Nature of Man
… nothing that happens to Man is ever natural

18 April 2008, Friday

What I Tell You Three Times is True

Filed under: Uncategorized — Mordred @ 21:32
“A person who does not read good books has no
advantage over the person who can’t read them.”
– Mark Twain

There’s this meme going around the “nearby” blogs - you write about something, usually answering a set of questions, and then you “pass along the challenge” to N bloggers around you. Talk about exponential meme growth. Here’s the ball Frostie passed me:

Name three books …
1. … you have read most recently.
2. … you have bought most recently.
3. … you would reread again.

1.1. Strangers in Paradise, a comic series by Terry Moore. It is hard to describe; I think it is revolutionary in the way people are portrayed in a comic book - realistic to the last detail in both character and appearance. The topics swing from the mundane to the extraordinary, but all confined within a believable frame. It has sex in it, but it’s not about sex. It has relationships, but it’s not about relationships. It has conspiracies, but it’s not about conspiracies. I can’t describe it in any other way, but here’s what Gaiman has to say about it:

What most people don’t know about love, sex, and relations with other human beings would fill a book. Strangers in Paradise is that book. I have long suspected that what people did in private was much funnier than it ever was erotic. Terry Moore obviously thinks so too.

It has 106 issues, so technically I have met the requirements, but I’ll go on because I’ve read other interesting stuff as well :)

1.2. Freakonomics. It’s a book on how economic incentives affect everything around us, and how data mining can reveal trends and truths which are not visible in any other light. A sample from the book: What The Bagel Man Saw. Other topics include insider information on a crack cocaine gang (aka “If drug sellers are so rich, why do they live with their mothers”) and how legalizing abortion put a stop to crime in the US. (Wikipedia has more on the subject)

1.3. Spook Country by William Gibson. Every book from this man is a gem, this one is no exception.

2. I don’t buy many paper books lately, and I can’t remember the last three books I’ve bought. One is “The Big Fat Kill” by Frank Miller (yes, a comic translated into Bulgarian), but I can’t name any other. Probably Pratchett or Bulgarian sci-fi.

3. I love rereading, and I have clear winners for doing so. One: Pratchett is an author who can never be read just once. I reread all his books, and there are always half a dozen of them I haven’t read for more than a year, so I can’t really tire of it. Two: Bujold’s Miles Vorkosigan series. I read pieces of it when it was partially published in Bulgarian, then after having collected the entire Miles universe in English, I have read it twice. Give me a year and I’ll do it again, I love the little bugger and his ways of dealing with trouble. Third: the early books of Neal Stephenson. Zodiac and The Big U are for me much greater than his later books. I would read Cryptonomicon again, but his other books are too commercial or tiresome (I couldn’t reach even the midpoint of that crap about Newton). As a last third option ;) , I’ll point to Douglas Adams, another very rereadable author whom I haven’t read for several years. Ahh, Had I but world enough, and time

I hereby pass the meme snowball to:
Lady Thistle
Firefox (Hey, how come you’re not in the sidebar? Fixed.)
and The Mountain King

8 April 2008, Tuesday

Vale Mundum, Codex Securitatis Incipitur

Filed under: Uncategorized — Mordred @ 22:45

I have started another blog, Codex Securitatis, in which to write about security and Latin. Because I mostly suck at Latin, I’ll stick to the security part.

Please update your links/bookmarks if you’re interested in the security content, or sigh in relief if you aren’t.

(In case you wonder, “incipitur” should mean “is started”, “codex”, meaning book, is the closest to “blog” I could think of, “securitatis” is “of security”, and “vale mundum” is the ubiquitous “hello world”)

2 April 2008, Wednesday

The meme is stronger than the sword

Filed under: Uncategorized — Mordred @ 16:04

“… Swift Death, I did but jest”

… and there are few demonstrations better suited than this account of a 1708 hoax (that’s way before the Internet, mind you), carried out by (spoiler alert) Jonathan Swift (too late, you read it!).

Finally, [ John Partridge ] had succumbed to his fever at 7:05 PM—just four hours off the time predicted by Bickerstaff.

The news left London in a state of shock and wonder. At the same moment it had lost one of its oldest and most respected almanac writers, the city had gained what was surely the first indisputably genuine astrologer in history. The implications were staggering.

It’s likely that no one was as surprised to hear the news as John Partridge.

http://www.damninteresting.com/?p=955

This is even better than the fake volcano eruption story!

31 October 2007, Wednesday

The Curse of Magic Quotes

Filed under: Uncategorized — Mordred @ 00:27

Much has been said about this brainfart of a feature, and attempts at reverting its behaviour are common among all php coders. Old versions of the php manual gave this function in their “Best Practice” example:

// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

… which has apparently become a bad meme in more than one way. I have already mentioned (as many others did as well, way before me) the blunder of using is_numeric(), but a more alarming mistake is the way magic quotes are handled. It isn’t bad just because it’s buggy, but because it gives a seriously flawed idea.

It is also bad, as it is (was) given as an example to newbies, and even after it was replaced in the manual, one can still see the meme “in the wild” in snippets posted on sites and fora. What’s worse, the manual didn’t explain what was wrong in the code before it was replaced; as I see it, maybe they still have no idea what wrongness they have been teaching.

So, after you’ve had a paragraph of reading time to think about it, do you see it? The bug lies in the assumption that the data given to quote_smart() comes from $_GET, $_POST, $_COOKIE, $_REQUEST, etc. If you pass something else (a constant string, a value from a file or database, etc.) containing slashes (for a superficial example, take an SMB-style path: “\\host\share\file.ext”) and you have magic_quotes on, the function will blindly run stripslashes, and thus damage the string (“\hostsharefile.ext”).

The function also doesn’t check for the magic_quotes_sybase setting, which completely changes the way magic quotes are handled.

The correct way of negating magic_quotes is of course globally, at script startup, with proper setting checks and while keeping in mind that those arrays may contain other arrays.
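The startup-time reversal described above, as an added example (not code from the original post): it undoes magic quotes once over the whole input tree, branches on magic_quotes_sybase, and leaves the quoting function free of any assumption about where its value came from. The helper names, the $link connection handle and the constructed SMB path are my own; it targets the PHP 5 era in which magic quotes and the mysql_* functions still exist.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

// Undo magic quotes on one value, recursing because input arrays may
// contain other arrays (e.g. form fields named field[]).
function undo_magic_quotes_value($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes_value', $value);
    }
    // magic_quotes_sybase changes the escaping style: ' becomes '' and
    // backslashes are left untouched, so stripslashes() would be wrong here.
    if (ini_get('magic_quotes_sybase')) {
        return str_replace("''", "'", $value);
    }
    return stripslashes($value);
}

// Call once at script startup. After this, the request superglobals hold
// raw data again and nothing downstream needs to know magic quotes existed.
function undo_magic_quotes_globally() {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return; // nothing was added by PHP, so nothing to remove
    }
    foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $name) {
        $GLOBALS[$name] = undo_magic_quotes_value($GLOBALS[$name]);
    }
}

undo_magic_quotes_globally();

// Quoting is now a pure function of the value: the same call is correct for
// request data, database rows and file contents alike. $link is an assumed
// open mysql connection; every value is escaped and quoted, no is_numeric().
function quote_for_mysql($link, $value) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Constructed value that never passed through the request layer, e.g. read
// from a config file: the literal string \\host\share\file.ext
$path = '\\\\host\\share\\file.ext';
// quote_for_mysql($link, $path) keeps the backslashes (escaped for MySQL),
// whereas quote_smart() under magic_quotes would have mangled them first.
```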

But enough about the bug, it is something that happens with certain inputs under certain setups, and it damages the data in a way that doesn’t really affect the security. So what’s the big deal, is it worth writing so long a rant about it? I think so, and the reason lies in that implied assumption above, about where the data comes from. What it basically says is that input comes only from one of the input superglobal arrays, which is wrong. Input comes from all kinds of sources and you never know which of them may be under the control of an attacker.

So data coming from other places, take the database for example, gets labelled as “secure” in the mind of the coder, and he readily inserts it in a dynamic SQL query and thus second-order SQL injections are born. Such are the curses of bad memes, caveat coder.

17 September 2007, Monday

The Unexpected SQL Injection

Filed under: Uncategorized — Mordred @ 20:58

I am pleased to announce that WASC has published a paper I wrote for the security articles project. The project is very nice, because all articles must pass through a critique and voting process by a peer group of security professionals (and I am proud to be among them when not wearing the hat of an author).

The Unexpected SQL Injection
(When Escaping Is Not Enough)

Abstract:
We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps in writing SQL injection resistant code: correct validation and escaping of input and proper use of the SQL syntax. Failure to comply with either of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.

Full text: [HTML] [TXT] [ZIP (examples)]
