    What the Daily WTF?

    quijibo

    @quijibo

    326 Reputation · 102 Posts · 671 Profile views · 0 Followers · 0 Following

    Best posts made by quijibo

    • This children's park is brought to you by: our porn site

      Okay, not quite... but if the developer registers a domain name and prints it on the sign/placard (QR code or human-readable), they really need to keep it active for the lifetime of the park. Or at least a little longer than the typical 5-minute attention span of Internet-goers (or marketers for that matter).

      May 6, 2018

      QR code at park next to west Edmonton school leads to porn website


      An Edmonton mother was shocked when the QR code she scanned with her phone while her kids played at a park near a west Edmonton elementary school led her to a pornography website.

      posted in Side Bar WTF
      quijibo
    • RE: We need *all the shiny*

      Did anyone else find the hidden hamburger-style menu on the right?

      (image: hamburger.png)

      At first I thought it was a display glitch that was following the page as I scrolled. When you scroll it highlights different pieces based on where you are. If you mouse over it tries to do the same highlights as it tracks your cursor around the hexagon (poorly in Firefox).

      ... 'cause you know, you might need to jump down on the page quickly and going to the bottom-left coordinate of the hamburger hexagon is exactly how I would do that!

      posted in Side Bar WTF
      quijibo
    • Microsoft is limited to receiving 100 emails per day?

      I had the following conversation with someone at our ISP a while back.

      From: abuse@isp.com
      To: admin@customer.com
      Subject: Internet Abuse Complaint -- IP address 1.2.3.4


      Attention Customer,

      There has been a complaint received by our security team indicating that an IP address traced back to your cloud instances. Blah blah blah, make sure your machines are not compromised... refer to the report below.

      The Report:

      ISP has received reports of unusual mail activity coming from your connection. Over 90% of mail to certain domains is being flagged as Spam. This is likely due to malicious software running on a pc behind your router.

      IP Address: 1.2.3.4
      For period: 1/8/2018 1:00 AM to 1/9/2018 12:00 AM
      Potential Spam Attempts: 106
      Message Recipients: 106

      Me: Oh crud... I keep on top of security updates and have monitoring on that server. This can't be right.

      From: quijibo@customer.com
      To: abuse@isp.com

      That IP address is our main external mail server that handles all contact with our customers. If ISP is doing any monitoring of network traffic that would be expected as we are in the middle of a seasonal increase in sales.

      That said, I do understand that abuse of servers to send spam is serious so I will investigate immediately.

      Do you have access to any emails (with headers) that were reported as spam to the abuse team?

      Their reply:

      From: abuse@isp.com
      To: quijibo@customer.com

      The report you received is forwarded to ISP from Microsoft’s Smart Network Data Services (SNDS). The SNDS is a service provided by Microsoft which is responsible for analyzing and reporting on spam sent to mail hosted by Microsoft, such as Hotmail, MSN and Live accounts.

      Please note: SNDS reports are created and compiled by Microsoft. ISP does not create these reports nor determine what content is considered spam. Because of this, ISP is unable to request removal from SNDS or provide samples of the alleged spam.

      So I dig into that server and look for anything unusual and I found nothing obviously wrong. I counted up the number of outgoing emails to @hotmail.com addresses. We sent receipts to 114 customers who provided an @hotmail.com address. That doesn't count all of the other domains that Microsoft owns.

      I sent that information back to our ISP, letting them know that we can easily send 100+ emails a day to customers who sign up for services on our site. They didn't reply to my follow-up. So that's the end of that, right? Hah!

      A week later...

      From: abuse@isp.com
      To: admin@customer.com
      Subject: Internet Abuse Complaint -- IP address 1.2.3.4

      Attention Customer,

      There has been a complaint received by our security team indicating that an IP address traced back to your cloud instance has been abused in some way affecting other servers or users. You will find more information in the attached document.

      (Attached Word file:)

      ISP has received reports of unusual mail activity coming from your connection. Over 90% of mail to certain domains is being flagged as Spam. This is likely due to malicious software running on a pc behind your router.

      IP Address: 1.2.3.4
      For period: 1/15/2018 6:00 AM to 1/16/2018 1:00 AM
      Potential Spam Attempts: 105
      Message Recipients: 105

      Okay, I'm beginning to see the pattern here.

      From: quijibo@customer.com
      To: abuse@isp.com


      To whom it may concern,

      The report indicates that we sent 105 emails to Microsoft servers on January 15. As I explained before, we have 10,000 active users on our site, so sending 105 emails to Microsoft servers in a day is not unusual or malicious, and certainly not enough traffic to "affect other servers or users".

      Please provide direct contact information from the originator of these reports so that we can verify what specific activity is triggering the report, or whitelist our IP addresses with ISP's security team so that we do not continue to receive these erroneous claims.

      The response:

      From: abuse@isp.com
      To: quijibo@customer.com

      The report you received is forwarded to ISP from Microsoft’s Smart Network Data Services (SNDS). The SNDS is a service provided by Microsoft... blah blah

      Word-for-word identical to last time. My solution? Prevent users from using a Hotmail email address when they purchase services on our site. Problem solved.

      But seriously, 100 emails sent to Hotmail in one day triggers an alert from Microsoft? And no one at our ISP can comprehend how ridiculously low that number is, and therefore takes that alert as a sign of a compromised server.

      posted in Side Bar WTF
      quijibo
    • RE: Wordpress, you make it so hard to defend you -- or do automatic updates anymore

      Ah, Wordpress... possibly the biggest POS ever made, and the only thing that marketing people "know how to use" (except they don't and I get stuck troubleshooting). Our last marketing "expert" convinced the bigwigs to move our site to Wordpress, and then promptly quit shortly thereafter, leaving us with this POS to maintain. Before that we had static HTML files that developers could edit as needed (and our site is static content anyway).

      Fortunately, I was able to stand my ground and not make Wordpress publicly accessible. It is in a subdirectory with apache only allowing access through whitelisted IPs. We then use a plugin called Simply Static that crawls Wordpress and saves everything as static files, to the directory that apache then serves as our site.

      Our logs are full of bots attempting to exploit what looks like Wordpress, but is not. Plus we don't have to be on the upgrade treadmill, so I can update Wordpress when I have time to go through and check that everything still works. Or never.

      posted in Side Bar WTF
      quijibo
    • RE: Mozilla Rebranding Or: How to Waste Several Hundred Thousand Dollars on Awful Graphic Designs

      This whole debacle reminds me of what happened when, out of the blue, one government tried to ask citizens to vote for a new license plate design. They thought that they were being all trendy by having an online poll so that everyone could get involved in choosing their favorite design.

      And then that plan blew up in their face... first by those asking why we needed a new design (and all options removing a cherished local symbol), and then by asking why the only designs were those created by 3M, when instead the project could have been put out to tender for local design companies.

      In the end they promptly dropped the whole idea and just added a digit to the current plates, the sensible choice.

      http://www.cbc.ca/news/canada/edmonton/alberta-licence-plate-redesign-scrapped-1.2770710

      posted in Side Bar WTF
      quijibo
    • RE: Lime scooters

      I read the story below the other day. Before this I had never heard of the scooter craze. It caught my attention because of the (to me) obvious hoarding that will happen from the "extra incentive" to find lost scooters and eventual fighting to pick them up before someone else does.

      Also, I can't imagine anyone could make money charging these things in the vastly suburban area where I live. I suppose if the density of scooters is high enough it makes sense to drive around and pick them up, but my first assumption was that after gas for a truck or van and the wear-and-tear from the extra mileage that $5 per scooter must be close to break-even for the contractors.

      Taylor Lorenz  /  May 20, 2018  /  Technology

      Electric Scooter Charger Culture Is Out of Control


      “Bird hunting” has become a pastime and a side hustle for teens and young professionals, but for some it’s a cutthroat business.

      posted in Side Bar WTF
      quijibo
    • RE: Meanwhile, in B*****M: Luc Rectum

      This reminds me of a similar incident over a custom license plate:


      ‘Grabher’ licence plate court battle postponed until next year | Globalnews.ca


      Lorne Grabher has been trying to reinstate his personalized licence plate since it was revoked in 2016 by the Registrar of Motor Vehicles following an anonymous complaint.

      posted in Side Bar WTF
      quijibo
    • RE: 🐧 Lunix

      Meh. Just another n00b completely misunderstanding "the" (or "a") UNIX philosophy.

      Having one program per task that does its task well does not mean that programming magically becomes easy. Other important benefits include modularity of code (in days when everything was C or assembly and not object oriented), and the ability to understand each piece very well. (Think from a sys-admin perspective who can understand that grep, sort, and uniq all do exactly what they are told and nothing more.)

      And in the case of shell scripts, you don't need -print0 or -0 to handle spaces in file names. That is more for unicode characters and other odd cases. In Bash setting IFS=$'\n' works just fine to split the output of a program by newlines only and not spaces.

      Like any language, you can mess yourself up in shell scripts if you don't think and understand the limitations of piping one program to another. You need to split file names by newlines or null characters, quote file names that are passed as arguments to programs that you call, etc. No different than knowing that you need to use parametrized statements in SQL.

      posted in Side Bar WTF
      quijibo
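An added example (not from the post above, and not the forum's code) that contrasts the three ways of iterating over `find` output the post mentions: default IFS, IFS set to newline only, and NUL-delimited with `-print0`. It builds its own scratch directory with awkward file names; the helper names are invented for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the forum post: count how many of four awkwardly
# named files each splitting strategy actually reaches. Helper names are
# invented for this demo; the scratch directory is constructed inline.

# Constructed sample: four files, two with spaces and one with a newline
# in its name. Prints the directory path.
make_samples() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/plain.txt"
    : > "$dir/has space.txt"
    : > "$dir/two  spaces.txt"
    : > "$dir/line1"$'\n'"line2.txt"
    printf '%s\n' "$dir"
}

# Default IFS (space, tab, newline): every space in a name starts a new
# word, so most of the resulting words no longer name an existing file.
count_default_ifs() {
    local dir=$1 n=0 f
    for f in $(find "$dir" -type f); do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# IFS=$'\n' as the post suggests: spaces are preserved, but a newline
# inside a name still splits it into two bogus paths.
count_newline_ifs() {
    local dir=$1 n=0 f
    local IFS=$'\n'
    for f in $(find "$dir" -type f); do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# find -print0 with read -d '': NUL cannot appear in a path, so every
# name round-trips intact, including the one containing a newline.
count_nul() {
    local dir=$1
    find "$dir" -type f -print0 | {
        n=0
        while IFS= read -r -d '' f; do
            if [ -e "$f" ]; then n=$((n + 1)); fi
        done
        printf '%s\n' "$n"
    }
}

demo() {
    local dir
    dir=$(make_samples) || return 1
    echo "default IFS : $(count_default_ifs "$dir") of 4 files reached"
    echo "IFS=newline : $(count_newline_ifs "$dir") of 4 files reached"
    echo "find -print0: $(count_nul "$dir") of 4 files reached"
    rm -rf "$dir"
}

demo
```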
    • RE: EU wants to filter code

      @timebandit said in EU wants to filter code:

      Like most politicians, the sum of their knowledge about software is E_DIVISION_BY_ZERO

      So very large when approached from the right?

      See: Asymptote

      posted in Side Bar WTF
      quijibo
    • RE: For security purposes, customer service needs to see your password

      For a while Sirius Radio did that (and maybe still do, I don't know). About 10 years ago I called their tech support because my username and password for the Internet radio access weren't working. The person on the phone helpfully read out my username and password to check if that was what I was using to log in. Yikes. And that's why I always try to use my least secure password first when signing up on unimportant websites.

      posted in Side Bar WTF
      quijibo

    Latest posts made by quijibo

    • RE: CloudFlare down. Again.

      @Gąska said in CloudFlare down. Again.:

      @dfdub said in CloudFlare down. Again.:

      AFAIK, every jurisdiction on this planet has accepted the fact that there's no such thing as bug-free software.

      And to be honest, I hate it. When a civil engineer fucks up building construction, he's liable for everything that goes wrong due to it. Software developers should be too, to some extent.

      Actually... they don't seem to.

      Honestly, I've been hearing that statement for my whole career, except I also have an interest in the construction industry and see so much crap all the time (that doesn't kill anyone, so sure, but unsafe buildings). Since that story came out I've been bringing it up as a good counter-example of how our perception of engineering is changing too.

      Of course, maybe I will be proven wrong if some combination of the engineering company that made the design, the other engineering company that was supposed to verify the math, the contractor that saw the cracks, or even the DOT inspector that saw the cracks that morning and ignored them, are prosecuted. And then maybe my faith in humanity will be partially restored...

      posted in Side Bar WTF
      quijibo
    • RE: From the department of forgetting to renew certificates

      @levicki said in From the department of forgetting to renew certificates:

      It's not even a security risk, it's just executive wankery.

      Except it is a security risk to not have signed addons because a) malware can change unsigned addons and you won't know it and b) sites can trick you into installing (or other malware can drop it in your Firefox install) addons which can steal your private data (passwords, credit cards, etc) and Firefox won't know to disable them because they weren't released through the proper channel (weren't signed).

      Then you reverse it when you renew your damn certificate.

      That's two builds to make, test and release on CDNs for little benefit except to placate a few angry users of a free, unsupported, product.

      And just as important (or more-so), now there is a build of FF out there that will forever not check for signed add-ons. Other sites can archive it and keep distributing it, or someone may never update their FF after that version for any number of reasons. So the intermediary release is far from a "temporary" fix. That idea is a big security no-no!

      posted in Side Bar WTF
      quijibo
    • RE: Automation!

      @kazitor I think you missed the part where the "developer" dictated the contents of that page on microcassette and the secretary misunderstood "32" as "3-Q".

      posted in Side Bar WTF
      quijibo
    • RE: Good article on the root of Windows quality problems

      @Zmaster said in Good article on the root of Windows quality problems:

      Frankly, the article assumes too much stuff IMHO and seems to just say “they’re not unit-testing their code”.
      Some things are easy to unit test, but race conditions, drivers, integration between different systems are a different story. I’m not saying unit testing is a bad idea, it just won’t get you 100% covered.

      Bang on. Also, what happens when Team A creates all of those great unit tests and later Team B commits something that breaks the tests, but no one on Team B has enough in-depth knowledge to update Team A's code (say with new APIs or necessary API changes due to a flawed design earlier)? I've seen that happen before.

      Instead of being worried about "speed" and "number of unit tests", the real problem here is that management either doesn't care to stop deployment of highly broken code or those who know about it don't have the authority to say it isn't ready yet. Marketing promised the release of the great new shiny and no matter what the shiny will ship on time.

      posted in Side Bar WTF
      quijibo
    • RE: Google Authenticator API - like dragons, for cans

      @PleegWat Yes, I agree that storing passwords on a dedicated security device would be better. However, my assumption is that my home PC is secure enough to work with the unencrypted data. (If that was not the case then there are other larger issues like how to set up the password database securely in the first place.)

      Rather, my idea was to protect against someone with a copy of the encrypted file from brute forcing the master password. Requiring a 2048-bit GPG key along with an "okay" master password accomplishes that as long as I have the security device with the GPG key with me.

      posted in Side Bar WTF
      quijibo
    • RE: Google Authenticator API - like dragons, for cans

      @Parody said in Google Authenticator API - like dragons, for cans:

      There are a couple of plugins for KeePass for Windows that give OTP functionality, in both the "you must provide an OTP from somewhere else to open the database" ...

      What exactly does that protect the database from?

      I did some searching to see if my new security key could be used to add 2FA to my KeePass database and by the end of that I was convinced that having OTP in KeePass (or for any static file) makes no sense. For example, if OTP changes after each use, then the static file must be re-encrypted with the next OTP to be able to open it next time. However, if a bad guy has an older copy of the file then the previous OTP that was used to open the file would be forever usable, which defeats the purpose of a one time password.

      The closest (and possibly best) idea that I can think of is to use the GPG key on my security device (along with a password) to encrypt the database. That creates a 2-factor system because the security device never discloses its GPG key and needs to be present to open the file, but this is not an OTP.

      posted in Side Bar WTF
      quijibo