Category Archives: amusing

Ruby on Rails dead. All sites p0wned. GitHub shoots the messenger?

Two things here: if you run any Rails site, check out the security hole ASAP if you haven’t already. You might be safe – but given that even GitHub wasn’t, I’d double check if I were you. (The Rails community seemingly isn’t patching it – and there’s nothing recent on the Security list. Which leaves me going: WTF? The evidence is right there on GitHub of how bad this is right now, in the wild).

Secondly … what just happened? Apart from doom and gloom and “the end of every unpatched Rails site on the planet”, there’s a fun story behind this one. As someone put it, “it’s the whitest of white-hat attacks” (i.e. the “attacker”’s motives appear extremely innocent – but foolish and naive).

It seems that GitHub got hit by the world’s nastiest security hole, in Rails – trivial to take advantage of, and utterly lethal. The hole appears to allow pretty much anyone, any time, to do anything, anywhere – while PRETENDING to be any other user of the system. So, for instance, in the attack itself, someone inserted arbitrary source code into a project they had no right to.

Hmm. That’s bad. It effectively destroys GitHub’s entire business (it’s already fixed, don’t worry)

But it gets worse … it’s a flaw in the RoR framework, not GitHub itself (although apparently GitHub’s authors were supposed to know about the flaw by reading the Rails docs, as far as I can tell from a quick glimpse at the background). Rails authors have (allegedly) known about it and underestimated how bad it is in the wild, and left Rails completely open with zero security by default.

So, allegedly, the same attack works for most of the web’s large Web 2.0 sites – any of them that run on Rails.

WTFOMGBBQ!

Who was the perpetrator of this attack? Ah, well…

made an impossible issue, a post that GitHub’s database believed was created 1,000 years in the future.

Classy. Dangerous (high risk of someone calling the police and the lawyers), but if people won’t believe you, and *close* your issues, claiming it’s not that important, what more amusing way to prove them wrong?

Whoops, shouldn’t have done that

I can’t state this strongly enough: never attack a live system. Just … don’t.

Any demonstration of a security flaw has to be done very carefully – people have been arrested for demonstrating a flaw allegedly *at the owner’s request*, because in some jurisdictions it’s technically a crime even if you’re given permission. In general, security researchers never show a flaw on a real system – they explain how to, and do it on a dummy system, so no-one can arrest them.

(why arrest the researcher? Usually seems to be no reason beyond ass-covering by executives and lawyers, and a petty vindictiveness)

Homakov appears to have been ignorant of this little maxim, hence I’m writing it here, let as many people as possible know: never attack a live system (unless you’re very sure the owners and the police won’t come after you)!

GitHub’s response

On the plus side, they fixed it within hours, on a weekend. And then proceeded to tell every single user what had happened. And did so in a clever way – they put a block on all GitHub accounts that practically forces you to read their “here’s what happened, but we’ve fixed it” message. They could have kept it quiet.

Which is all rather wonderful and reassuring.

On the minus side, IMHO they rather misrepresented what actually happened, portraying it more as a malicious attack, and something they fixed, rather than what it was – the overspill from an argument between developers on some software that GitHub uses.

And they initially reported they’d “suspended” the user’s account. Normally I’d support this action – generally it’s a bad idea to let it be known you’ll accept attacks and not fight back. But in this case it appears that GitHub didn’t read the f***ing manual, and the maintainers apparently (based on reading their tickets on the GitHub DB) refused to accept it was a serious problem – and apparently didn’t care that one of their own high-profile clients was wide open and insecure. The attack wasn’t even against GitHub per se – it was against the Rails team who weren’t acting. IF it had e.g. been a defacement of GitHub’s main site, that would have been different, both in impact and in intent. Instead, the attack appears to be a genuinely dumb act by someone being naive.

Seems that GitHub agreed – although their reporting is a bit weak: it happened days ago, but they never thought to edit any of their material and back-link it.

“Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated.”

…and it’s pleasing to see that their reaction included a small mea culpa for being unclear in what they expect (although anyone dealing with security ought to be aware of this stuff as “standard practice”, sometimes it’s not security experts who find the holes):

“We haven’t been as clear as we should have been on how to responsibly disclose security problems, and for that I’m sorry. To prevent future confusion about security-related account suspension, and to make explicit our stance on responsible disclosure, we have added a section entitled Responsible Disclosure of Security Vulnerabilities to our Security policy.”

Rails’s response

I’d expect: shame, weeping, and BEGGING the web world to forgive their foolishness. I’m not sure, but it’s going to be interesting to watch. As of right now, the demos of the flaw are still live. I particularly like one commenter’s:

drogus closed the issue 5 days ago

kennyj commented 5 days ago:

“I’m closing it (again).
@drogus was close it, but it still open.
github bug?”

kennyj closed the issue 5 days ago

“github bug?” LOL, no – massive security flaw :).

MongoDB is WebScale. MySQL is not WebScale.

There are good reasons for adopting Mongo; I’m unconvinced (but open-minded) that performance is one of them. Here’s a ROFLMAO viewpoint on it:

“If your write fails, you’re ****ed”

Obviously, MySQL’s not perfect, but in most cases I’ve seen, it’s been lack of competence on the developer side, and the lack of basic DBA skills – not problems with MySQL itself – that’s broken scalability. In which case, I’m a little suspicious that a company that fails to scale MySQL will equally fail to write their code correctly on Mongo. In many ways, throwing away SQL makes it much easier to prevent scalability…

Side effects of treating everyone with suspicion

Today I was forwarded what looked like an interesting little event: “The Gamification of Everything”. I applied. Or … tried to.

The process on all event websites today is:

  1. Type in your name
  2. Type in your email address
  3. Click “attend”

3 steps.

This event has a process with … 15 steps (!).

The website claimed to have registered me for the event.

Your registration is cancelled

And then, after all that, they emailed me to say they weren’t accepting my request to attend, apparently because I didn’t give them an acceptable company name (I put “n/a” in the field, as I was attending as a private individual):

I noticed that you’ve signed onto our website and want to register for the next Convergence Conversation meeting, but you don’t say which organisation you represent nor where you are based. But you are the ‘founder’ of what?! I would appreciate more information please – if you are self-employed I can use your name as the organisation.

Maybe you were in a hurry – but, as I’m sure you will understand, we like to know who the attendees are, the field of work they come from/represent.

The price of suspicion

To be clear: I signed up for their event, and the website accepted it. I put it in my diary. Then they contact me acknowledging that I “wanted to register”.

What? No: I *did* register.

Will I find myself turned away at the door when I turn up on the day? WTF?

Thanks, but no thanks:

“I’m not going to risk turning up to an event and being turned away on the door. Just the thought of that is unpleasant. Feel free to delete my application. I’m sorry to say that I won’t be coming.”

It amazes me how many people seem unaware of the effect it has on others when they pre-suppose guilt and nefarious motives. I mean … what on earth did they imagine I was going to do? Burst in and scream:

“Death to the infidel Gamifiers! Gamification is the scourge of mankind!”

…and start knocking over tables?

PS: that 15-step signup in full

The process for this event is:

  1. click signup
  2. type in
    1. name – WARNING: YOU MUST GIVE US YOUR REAL NAME, AS PER OUR TERMS AND CONDITIONS
    2. email
    3. where you live
    4. the company where you work
    5. the city where your company’s office is situated
    6. the *postcode* of your company
    7. the *country* of your company (yes, really – these are all required fields, form won’t submit without them!)
    8. your job title
    9. …some other bits I’ve already forgotten
  3. wait for a confirmation email
  4. click the confirm email link
  5. wait for a password email
  6. login to the website using the new password (most sites at least auto-login at this point; not this one)
  7. return to the event page
  8. click the “I’m attending” button

52 card MOO – Part 1: The Challenge

I’ve known MOO for 6 years (back when they were PleasureCards), and I’ve been using them as my primary business / personal cards for most of that time.

Back when they only did the PleasureCard form-factor, it was always fun to find a fellow MOO customer. Shared conversations were easy with strangers, usually over the great reactions we get from non-MOO users.

Ever since they first integrated with flickr, one concept has come up again and again in those conversations:

“What about a custom 52-card deck made using MOO.com?”

Rounded Corners…

MOO just introduced a new option on their cards – Rounded Corners. This is a trivial thing.

…unless, like me, you still want to do that 52-card playing deck. Now much easier!

Also, they recently upgraded their Flash uploader / composer software, and seem to have fixed most of the bugs that plagued the last version I used, back in 2010.

What do we need to make this work?

The Spec

To make a deck of playing cards, we need:

  1. At least 52 unique cards, ideally 54-58 (2-4 jokers, plus 2 blanks in case a card gets damaged)
  2. All cards have an identical back
  3. All cards have a unique front (except for the blanks, which share the same empty image)
  4. ROUNDED CORNERS

Also, to make this more than just a vanity project, it would be great if we could also have:

  1. The “identical back” has some (subtle) text – maybe just the URL of the author/company, plus their twitter handle

MOO’s current features

  1. 52-58 unique cards: FAIL: they do a “maximum” of 50
  2. identical back, full-sized image: SUCCESS (it’s a new option: full-image instead of contact details)
  3. unique front: SUCCESS (this is MOO’s raison d’être)
  4. ROUNDED CORNERS: SUCCESS
  5. TEXT on the identical back: FAIL: their flash uploader won’t let you (“Computer says No”)

So, I sent an email to MOO support, outlining the above, and making some suggestions about how I could make this work – but asking if there’s an easier way?

My plan (in brief):

  1. Online, it says a “max” of 50 cards. That’s probably not a hard limit – is there a way I could get 60, if e.g. I do a large enough order size? You guys do orders in multiples of 50, 100, 150, 200, 400, 600, 800, 1000. I could do 60 cards (only a slight wastage over the 58), and make my orders in multiples of 600. i.e. 10 complete sets.
  2. There seems no reason to prevent me putting an image and text on the identical back – it’s just that your loader won’t allow it. Any way around this? I could bake the text in, but then it would be a massive pain to change – I would do fewer print runs.

MOO.com Support FAIL

I reached out to MOO, explained how I could achieve this with manual pain, working around the missing features. Also, asking if they had better ideas of how to do it – or if there was a way around the 50-card-limit?

MOO’s response:

Thank you for getting in touch with the MOO Team.

You can have multiple images on one side of the cards in a pack, you can’t specify how many of each but the systems will divide the designs as equally as possible.

The other side must remain exactly the same for every card in the pack.

You can upload a logo to the left, right, top or bottom of the side of the cards with the text on (contact info etc).

Basically, if you were to upload 52 different designs (cards) and 2 jokers, your total uploads to a pack of 100 would be 54. The remaining 46 would be repeats of the first 46 to be uploaded.

I hope the above makes sense.

Some observations:

  1. I’ve bought literally thousands of MOO cards over the years, and I know very well how it works. I didn’t need a re-hash of the facts I’d already included in my original email! I’m surprised he didn’t see from my account how many cards I’ve ordered in the past.
  2. He’s simply wrong about the logos; go on the website right now, and you’ll find that you can put a full screen image on both sides of the card.
  3. No real answer about my core request. Is it impossible to do 60 cards instead of 50? Maybe, maybe not. Who knows?

Understandable, but overall I’m disappointed by that response.

I’m doubly disappointed that MOO featured the following on their website, 2 years ago:

http://www.moo.com/blog/2009/07/02/the-story-of-jacks-rounded-cornered-business-cards/

…but apparently isn’t interested in other people doing this for themselves.

What now?

I can still do this, it’s just going to be a LOT harder (I’ll have to do lots of things manually that MOO could automate easily). I’ll document it as I go, it’s a fun challenge. Part 2, coming soon…

1337

More from the world of silly website screenshots – StackOverflow says I’m l33t. I couldn’t have done better if I’d tried (I wonder how hard that would be – deliberately downvoting other people, perhaps, to bring your score down to the right number?)

Passenger (Ruby) – oh, the irony

When Passenger crashes, you get this wonderfully ironic error page:


(this is what you currently get when you try to access the web-interface for BeanstalkApp.com – the git / SVN hosting company)

(have a look at the logo in top-left ;))

Scamming under the name “Liverpool Embassy”?

UPDATE: I’ve had a followup email from them that suggests it’s legit, and we were just mis-targeted (I’d guess they’re using a call-list they got from somewhere that’s not great on its filtering).

Strange email exchange this morning:

Subject: contact [sic – no capitalization, no sentence]

Could you kindly supply me with your Business address and telephone number for the purpose of our database please?

Kind Regards,

Elisa

Elisa Sullivan
Liverpool Embassy
2nd Floor
New Broad Street House
35 New Broad Street
London
EC2M 1NH

What? Why? Who are you? Why do you want our phone number?

And, most bizarrely, why are you asking for info that’s – by law – published for free on the Companies House website?

I smell something fishy(ing attempt)…

I sent a couple of followup emails: “what database?”, we’ve never heard of you, what’s this for?, etc.

Responses were all dodging the question, and then she gave up with:

Ok thanks for your help Adam, sorry for any inconvenience caused.
Elisa

So, yeah. Probably a scam. If you get any emails from “liverpoolvision.co.uk”, I suggest you trash them.

(and if they’re a bona fide outfit, then … wow. They really don’t use email much, do they?)

Apple: “Yes, we have iPhones in stock. But you can’t buy them”

Apple UK continues to show that they don’t have a clue how to operate a retail operation.

We’ve got an app that’s demoing today and tomorrow, and it would help if I had an extra iPhone4 to run it on. So, I try to buy one from the local Apple shop.

“Hi, do you have any iPhone 4’s?”

“Do you want a contract?”
“No”
“Well, in that case: no. We don’t have any” ([To Other Guards] I told him we already got one)
“But … if I *do* want a contract, you’ve got some?”
“Yes!”
“But you won’t sell me one of those, even though you have them?”
“No!”

“When will you have [these magical non-contract] phones?”

“No idea. Maybe tomorrow. Maybe not”
“…”
“Here’s a phone number – you can call them at 9am tomorrow morning and they’ll tell you if we have any that day”
“So, I can call, and reserve one and collect it that day?”
“No. They’ll only tell you if we have one RIGHT NOW when you call – it could be gone when you get here”
“So, this number is totally useless?”
“Well … it’ll tell you whether maybe we probably might have one. We don’t do reservations any more. We used to, all the time. But then we … uh … stopped”

http://store.apple.com/uk

“Order now, in stock, ships in 24 hours”

The ultimate excuse for iOS developers…

Rebooting again, everything killed thanks to Xcode4, I thought of xkcd’s comic on “compiling”, and a little modification came to mind:

Appropriately, working with Xcode3 often suffered from time wasted waiting for the weak compiler to churn through relatively tiny projects. We’ve moved on – Xcode4 has a much better compiler/linker/build toolset – but it’s brought its own (worse) problem to replace it…

Xcode4 commits IMHO the second-worst (*) sin for an IDE: serious memory / CPU leaks; run it for long enough (as little as 1 hour) and it will crash badly, and drag down your whole computer with it. Since you cannot work without the IDE, this means you waste hours every week just rebooting over and over again. Apparently, OS X has little protection against rogue apps – the whole OS seizes up, the mouse cursor stops working, etc.

It varies from machine to machine, and project to project. e.g. high-CPU machines (fast quad-core) seem to be affected only very rarely (if ever). With some machine/project combos – e.g. dual-core machines around 1.6GHz CPU – this happens multiple times a day, every day. They’re fast machines, generally – it’s just that Xcode has some fatally bad code somewhere. Xcode3 on the same machines was fine.

(*) – worst sin: data-loss; an IDE that corrupts your source code / build settings. Those just make me lose the will to live.

My next game will be named: Power Battle Love Magic … III

(because sequels always look better in SEO, no?)

http://www.achilleseffect.com/2011/03/word-cloud-how-toy-ad-vocabulary-reinforces-gender-stereotypes/

I’ve always wanted to do a “mash-up” of the words used in commercials for so-called boys’ toys. I did a little bit of this in my book, but now, thanks to Wordle, I can present my findings in graphic form. This is not an exhaustive record; it’s really just a starting point, but the results certainly are interesting.

The results, while not at all surprising, put the gender bias in toy advertising in stark relief.

Top steps tips viral mobile iphone success profit

Did that get your attention?

In the last day or so, I’ve seen a barrage of crap on this topic – much of it ACTIVELY destructive (it’ll make your iPhone apps less successful than if you didn’t do it!). I’m not going to hotlink most of them – they don’t deserve the attention – but some of them mix bad with good, e.g. a guest post from someone with some good points, but also glaring inaccuracies.

So, some myths:

Thursday is the best day to launch an app

No. It’s one of the worst days. Why? Because every idiot who ever read “Thursday is the best day to launch an app” … now launches their apps on Thursday. Duh!

Facebook and Twitter sharing will make your app “go viral”

Virality is based on value, not on the presence of a corporate logo. Find some *real* iPhone developers, and ask them what happens if you launch an app with sharing in it.

Only apps that are already spreading virally, and heading for major success, ever benefit from this integration.

i.e. don’t bother until you actually need it; in some cases, for big apps, where you’re confident of 100,000 initial downloads … you may need it at launch. Most apps don’t.

Choose carefully every word in your iTunes description

Nope. Ask any experienced developer how many of their users read the iTunes description, and they’ll probably laugh at you. There’s a really, really good reason for this (but this is a post on what NOT to do, not what to do).

Check-in makes your app as popular as FourSquare

Um … WTF? How stupid are you?

“You need check-in on everything. Let your users check in to articles, blog posts, events, places, shopping items, videos, or even slide share feeds ☺.

People love to tell their friends where they are and what they are doing, so just make it easier for them.”

Who’s that from? Oh, yes – a company that doesn’t actually make apps, but sells a product to churn out crummy identikit apps, where “check-in” is one of their features.

No. In general, it just annoys people. Unless it’s part of the app’s core activity – but in that case, you never had an option to “not” include check-in. (also: why are you even trying to compete with 4square? Have you any idea how tough that is?)

Chart ranking is everything

Again, this is from the school of:

“I am a marketing person who doesn’t make apps, and doesn’t know what they’re talking about. Nor do I bother to ask anyone who does”

…because this info is several years out of date (i.e. a lifetime in App Store terms). In fact, for the last 10-18 months, chart ranking has been largely irrelevant in a lot of sectors – largely due to the surge in FAAD and their ilk.

Engaging with “the community” will give you huge sales

Sad but true: first you need a success before you even have something we’d call “a community”. You need a substantial number of downloads – AND daily actives. “Ten of your mates downloading it once” does not a community make.

Variant: for games, pandering to the TouchArcade community

Ask a game developer how easy / successful it is to promote your game on TA.

Again: back when almost no-one was doing it, this helped enormously. But that was years ago. Now … good luck getting any visibility amongst the sea of other developers doing exactly the same thing.

And finally…

If you feel you want even more “gotchas” and things to avoid, have a look at Jake Simpson’s very recent (February 2011) experiences of trying many of these – and more! – and having them fail miserably.

NB: Jake’s experience was particularly harsh, and actually goes more negative than I think is accurate, in general. At some point, I’ll do a followup that looks at the good parts (things you SHOULD do, that never seem to get old).

But, let’s be clear: mostly, this is standard Marketing. If you’ve hired someone to do your marketing who even bothers to read these sites, you made a mistake. Instead, find someone who’s good enough at marketing to invent the tactics they need all by themselves. Preferably, hire someone for their skill at marketing “strategy”, not for their knowledge of “tactics”.

Adobe still doesn’t understand this “world wide web” thang…

Given how badly Flash is getting smacked-down at the moment, I find this hilarious.

Right now, Adobe.com’s store page (where you get redirected if you google for Adobe products) doesn’t work in a mainstream desktop browser (Firefox). I go to the page, and suddenly my keyboard stops working, and the mouse is only half working. WTF?

Ah. A bit of digging, and I find crap like this:

…fully “custom” scrollbar, which I suspect is disabling keyboard and mouse input.

What does this achieve?

  1. HEY! It looks “different”!
  2. Confusing: looks like a Tab, instead of a scrollbar
  3. Reduces performance: this scrollbar *flickers* as you drag it, because the rendering routine is so horrendously slow. This is on a Core2 Duo processor that’s not doing anything else.

What does it break (aside from performance)?

  1. Keyboard navigation: spacebar, cursor keys, and left/right switch tab (VERY annoying: it seizes control of your keyboard and won’t let you navigate away)
  2. Mouse navigation: it bypasses the web-browser (stupid idea, Adobe), and so all the mouse gestures – even the OS-built-ins like 2-finger-scroll – stop working

It’s like a microcosm of why people get frustrated with Adobe – and perhaps of how Flash is going to go down in flames. It would be subtle and clever if today were April 1st:

  1. Who cares what the user thinks? Give them useless crap that doesn’t even look pretty! (think of the features added in most revisions of CS)
  2. …but FORCE it on them, too; choice is bad! (recall the Adobe trojan that they wrote to take over your PC and force-install Adobe products)
  3. Performance? Who cares about performance? (Illustrator and large files … nuff said)

Wikia.com’s Uberfuzzy: you idiot

I just tried to create a free wiki on Wikia, to help the developer community with Entity Systems. This has no benefit to me; it’s purely for other people. I figured a system like Wikia would welcome such a wiki.

Wikia hasn’t yet implemented any of the common username systems, and won’t let you look at the Wiki to see if it supports the features you need … until AFTER you’ve given them your email address.

So I chose a username containing the text “get open ID”, as a quiet form of protest.

Oh. Crap. Wikia has now enacted a permanent block (their wording) – I cannot create any wikis, I cannot signup under a different username, I’m just blocked.

Wikia has a special page to tell me the name of the person who did this:

http://community.wikia.com/wiki/User:Uberfuzzy

Wikia then tells me to “contact them”.

Only … that person:

“has chosen not to receive e-mail from other users.”

Oh. The only way you’re allowed to contact them … is by creating an account. But Uberfuzzy has banned me from creating accounts.

Indeed, if you click the link to contact Uberfuzzy within the system, you get the text:

You do not have permission to [contact Uberfuzzy]…
…The block was made by Uberfuzzy…
…You can contact Uberfuzzy or another Administrator to discuss the block.

Sometimes the ability of otherwise intelligent people to be so incredibly stupid makes me want to weep :).