Category Archives: Uncategorized

New server + HTTPS

This site used to be in a Hostgator shared host which I had bought long before I understood how servers work. I didn’t bother changing it as it just worked and this was not the only site/app that was hosted there. (If I was to move, I wanted to move everything)

Lack of WordPress know-how was another problem. I have/had multiple WP sites including this one, and moving meant creating a multisite, configuring it to match the original URLs, while supporting other non-WP stuff as well. Also I didn’t want to migrate the blogs as static sites for different reasons.

Finally I’ve moved most of the stuff to a separate VPS in Vultr (thx to @gaveen for referring). The major motivation was TLS support. You had to pay additionally for TLS in Hostgator, which didn’t make sense as we have Let’s Encrypt.

The multisite is mostly working now, but I need to get images working properly (uploads directories not properly configured for sub-sites), fix old thameera.com/files/... links, set up rss2email and also see what else is broken 😆.

Using ncdu to examine disk usage

du has been my go-to tool for checking disk usage and it’s wonderfully simple. But I’ve been using ncdu for a few weeks now.

ncdu is short for NCurses Disk Usage. In addition to being able to visualize disk usage by directory, it lets you sort on different parameters, delete files, show hidden files, and a few more stuff that you’ll miss if you go back to plain du. Most importantly it acts as a file manager, so you can simply enter the directories to see a more fine-grained breakdown of file sizes. As an added bonus it has Vim keybindings along with normal arrow key movements.

ncdu - ncurses disk usage

Screenshot of ncdu + help popup

Installation:

brew install ncdu # macOS
sudo apt-get install ncdu # Ubuntu/debian

Printing double-sided in a non-duplex printer

My printer doesn’t support duplex printing, but I regularly print double-sided booklets. It’s not straight-forward and I always forget how to do this so I keep a checklist to consult every time. Publishing it here so I won’t lose it and someone searching for this in the interwebs might find it useful.

  1. Select ‘Odd Pages Only’ in print settings (usually under ‘Paper handling’)
  2. Print
  3. Take the printed papers out and put them in the same orientation to the tray (white side up, no turning)
  4. Select ‘Even Pages Only’ in print settings.
  5. Also, select ‘Reverse’ for Page Order
  6. Print

If you are printing a booklet, note that you will need to convert the document to a booklet format first. I use Booklet Creator for this, but there are other alternatives as well.

How the macOS root user vulnerability happened

Mac security specialist Patrick Wardle digs into the root cause (pun intended) behind why a blank password gave you root permissions:

* For accounts that are disabled (i.e. don’t have ‘shadowhash’ data) macOS will attempt to perform an upgrade

* During this upgrade, od_verify_crypt_password returns a non-zero value, and an error code which is not checked

* The user (or attacked) specified password is then ‘upgraded’ and saved for the account

It appears that od_verify_crypt_password should fail (update: it does and Apple just didn’t check for this!).

It might be an oversimplification, but what I gather from the post is that proper handling of the function’s return value (error code) could have prevented this on hindsight.

Now I’m pondering about all those times we ignore the error codes returned by the OS for file I/O operations and whatnot.

Root user vulnerability in macOS High Sierra

It has been discovered that you can get root permissions on a macOS system running High Sierra without any password. To test, click on the padlock in any System Preferences dialog and enter root as the username and keep the password to blank. Now click Ok (or whatever the confirmation button is) twice and you have root privileges!

This is like the worst nightmare ever, but note that the attacker needs to have physical access to the machine. Until Apple sends the patch, the easiest way to secure the system is by changing the root password as described here: https://support.apple.com/en-us/HT204012

Unfortunately it looks like the vulnerability was publicly disclosed without letting Apple know and waiting for a patch.

Imgur hacked

Imgur has apparently been hacked in 2014 and this has come to light only a few days back. 1.7 million emails and passwords have been leaked – passwords encrypted with SHA256. (Imgur has been using bcrypt since 2016, though)

From the article:

Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.

Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.

One of the key requirements in GDPR is that websites collect only the minimum personal data necessary to perform its operations. It will be very hard to keep the user stores from being pwned, but having the least possible amount of data in them definitely helps lessen the damage.

The curse of knowledge

I came upon an article titled Are You Suffering From the Curse of Knowledge? recently in a reddit thread.

Another famous example is that of an extremely successful salesman for IBM who was asked by an interviewer why he was so good at sales, to which he responded, “It’s because I stopped coughing!”

A couple of experts in sales were so confounded by his answer that they decided to examine him more closely. After a while they found that he was actually doing a lot of things really well—he was using a ton of sales tactics brilliantly, he just wasn’t aware of it. He was naturally talented at sales.

The moral of this little story is that the IBM sales guy falsely attributed the reasons for why he was so successful.

The secrets of success from the top scorers in an examination might actually not be the secret sauce that led them to those results. Sometimes it’s not obvious why someone is doing really good.

How can you tell the type of a void pointer?

TLDR: You can’t

There’s a writeup on a newly found vulnerability in Adobe Acrobat Readers:

We all know that void pointers are by definition typeless, may point to any object, and any object may be cast to it. But surely, after we’ve cast an object pointer to a void pointer, it’s still possible somehow to detect its origin type, right? Not quite.

Once an object is cast to a void pointer, it’s absolutely impossible to detect its origin type. So, how do we check the type of a void*? The answer is that we don’t. And when you try, what you get is a vulnerability.

In case you’re not familiar with void pointers in C/C++, you can assign _any_ pointer to a void pointer, regardless of the type.

void *ptr = any_ptr;

This can be helpful if you don’t know what kind of a pointer you will receive in a function, etc. But usually it’s better to avoid them like the plague.

Hashes and Nonces in CSP

Troy Hunt has a nice article about inline-scripts and CSP with some practical examples.

By default the following CSP directive will block all inline scripts:

Content-Security-Policy: default-src 'self'

The most straight-forward way to remove the restriction is to add unsafe-inline but it disables all the defenses against inline scripts and XSS. Thankfully you have two alternatives: using a hash or a nonce. (TIL!)

If the script is static (the content does not change), you can add a SHA-256 hash of the script to the CSP directive, so the script will be whitelisted.

Content-Security-Policy: default-src 'self'; script-src 'sha256-blLDIhKaPEZDhc4WD45BC7pZxW4WBRp7E5Ne1wC/vdw='

However, if the script is prone to change, you have the option of adding a base64-encoded nonce (random value) to both the CSP directive and the script tag.

Content-Security-Policy: default-src 'self'; script-src 'nonce-4AEemGb0xJptoIGFP3Nd'
<script type="text/javascript" nonce="4AEemGb0xJptoIGFP3Nd">

Summary of Chrome Dev Summit 2017 Videos

Dan Fabulich has a post titled I Watched All of the Chrome Dev Summit 2017 Videos So You Don’t Have To:

tl;dr: Google wants you to build PWAs, reduce JavaScript file size, use Web Components, and configure autofill. They announced only a handful of features around payments, authentication, Android Trusted Web Activities, Chrome Dev Tools, and the Chrome User Experience Report.

Check out the full post for a more detailed summary.

This is three weeks old and I kept putting off posting this in AH. It’d be super cool if someone wrote TLDRs for all conferences happening everywhere.