Fixing “full path disclosure” issues

Whether you’re running a web service or a blog, you should always keep your software fully patched to prevent attacks and minimize your attack surface. Another smart step is to prevent full path disclosures. For example, if your blog or service throws an error like

“Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/horace/public_html/wp-settings.php on line 21”

then by noting the full pathname from that error, an attacker could reasonably infer that your username is “horace” and use that to try to guess your password. It’s not the end of the world if your attacker has that information, but why not make an attack as hard as possible?

For WordPress, here are a couple of ways to prevent full path disclosure vulnerabilities:
– In a php.ini file, you can add a line like “display_errors = off” (without the quotes).
– In an .htaccess file, you can add a line that says “php_flag display_errors off” (without the quotes).

It sounds like the php.ini approach might be slightly better, because some web hosts run PHP in CGI mode which might not allow php_flag or php_value directives in .htaccess files.

After you’ve made this change, PHP errors shouldn’t be shown to web clients. If you’re developing live code on a PHP installation, that can make debugging slightly harder. But if you’re running (say) a blog, it’s probably better to turn off display errors for a little extra protection against attackers.

Fun mosaic effect with Go

A few months ago I saw a cool mosaic effect in a Wired ad for CA Technologies. Here’s what part of the ad looked like:

Photomosaic of people in an office

I liked the ad, so I wondered how they did it. Can you figure out how to create a similar effect? Take a minute to work it out as an exercise.

Here’s what I came up with: divide the image into tiles. For each tile, compute an average overall color for that tile. Then go back and blend every pixel in that tile with the average color. So if a tile is partly dark and partly blue, the average color is a dark blue, so the blue in that tile becomes even darker. I like that the effect is pretty simple once you figure out how to do it.

Of course, once I had an idea of how to do it, I wanted to write some code and see whether I could recreate the effect. Go has good libraries for handling images and I’ve been meaning to try Go. I ended up with about 70 lines of moderately-ghastly Go code that did the job.

For this Creative Commons image (thanks Fuelrefuel/Wikimedia Commons!)

Photo of people in an office

I ended up with a photomosaic like this:

Photomosaic of people in an office

As far as I can tell, that’s pretty much the same filter that ran in the ad. Here’s another example. First, a picture of me:

Matt Cutts

and here’s the resulting mosaic’ed image:

Matt Cutts in mosaic form

That’s all the interesting stuff. You can stop reading now.

This part is boring. Really. No need to keep reading. The code I came up with is really ugly, but the pseudo-code is pretty simple:

- Read the picture into a go image
- Number of horizontal tiles = image_width / desired_tile_width
- Number of vertical tiles = image_height / desired_tile_height
- Loop through tiles with nested vertical and horizontal for loops
- For each tile, loop over the tile's pixels to compute average RGB values
- Loop over the tile's pixels again & set new_color = (avg_color+curr_color)/2
- Write the image out as a new picture

That’s it! I wanted a quick and dirty test, so I didn’t worry about things like the leftover pixels if the tiles didn’t evenly divide the image.
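The pseudo-code above, written out as an added Go example (not the code from the original post). It generalizes the sketch slightly: edge tiles are clipped to the image so leftover pixels are processed rather than ignored, and the 16-bit values that `RGBA()` returns are shifted down to the 8-bit range that `color.RGBA` expects instead of being cast. It assumes positive tile sizes and opaque input such as a JPEG.

```go
package main

import (
	"image"
	"image/color"
	"image/jpeg"
	"io"
)

// Mosaic returns a copy of src in which every pixel of each tileW x tileH tile
// is blended 50/50 with that tile's average colour. Edge tiles are clipped to
// the image, so leftover pixels are processed rather than skipped.
func Mosaic(src image.Image, tileW, tileH int) *image.RGBA {
	b := src.Bounds()
	dst := image.NewRGBA(b)
	for y0 := b.Min.Y; y0 < b.Max.Y; y0 += tileH {
		for x0 := b.Min.X; x0 < b.Max.X; x0 += tileW {
			t := image.Rect(x0, y0, x0+tileW, y0+tileH).Intersect(b)
			// Pass 1: sum the components. RGBA() yields 16-bit values (0..65535);
			// >>8 gives the 8-bit range color.RGBA wants (a bare uint8() cast
			// would keep only the low byte and scramble the colours).
			var sr, sg, sb, n uint32
			for y := t.Min.Y; y < t.Max.Y; y++ {
				for x := t.Min.X; x < t.Max.X; x++ {
					r, g, bl, _ := src.At(x, y).RGBA()
					sr, sg, sb, n = sr+(r>>8), sg+(g>>8), sb+(bl>>8), n+1
				}
			}
			ar, ag, ab := sr/n, sg/n, sb/n
			// Pass 2: new = (avg + current) / 2, in integer arithmetic.
			for y := t.Min.Y; y < t.Max.Y; y++ {
				for x := t.Min.X; x < t.Max.X; x++ {
					r, g, bl, _ := src.At(x, y).RGBA()
					dst.SetRGBA(x, y, color.RGBA{uint8((ar + r>>8) / 2),
						uint8((ag + g>>8) / 2), uint8((ab + bl>>8) / 2), 255})
				}
			}
		}
	}
	return dst
}

// MosaicJPEG decodes a JPEG from r, filters it with square tiles, and encodes it to w.
func MosaicJPEG(r io.Reader, w io.Writer, tile int) error {
	src, err := jpeg.Decode(r)
	if err != nil {
		return err
	}
	return jpeg.Encode(w, Mosaic(src, tile, tile), nil)
}
```

Wrap MosaicJPEG with os.Open and os.Create to run it over a file; the JPEG encoder's default quality is used, so a hard-coded `&jpeg.Options{Quality: 95}` can replace the nil if the re-encoded image looks degraded.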

Let’s see, what else. Things I liked about Go:
– It’s super-easy to read and write images, so I could concentrate on the fun stuff.
– I like that documentation like this gives a clear, easy way to set up your environment. The golang tour is great too. And installing Go on Ubuntu is easy: “sudo apt-get install golang” and you’re done.
– The language makes a lot of sense to me, in a C kind of way.

Some things didn’t make as much sense to me, or at least I need to do more reading:
– My initial program just read a JPEG and wrote it back out, and the output image was considerably dimmer. I was just using default encoding values, so maybe some gamma values got left out, but it was a little weird. I was expecting read->decode->encode->write to be a no-op.
– When I read the JPEG into an image and tried to write directly to that image, Go gave me an error. That was a little strange. I ended up copying the JPEG to a new image and then I could write.
– In the spirit of just doing stuff without reading the documentation, it seemed like Go images stored their At() component colors with 16 bits of range (from 0..65536). But when I wanted to write colors with Set() it seemed like Go wanted 8 bits in the example I found. So for a while I was casting stuff with (uint8) and getting totally random bits written into the image. That also generated a fun image:

Random mosaic from converting a 16 bit-range color to uint8

but it took me a few minutes to figure out what was going on. I’m sure some reading would clear things up, but... who cares? I was also doing some weird float arithmetic to compute color averages. This was just quick/dirty code, and I can read more about the nitty gritty later. As soon as I got the effect I wanted, I rapidly lost interest. I even hard-coded image filenames because I couldn’t be bothered to search for Go command-line flag info. All in good fun.
– Arrays and slices are cool, but allocating 2D arrays and slices seems a little verbose.
– I like that Go’s designers have opinions and enforce them, at least 99% of the time. When you’re hacking ugly code, it was annoying to get the “you didn’t use this variable” errors. But I understand the rationale and it’s probably a good idea for writing Real Code that’s not intended to be thrown away.
– I was all set to grouse about go fmt’s enforced indentations/spacing, but it actually looks pretty reasonable. Basically, each indent is a tab. Then if you’re a 3 or 4 space indent kind of guy, you can configure your editor like vim or emacs to change how the tab width is displayed.

Historically, Python is my language of choice to knock out a quick script thing–I love Python dictionaries. But with Go’s speed, support for dictionaries/maps, and capability to do HTTP servers very easily, I might end up switching to Go. I think I’ll use Go for my next little fun project.

Added: Thanks to Tom Madams who whipped up a prototype of this filter in video using Shadertoy!

Scott Adams’ Financial Advice

A few years ago I read some short financial advice by Scott Adams, the author and creator of the Dilbert cartoon. It’s great advice–it’s perfect for 95% of Americans’ finances and investing. Without further ado, here is Dilbert’s One Page Personal Finance List:

  • Make a will.
  • Pay off your credit card balance.
  • Get term life insurance if you have a family to support.
  • Fund your company 401K to the maximum.
  • Fund your IRA to the maximum.
  • Buy a house if you want to live in a house and can afford it.
  • Put six months’ expenses in a money market account.
  • Take whatever is left over and invest it 70 percent in a stock index fund and 30 percent in a bond fund through any discount brokerage company and never touch it until retirement.
  • If any of this confuses you, or you have something special going on (retirement, college planning, tax issue), hire a fee-based financial planner, not one who charges you a percentage of your portfolio.

This advice is completely spot on. I’m not going to add anything more in this post–this advice stands on its own incredibly well.

Thanks to Scott Adams for permission to reproduce this list. I read the advice in a book and at the time I couldn’t find it on the web. So in 2010 I emailed Mr. Adams and asked for permission to reproduce the advice, and he replied and said that was fine.

Some running tips

Before 2011, I had never run farther than eight miles. Then I found a program called USA FIT which helps runners across the country train up and run a marathon. My goal was to run one marathon and then stop, but I found some friendly folks and so I just kept running. It’s been wonderful.

If you’re able-bodied and in moderately good shape, it’s very doable to train and run a marathon. I’m just a regular guy–if anything, I’m a slower runner than most people. I’ll never place in the top three on a competitive race; heck, sometimes I’m happy to finish before the cutoff time. Yet I’ve run at least six marathons, plus a 50 mile run and a half Ironman triathlon. If I can do it, a lot of other people can too. Perhaps you’d like to run a marathon or half-marathon someday too?

In putting my time in, I’ve collected a few tips for running that I wish I’d known when I started. Warning: running is basically just you and your body, so some of this stuff will be about bodily functions. With that disclaimer in advance, here’s some things I’ve learned:

– Chafing sucks. Any time I’m running more than 5-6 miles, the friction of running can cause chafing. I recommend Body Glide for your thighs and Chamois Butt’r for your butt. You can use Body Glide for anything else that might chafe from friction, from nipples to the waistband of your running shorts. For a full marathon, consider using band-aids to protect your nipples if you’re a guy.

– Blisters suck. In 2010, I learned a secret that many hikers use to avoid blisters: wearing two layers of socks. A thin sock liner between you and regular/wool socks can help prevent hotspots and blisters. A company called Wrightsock makes socks with two layers built in. Over hundreds of miles of running wearing Wrightsocks, I’ve never gotten a blister. Your mileage may vary, of course, so do what works for you, but I love my Wrightsocks.

– It sucks to run well, then wait for a Porta Potty as you watch all the people passing you. Assuming you have a healthy gastrointestinal tract, consider taking an Imodium an hour before the race starts. Imodium is meant for diarrhea. It slows the muscles contracting the intestine, so it reduces bowel movement. Everybody is different, and you should do your own research into the issue. If you have any medical concerns at all, either talk to a doctor or don’t do it. Don’t hold me responsible if you try it. I’m just saying that it works well for lots of people.

– Friends rock. It’s so much easier to exercise if you find someone to do it with. That’s why I love USA FIT, but there’s plenty of other groups: Team in Training, or check with friends or your company. Getting up early on a Saturday morning is so much easier when you know that other friends are counting on you to join them.

– Music rocks. Running a race is a lot easier with music. I love these Sony headphones because they stay attached to your ears really well. By the way, it’s important not to start your race too fast. I normally listen to a podcast at the beginning of a race, then switch to high-energy music after the podcast is over.

– Don’t worry about your time. Regular people will never ask how fast you ran a marathon–only other runners will! Besides, even if you finish dead last in a marathon, you’re still doing better than folks who never trained for a race, and that’s the vast majority of people.

– As a slow runner, I like to start at the very back of the running pack. Then I get the thrill of passing people without as much dejection from when someone passes me. :)

– When I’m preparing for a race or a long run, I find it useful to make a checklist of things to bring with me. I use a Google Doc so I can scan my list quickly on my phone. For a long run, here’s my checklist: Body Glide, clothes (shoes, socks, shorts, shirt, hat), heart rate monitor, Fitbit, Garmin 620 watch, phone with tunes/podcasts, headphones, water bottle + gel or gummies for energy, Chamois Butt’r, and sunscreen. I’ll tweak that if I’m doing a run in cold weather or a really long run. I have a slightly longer list for races and triathlons. The point is that it’s easy to forget something unless you have a checklist.

– I really enjoy Fitbit and Strava as far as apps that encourage me to move more. Strava is also good for biking, not just running. Both apps include a social component where you can get your friends hooked as well.

Those are my running tips that might not be as obvious to someone who is just starting out. If you’re reading this and you’re a runner, are there good tips that you’d like to share? If so, please leave a comment!

Bluetooth garage door opener

Today I made a Bluetooth garage door opener. Now I can open my garage from my Android phone. There’s a short how-to YouTube video from Lou Prado. Lou also made a website btmate.com that has more information, and you can watch an earlier how-to video as well.

The project itself was pretty simple:
– Acquire a Samsung HM1100 bluetooth headset (the Samsung HM1800 also works). You can buy these cheap from Fry’s or eBay. I got mine on eBay for $10-$15.
– Crack open the earpiece on the Bluetooth headset and solder one of the earpiece wires to the base pin of a transistor. Solder red and black wires to the other pins of the transistor.
– Connect the red and black wires to the garage door opener. It turns out that most garage door openers are built to allow easy insertion of wires, which is nice.

That’s more or less it. My soldering was ugly as sin–too ugly for me to even post a picture. And rather than leave the house for some heat shrink tubing, I just left bare wires on the transistor, but everything works fine.

Lou wrote a nice Android app that’s free to install and then pay-what-you-want for a license. Then it’s just a single button to open or close the garage door. In theory, I could use Tasker to open the garage door automatically when I get home.

It’s not quite as sexy as Brad Fitzpatrick’s Android garage door opener, but it was a fun little project for a day.

Update, February 12, 2015: I continue to use the GarageMate app to open my garage door, especially when I want to go biking without my keys. Here’s an extra tip so that you can open the garage door with different phones. All you have to do is pair the HM1100 headset with the phones you’d like to use, and install the GarageMate/GDMate app on each phone. Here were the steps I followed to add another phone:
– Get a ladder and climb up to the HM1100 headset in your garage.
– Turn the Bluetooth headset off and then on–this step might not be necessary.
– Press and hold long/middle button (opposite from the ear) for 3-4 seconds to enter pairing mode.
– Press the volume up button (it’s the volume button closest to the USB power cord) and watch for two blinks of the blue LED. This step enables pairing with multiple devices.
– Go into the new phone’s Bluetooth menu and pair with HM1100.
– Now go into BTMate/GarageMate app. You can reuse the license key from your old phone. On the new phone, choose the HM1100 as the currently selected receiver. I like to enable the following options: 1) starting the app automatically clicks to open the garage door, and 2) exit the app after it’s been idle for 10 seconds.

That’s it! Now you can open your garage door with multiple phones!
