The humiliation of 9th grade student Ahmed Mohamed

The title of this article deliberately mirrors that of Dr. Jerry Coyne’s article at Why Evolution Is True. I agree with Dr. Coyne that we have created a society in which “infractions” that three decades ago when I was in primary school would have been ignored or, at most, resulted in a lecture about how to behave now result in police arrest. This is both counterproductive and idiotic.

We have to stop thinking in terms of “security at all costs”. I’m tired of taking off my shoes when flying. I’m tired of taking off my belt when reporting for jury duty at the San Jose Federal court, which happened two years ago and will likely be repeated when I report for jury duty again this coming Monday.

Below is the mail I sent to the Irving, TX police department prior to reading Dr. Coyne’s article.

from:   Kurtis Rader 
to:     lboyd@cityofirving.org, bredburn@cityofirving.org, jspivey@cityofirving.org, bjolley@cityofirving.org
date:   Fri, Sep 18, 2015 at 6:31 PM
subject:        the arrest of 9th grade student Ahmed Mohamed

I'm a 54-year-old white male software engineer who grew up in a middle class suburban family that attended a Protestant church. In other words I'm a member of a demographic you could reasonably expect to support you. Yet every time I read about incidents like the arrest of 9th grade student Ahmed Mohamed I become more firmly convinced the police cannot be trusted to exercise good judgement and it is reasonable for me and my neighbors to fear an encounter with the police.

In my opinion the officers involved in that incident are not competent to issue parking tickets let alone arrest people. And your department's defense that

    “It could reasonably be mistaken as a device if left in a bathroom or under a car. The concern was, what was this thing built for? Do we take him into custody?”

and that you

    wanted "a broader explanation" from the teen

is absurd. Hang your heads in shame.

P.S., I'm also appalled at the behavior of the school staff. Your officers should have defused the situation (pun intended) instead of escalating tensions. Get a fucking grip.

P.S., I’ve included the “religion” tag on this post because I strongly suspect that the skin color and name of the student, suggesting he is a Muslim, was a factor in how he was treated. I have no love for Islam. As an atheist I dislike all religions. Nonetheless I feel it is wrong to discriminate against a person solely due to the religion you believe they adhere to.

I’m going to have to science the shit out of this!

I just watched the excellent movie “Black Mass” starring Johnny Depp as the criminal James “Whitey” Bulger. But the reason for this post isn’t to talk about that movie. It’s to talk about the second trailer, subtly different from the first, I saw for the movie “The Martian” in which Matt Damon’s character, Mark Watney, says “I’m going to have to science the shit out of this!” The book on which the movie is based is one of the few I gave a 5 out of 5 rating last year and will definitely read again. The two trailers I’ve seen give me hope the movie will be as good as the book.

Even if the movie is only almost as good as the book I hope it is seen by a large number of people who consider themselves religious. I want those people to think about the role religion and prayer played in the rescue of the eponymous character (i.e., none) and compare that to the role science and engineering played. I want them to think about the role religion has played in giving us the wonders we take for granted like the ability to talk with a family member in real-time thousands of miles away. Or be cured of an infection that just a hundred years ago would have meant a death sentence. Or give someone born deaf the ability to hear via a cochlear implant.

You’re welcome to your religious beliefs but I’ll take science any day of the week when it comes to making my life better.

Update 2015-10-02: I saw the movie this afternoon. I thoroughly enjoyed it and encourage everyone to see it. Having said that, the book is better. But that is because I’m a geek who appreciated all of the science and engineering in the book which had to be left out of the movie to keep it to a reasonable length. Note that the science and engineering in the book can be appreciated by anyone who can add 2 + 2 and get 4.

What does “dog is my copilot” mean?

Today I noticed the search phrase “what does dog is my copilot mean” was used to reach my site. Since I titled my site “Dog Is My Copilot” I’m not surprised the person searching for an answer to that question clicked through to my site. But they were probably unsatisfied since I don’t explain what the term means (even to me). So I’m going to do so in this article.

I’m an atheist. So on one level it is an obvious satirical poke at the “God is my copilot” phrase used by so many Christians. If God is your copilot I don’t want to be anywhere near you when you’re driving. God has terrible aim and judgement for any supposedly omniscient omnipotent being. Please, do not let God tell you when to make a left turn.

On a more serious note the phrase means that canines are my non-human companions. The dogs in my life give me a reason to go for a walk around my neighborhood. I can count on my dogs to accept and reciprocate affection. They help me notice things that are important. Like that squirrel which is only two meters away and is probably very tasty. Cats (felids) are okay but I’ll always be a dog person.

To block or not to block stupid HTTP proxy software

A lot of HTTP proxy firewalls used by companies scan web pages (i.e., HTTP responses) received by users behind the firewall. That is reasonable as they have a legitimate need to protect their network from malware. What is not reasonable is that those proxy firewalls then pre-fetch any URL mentioned anywhere in the returned web page(s), regardless of whether or not the human (and their browser) who made the original request would also request the URL.

This most often manifests itself as HTTP GET requests with a user-agent value of “Mozilla/4.0 (compatible;)” interspersed among other requests from the same source, albeit with a different user-agent value. Searching Google for “Mozilla/4.0 (compatible;)” returns several answers about that user-agent value. For example, this one.

This behavior by HTTP proxy firewalls is extremely obnoxious. Not least because it makes reading and interpreting web server logs more difficult. It also adds load to a server (especially one running WordPress which relies heavily on PHP) that would not otherwise have to be handled.

Having said that I no longer blacklist based on that user-agent header. A careful review of my HTTP access logs showed that while it might have blocked a few instances of malware it was more often blocking access from proxy firewalls used by major corporations. So while I wish those companies would employ more intelligent proxy firewalls that don’t fetch URLs that are unlikely to be fetched by the people behind the firewall it isn’t worthwhile to penalize those companies by blacklisting their public addresses.
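The pattern described above (the same address sending “Mozilla/4.0 (compatible;)” requests right next to requests with a real browser user-agent) can be tagged in the access log rather than blocked. This is an added example, not code from the original post; the log lines and addresses are constructed and the 30 second window is an assumption.

```python
# Added example, not from the original post: tag "Mozilla/4.0 (compatible;)"
# requests as proxy pre-fetches when the same client address also sent requests
# with a different User-Agent shortly before or after. The log lines below are
# constructed in Apache "combined" format; the addresses are documentation ranges.
import re
from datetime import datetime, timedelta

PREFETCH_UA = "Mozilla/4.0 (compatible;)"
WINDOW = timedelta(seconds=30)  # assumed: how close a human request must be

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["raw"] = line
    return rec

def tag_prefetches(lines):
    """Return [(line, tag)]: 'proxy-prefetch' when another UA from the same
    address is within WINDOW, 'prefetch-ua' when the UA stands alone, else ''."""
    recs = [r for r in map(parse_line, lines) if r]
    other_ua = {}  # address -> timestamps of requests with a non-prefetch UA
    for r in recs:
        if r["ua"] != PREFETCH_UA:
            other_ua.setdefault(r["ip"], []).append(r["ts"])
    tagged = []
    for r in recs:
        tag = ""
        if r["ua"] == PREFETCH_UA:
            near = any(abs(r["ts"] - t) <= WINDOW for t in other_ua.get(r["ip"], []))
            tag = "proxy-prefetch" if near else "prefetch-ua"
        tagged.append((r["raw"], tag))
    return tagged

SAMPLE_LOG = [  # constructed: a page view, two pre-fetches by its proxy, one lone scanner
    '203.0.113.7 - - [15/Sep/2015:10:21:04 -0700] "GET /2015/09/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"',
    '203.0.113.7 - - [15/Sep/2015:10:21:05 -0700] "GET /2014/01/old-post/ HTTP/1.1" 200 4100 "-" "Mozilla/4.0 (compatible;)"',
    '203.0.113.7 - - [15/Sep/2015:10:21:06 -0700] "GET /about/ HTTP/1.1" 200 2200 "-" "Mozilla/4.0 (compatible;)"',
    '198.51.100.9 - - [15/Sep/2015:11:02:40 -0700] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/4.0 (compatible;)"',
]

if __name__ == "__main__":
    for line, tag in tag_prefetches(SAMPLE_LOG):
        print(f"{tag or 'human':15} {line[:60]}")
```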

Why would malware issue a HTTP “POST /wp-config.php.bak” request?

Once in a while I see malware attempt to issue HTTP POST requests to non-existent paths. Most often the malware is attempting to exploit a bug in a WordPress plugin that I don’t have installed. Sometimes the malware is clearly probing to see if software other than WordPress is running on my web server. For example, two months ago I saw a “POST /api/v1/config” request. But today I saw a truly bizarre attack.

A server at 81.177.32.187 in Russia, domain in-solve.ru, issued the following HTTP requests against my server today:

POST /wp-config.php.bak
POST /wp-config.php.swp
POST /.wp-config.php.swp

Even if there were a backup of the wp-config.php file (“.bak”) or a temporary (“.swp”) version of that file present why does the malware author think they can issue a POST request to those paths? The POST data for all three requests was identical:

<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
 <methodName>wp.getUsersBlogs</methodName>
  <params>
 <param><value>alkoneron</value></param>
 <param><value>1234567890</value></param>
  </params>
</methodCall>

So this attack is clearly meant to be issued against /xmlrpc.php in an attempt to guess WordPress account credentials (an attack signature I see every day). I can’t help but wonder if a malware author was testing new code and inadvertently targeted my server when they meant to test it against their own server. Because I find it hard to believe that someone has a WordPress installation that allows issuing xmlrpc commands against backups of the WP config file.

P.S., I’ve changed the password value to a generic “1234567890” because the original value actually looks like it might be the correct password for user alkoneron. The password in my logs is a random string of letters and numbers 13 characters in length. It is not the typical generic password I see from malware which is using a brute-force dictionary attack.
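The request body above is a standard XML-RPC methodCall, so it can be parsed and recognised as a wp.getUsersBlogs credential guess regardless of the path it was sent to. The following is an added example, not code from the original post; the body is the one quoted above, with the same “1234567890” placeholder substituted for the real password.

```python
# Added example, not from the original post: pull the method name and the
# credential guess out of a WordPress XML-RPC body and classify a request by
# its path and body. The body is the one quoted above, with the same
# "1234567890" placeholder the author substituted for the real password.
import re
import xml.etree.ElementTree as ET

# wp-config.php backup/swap leftovers, as probed for in the three requests above
CONFIG_LEFTOVER_RE = re.compile(r"^/\.?wp-config\.php\.(bak|swp)$")

def parse_xmlrpc_call(body):
    """Return (methodName, [param values]) or None if body is not an XML-RPC methodCall."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName", default="").strip()
    # <value>text</value> or <value><string>text</string></value>
    params = ["".join(v.itertext()).strip() for v in root.findall("./params/param/value")]
    return name, params

def classify(method, path, body):
    """List what is suspicious about one request; an empty list means nothing matched."""
    findings = []
    if CONFIG_LEFTOVER_RE.match(path):
        findings.append(f"{method} to a wp-config.php backup/swap path")
    call = parse_xmlrpc_call(body)
    if call:
        name, params = call
        if name == "wp.getUsersBlogs" and len(params) == 2:
            findings.append(f"xmlrpc credential guess for user {params[0]!r}")
        if path != "/xmlrpc.php":
            findings.append("xmlrpc body sent somewhere other than /xmlrpc.php")
    return findings

SAMPLE_BODY = """<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
 <methodName>wp.getUsersBlogs</methodName>
  <params>
 <param><value>alkoneron</value></param>
 <param><value>1234567890</value></param>
  </params>
</methodCall>"""

if __name__ == "__main__":
    for path in ("/wp-config.php.bak", "/wp-config.php.swp", "/.wp-config.php.swp", "/xmlrpc.php"):
        print(path, "->", classify("POST", path, SAMPLE_BODY))
```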

New WordPress attack targeting the phpinfo() function

Are the authors of PHP and WordPress merely evil or Satan incarnate? That was the thought that crossed my mind (even though I’m an atheist) when I saw the most recent attack against my site. The attacker was in Ukraine (country code UA) on domain hidehost.net at address 91.200.12.53. The attacker started with a “GET /” request. The subsequent requests were all POSTs to a /wp-includes/*.php path. Specifically these paths:

POST /wp-includes/class.wp-dependencies.php
POST /wp-includes/feed-rss2.php
POST /wp-includes/date.php
POST /wp-includes/pluggable-deprecated.php
POST /wp-includes/default-constants.php
POST /wp-includes/bookmark-template.php
POST /wp-includes/pluggable.php
POST /wp-includes/feed.php
POST /wp-includes/theme.php
POST /wp-includes/formatting.php

Each POST request had one line from the following list in the data portion of the request:

q01b955=phpinfo();
q044e97=phpinfo();
q6d8db6=phpinfo();
q791d24=phpinfo();
q82e86f=phpinfo();
q874478=phpinfo();
qb214de=phpinfo();
qcd4fab=phpinfo();
qeb2df4=phpinfo();

My WordPress v4.3 installation responded with an HTTP 200 (OK) status to each request. I manually executed each request and got the same 200 status but no output from the phpinfo() function. So I am reasonably confident the attacker did not get any useful data from my server; specifically, no data other than that I have not been infected by malware (see the next paragraph).

Googling for “attack phpinfo” returns many results, such as this one, which explain why the ability to remotely invoke the phpinfo() function is a security risk. Googling for any of the tokens on the left-hand side of the above assignments returned nothing useful. Nor are those tokens base32 or base64 encoded values.

This suggests that this attacker is looking for sites that have been previously infected by malware. I’ve seen attacks in the past with seemingly nonsensical tokens. Careful analysis has suggested, if not proved, that each of those attacks is trying to detect, and presumably exploit, malware already present on the computer.
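The probe signature above (a POST straight to a /wp-includes/*.php file with a body of the form q<hex>=phpinfo();) is narrow enough to match exactly, and the claim that the tokens are not base32 or base64 can be checked rather than eyeballed. This is an added example, not code from the original post; the paths and bodies are the ones listed above.

```python
# Added example, not from the original post: recognise the "q<hex>=phpinfo();"
# probe bodies listed above and test the observation that the left-hand tokens
# are neither base32 nor base64 encoded text. Paths and bodies are the ones
# quoted in the post.
import base64
import binascii
import re

PROBE_RE = re.compile(r"^(?P<token>q[0-9a-f]{6})=phpinfo\(\);$")
WP_INCLUDES_RE = re.compile(r"^/wp-includes/[\w.-]+\.php$")

def is_phpinfo_probe(method, path, body):
    """POST of a probe body directly to a /wp-includes/*.php file."""
    return (method == "POST" and bool(WP_INCLUDES_RE.match(path))
            and bool(PROBE_RE.match(body.strip())))

def probe_token(body):
    m = PROBE_RE.match(body.strip())
    return m.group("token") if m else None

def decodes_to_text(token):
    """Return 'base64' or 'base32' if the token (padded as needed) decodes to
    printable ASCII, else None. Structurally valid input that yields binary
    garbage also gives None, which is the check that matters here."""
    attempts = (
        ("base64", lambda t: base64.b64decode(t + "=" * (-len(t) % 4), validate=True)),
        ("base32", lambda t: base64.b32decode(t.upper() + "=" * (-len(t) % 8))),
    )
    for name, decode in attempts:
        try:
            raw = decode(token)
        except (binascii.Error, ValueError):
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return name
    return None

PROBE_BODIES = [  # the nine data lines quoted in the post
    "q01b955=phpinfo();", "q044e97=phpinfo();", "q6d8db6=phpinfo();",
    "q791d24=phpinfo();", "q82e86f=phpinfo();", "q874478=phpinfo();",
    "qb214de=phpinfo();", "qcd4fab=phpinfo();", "qeb2df4=phpinfo();",
]

def token_report(bodies):
    """Map each probe token to the encoding it decodes under, or None."""
    tokens = [probe_token(b) for b in bodies]
    return {t: decodes_to_text(t) for t in tokens if t}

if __name__ == "__main__":
    print(is_phpinfo_probe("POST", "/wp-includes/theme.php", PROBE_BODIES[0]))
    print(token_report(PROBE_BODIES))
```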

Should I be happy or sad that Chipotle is being sued for claiming to eliminate GMOs from its menu?

Back in May of 2015 I read an article on Mother Jones about Chipotle getting rid of GMOs. As a skeptic who has closely followed the science regarding genetic modification of food (or genetic engineering if you prefer) I recognized that Chipotle was cynically jumping on the anti-GMO bandwagon. And I wasn’t the only person to reach that conclusion as this article shows.

This is the message I sent to Chipotle via their web site:

Regarding your announcement to remove GMO ingredients from your menu: I won't eat again in your restaurants until you rescind that boneheaded decision. I expect a company with your values to not be driven by ignorant fear-mongering by people who think dihydrogen-monoxide is a deadly chemical because it sounds scary.

Their reply to me contained all of the usual tropes such as “there are many who disagree [that GMOs are safe]”. Their reply also focuses on the use of genetic engineering to make plants tolerant of glyphosate, but only in a superficial manner. Their closing paragraph stresses that they have simply decided to “take a cautious approach to GMOs” and that many other companies such as Ben & Jerry’s are eliminating GMO ingredients from their products. In other words, “don’t hate us, we’re just doing what every other money-grubbing company thinks will boost profits”.

So I am happy to see Chipotle being sued over their bogus claim that they are in fact eliminating GMOs from their food. However, I am ambivalent because the person filing the lawsuit believes GMOs are a clear and present danger. So I can’t decide if I want them to win or lose the lawsuit. The plaintiff is a loon. The defendant is a cynical corporation. Both are working to make the future of the world bleaker.

I applaud Chipotle’s efforts to improve the treatment of the chicken, cows, and pigs that ultimately become the protein in the food they serve. But their stance on GMOs is not supported by science or an ethical evaluation of what is best for the future of every person living on this planet.

New malware with user-agent value: Parser::Template::Auto=CODE()

There is a new piece of malware attempting to guess WordPress account credentials. You can recognize it by its odd user-agent header. Here is the first one I saw:

Parser::Template::Auto=CODE(0xa1d5ff0)

All subsequent occurrences have been identical other than the hexadecimal value inside the parentheses.

The first occurrence of this user-agent on my site was at 2015-09-02T07:35:06 UTC; that is, ten days ago. Since then I’ve seen at least 241 attacks with that signature (see note below). Googling for "Parser::Template::Auto=CODE" (including the quotes) returns a lot of hits from web log analysis tools. I didn’t see any predating the first instance I found in my logs. Which isn’t to say there aren’t any, but it’s pretty clear this malware probably started attacking within a day or two of the first attack my system logged. Which is to say, around September 1st.

Of those 241 attacks the breakdown by country is

  46 NL
  43 FR
  34 US
  25 CH
  24 DE
  18 GB
  13 SE
  11 RO
   5 CZ
   3 LU
   3 CA
   2 UA
   2 RU
   2 PL
   2 MD
   2 FI
   2 BY
   1 SK
   1 HU
   1 ES
   1 AT

More interesting is that 218 (90%) of those 241 attacks originated from Tor exit nodes. The remaining 23 (10%) are probably Tor exit nodes too, since they originate from cloud hosting providers with known Tor exit nodes and their reverse-DNS (rDNS) host names are generic (e.g., ovh.net addresses) or highly suggestive (e.g., privateinternetaccess.com).

Based on the double colons and CODE token I am confident this is from a Perl language module meant to convert templates into concrete text. Most likely the person using the module made a mistake in how they invoke the method thus causing the module to emit a diagnostic rather than the expected interpolated template. However, I did a bit of Googling and searching CPAN and could not find a published module with that signature. So another possibility is this is a module written by the malware author.

Note: I say “at least 241 attacks” because I installed the Mac OS X El Capitan “golden master” release during this period, which resulted in my losing almost a full day’s worth of Apache logs.

P.S., The address 18.243.0.29 shows up in my logs with this attack signature. That address is owned by MIT and resolves to hostname zscore.mit.edu. That does not appear to be a known Tor exit node, but MIT does have many known Tor exit nodes so I would not be surprised if this address simply has not yet been classified as such.

Update 2015-09-15: Given that all the attacks appear to be originating from Tor exit nodes, it occurs to me the strange user-agent header could be the result of Tor software anonymizing the request rather than a characteristic of the malware. In other words, the odd HTTP user-agent header might be just an artifact of the malware using Tor to hide the origin of the attack and not a mistake on the part of the hacker.
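Since every occurrence differs only in the hex value inside the parentheses, the useful detection step is to match the header, collapse that volatile address so all variants count as one signature, and then do the country and Tor exit breakdown shown above. This is an added example, not code from the original post; the events, the address-to-country map and the exit-node set are constructed stand-ins for the server log, a GeoIP lookup and a published Tor exit-node list.

```python
# Added example, not from the original post: match the Parser::Template::Auto
# user-agent, collapse its volatile hex address so every variant counts as one
# signature, and summarise where matching requests came from. Events, the
# address-to-country map and the exit-node set are constructed stand-ins for
# the server log, a GeoIP lookup and a published Tor exit-node list.
import re
from collections import Counter

UA_RE = re.compile(r"^Parser::Template::Auto=CODE\(0x[0-9a-f]+\)$")

def matches_signature(ua):
    return bool(UA_RE.match(ua))

def normalize_ua(ua):
    """Replace the per-process address (the only part that varies) with a placeholder."""
    return re.sub(r"0x[0-9a-f]+", "0xADDR", ua)

def summarize(events, country_of, tor_exits):
    """events: (client address, User-Agent) tuples. Counts matching requests by
    country and reports how many came from known Tor exit addresses."""
    hits = [(ip, ua) for ip, ua in events if matches_signature(ua)]
    by_country = Counter(country_of.get(ip, "??") for ip, _ in hits)
    from_tor = sum(1 for ip, _ in hits if ip in tor_exits)
    return {
        "total": len(hits),
        "signatures": sorted({normalize_ua(ua) for _, ua in hits}),
        "by_country": by_country,
        "tor": from_tor,
        "tor_share": from_tor / len(hits) if hits else 0.0,
    }

SAMPLE_EVENTS = [  # constructed; addresses are from documentation ranges
    ("192.0.2.10", "Parser::Template::Auto=CODE(0xa1d5ff0)"),
    ("192.0.2.10", "Parser::Template::Auto=CODE(0x9f3c2a8)"),
    ("192.0.2.22", "Parser::Template::Auto=CODE(0x8e1b400)"),
    ("198.51.100.5", "Parser::Template::Auto=CODE(0x7d2e118)"),
    ("203.0.113.40", "Parser::Template::Auto=CODE(0xb0c4d20)"),
    ("203.0.113.41", "Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"),
]
COUNTRY_OF = {"192.0.2.10": "NL", "192.0.2.22": "NL", "198.51.100.5": "FR", "203.0.113.40": "US"}
TOR_EXITS = {"192.0.2.10", "192.0.2.22", "198.51.100.5"}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS, COUNTRY_OF, TOR_EXITS).items():
        print(f"{key:10} {value}")
```

For what it is worth, `Package=CODE(0x…)` is exactly how Perl stringifies a code reference that has been blessed into `Package`, which supports the author's reading that a Perl object was interpolated where a string was expected.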

Mac OS X El Capitan GM release deletes historical log files

I just installed the Mac OS X El Capitan “GM” (golden master) release. I was surprised to find doing so had deleted all the historical log files from my /var/log directory (e.g., /var/log/system.log.0.gz). I had been running the beta builds since they were announced. It is possible, in fact likely, that the first beta build behaved the same way and I didn’t notice. Regardless, it is pretty obnoxious for an operating system upgrade to delete files that cannot possibly impact the upgrade.

Not surprisingly, given how the /var/log directory was handled, the El Capitan GM release install also deleted every file in the /var/log/apache2 directory. The “upgrade” also replaced my custom /etc/apache2/httpd.conf with a generic config and didn’t even make a backup of the existing config. Jebus H. Christ on a pogo stick!

Thankfully I made a full backup using SuperDuper! before doing the upgrade so I only lost a couple of hours of Apache log data. I’m really disappointed that Apple doesn’t understand that deleting log files during an upgrade is stupid.

Nine months after I called WranglerStar an asshole for proselytizing in the wrong context another Christian berates me

Nine months ago I commented on a YouTube video and wrote a blog article about a hyper religious individual who can’t resist proselytizing in the wrong context (i.e., an ostensibly secular YouTube video). Yesterday someone named “Tommy Rad” replied to my comment. A full month since the previous reply.

Devout Christians, and highly religious people in general, just cannot let criticism of their beliefs pass without a comment. I stopped responding to those replies to my comment long ago but this most recent reply was too good to ignore. What follows are the statements from Tommy Rad with my replies.

“Well it IS his YT channel”.

Thanks for that information. I thought this channel was owned by the Freedom From Religion Foundation (http://ffrf.org). I completely missed the blindingly obvious fact that Cody created this channel to publish videos he creates under the pseudonym Wranglerstar. </eyeroll>

“did you send letters to CBS, NBC back in the day when they would sign-off with a prayer at midnight?”

I was born in 1961. I’ve seen plenty of broadcast TV sign-offs and never once saw a prayer. But then I grew up in Portland, OR where religion isn’t a big part of life for most people. I don’t doubt that specific stations may have done so (especially in the “bible belt”) but it was clearly not a uniform policy of NBC, CBS, ABC. And, yes, if I saw any channel that is not explicitly religious (e.g., TBS) in nature do what you describe I would complain to that station.

“The world has become a cesspit under the philosophy of secularism at the reins of the ‘progressives’.”

Really? That will come as quite a surprise to most European countries; especially the Scandinavian countries. Even in the USA measures of societal health show that the most religious states have the most problems (teen pregnancy, drug use, crime, poverty, etc.).

“Have you heard the utterly disgusting, life-hating vitriol coming from the lips of your secular 3rd-wave feminists?”

No, I haven’t. Perhaps you can provide some examples.

“Good job my friend, good job.”

Thank you. It is good for our future that people are abandoning religion in favor of secularism and humanist values.