I would rather be unemployed than forced to write code in PHP

My blog currently uses WordPress. I’ve written numerous times about the various PHP based attacks I see every day because of the stupid security mistakes PHP programmers make. I’ve also made a few changes to the WordPress software to make it saner about handling and logging requests. Thus I knew PHP was awful from my own limited interaction with it. Then I came across this article: PHP: a fractal of bad design. This one point from that article should be enough to result in a death sentence for the language:

PHP’s one unique operator is @ (actually borrowed from DOS), which silences errors.

Holy shit! The developer(s) of PHP remind me of a coworker in my first post college job. He thought he could design and implement a new language. Yet he had no idea what the computer science terms “parser”, “lexical analysis”, “tokenizer” etc. meant. I suspect he would be welcomed by the PHP community.

Twitter needs to hire a competent software engineer to fix their web crawler

This evening I posted an article about an Indiana State Police trooper who uses his position of power to proselytize to motorists he stops. That resulted in Twitter crawling my web server. Which would be fine but the first four requests, in a 715 ms interval, were GET /robots.txt. Every single request request came from the same address. Every single response was a HTTP 200 status that included the contents of the robots.txt file. Every single response took less than one 1 ms. What the fuck? How hard is it to avoid duplicate requests from a queue (hint: it’s pretty fucking easy)?

I went to the Twitter web page in the hope of finding an email address or web form where I could provide some constructive feedback regarding their web crawler. If it exists I couldn’t find it after searching for nearly ten minutes.

VPS/cloud provider soladrive.com has no working abuse or support email

Today my server was attacked by a server owned by soladrive.com; specifically IP addr (which is also owned by quadranet.com). I sent a report of the attack to abuse@soladrive.com. That email was rejected with this text:

  pipe to |/home/sola/public_html/support/pipe/pipe.php
    generated by abuse@soladrive.com
    local delivery failed

I then forwarded that to support@soladrive.com — the address I found on their web page. That also bounced with the same error. WTF! Why would anyone use a VPS provider without a working abuse email address? Oh, right. They use companies like this because they don’t give a shit about security or abuse from their network.

Shortly after writing the above text I sent an email to sales@soladrive.com which is also on their public web page as a point of contact. It too bounced with the same error. Jebus H Christus. The people running Soladrive.com appear to be morons.

Lunarpages.com is clueless regarding reports of abuse from its servers @lunarpages

This afternoon my web server was attacked by a server owned by lunarpages.com. I sent an email to their abuse address, hostmaster@lunarpages.com, as listed in their WhoIs data. My abuse report did not bounce but I did get the following reply:

Subject: Domain Name Not Hosted

Your message with the subject attack on my system from HTTP 400 (probe-for-revslider-plugin) for GET /2015/05/new-malware-user-agent-value-jorgee/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php was not processed by our system, because we aren't hosting any of the email addresses it was addressed to: hostmaster@lunarpages.com abuse@lunarmania.com.

Please ensure you have the correct email address in your message.

So I went to their web page. You’ll notice that nowhere on that page is there a link for reporting abuse. The closest thing to it is “Submit a Ticket” under the “Support” menu pulldown at the top of the page. That option takes you to a web form asking for your Lunarpages account credentials.

Holy shit! I just found a cloud services/web hosting provider that is even more clueless than OVH.

The humiliation of 9th grade student Ahmed Mohamed

The title of this article deliberately mirrors that of Dr. Jerry Coyne’s article at Why Evolution Is True. I agree with Dr. Coyne that we have created a society in which “infractions” that three decades ago when I was in primary school would have been ignored or, at most, resulted in a lecture about how to behave now result in police arrest. This is both counterproductive and idiotic.

We have to stop thinking in terms of “security at all costs”. I’m tired of taking off my shoes when flying. I’m tired of taking off my belt when reporting for jury duty at the San Jose Federal court. Which happened two years ago and will likely be repeated when I report for jury duty again this coming monday.

Below is the mail I sent to the Irving, TX police department prior to reading Dr. Coynes article.

from:   Kurtis Rader 
to:     lboyd@cityofirving.org, bredburn@cityofirving.org, jspivey@cityofirving.org, bjolley@cityofirving.org
date:   Fri, Sep 18, 2015 at 6:31 PM
subject:        the arrest of 9th grade student Ahmed Mohamed

I'm a 54 year old white male software engineer who grew up in a middle class suburban family that attended a Protestant church. In other words I'm a member of a demographic you could reasonably expect to support you. Yet every time I read about incidents like the arrest of 9th grade student Ahmed Mohamed I become more firmly convinced the police cannot be trusted to exercise good judgement and it is reasonable for me and my neighbors to fear an encounter with the police.

In my opinion the officers involved in that incident are not competent to issue parking tickets let alone arrest people. And your department's defense that

    “It could reasonably be mistaken as a device if left in a bathroom or under a car. The concern was, what was this thing built for? Do we take him into custody?”

and that you

    wanted "a broader explanation" from the teen

is absurd. Hang your heads in shame.

P.S., I'm also appalled at the behavior of the school staff. Your officers should have defused the situation (pun intended) instead of escalating tensions. Get a fucking grip.

P.S., I’ve included the “religion” tag on this post because I strongly suspect that the skin color and name of the student, suggesting he is a Muslim, was a factor in how he was treated. I have no love for Islam. As an atheist I dislike all religions. Nonetheless I feel it is wrong to discriminate against a person solely due to the religion you believe they adhere to.

Nine months after I called WranglerStar an asshole for proselytizing in the wrong context another Christian berates me

Nine months ago I commented on a YouTube video and wrote a blog article about a hyper religious individual who can’t resist proselytizing in the wrong context (i.e., an ostensibly secular YouTube video). Yesterday someone named “Tommy Rad” replied to my comment. A full month since the previous reply.

Devout Christians, and highly religious people in general, just cannot let criticism of their beliefs pass without a comment. I stopped responding to those replies to my comment long ago but this most recent reply was too good to ignore. What follows are the statements from Tommy Rad with my replies.

“Well it IS his YT channel”.

Thanks for that information. I thought this channel was owned by the Freedom From Religion Foundation (http://ffrf.org). I completely missed the blindingly obvious fact that Cody created this channel to publish videos he creates under the pseudonym Wranglerstar. </eyeroll>

“did you send letters to CBS, NBC back in the day when they would sign-off with a prayer at midnight?”

I was born in 1961. I’ve seen plenty of broadcast TV sign-offs and never once saw a prayer. But then I grew up in Portland, OR where religion isn’t a big part of life for most people. I don’t doubt that specific stations may have done so (especially in the “bible belt”) but it was clearly not a uniform policy of NBC, CBS, ABC. And, yes, if I saw any channel that is not explicitly religious (e.g., TBS) in nature do what you describe I would complain to that station.

“The world has become a cesspit under the philosophy of secularism at the reins of the ‘progressives’.”

Really? That will come as quite a surprise to most European countries; especially the Scandinavian countries. Even in the USA measures of societal health show that the most religious states have the most problems (teen pregnancy, drug use, crime, poverty, etc.).

“Have you heard the utterly disgusting, life-hating vitriol coming from the lips of your secular 3rd-wave feminists?”

No, I haven’t. Perhaps you can provide some examples.

“Good job my friend, good job.”

Thank you. It is good for our future that people are abandoning religion in favor of secularism and humanist values.

70 years ago the nuclear nightmare begins

The following movie came to my attention thanks to Phil Plait’s Bad Astronomy blog. Since today is the 70th anniversary of America’s bombing of Hiroshima the following video showing when and where nuclear explosions have occurred from 1945 to 1998 is relevant and sobering.

I was born in 1961 and remember “duck and cover” drills at school. When going shopping at the local mall or department store meant looking for the nuclear civil defense fallout shelter signs indicated you should go in the event of a nuclear explosion. I didn’t know anyone who had a bomb shelter in their back yard but it was certainly discussed and magazines like Popular Mechanics had articles about building one. So when I watch todays GOP representatives argue against the Obama administration’s Iran nuclear agreement I think about stuffing the lot of them into a suburban backyard bomb shelter without food or water and padlocking the door.

Craniosacral Therapy and Whole Foods

Today I visited the newest Whole Foods store in San Jose on The Alameda Ave. just outside of downtown San Jose. This is what I saw across the street:

Cranial Sacral Therapy

The sign reads “Cranial Sacral Therapy Center“. A form of alternative medicine that is only slightly less ridiculous than Homeopathy. Note that this therapy is more commonly known as “Craniosacral”. See Quackwatch and Science Based Medicine for just two takedowns of this horse shit.

What does this have to do with Whole Foods? The target demographic of Whole Foods are the type of people who will pay outrageous prices for products labeled “holistic”, “organic”, etcetera. The typical Whole Foods store has a couple of aisles devoted to selling homeopathic preparations, herbs (for medicinal not cooking purposes), and items like bee pollen. None of which do a single thing to improve your health. So the presence of a clinic that sells a nonsense treatment across the street from a Whole Foods store is pure marketing genius on the part of the owners of that enterprise as they are targeting the same demographic.

P.S., Prior to today it’s been over a year since I’ve been inside a “Whole Paycheck” store. I was in the mood for some decent coleslaw and macaroni salad without going to the trouble of making it myself. I spent $20 and left with a couple of pounds of food. They were charging $3 for a donut and $1 for a single cookie even when buying them in boxes containing six cookies! Not exactly a bargain and why I won’t be buying from Whole Foods again anytime soon. The quality is very good but the prices aren’t just high they’re outrageous.

Read this article at Daily Kos about the results of an investigation that found Whole Foods is systemically ripping off its customers by overcharging for products that they package and sell by weight.

Also, as a result of writing this article I finally took the trouble to search for recipes to make my own “Whole Foods broccoli crunch” salad. A pound of broccoli crowns is currently selling for $1.29 per pound at my local Sprouts supermarket. Factor in a few raisins, sunflower seeds, red onion, bacon, and dressing ingredients and it costs me roughly $3.60/lb to make it myself. My local Whole Foods charges $9.99/lb. Whole Foods charges that much because it is what they think the market will bear. Not because it represents a reasonable profit. Can you say “rip-off”?

How Christians and Atheists respond to (perceived) persecution

Apparently the following image is making the rounds on Facebook:

Christian persecution complex

It’s sad that devout followers of a religion (not just Christians but also Jews, Muslims, Hindus, etc.) tend to be so deeply indoctrinated their minds are closed to new evidence. It’s hard to believe that someone cannot even imagine evidence that would change their mind. They have their fingers in their ears and their heads buried in the sand while saying “la-la-la I can’t hear you”.

This image succinctly captures the atheist viewpoint:

atheist persecution

P.S., I use the word “persecution” deliberately. The feeling of being persecuted, even in a country like the USA where Christians wield enormous power, is seemingly unique to Christians.

New, in your face, malware attacks me: /Ringing.at.your.dorbell!

Once in a great while I see a novel piece of malware. Novel in the sense that it is particularly stupid in its behavior and tells us the author is an egotistical asshole.

This week it is malware written by someone who can’t resist announcing in big bold letters that they are up to no good. Specifically, the malware makes HTTP attacks with the first request being “GET /Ringing.at.your.dorbell! HTTP/1.0“. Yes, that’s “dorbell” not “doorbell”. That plus the odd grammar implies this is a non-native speaker of English. The user-agents I’ve seen are “x00_-gawa.sa.pilipinas.2015” and “CVE-2014-6271 ;)“.

As is typical for these morons the malware fails to include a Host header. Which isn’t mandatory for a HTTP/1.0 request but has been standard practice for a decade since it is necessary for virtual hosts to function properly. The absence of a host header is something I use to decide the request is from malware since no legitimate browser or web crawler written in the past decade would omit it.

Note that this is fundamentally a shellshock attack. You can read about how I block such attacks here.

Update 2015-05-19: I feel compelled to note that this particular malware may have more than one signature. The first couple of attacks looked a lot like typical shellshock attacks. For example, here are the HTTP headers from the first attack I logged (this is from the request that followed the GET /Ringing.at.your.dorbell! request):

Cache-Control: no-cache
Connection: close
Pragma: no-cache
Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Referer: http://google.com/search?q=2+guys+1+horse
User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`

That was my basis for asserting that this is fundamentally a shellshock attack. However, the next attack was not of the shellshock variety. For example, I then saw this in the HTTP headers in a request for URI /Diagnostics.asp:

Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!

That cookie was not in the original “Ringing.at.your.dorbell” shellshock attacks that caught my attention. So is the malware mutating or is someone else hijacking the signature of the original attack?

Update 2015-07-11: Prior to today I hadn’t seen an attack from this particular malware in nearly two months. Today I saw two attacks, both with the same pattern:

1) First request was “GET /Ringing.at.your.dorbell!“.
2) Second request was “GET /“.
3) Third request was “GET /Diagnostics.asp“.

The cookie this time was slightly different: “Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa“. Notice the replacement of “Tomato lol!” from the earlier attack with “justa“. As before there is no Host header and the referer value is “http://google.com/search?q=2+guys+1+horse“.

So it appears this malware is active again and that explains why I’ve seen a huge spike in the number of people reading this particular article recently.