Fixing “full path disclosure” issues

Whether you’re running a web service or a blog, you should always keep your software fully patched to prevent attacks and minimize your attack surface. Another smart step is to prevent full path disclosures. For example, if your blog or service throws an error like

“Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/horace/public_html/wp-settings.php on line 21”

then by noting the full pathname from that error, an attacker could reasonably infer that your username is “horace” and use that to try to guess your password. It’s not the end of the world if your attacker has that information, but why not make an attack as hard as possible?

For WordPress, here are a couple of ways to prevent full path disclosure vulnerabilities:
– In a php.ini file, you can add a line like “display_errors = off” (without the quotes).
– In an .htaccess file, you can add a line that says “php_flag display_errors off” (without the quotes).

It sounds like the php.ini approach might be slightly better, because some web hosts run PHP in CGI mode which might not allow php_flag or php_value directives in .htaccess files.

After you’ve made this change, PHP errors shouldn’t be shown to web clients. If you’re developing live code on a PHP installation, that can make debugging slightly harder. But if you’re running (say) a blog, it’s probably better to turn off display errors for a little extra protection against attackers.

Lessons learned from the early days of Google

Earlier this month I did a talk at the University of North Carolina at Chapel Hill about lessons learned from the early days of Google. The video is now online and watchable, or you can watch it on YouTube:

We did the talk in a pretty large room, and the camera at the back of the room couldn’t easily record me and the slides at the same time. So here are the slides to go along with the talk:

Or you can view the slides at this link.

I believe all the pictures should be covered either by license or fair use (the talk was free), but let me know if you see anything that you believe is problematic. I hope you enjoy the talk!

My two favorite books of 2014

I’d like to mention two books that stood out for me in 2014:

Nonfiction: The First 20 Minutes. Gretchen Reynolds is a New York Times columnist who distills health and exercise research down to practical, readable advice. I’ve never dog-eared as many pages in a book as The First 20 Minutes. Reynolds writes about why you might want to brush your teeth standing on one foot, work out before eating breakfast, and how pickle juice might help with cramps. Should you get a cortisone shot? Does it help to believe in luck? Does long-distance running make your knees less healthy? Is chocolate milk a good recovery drink? Read the book and find out.

Whether you’re a couch potato or an ultramarathoner, you’ll probably learn something interesting and helpful from Reynolds’ book. Reynolds also writes with the easy readability of a seasoned newspaper columnist, and each chapter ends with bite-sized summaries of what the current scientific research recommends. My only nitpick is that I wish Reynolds had included footnotes pointing to the original research for people who want to dig deeper.

Fiction: As I’ve written before, The Martian describes an astronaut stranded on Mars who needs to figure out how to survive and get home with minimal supplies. Some of the science gets detailed, but the book builds to a very successful ending in my opinion.

What was the single best fiction or nonfiction book you read in 2014?

Fun mosaic effect with Go

A few months ago I saw a cool mosaic effect in a Wired ad for CA Technologies. Here’s what part of the ad looked like:

Photomosaic of people in an office

I liked the ad, so I wondered how they did it. Can you figure out how to create a similar effect? Take a minute to figure it out as an exercise.

Here’s what I came up with: divide the image into tiles. For each tile, compute an average overall color for that tile. Then go back and blend every pixel in that tile with the average color. So if a tile is partly dark and partly blue, the average color is a dark blue, so the blue in that tile becomes even darker. I like that the effect is pretty simple once you figure out how to do it.

Of course, once I had an idea of how to do it, I wanted to write some code and see whether I could recreate the effect. Go has good libraries for handling images and I’ve been meaning to try Go. I ended up with about 70 lines of moderately-ghastly Go code that did the job.

For this Creative Commons image (thanks Fuelrefuel/Wikimedia Commons!)

Photo of people in an office

I ended up with a photomosaic like this:

Photomosaic of people in an office

As far as I can tell, that’s pretty much the same filter that ran in the ad. Here’s another example. First, a picture of me:

Matt Cutts

and here’s the resulting mosaic’ed image:

Matt Cutts in mosaic form

That’s all the interesting stuff. You can stop reading now.

This part is boring. Really. No need to keep reading. The code I came up with is really ugly, but the pseudo-code is pretty simple:

- Read the picture into a go image
- Number of horizontal tiles = image_width / desired_tile_width
- Number of vertical tiles = image_height / desired_tile_height
- Loop through tiles with nested vertical and horizontal for loops
- For each tile, loop over the tile's pixels to compute average RGB values
- Loop over the tile's pixels again & set new_color = (avg_color+curr_color)/2
- Write the image out as a new picture

That’s it! I wanted a quick and dirty test, so I didn’t worry about things like the leftover pixels if the tiles didn’t evenly divide the image.
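Here is the pseudo-code above turned into working Go, as an added example rather than the post’s own 70 lines; it also handles the leftover edge pixels the post skipped (each tile is clipped to the image bounds) and uses the 8-bit RGBAAt/SetRGBA accessors, which sidesteps the 16-bit versus 8-bit color confusion the post runs into. SampleImage is a constructed input for testing, not one of the photos from the post.

```go
package main

import (
	"image"
	"image/color"
	"image/draw"
)

// Mosaic blends every pixel 50/50 with the average color of its tileW x tileH tile; edge tiles are clipped, so leftover pixels are processed, not skipped.
func Mosaic(src image.Image, tileW, tileH int) *image.RGBA {
	b := src.Bounds()
	dst := image.NewRGBA(b) // a decoded JPEG has no Set method, so copy into a writable image
	draw.Draw(dst, b, src, b.Min, draw.Src)
	for ty := b.Min.Y; ty < b.Max.Y; ty += tileH {
		for tx := b.Min.X; tx < b.Max.X; tx += tileW {
			tile := image.Rect(tx, ty, tx+tileW, ty+tileH).Intersect(b) // clip edge tiles
			avg := averageColor(dst, tile)
			for y := tile.Min.Y; y < tile.Max.Y; y++ {
				for x := tile.Min.X; x < tile.Max.X; x++ {
					c := dst.RGBAAt(x, y) // 8-bit channels, unlike the 0..65535 values from At().RGBA()
					dst.SetRGBA(x, y, color.RGBA{blend(c.R, avg.R), blend(c.G, avg.G), blend(c.B, avg.B), c.A})
				}
			}
		}
	}
	return dst
}

// averageColor averages the 8-bit RGB channels over r with integer math only.
func averageColor(img *image.RGBA, r image.Rectangle) color.RGBA {
	var rs, gs, bs uint64
	n := uint64(r.Dx() * r.Dy())
	for y := r.Min.Y; y < r.Max.Y; y++ {
		for x := r.Min.X; x < r.Max.X; x++ {
			c := img.RGBAAt(x, y)
			rs, gs, bs = rs+uint64(c.R), gs+uint64(c.G), bs+uint64(c.B)
		}
	}
	return color.RGBA{uint8(rs / n), uint8(gs / n), uint8(bs / n), 255}
}

func blend(a, b uint8) uint8 { return uint8((uint16(a) + uint16(b)) / 2) }

// SampleImage is a constructed 5x3 input (not from the post): columns black, blue, white, white, red, so 2x2 tiles leave a one-pixel column and row over.
func SampleImage() *image.RGBA {
	cols := []color.RGBA{{0, 0, 0, 255}, {0, 0, 255, 255}, {255, 255, 255, 255}, {255, 255, 255, 255}, {255, 0, 0, 255}}
	img := image.NewRGBA(image.Rect(0, 0, 5, 3))
	for x, c := range cols {
		draw.Draw(img, image.Rect(x, 0, x+1, 3), image.NewUniform(c), image.Point{}, draw.Src)
	}
	return img
}
```

Decode a JPEG with image/jpeg, pass it to Mosaic, and encode the returned *image.RGBA to get the same filter as the ad; the black/blue tile in SampleImage shows the “blue gets even darker” behavior the post describes.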

Let’s see, what else. Things I liked about Go:
– It’s super-easy to read and write images, so I could concentrate on the fun stuff.
– I like that documentation like this gives a clear, easy way to set up your environment. The golang tour is great too. And installing Go on Ubuntu is easy: “sudo apt-get install golang” and you’re done.
– The language makes a lot of sense to me, in a C kind of way.

Some things didn’t make as much sense to me, or at least I need to do more reading:
– My initial program just read a JPEG and wrote it back out, and the output image was considerably dimmer. I was just using default encoding values, so maybe some gamma values got left out, but it was a little weird. I was expecting read->decode->encode->write to be a no-op.
– When I read the JPEG into an image and tried to write directly to that image, Go gave me an error. That was a little strange. I ended up copying the JPEG to a new image and then I could write.
– In the spirit of just doing stuff without reading the documentation, it seemed like Go images stored their At() component colors with 16 bits of range (from 0..65536). But when I wanted to write colors with Set() it seemed like Go wanted 8 bits in the example I found. So for a while I was casting stuff with (uint8) and getting totally random bits written into the image. That also generated a fun image:

Random mosaic from converting a 16 bit-range color to uint8

but it took me a few minutes to figure out what was going on. I’m sure some reading would clear things up, but.. who cares? I was also doing some weird float arithmetic to compute color averages. This was just quick/dirty code, and I can read more about the nitty gritty later. As soon as I got the effect I wanted, I rapidly lost interest. I even hard-coded image filenames because I couldn’t be bothered to search for go command-line flag info. All in good fun.
– Arrays and slices are cool, but allocating 2D arrays and slices seems a little verbose.
– I like that Go’s designers have opinions and enforce them, at least 99% of the time. When you’re hacking ugly code, it was annoying to get the “you didn’t use this variable” errors. But I understand the rationale and it’s probably a good idea for writing Real Code that’s not intended to be thrown away.
– I was all set to grouse about go fmt’s enforced indentations/spacing, but it actually looks pretty reasonable. Basically, each indent is a tab. Then if you’re a 3 or 4 space indent kind of guy, you can configure your editor like vim or emacs to change how the tab width is displayed.

Historically, Python is my language of choice to knock out a quick script thing–I love Python dictionaries. But with Go’s speed, support for dictionaries/maps, and capability to do HTTP servers very easily, I might end up switching to Go. I think I’ll use Go for my next little fun project.

Added: Thanks to Tom Madams who whipped up a prototype of this filter in video using Shadertoy!

An investment reading list

If you’ve read Scott Adams’ financial advice and my financial tips in case you win a startup lottery, then you might be interested in a few more pointers to good resources. Some web pages and books:

– Don’t Play the Losers’ Game, by Henry Blodget. This is a short, accessible piece that explains why picking individual stocks on Wall Street is a bad idea for almost anyone.

– Website: the Bogleheads forum. An incredibly smart group of people who like to discuss investing, finance, and money. Their investment philosophy page is pure financial wisdom distilled.

– A Random Walk Down Wall Street, by Burton Malkiel. This book is remarkably readable, though it can be dense at times. If you believe you can pick individual stocks with enough success to beat a diversified portfolio of low-cost index funds, this is the book you should read to throw a wet blanket on that belief.

– The Lazy Person’s Guide to Investing, by Paul B. Farrell. This book will show you how to outperform the majority of active money managers in just 15 minutes a year. This book is seriously good. If I had to recommend only a single book, this book might win: it’s a breeze to read, but it imparts nearly as much wisdom as much denser tomes.

– This is a great description of how Google tried to educate and protect its employees before Google’s IPO. You’ll get most of the idea from the first page. How can you not love an article where a financial advisor admits “We work in the most overcompensated industry in the country”?

– The Wall Street Self-Defense Manual, by Henry Blodget. In many ways, this book is a deeper version of Blodget’s article that I linked to above. This book is short, readable, and packed with most of the advice that you need to know.

– If you’re ready to go deeper, consider The Four Pillars of Investing, by William Bernstein. You might also check out Bernstein’s The Intelligent Asset Allocator.

– Rich Dad, Poor Dad, by Robert Kiyosaki. This book has its flaws, but it’s very readable and could be good for teenagers or college students. The book uses stories to discuss the goal of financial independence via assets that produce money. I grew up in a family focused on academia, so this book was a good wake-up call that a lot of people care about money, not just getting a Ph.D.

Money and Wall Street stories, color, and culture

– Realistically, I’d recommend almost anything that Michael Lewis has ever written. His most recent book is Flash Boys and I enjoyed that story. But I also enjoyed Liar’s Poker, The Big Short, and Boomerang.

A few more to consider:
– Perfectly Legal (rich people get away with lots of tax loopholes)
– Confessions of a Tax Collector (a tale from inside the IRS when the IRS had more teeth)

There’s also a whole sub-genre of books about rich people:
– Richistan (pretty entertaining)
– The Millionaire Next Door (most millionaires are cheap!)
– Rich Like Them (mostly a bunch of anecdotes from interviews)

Stock Options

– Consider Your Options, by Kaye A. Thomas. If you’re joining a startup that offers stock options, I strongly recommend that you study this book from cover to cover. It can help you avoid a lot of treacherous mistakes. If you don’t put in the time to understand your stock options, you might regret it later. Thomas also has a good book called Capital Gains, Minimal Taxes that covers the mechanics of a lot of tax issues and logistics for investors.

– I really recommend Consider Your Options as the definitive work, but An Engineer’s Guide to Silicon Valley Startups, by Piaw Na is very accessible. This book also covers a wide range of skills that you might need if you want to join a startup. Disclosure: I know Piaw from his time at Google.

– I have used Stock Options: An Authoritative Guide to Incentive and Nonqualified Stock Options as a reference for at least one complicated situation.

– Want to understand stock options at a basic level? Stock Options for Dummies isn’t too bad.


– This won’t be popular, but I just don’t find John C. Bogle’s books very readable. I agree with him about lots of things, but his books like Don’t Count on it! just didn’t grab me.

– Hedgehogging, by Barton Biggs. I’m not even going to link to this book–that’s how angry this book made me. Biggs actually writes stuff like this: “My real theory is that the investment superstars have some special magic with markets that enables them almost intuitively to do the right things most of the time.” What hogwash.

Elsewhere in the book (which lists a copyright date of 2006), Biggs quotes someone who accurately identifies the housing bubble: “another bubble is about to burst. Existing home prices have been rising 7% to 8% a year, financed by Fannie and Freddie.” Then Biggs goes on to scoff at the guy, like “Look at this dork, predicting a major depression due to a housing bubble in the next three years.” The Wikipedia page on Biggs reports that Biggs’ hedge fund was blindsided by the subsequent global financial crisis. If you want a snapshot of how Wall Street can suck, then you might want to read this book.

– I’m not a big fan of Jim Cramer. If you want to watch Cramer for entertainment that’s great, but exercise caution on his advice.

– Beating the Street, by Peter Lynch. I just don’t think this book has aged very well. You can pick up most of what you need from other books. The advice to “invest in what you know” can be good. However, it also risks becoming “invest in what’s familiar” instead of doing your homework.

So those are some books and websites that I’ve liked or disliked. How about you–what books about investing, money, or finance would you add to the list?