personally 100% confident Java will be commonplace in our household within months.

On an entirely different thought process, I have become the average American and seemingly let go of any ability to be understood by any means other than this sad representation of written and spoken language most of us call English.  Normally when I felt like this I would force-feed some Spanish and submerse myself with a vacation, or enlist someone to communicate with me in Spanish at some semi-regular interval.  This time however I’m in an awesome new situation in which many people in my immediate bubble can speak Arabic, so I’m taking the opportunity to jump in, and for the first time in my 30 years of Espanglish existence I am taking on a truly new language. The notion of copy/pasting some Arabic here crossed my mind, but I’m at such a lack of knowledge that I’m going to submit this post and begin dedicating some time to understanding it right now.

Live Love Life!