Almost got owned by a fake CNN today. =[

August 6th, 2008

Every few years, a malicious email nearly gets past my years of automatic defenses and skepticism about stuff I get in my inbox. Today, I was one click away from getting owned. I’ll write about it to make sure my readers don’t also fall for the scam.

I got an email in my inbox with the subject line “CNN.com Daily Top 10”. I’m a CNN reader, and I imagine so are a large proportion of Internet users. In the email, there are a bunch of broken images and links that look pretty normal as far as HTML email newsletters go, especially considering the couple of years behind the curve that CNN has typically been.

Email as it appeared in my inbox

The payload wasn’t in the email itself - the email contained links to “Top 10 stories” and “Top 10 videos”, and of course, your eyes skip past all the other stuff to the content, and if you just glance, these look mostly plausible, or at least resemble the schlock that makes up news entertainment these days. The kicker is that the top video is really disturbing - “US Beef Unsafe for Consumption”. If you’ve fallen for everything else so far (again, not a big stretch, there aren’t attachments or weird spam-like bits of language, and the style is on par for the subject), then you’ll click on the link.

This is what you see when you get there. The js pops up after load.

The link takes you to a CNN Video lookalike page with a flash widget which pops up a Flash upgrade request. Again, this is something your average Internet user is used to seeing and consenting to without thinking. If you hit Cancel (which I did, as I often find this annoying enough to give up and not bother watching the video content), then it puts you in a loop with another error message until you hit OK. Internet users are used to poorly written javascript doing this kind of thing, so they might consent as well just to break the loop.

Behaves kinda like an idiotic website bug, so you might ignore this too.

Once you hit OK, if you’re using FF it’ll prompt you to download a file called getflashupdate.exe, which looks pretty normal as well.

If you’re like me, you just got here because you’re annoyed and want to jump out of the seemingly benign javascript alert box loop. However, I finally noticed one (of many, to be sure) small clues that revealed the nature of the scam. The URL of the download surely wasn’t CNN’s. Once I hit cancel, the flash widget told me that I was using Flash Player 0.

Flash installers tend to screw up pretty often, so once again the scam tries to imitate known behavior.

Altogether, there were numerous cues that I could have observed at any time to figure out what was happening. For one, the From: email address was fake looking. The URLs in the javascript alert boxes were also fake. The URLs for every story in the mail were identical. I know that I’ve viewed Flash media before without trouble.
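The cues just listed can be checked mechanically before anyone clicks. The script below is an added example, not code from this post: it parses a raw message, pulls every link out of the HTML body, and reports whether the sender is off the expected brand domain, whether every story link is the same URL, and whether links point off-domain or at a bare IP address. Both sample messages are constructed (the sender address and the 203.0.113.7 host are made up), and the expected domain is passed in as a parameter rather than guessed from the subject line.

```python
"""Mail-side checks for the cues described above: sender domain, identical
story links, and links that leave the expected domain or go to a bare IP.
Added example; the sample messages are constructed, not the real mail."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def same_site(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def is_bare_ip(host):
    """True for a literal IPv4/IPv6 host instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw_email, expected_domain):
    """Return the cues found in a raw message that claims to come from expected_domain."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    hrefs = collector.hrefs
    hosts = sorted({(urlparse(h).hostname or "") for h in hrefs})
    return {
        "links_found": len(hrefs),
        "all_links_identical": len(hrefs) > 1 and len(set(hrefs)) == 1,
        "sender_off_domain": not same_site(sender_domain, expected_domain),
        "hosts_off_domain": [h for h in hosts if not same_site(h, expected_domain)],
        "hosts_bare_ip": [h for h in hosts if is_bare_ip(h)],
    }


def suspicious(report):
    """Any one of the cues the post lists is enough to stop and look closer."""
    return (report["all_links_identical"] or report["sender_off_domain"]
            or bool(report["hosts_off_domain"]))


# Constructed sample resembling the message described in the post: a look-alike
# sender and a single off-brand URL behind every headline.
FAKE_NEWSLETTER = """\
From: "CNN Alerts" <alerts@cnn-daily-top10.example>
To: reader@example.org
Subject: CNN.com Daily Top 10
Content-Type: text/html

<html><body>
<h2>Top 10 stories</h2>
<a href="http://203.0.113.7/cnn/video.php">Story 1</a>
<a href="http://203.0.113.7/cnn/video.php">Story 2</a>
<a href="http://203.0.113.7/cnn/video.php">Story 3</a>
<h2>Top 10 videos</h2>
<a href="http://203.0.113.7/cnn/video.php">US Beef Unsafe for Consumption</a>
</body></html>
"""

# Constructed benign counterpart for comparison: on-domain sender, distinct links.
REAL_NEWSLETTER = """\
From: "CNN Newsletters" <newsletter@cnn.com>
To: reader@example.org
Subject: CNN.com Daily Top 10
Content-Type: text/html

<html><body>
<a href="http://www.cnn.com/2008/story-one">Story 1</a>
<a href="http://www.cnn.com/2008/story-two">Story 2</a>
<a href="http://money.cnn.com/2008/story-three">Story 3</a>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_NEWSLETTER), ("benign", REAL_NEWSLETTER)):
        report = analyze(raw, "cnn.com")
        print(label, "suspicious" if suspicious(report) else "ok", report)
```

The identical-link check is the cheapest of the three and catches exactly the pattern described here: a real newsletter links each headline to a different article, while a lure only has one landing page to send you to.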

However, for all the cues that were available, the writer of this exploit put in an amount of effort into crafting an authentic-feeling damnit-I-have-to-upgrade-Flash-again experience for an average Internet user that nearly fooled me. If it hadn’t been for my tendency to give up on content rather than install yet another Flash upgrade, I might have been caught hook, line, and sinker.

The owner of the website appears to be Brazilian, and the content looks fairly authentic, so I suspect this is an owned webserver in Brazil being repurposed to distribute a rootkit.

The last time I got nabbed was by the “I Love You” virus, which just happened to come from the name of my favorite Aunt, so it was pretty unlucky for me. Sure, I should have known better, but I’m a human, and we’re all susceptible to these kinds of attacks. I guess every time the attackers advance in their approach, we become better in our defense. It’s just too bad that they’re the ones in the natural position to change where the battlefront lies.

Done It Before, Stupid

July 30th, 2008

One of my least favorite parts of working in the software industry was the inevitable backlash involving various parties making smug remarks about how it’s all been done before.

I think we can partially blame the braindead mentality of DRY criticism, where people get a Pavlovian kick out of trying to identify places where other people are messing up because, obviously, they are just repeating work that has already been done.

We can also partially blame the exploited patent system for enabling a view where software concepts can be claimed for power and profit. Some people in large corporations take this view inside the company, where they are likely to feel slighted if a new product seems to be close to some idea that they remember thinking about or being in a meeting about five years ago. Some people make it their full-time job to seek out people who are working on ideas similar to their own and harass them until they get their perceived due.

In software, there’s really no way to earn knowledge without writing code yourself. So please give people a break when they’re jumping through well-worn hoops, oblivious to existing codebases or ideas.

If you’re not looking back at your old code or approaches with some sense of embarrassment at improvements missed, then you haven’t grown as a creator since then. To think that previous work is unimpeachable is awfully haughty, and is a good sign that you’ve become a Crusty Old Dude(ette), or some weird profit-mongering litigator.

So, instead of hopping on the Done It Before, Stupid bandwagon, what would be more helpful?

  • Use the Socratic method (ask questions) about specific technical challenges that were particularly challenging to previous attempts at a problem set.
  • Contribute old test suites, datasets, or programs if they’re close enough to help ensure that any new solutions get written as efficiently (or more efficiently) than old ones.
  • Check out the new approaches with an open mind and try to find out what’s substantially different or new about it.

Anyway, that’s my little rant about people who claim D.I.B.S. (nudge nudge, wink wink) on ideas.

Some Ado about Scrumjax

July 18th, 2008

I really enjoyed this Dadhacker post. I got confused by all the other comments so far, so I’m going to ignore them and just mention the point that I think resonates with me. :)

Whenever I have some really hard problems in my mental heap, I probably spend a ratio of 4:1 subconscious processing to conscious processing. That’s kinda how I justify all the time I spend running around the web, doodling, woolgathering, drawing out ideas on paper, etc. Most days when I was forced to do this, I would pick one or two small bugs to fix so I’d at least have something to talk about at the daily meeting. It’s more or less impossible to tell everyone what my subconscious has been working on the last day. At the least, I always felt somewhat intellectually dishonest when trying to report activities that have their roots in some portion of creativity as well as mechanical work.

The main benefit of talking regularly is available if um, you talk regularly, but I think the main appeal of Scrumjax is to have stuff to report up a chain in a medium to large sized group of programmers that don’t really talk with each other naturally.

Sysadmins and Charlatans

July 15th, 2008

I’ve known my share of sysadmins who held some measure of belief that the more secrets they kept to themselves, the more secure their job was. It’s a belief held amongst a good portion of bad sysadmins, and unfortunately for them, it usually restricts their career more than it ever helps. Clinging desperately to power, a bad sysadmin like this will hoard information like Gollum to the Ring, and attempt to undermine anyone knowledgeable who comes near.

A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday. [...] Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn’t work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

- SFGate

This guy has taken his particular brand of sysadmin paranoia all the way to jail. If I were a betting man, I’d say that there’s no way this kind of person was intelligent enough to truly do enough to lock everyone else out, and someone with some real skills will actually resolve the predicament for the city in no time.

How does someone like this get so far into a position of power?

Typically, it’s by becoming a false prophet of IT, filling the ears of superiors and colleagues with bullshit simply because they don’t know any better. If a guy like this gets in a company at the ground floor, how is a nontechnical person going to realize that the sysadmin who seems so smart is really stunting the growth of the firm? I’ve even seen cases where sysadmins just flat-out lie about their work and spray a fusillade of jargon anytime they’re questioned about it. This tends to fool the below-average CTO and technical boss as well.

The unfortunate truth is that once someone like this gets power, it’s essentially poison for the entire technical side of the company. To make things worse, the kind of person that would hire someone like this is your average non-technical entrepreneur, who is impressed by jargon and confidence and might not know the difference. So I’ll go over my personal spotting guide to good and bad sysadmins below.

In my consulting and work history, I’ve come across the Bad Sysadmin personality type more times than I’d like. The typical signs are refusal to document work, an excessive amount of jargon, hiding for large amounts of time in obscure projects, and a tendency to look at people as either allies or enemies. A huge indicator is a refusal to verify backups (usually it’s because they lied about making them). These people tend to cost more to a company than they’re worth for the rudimentary technical skills they can employ. Many of them are completely incompetent, and they use these techniques as a smokescreen to hide their deficiencies. Generally, the Bad Sysadmin will be incomprehensible to the average person, mostly because they have no true interest in sharing knowledge. Instead, they prefer to wield their limited knowledge as a weapon in order to appear infallible, instead of using their actual work to justify their existence.

A Good Sysadmin, on the other hand, will be happy to verify or give an update on their work for you. In fact, they’ll be thrilled that anyone’s actually interested in what they do at all. They’ll have strong attention to detail, and a desire to keep things well-organized and documented for their own reference and for others. They’ll typically try to avoid jargon, and will try to explain things in layman’s terms. They might be very proud of things that nobody else understands, but if someone genuinely is interested, they will make the effort to translate. If they don’t know how to do something, they’ll go Google it instead of trying to bullshit you. They won’t be overtly political, instead hoping for someone above to help them with their career. Generally, these sysadmins tend to be deeply involved with their work, and unfortunately are usually less visible in an organization than the noisy, political type. It’s not uncommon to find one Good Sysadmin quietly doing all the work in a group of Bad or just plain Incompetent Sysadmins.

I’ve seen too many of the bad ones, and too few of the good ones in my career. If you’re in a position of technical responsibility, please make sure to cultivate your own sniff test for Bad Sysadmins. It could save you from a long period of IT hell.

FlashcardExchange is Neato

July 11th, 2008

It’s a fairly frequent experience for everyone to come across an existing application of an idea they’ve had on the backburner for a while. However, it’s pretty rare to find one done so thoroughly and well that it’s just completely unnecessary to go and do it yourself.

FlashcardExchange does a lot of cool stuff that I wanted to build myself in a flashcard application. Among them are shortcut keys for navigating through decks of cards quickly, special self-testing systems such as incorrectly-answered only and even the Leitner file technique, and most importantly, the ability to share and search through existing sets of cards.

Really, the only thing in my vision that isn’t present on this or the other flashcard sites is the strong subdivision of flashcard sets by college or school class. However, I can see how making the site appeal more to generic collections of knowledge is particularly helpful in making it useful to the general public. Kudos to Culley Harrelson and FlashcardExchange for a job well done!

The Fall The Movie Dot Com

June 26th, 2008

Except for the ridiculous domain name, everything else about The Fall was incredible. Thanks to Neil for the recommendation. I had an inkling that I’d love it when I saw the trailer; I’m a sucker for heavily stylized dream sequences. I kept getting more and more engrossed in the film as I was watching it, and I came away extremely impressed with the realization of this plot.

Trying not to spoil the movie is difficult; the basic premise is that a young girl with a broken arm befriends an injured man in a hospital, and he recounts an epic tale to her about several travelers throughout the film. Her imagination is rendered vividly with gorgeous, thrilling dream sequences, and reality and imagination blend in the way that reminds the audience of the vastly different world we inhabited as children.

The dream story is designed so colorfully and beautifully that it’s hard to describe. The most strikingly rendered details were those which were re-imagined from the viewpoint of the imagination of a child only partially familiar with the world of adults and the English language. In one scene, a group of secondary characters is said to have been found tortured and hung (oh yeah, this movie can be pretty dark). In the dream sequence, they are found roped together attached to the ceiling, hanging from the waist down as part of a macabre chandelier.

The darkness of this movie does not belie its inspiring effect on the audience that makes it through. This is a movie that makes you wonder if the creators have gone too far; placing a child in a role where she must deal with darkness in a way that is completely out of bounds for the moral preferences of modern America. Although this tack may have been responsible for its lack of widespread distribution, I believe the underlying message is surprising; that the imagination and love of a child is stronger than the darkness of growing up. And with that, I believe that I should give you my recommendation to go see this movie in the theaters before it is gone.

Sometimes, Your Problem Is Not Covered in the FAQ

June 16th, 2008

I’ve been having very odd intermittent problems with the Lift-Master garage door opener where I live. On the occasional hot afternoon, it has refused to close. It would click several times, and sometimes pop down and up. However, the problem invariably resolved itself after a half hour or so, which led me to believe that yet another deity of mischief had found his way to my dwelling. At first, I thought it was an overheating issue. I also found some clues in a forum, but they all sounded so complex. I read in the FAQ that the behavior is normal IF an obstruction is detected in the path of the sensors.

I looked into them, and had some trouble seeing one of the LED’s, because it was so bright, but sure enough, it looked fine. There were some spiderwebs near the sensors, so I swept those up, but no dice. Hmm… intermittent problem, behavior is similar to a sensor detecting an obstruction, and it only happened so far on hot summer afternoons.

A head-slapping realization came to me quickly, and I turned around to confirm the hunch. That LED that I couldn’t see because it was so bright happened to be in the direct path of the fiendishly aligned afternoon sun. At this precise time of day, that LED was just as bathed in direct sunlight as the sensor was. To test my theory, I stood outside the garage, blocked the sunlight with my silhouette, and hit the remote. The door closed with satisfaction. Or, more likely, I imagine that the door closed with contempt, as I walked away in satisfaction. It was kind of an Indiana Jones moment, realizing that fate has conspired to make an unusual alignment of cosmic rays interfere in your life in a very surreal way.

Legacy Rails Projects?

June 9th, 2008

This post is a question addressed to the Rails folks who read this blog:

In the event that you were asked for help to work on a legacy Rails project from a while back (say, the pre-1.2 days), how would you even begin to find out how to port the thing to a modern version? What are the compelling reasons to do so? I’m not really a Rails or Ruby developer by trade, so basic advice is still appreciated.

If the decision is made to just stay with the legacy version to keep it quick, I guess there’s no real way to get any documentation from a specific version? If so, that seems to be a real drag on maintainability of real-world projects that get built and left alone for a while.

Marketing via Myth?

May 27th, 2008

Disclaimer: I really know nothing about marketing. This is some simple woolgathering by a curious tyro.

For a while now, this post by Scott Ruthfield has had me pondering how a company makes its customers feel like its products are living, adapting, and growing things. Scott observed something in friends’ attitudes about the iPhone which he describes as an "implied upgrade". He and his friends who bought iPhones believed and expected that they would be upgraded as time went on, despite all experience to the contrary with other cell phones bought from other companies.

When I talked to others, they were sure of it too. They were waiting for the announcements of this or that new feature, and we all assumed that our phones would get it. Why did we all think our phones would be upgraded? Something “told” us that. Maybe it was the unconscious reaction to the iPod firmware update process inside iTunes; maybe it was a belief that Apple “got it”; maybe since this was more like a computer and computers get free upgrades… but they don’t. For some reason, we believed in an upgrade.

In light of his interesting observation, I’ve been trying to understand how a company like Apple can release a product without having to promise future upgrades, or detail all of its features exhaustively in advance, yet we expect that when we purchase the product, we’ll get everything we’ve seen in the commercials, and more. I would definitely characterize Apple’s products as somewhat mythical, in that its customers seem to propagate its perception in a way that goes beyond what the company actually states. I think that this is sometimes referred to as the “reality distortion field” around Apple.

Now, the reason I dredge this up is because I’m personally interested in seeing whether there is a viable alternative to focusing on promotional channels when considering how to market a new product. I’ve seen marketing plans that list conference blitzes, promotional clothing and accessories, mainstream media promotion, etc., all in an attempt to show to upper management that someone, somewhere is thinking about marketing. I guess the rationale behind that is that it actually seems like marketing effort, but I always get the ugly feeling that concentrating on distribution of a message without worrying about the message is a giant waste of time.

Maybe it’s my lack of experience with this sort of thing, but I’d like to see marketing plans that spend all their time talking about the way in which you mention, discuss, present, or show off a product that treat it more like a mythological creature than a piece of static hardware or software. A good part of the equation is possibly to create well-designed, well-implemented products, and continually improve and upgrade them in a timely manner, and sometimes for free. But in addition to that, there may be a special way to treat product development and marketing in a company that asks consumers to plunk down a big wad of cash without worrying too much about the next model down the line.

Getting the J2EE Duke’s Bank Example running on JBoss-4.2.2.GA

May 12th, 2008

This was annoying, but understandable. The tutorial “patch” to the Sun J2EE-1.4 tutorial, distributed by JBoss.org, is difficult to find [it's a zip inside a zip, here], and also needs some additions to its classpath to get a correct compile.

For the good of the internet, here’s what to do:

  • Unzip the startguide40.zip package.
  • Move jbossj2ee-src.zip into the j2eetutorial directory.
  • Chdir into that dir.
  • Unzip the jbossj2ee-src.zip.
  • After it’s unzipped, edit jboss-build.properties, and put the location of your jboss install in jboss.home
  • Go to examples/bank/.
  • Edit jboss-build.xml, and modify the build.classpath to appear as follows:
   
    <path id="build.classpath">
        <path refid="client.classpath"/>
        <fileset dir="${jboss.server}/lib/">
            <include name="javax.servlet*.jar"/>
            <include name="jboss-j2ee.jar"/>
            <include name="servlet-api.jar"/>
            <include name="jsp-api.jar"/>
        </fileset>
    </path>
  • Edit src/com/jboss/ebank/WSClient.java, and look for the import lines re: ServiceFactoryImpl and ServiceImpl. Modify them to look as follows:

    import org.jboss.ws.core.jaxrpc.client.ServiceFactoryImpl;
    import org.jboss.ws.core.jaxrpc.client.ServiceImpl;
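The steps above can be scripted so the same fix is repeatable on the next machine. The script below is an added example, not part of the JBoss tutorial or this post: it wraps the two file edits (the jboss.home property and the two WSClient.java imports) in shell functions, and runs the unzip and move steps only when JBOSS_HOME is set. It assumes startguide40.zip unpacks to a j2eetutorial directory as described above; the original package the imports came from is not known, so the sed patterns match any package ending in those class names. The build.classpath change in jboss-build.xml is left as a manual edit.

```shell
#!/bin/sh
# Added helper (not from the JBoss tutorial or the post): scripts the file
# edits from the steps above. Paths and property names are the ones the post
# gives; the original content of the edited files is assumed, not known.

# Point jboss.home in jboss-build.properties at the JBoss install directory,
# replacing an existing line or appending one if the key is absent.
set_jboss_home() {
  props="$1"
  home="$2"
  if grep -q '^jboss.home=' "$props"; then
    sed -i.bak "s|^jboss.home=.*|jboss.home=$home|" "$props"
  else
    printf 'jboss.home=%s\n' "$home" >> "$props"
  fi
  rm -f "$props.bak"
}

# Rewrite the ServiceFactoryImpl / ServiceImpl imports in WSClient.java to the
# org.jboss.ws.core.jaxrpc.client package, whatever package they came from.
fix_wsclient_imports() {
  src="$1"
  sed -i.bak \
    -e 's|^import .*\.ServiceFactoryImpl;|import org.jboss.ws.core.jaxrpc.client.ServiceFactoryImpl;|' \
    -e 's|^import .*\.ServiceImpl;|import org.jboss.ws.core.jaxrpc.client.ServiceImpl;|' \
    "$src"
  rm -f "$src.bak"
}

# The full procedure runs only when JBOSS_HOME is set, so the functions above
# can be sourced and exercised without the zip files present.
if [ -n "${JBOSS_HOME:-}" ]; then
  unzip -q startguide40.zip
  mv jbossj2ee-src.zip j2eetutorial/
  cd j2eetutorial
  unzip -q jbossj2ee-src.zip
  set_jboss_home jboss-build.properties "$JBOSS_HOME"
  fix_wsclient_imports examples/bank/src/com/jboss/ebank/WSClient.java
  echo "Remaining manual step: edit build.classpath in examples/bank/jboss-build.xml"
fi
```

Run it from the directory holding startguide40.zip and jbossj2ee-src.zip with JBOSS_HOME pointing at the jboss-4.2.2.GA install; sed -i.bak is used because plain -i differs between GNU and BSD sed.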

After that, hopefully the instructions will work. My understanding is that versions of JBoss-4.2X are backportings of popular 5.X features, and they’ve probably ceased updating the Getting Started guides while work is prioritized on the 5.X branch. No harm done, I suppose.