Monty Montgomery

Monty's Friends


[tech] Wordpress Hosted Security Problem?

Back in January, at Arisia, I was hanging with someone who is a serious geek, and whose expertise I have no reason to question. He told me there was a serious security problem with WordPress, which caused WP to divulge private cookie data to anyone who knew how to tickle its API. "You mean WordPress, you install yourself on your own server?" No, he clarified, he was talking about WordPress.com, the free hosted blogs site, and the problem would not be fixed because it was something WP was doing deliberately to indulge its real customers -- advertisers -- even though it involved divulging your cookies from completely unrelated third-party sites to, well, anyone really. Someone else who was also apparently a serious geek (don't know the guy, but he'd been keeping up in a security conversation and seemed sane thus far) chimed in to confirm this story. Both stressed that one should have nothing to do with hosted WP unless one used Incognito mode or your browser's equivalent, to deny WP access to your cookies to other sites, or take similar measures.

I was very dubious about this story (I mean, I didn't even think it was possible for WP to get at other hosts' cookies?) but the source it was coming to me from was not given to nonsense in my experience.

So I've been trying to find evidence of this, but searching for security problems in WP.com is impossible in the flood of hits about problems in the WP software.

Does anybody know anything about this? Able to confirm or deny? Able to point me at reputable journalism about this problem? Or even credible rumor?


[T, MA, women] Faster Than a Speeding Locomotive

Someone here once, in response to my disappointment that the train being extended through Somerville and into Medford would be the Green Line, asked what I had against the Green Line.

Here. Allow Rita Jeptoo, as of this morning three-time winner of the Boston Marathon women's division, demonstrate:

Rita Jeptoo out-running a Green Line train

(LJ won't play the whole thing. Originally from here.)



I'm thinking of signing up for a goodreads account, and wondering how I want to strike the spam-defense v availability balance. If I give them my actual email address --- the MIT one most of you know --- will that cause a noticeable uptick in spam? If I create one just for them, will that make it harder for friends with goodreads accounts to find me?


[tech] Understanding git usage?

I'm attempting to grasp git usage best practices.

Let me explain something that I think I understand, and those of you who are git users can tell me if I have it right.

Consider the common scenario that you're hacking away on Version 2.0 of your widget, and an urgent issue, say a critical bug, comes up in the Version 1.13 release, and you have to stop what you're doing on Version 2 to go fix Version 1.

Do I understand correctly that the git way of doing things is that you commit everything you've changed in your working directory on Version 2, and then you [verb] the historical version (possibly by tag) of the project, thus syncing your working directory to the Version 1.13 state, you make your fix, commit the files, [merging them back in?] making a Version 1.14, then [verb] back your working directory to Version 2 and return to work on your project, only with the merged in changes?

Instead of getting a copy of Version 1.13 in a new directory tree and working on it there without disturbing your work on Version 2?


[women] Enter a gentle astringer

I have had this picture up on my computer for four days, so I figure I might as well post it.

A girl and her giant raptor: 13 yo Ashol-Pan and a golden eagle she's learning to hunt with; it rests on her right arm, which she has low, waist-height -- the bird's face level with hers, eye-to-eye, and extremely close to it, two finger's breadths between her nose and the beak.  It's leaning in towards her, incredibly intimate, its wings slightly extended about her, she is smiling, and her left hand gently rests on the eagle's breast, as if caught mid-caress.

My inner five-year-old has lost her mind over this picture. If I'd seen that picture -- or any of the others of Ashol-Pan with the eagles in this article -- in grade school, I would have swum the Atlantic and walked to Mongolia.

More other great surely-thats-photoshopped-but-no little girl power fantasy fodder pictures at that link.

Wikipedia's page on the golden eagle -- which is astonishingly comprehensive, even by wikipedia's standards -- tells me that white on the tail feathers indicates that this is a juvenile; apparently these two young ladies will be growing up together. And think: neither one is at her full size yet.

ETA: From the photographer's website:
At the end of the photographing session, I sat down with her father and the translator to say my goodbyes, and I asked him this:

“How did it feel watching your daughter dressed in Kazakh uniform, on a mountain top, sending the eagle off and calling it back again?”

“Very good”

“And honestly... would you have considered truly training her? Would she become Mongolia’s first ever female eagle huntress?”

I expected a straightforward “No” or a joking “Maybe”, but after a short pause he replied:

“Up until two years ago my eldest son was the successor of the eagle hunting tradition in our family. Alas, two years ago he was drafted to the army, and he’s now an officer, so he probably won’t be back with the tradition. It’s been a while since I started thinking about training her instead of him, but I wouldn't dare do it unless she asks me to do it, and if she will? Next year you will come to the eagle festival and see her riding with the eagle in my place.”


[tech, nas] Follow-up: Other people's bugs, II: cronjob running twice

So, yes, it turns out that apparently all the previous problems were an artifact of something the ghost was doing. On boot, the ghost takes a copy of /etc/crontab and installs it as root's personal crontab, in /var/spool/cron/crontabs/root.

Having wiped out the latter, all my cron jobs have run fine. (Well, I'm down to known bugs in my own code. :)

But since the ghost's going to unfix that every time I reboot, I'm going to need to run something at boot time to ununfix it. Yes, I need a daemon to clean up the ghost's mess. Yes.

Well, okay, I don't actually need a daemon. I just need a shell script that runs on boot.

Do I just pretend it's a service and put it in /etc/init.d like all the real services, add it to runlevel.conf, etc? Is that the tasteful way to do this? What's the right proper [Debian|Linuxy] way to have a script run on boot, but not until the ghost has run?
Tags: ,
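
The failure described in this post and in the earlier "cron job running twice" post, as an added example that is not part of the original posts: when a file in /etc/crontab format (which has a user field) is copied into a user crontab, every job is scheduled a second time, and cron takes the user name as the start of the command, which matches the "/bin/sh: root: not found" line in dead.letter. The function names and the sample crontab line are constructed for illustration; file paths are passed as arguments so the check can be run on copies.

```shell
#!/bin/sh
# Added example, not from the original posts. The sample crontab is constructed.

# Print job lines only: drop comments, blank lines and VAR=value settings.
job_lines() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$1" || true
}

# Print every job line of user crontab $2 that also appears verbatim in
# system crontab $1, i.e. the lines cron will schedule a second time.
copied_jobs() {
    tmp=$(mktemp) || return 1
    job_lines "$1" > "$tmp"
    job_lines "$2" | grep -Fx -f "$tmp" || true
    rm -f "$tmp"
}

# Print what a user crontab treats as the command for a line: everything
# after the five time fields. For a copied system line this starts with the
# user name, so the shell tries to execute "root".
user_crontab_command() {
    printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }'
}

# Reproduce the situation on throwaway files and report the duplicated jobs.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/system" <<'EOF'
# constructed sample in system-crontab format (sixth field is the user)
SHELL=/bin/sh
25 6 * * * root run-parts --report /etc/cron.daily
EOF
    cp "$d/system" "$d/user"    # what the post says happens at boot
    copied_jobs "$d/system" "$d/user"
    rm -rf "$d"
}
```

On the real box the two arguments to copied_jobs would be /etc/crontab and /var/spool/cron/crontabs/root, the paths named in the post.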


[psych, MA] "King of the Whirras"?

MIT AG peeps: is there anyone in the house who can either point me to a canonical version of "The King of the Whirras" story, or who can tell it? I may be misspelling "whirras". This is from IIRC a game in 1988 (just before my time). Ideally a version which does not name the player it happened to (or really anybody in it).

This keeps coming up -- it is one of the most epic examples of a particular kind of logical mistake -- but I am weak on the details and haven't heard it in 25 years.


Hit & Run

I'm fine; my car's probably not damaged enough to be worth repairing. But I have learned a life-lesson today. Albeit one with limited applicability. But maybe if I share it, it will do somebody some good.
When some asshole rams your car and takes off — and you manage to read his license plate and keep repeating it to yourself as you call 911, do not stop repeating it when the 911 operator answers, in order to listen to and answer their questions. Instead, keep repeating it, clearly, until you are quite certain that it has been recorded. Then answer the 911 operator's questions. Otherwise, it just may turn out that by the time you've answered their questions, you no longer recall the damned license plate number. Thereby letting the asshole get away with it.


[tech, nas] Other people's bugs, II: cron job running twice?

Now that I've got /etc/cron.daily/apachelogrotate slightly more debugged, I've discovered new, interesting issues.

For one thing, sometimes it tries to delete (rm) a file that it just learned about by ls, but by the time (several microseconds, presumably) that it gets around to trying to delete it, it's already gone.

Which suggests a race condition with something. Something running at the same time is deleting files that it's working with. What could that be?

Well, since adding the line echo "Running apachelogrotate! `date`" to the top of apachelogrotate...
sidereasnas:~# more dead.letter

Running apachelogrotate! Mon Apr 14 06:25:01 EDT 2014

/bin/sh: root: not found
Running apachelogrotate! Mon Apr 14 06:25:01 EDT 2014
[...other bugs cut for length...]
Oh, hell: somehow apachelogrotate is getting called twice. At the same time. The log files have long lines that will break your friends page.

Googling "cron being called twice" brought up the reasonable suggestion to check to see if you have two cron processes running. I checked. Negative, just once. I am rebooting the server now, and will see how it comes up... yeah, comes up with just one cron process.

(Actually googling "cron being called twice" brought up a lot of unhappy sysadmins across a lot of unices, all mostly not being able to figure out why their cron job is being fired twice.)

Thoughts? Suggestions?

[* As a side question: why is /var/log/cron.log yelling at me? Unix is case sensitive: there is no such thing as "/USR/SBIN/CRON" on my box, it's "/usr/sbin/cron". WTH?]


[law, tech, USA] The 5th Amendment and Encryption

Okay, I recently heard that 5th amendment privilege extends to not being forced to give up passwords, but I just found out the details are not what I understood, and apparently not what my friends who I discussed this with understood.

From Wired, quoting the decision of U.S. Magistrate William Callahan Jr. of Wisconsin:
This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman.
(emphasis mine)
Feldman didn't enjoy the 5th Amendment privilege not to have to produce the password because the encrypted drive's contents would incriminate him. Feldman didn't have to produce the password because doing so would prove the encrypted drive was his.

From The Volokh Conspiracy on a different case that came to a different result but the same conclusion on the 5th Amendment and passwords:
If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password.
Again, if it's already been established that the encrypted volume is yours and you have the password, the fact that unlocking it would decrypt information that would implicate you in a crime is not considered to make you eligible for 5th amendment privilege. Fifth amendment privilege only kicks in when they can't prove it's your device or that you ever had control of it -- where producing the password proves that you had access to it all along, and that fact had not been already established.

Unless there's other case law I don't know about. In which case please post a cite.