Category Archives: Uncategorized

Friendly advice

Tweet by sarah_edo:

A lot of people, mostly university friends, called me during last month after they learned that I was unable to walk due to a leg injury. People don’t forget to leave some advice during the calls. These include:

* Migrate to another country (from those who have already migrated to other countries)
* Live for a few years in a different country (from those who are abroad temporarily for work reasons)
* Marry ASAP (from those who are married)
* It’s time I should marry and have some kids (from those who are married and have kids)
* Build a house (from those who own houses)
* Switch to a better car (from those who have more expensive cars)
* Get the shit together (from someone who has theirs together, probably)

I’m not bluffing – this is 100% real. I’m thankful for all the advice, but I feel worse than ever now.

How Computers make Random Numbers

Came across an easy-to-follow article on how random number generators, or LCGs, work.

One thing we haven’t addressed yet, is the issue of deciding the initial seed. We could fix it to some constant number. This is useful in cases where you need random numbers, but they have to be the same every time the program is executed — generating the same map every game for example.

Another way to decide the seed is to fetch it from a source that is different each time the program is executed — like the system time. This useful in a case where a general random number is needed, like a program to simulate a dice roll.

Slack SAML authentication bypass

Antonio Sanso writes:

This means that if I present to a ServiceProvider A an assertion meant for ServiceProvider B, then the ServiceProvider A shoud reject it.

Well between all other things I tried this very really simple attack against a Slack’s SAML endpoint /sso/saml and guess what? It worked 😮 !!

To be more concrete I used an old and expired (yes the assertion was also expired!!) Github’s Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one!!! Wow this is scary….

Scary indeed. And it isn’t a particularly sophisticated hack either. Slack has now patched the issue.

100s of useful AWK examples

Came across this nice cheatsheet with awk examples on Hacker News today: Github link

awk is a highly underrated Unix utility. I’ve seen very few developers use it, but it’s both powerful and useful. Awk is a language of its own, but you don’t need to master it to start using it.

Some time back, I moved a large bunch of files to a home directory in a server by mistake. I had used the following (naive) command to move them back to the original location (according to my notebook):

ls -ltr | grep '14:57' | awk '{print $8}' | xargs -I '{}' mv {} vftemp

Apparently I had exploited the fact that the moved files all had the 14:57 time stamp and filtered them with grep, and then used awk to get the 8th column of the list, which should have been the filenames and moved them back.

The State of Being Stuck

A high school mathematics teacher interviews Andrew Wiles. Wiles is one of the most famous mathematicians in the world today; best known for proving the 350-year-old Fermat’s Last Theorem.

Wiles explained the process of research mathematics like this: “You absorb everything about the problem. You think about it a great deal—all the techniques that are used for these things. [But] usually, it needs something else.” Few problems worth your attention will yield under the standard attacks.

“So,” he said, “you get stuck.”

“Then you have to stop,” Wiles said. “Let your mind relax a bit…. Your subconscious is making connections. And you start again—the next afternoon, the next day, the next week.”

Patience, perseverance, acceptance—this is what defines a mathematician.

Reading a User-Agent header

Tweet by @jschauma:

Whenever a browser makes an HTTP request to a server, the browser sends in a User-Agent header, so the server can know what kind of a browser/agent the request is coming from. I’m writing this post in a Safari browser in macOS and the string it sends is:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38

It says Mozilla at the beginning, but it’s not Firefox.

Confusingly, the User-Agent string of Google Chrome has both Mozilla and Safari in addition to Chrome:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

These strings will change depending on both the browser version and the OS you are on.

While these strings seem cryptic, you can use this handy guide from MDN to identify the browser from User-Agent strings:

Zawinski’s Law

I was reading Finish your stuff by Martin Sustrik (creator of ZeroMQ) today and stumbled upon Zawinski’s Law from The Jargon File.

“Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.”

Emacs comes to mind (you know what they say, it’s “a great operating system, lacking only a decent editor”).

However, we see that a lot of bloated software being replaced by leaner and minimal products, which might seem to be in contrary to this rule. Lots of people moved from WordPress to much simpler Medium. But Medium, in turn, has become a bloated piece of JavaScript by now, which aligns with Zawinski’s Law.

Quoting the Wikipedia article on the subject:

Eric Raymond comments that while this law goes against the minimalist philosophy of Unix (a set of “small, sharp tools”), it actually addresses the real need of end users to keep together tools for interrelated tasks, even though for a coder implementation of these tools are clearly independent jobs.

Splitting a text file into two

Today I was trying to open a text file with a Node.js script and failed, apparently because it exceeded Node’s maximum buffer size. The most straight-forward solution was to split the file in half and open the two new files separately.

How do you split a text file by two, though? With a quick hack using head and tail of course.

head -n 1000 input-file > output1
tail -n +1001 input-file > output2

The + in the tail command tells it to count lines from the top, instead of from the bottom which is the usual case of tail.

Source: unix.stackexchange

Re: Tools are not the Answer

I quoted Uncle Bob’s post two days back and Hillel Wayne has written a much comprehensive response to the original post. In summary, it says:

Uncle Bob gives terrible advice. Following it will make your code worse.

I see nowhere in the original article where it says the tools are bad for you. In fact, it maintains that:

I have nothing against tools like this. I’ve even contributed money to the Light Table project. I think that good software tools make it easier to write good software. However, tools are not the answer to the “Apocalypse”.

There’s a very interesting discussion on Hacker News as well and I urge you to go read it. Uncle Bob Martin himself has left a few (albeit succinct) comments. It’s very interesting to listen to all parts of the story, especially from people who have far greater experience than you.

Tools are not the Answer

Uncle Bob responds to an article in The Atlantic titled “The Coming Software Apocalypse”. The Atlantic article apparently proposes better tooling to avoid software bugs.

I disagree. Tools are fine; but the solution to the software apocalypse is not more tools. The solution is better programming discipline.

We have fancy IDEs, sophisticated build systems and what not, but a sloppy programmer is a sloppy programmer. If tools can make her a good programmer, probably this is a field that robots can fill up easily.