A few days ago, some researchers announced a novel exploit in the SMTP protocol which they have called SMTP smuggling. There has been some breathless reporting about how it bypasses security measures, will end email as we know it, dogs and cats sleeping together, and so on. However, it seems to me to be something of a tempest in a teapot for the vast majority of server operators, or at least something the vast majority of operators cannot do anything about. (Most servers running an SMTP service are not email service providers.) Anyway, their vulnerability report is here if anyone wants the details from the horse’s mouth, so to speak.
I recently had cause to do some research into ethernet wiring standards as part of a troubleshooting exercise. A quick trip to the Google yielded all manner of information of varying quality passed off as absolute fact. Some of that information is clearly nonsense and I wanted to address some of that. First, I’ll start with some background and then move on with the wiring bits.
So I thought it would be cool to be able to log in to the Alberta government’s “MyHealth” site to get access to various health records. I mean, it sounds useful to be able to see that stuff, right? Well, it might be. If it worked.
Well, I went through the steps to authenticate which involved waiting for a code in the mail and a few other things. That part worked well enough and logging took me to some sort of dashboard with a great big widget to click on to access my health records. So I clicked on it.
I watched my browser step through loading a number of things which isn’t particularly unusual for single sign on type things like a government account thing. And then it landed on a page that proudly proclaimed “OOPS! There is a problem” and noted that I was signed out. It then suggested I should be using Firefox or Chrome or Edge or Safari. Well, I was using Firefox. Okay then. So I tried Chrome. Same thing. So I tried Edge. Same thing. I can’t try Safari since I’m not on a Mac.
The text says “MyHealth Records does not work with your current borwser or operating system.” Okay. So I’ve ruled out the browser being the issue. That leaves operating system. (I’m not using Windows either.) Okay, pop quiz: what the fuck does my operating system have to do with a web site? If you answered anything other than “nothing”, you’re part of the problem.
So. The Alberta government has created a site that’s meant to make accessing health records easy. And they’ve fucked it up to the point that unless you’re using Windows or Mac (as far as I can tell), it doesn’t work.
If you’re reading this and you’re responsible for a major web site, go check your site on an operating system other than Windows or Mac. If it doesn’t work on, say, a modern version of Linux like Ubuntu or Mint, rip your web developers a new one. There’s no excuse for that. Period. And, no. You do not ever need anything that is operating system dependent on your web site. Ever. Especially if your organization is part of a government agency.
So the Government of Alberta has officially taken leave of its senses and signed on to some sort of feasibility study to build a hyperloop between Edmonton and Calgary. I’m calling it now: this will turn into the worst boondoggle in Canadian history.Continue reading “Hyperloop in Albera?
Okay, now that click bait has been achieved, let me start by being perfectly clear: I do not condone racism of any kind, period. Making assumptions about a person based on the colour of their skin or the shape of their eyes or whatever is plain wrong. I had originally written a lengthy diatribe about how Black Lives Matter (BLM) is racist itself among other things but it read like an angry rant so I decided to spare everyone that. Instead, I have a couple of points about the current landscape.Continue reading “Racism and Black Lives Matter”
Good. Now that I have your attention, you can probably go back to whatever you were doing an generally ignore everything I’m about to say. For those of you who stick around and get the reference, yes, I really am referencing the Late Bronze Age Collapse. With that out of the way, on with the wild speculation.Continue reading “The Information Age Collapse”
So the sixth season of Agents of Shield has been underway for a few episodes now. You might have expected the season to take place in the aftermath of the Thanos snap but it seems like that is not the case. This would seem to cause trouble for the timeline with respect to how Shield fits in with the overall MCU timeline given references in the finale of the fifth season. I’m not so sure, however.
Endgame established conclusively the notion of a multiverse in the MCU canon. It also established the notion of branching timelines which is also something that Shield suggested as well, and looks like they have explicitly established it now based on events moving forward. That means that Shield can actually still be in the same continuity as that established by Endgame yet not be in the same timeline.
Endgame established a timeline where Thanos never gathered the infinity stones on account of him leaving that timeline to the future depicted in Endgame where he subsequently died which would seem to preclude him going back where (when) he came from. That means there is a whole timeline where the infinity stones were never collected from their previous locations. It also means that many of Thanos’s ravages never happened which would have some massive knock on effects in the timeline leaving the present basically unrecognizable from the perspective of most of the main characters of the MCU movies. However, those events would likely have had minimal impact on anyone not directly involved in them. For instance, the events of Guardians 1 would not have had any impact on Earth. Even so, references in various episodes of Shield indicate that it cannot exist in a timeline where Thanos did not follow his infinity stone collection quest to its conclusion.
That leaves us with an apparent conundrum. On screen evidence indicates that Shield shares a timeline up to some point near the conclusion of Infinity War. Barring some sort of reveal later on in Shield, that would suggest we need another explanation than Shield being in the “non-Thanos” timeline. I can think of two explanations. One is more compelling than the other in my opinion. I’ll save that for second.
Suppose Shield season 6 really is in the post-snap MCU? But wait! Where is all the fallout? Why was there no mention of it? How come none of the main cast were dusted? Well, considering the main cast all did the time travel thing, they may not actually count as part of “all life” or might otherwise be immune. We don’t know what the consequences of that time travel macguffin actually are. Or maybe one of the weird phenomena that occurred in the Lighthouse had some impact. After all, there is a *lot* of stuff there. Also, since randomness is lumpy, it’s actually not impossible that nobody in the Lighthouse was dusted. And, as far as not seeing the consequences of the snap, well, we don’t see a lot of the world outside the Lighthouse in the few episodes we’ve seen so far. We also didn’t see a lot of it in Endgame so we don’t know what else may have happened in the five year time jump in Endgame that left things the way there were. And, while you would expect some mention of it, they have been rather busy so far. Still, this is a major stretch and doesn’t seem all that compelling so unless Word of God says otherwise, I’m going to assume this isn’t the case.
The other, and more compelling, option is that some sort of butterfly effect thing lead to their timeline having a slight difference in the final battle(s) of Endgame. There were several points where the battle could have gone in the heroes’ favour. Starlord could have not hesitated. Thor could have taken a head shot. That sort of thing. If any one of those things happened, the resulting timeline would have been identical up to the points referenced in the finale of Shield season 5. At that point, things could diverge. This feels like the most satisfying explanation to me so barring some sort of reveal later on, this is what I’m going with in my head canon.
Incidentally, one such reveal that is possible comes to my mind: It may be that the references in Shield season 5 were to some other events that we haven’t seen. It’s entirely possible that much less time has passed on Shield than we think over the past several seasons and that we’re still somewhat pre-snap in the timeline. I kind of hope they don’t use this trick, but it’s not entirely unlikely. I hope they don’t go this way because it still leaves problems for the other Marvel shows. But if the Marvel TV shows are all in a universe where Thanos was defeated conventionally by heroes not screwing up during the final battle(s), then it makes things less complicated and we can just get on with having a multiverse.
Anyway, as I said, my head canon is going with “alternate universe where the Avengers and allies didn’t completely fuck up the final battle(s) in Infinity War” until such time as an alternative explanation is provided. Regardless, though, what we’ve seen so far on Shield season 6 is not really irreconcilable with the MCU movies. There are options. (Actually, the current story arc on Shield could lead to any number of those options.)
I will finish by saying that given that the current season of Shield was in production before Endgame was released, I expect the producers didn’t actually know how things would proceed after the snap so it’s not surprising there are apparent contradictions. Since there is apparently going to be a seventh season, it will almost certainly be addressed then if not before.
So I play Pokémon Go. It’s something to do when I’m out and about on foot. I’ve recently got to the point where I actually care a bit about the relative strengths of my pokémon. To that end, I’ve started using the naming feature to include some details. However, due to the crazy short length limit for names, I have to abbreviate some of the longer pokémon names to fit the extra information in. Continue reading “Niantic Are a Bunch of Morons”
So I was at Walmart today to purchase a couple of things. I encountered some truly dizzying dumbassery in not one, but two places. For reference, this was at the Sage Hill Walmart in Calgary.
First, I was buying cat litter. So I get to the cat liter section and what do I see? Well, take a boo at this:
Not carefully the top of the Slide box. Yup, that’s right. They’ve shoved it onto a shelf whose frontage space is shorter than the box is tall. I wonder what putz thought that was a good idea. To add insult to injury, the next shelf down does have enough space and in the position below, they have one of the smaller sized boxes (like the ones to the right of the Slide box in the picture). Basically, whoever was setting up the shelves is <bleep> stupid.
But remember I said there were two cases? Well, take a look at this one (click on the image for full size so you can actually see the details):
Pay particular attention to the sale tags which read “2 for $3”. You’ll note they list the regular price as $1.67 and also proudly proclaim “Save 34¢ each”. This must be some kind of new math which I have not previously encountered. By my calculation, “2 for $3” means $1.50 each. Compared to the regular price, that is a 17¢ saving on each, or a total saving of 34¢. So, to the geniuses at Walmart, which is it: do I get 2 for $3 or do I save 34¢ each? It can be one or the other. Not both.
In the second case, I wasn’t actually buying the product so I didn’t bother trying to argue with them about it. I also didn’t have time to spend an hour arguing with bored store representatives to get them to understand why it was a problem.
The first problem is actually less problematic than the second one since in the first case, you know that they got the boxes in so there must be a way to get them out. And they had the correct price tags in place. The second one, however, probably has legal implications given that they are advertising two different sale prices for the same item. I wonder how often that particular error pops up (listing the total saving as though it is for each item).
Anyway, the moral of this story is that you should pay attention to price signs in stores. There’s a good chance I could have got that “2 for $3” item for the actual price of “2 for $2.66” which is what it would have to be to save 34¢ on each of the pair.
The other moral is for people who are stocking shelves and people who decide what the shelf layout should be. Make sure you put items on shelves where they can be properly accessed. There’s nothing more annoying that wanting to buy an item and having to solve a puzzle in order to get it off the shelf. That means the shelf needs to have front clearance to easily remove the item from the shelf, including any rotation that would typically occur and space for the customer’s hands. That means you can’t put a six pack of soda bottles on a shelf that has just a couple of millimetres clearance, either, but even that is better than the nonsense depicted above with the cat litter.
Welp, that’s all for now, folks.
Probably nobody is really aware of the recently discovered security flaw in the WordPress core. (See https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ for the official word on the matter.) This flaw affects the wpdb object’s prepare() method and allows for potential SQL injection attacks. Of course, that raises an important question: why are we still getting these types of vulnerabilities in projects like WordPress? Well, I have an opinion on that. Obviously.
Anyway, you can see the technical details of the vulnerability over here. That link goes into more detail than you ever wanted on how the vulnerability works, why it’s a problem, and why it’s due to a fundamental flaw in the API design.
I don’t have anyting of substance to add to that analysis. However, I do want to say the following:
- This is not due to WordPress’s use of PHP. Using another language but implementing things in any substantially similar way would have exactly the same problems.
- This type of problem is not restricted to WordPress. Other high profile projects have been hit with similar API and/or implementation flaws.
- Proper implementation which does proper input validation can help but will not fix fundamental API design flaws.
- Incompetent or ignorant coders will find ways to implement security problems no matter how good your API is. However, that’s no excuse to just throw your hands up and say, “What’s the point?”.
- Even where backwards compatibility is important, it is still possible to implement and deploy a new saner API and then deprecate the old problematic one. Every project with dodgy APIs like the one in this instance should be doing the same thing.
- Rolling your own database abstraction layer is a dumb idea. Especially if the language environment you are using provides one that is reasonably good.
That’s about all I have to say on this matter at this time. I do encourage you to read the detail link above and understand it. It will give you some good insight on how not to design APIs with an eye toward database APIs.