Monthly Archives: March 2012

Mad Men, Breaking Bad, and Chekhov’s Gun (Updated)

Posted on by
Reply

UPDATE (April 9 2012): It has just been brought my attention that Mad Men will run for seven seasons total, not five as I previously thought. Any predictions made below regarding Mad Men, while certainly still possible, are subject to change. I will revisit them once season 6 ends (assuming the show has not gone down the toilet by that point). Breaking Bad remains firm.

Last year, I discovered two shows that coincidentally were both broadcast on the AMC network: Mad Men and Breaking Bad. Both are absolutely amazing, and I would be kicking myself for waiting so long to watch them if I wasn’t so busy enjoying them.

One thing I applaud the writers and producers for is intentionally limiting the series — both will be entering their fifth, and final, season this year; This was a planned demolition, so to speak, and the shows will die in a dignified and respectable manner, unlike some shows that have taken on an almost undead / Frankenstein’s monster type feel. (*coughSimpsonscough*)

One nice thing about a tightly-run series is that it becomes a lot easier to make predictions about the direction the show is going based on character arcs; sort of a derivation of Chekhov’s Gun. My idea is that skilled writers will resolve the characters naturally to let them make their landings, gracefully, in turn. Continue reading

Tales from of a base64 WordPress Hack, part 4: dissection

Posted on by
1

Got hit again, briefly. Was able to recover very quickly thanks to the Git repos I had set up previously. I found a couple extra backdoors, using some alternate obfuscation methods. Instead of the typical “eval(base64_decode(” the attacker instead took an existing file, commented out all the code, and interwove a series of variable assignments.

I think it’s a good thing to know the enemy, and the more we know about both (a) what they are doing, (b) what they are CAPABLE of doing — the better we can both recover and detect / identify future attacks. I’ve decrypted their backdoor application and pasted it below (after the jump), with some commentary.

It looked like this:

Continue reading

One more week

Posted on by
Reply

My phone rings; a trip-hoppy ringtone reminiscent of Thievery Corporation.

“Hello?”

“No, I don’t want to.”
“Talk to Daddy”
“I want to talk on the puter”
“Here, talk to Daddy.”

*a few moments of static*

“Hello?”

“Hello?” I said, with a smile in my voice, “Hi Sullivan!”

“I love you, Daddy.”

“I love you too, Sullivan. Guess what! I’m going to see you in one week!”

“What?”

“Seven days; I’m going to see you in seven days. Then we’re going to get a big truck, put all your things in it, and we’re going to move you up here to Ithaca!”

“Ok. … Bye!”

“Bye, Sullivan. I love you.”

*a few moments of static, then the phone hangs up.*

Tales from a base64 WordPress Hack, part 3: prevention

Posted on by
2

(See parts one and two for background information.).

My sites are almost fully recovered. I’ve ditched the old fancy theme in favor of a more austere default theme that turns out to have some pretty nice features. I like minimalism anyways.

It turns out that the culprit was a vulnerability in timthumb.php. If ANY of your themes, even one you don’t currently have active, happen to use this script, please ensure that you download the latest version of timthumb.php and replace all instances on your server with that new version. It was quite common, particularly among so-called “premium” themes, and many themes that used image rotators on the homepage. Also, backup all themes on your site to your local computer, and then delete all themes you are not actively using on your blog. No reason to introduce any additional vulnerabilities.

In the aftermath, I have been able to implement a few solutions to help prevent this from happening again. I actually already had one relapse, but recovered in minutes. Here they are: Continue reading

Authenticating against WordPress in Rails 3

Posted on by
Reply

So I’m working on this Rails app for Melissa. It’s kind of a secret, but it’s pretty neat. She demoed it at a webinar and it was received well. :)

One problem I’ve encountered is that her main website that manages subscriptions and users is in WordPress. Users will register with that main website and may or may not have access to the Rails application, separately (depending on their subscription level). What I needed was a method to handle User Authentication in Rails that slaves to the subscription / account information held in WordPress. Ideally, this should all keep with the DRY principle to make it nice and Rails-y.

I wanted to avoid using any messy and potentially unsecure session cookie sharing, and I also wanted to avoid doing any database shadowing. I suspected that since all the data is up on databases on the same server, I should be able to just query it out, right?

Right! Continue reading

Restrictions and Creativity

Posted on by
3

Years ago, I read an article by the Lead Game Designer Mark Rosewater wherein he explained that (paraphrasing) “restriction create breeding grounds for creativity“. His exact words were:

["Rules are obstacles to creativity"] is probably the biggest myth that causes people to lash out against the rules. The problem is that this myth is based upon a false assumption. People like to believe that a world of infinite choices is more conducive to creativity than a world of finite choices. Essentially, the more choices available, the more chance for creative thought.

Unfortunately, scientific exploration into the means of creative thought has proven this not to be true. Testing has shown that restrictions actually aid creative thought. How is this possible? The answer rests in the human mind. It turns out that the mind isn’t good at completely open-ended choices. When faced with total freedom of options the brain retreats to known pathways. It simply repeats what worked last time it was in this situation.

This idea, that constraints somehow force us to explore creative space more, is one that has stuck with me ever since reading that article. I had read elsewhere that a coping trick for feeling overwhelmed is to break your mammoth task down into smaller bits and manage those bits little by little, and this is sort of the same principle: our brains are not particularly good at tracking large sets of data.  Continue reading