TheJach.com

Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)
Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

Technical Debt is just messiness

It's the time of year for people to share their reframings of technical debt.

Yossi Kreinin has two takes I like, from https://twitter.com/YossiKreinin/status/1431748651571896320 and https://twitter.com/YossiKreinin/status/1341741855214546949 respectively.

Much of "technical debt" isn't - it wasn't done to ship quickly at the cost of more work in the future. It was just a shitty job that you're now stuck with, that never helped ship anything quickly. If programmers were plumbers, we'd spill shit all over your room & call it "debt"

See Full Post and Comments

Fixed an embarrassing security bug...

Earlier tonight I started getting some error emails as a result of some requests from 5.188.62.214 who started POSTing to /admin/post/new, which as revealed in my notes is the URL this blog uses when I submit a new post. I knew I had to deal with this immediately because the error message was PHP aborting because of an undefined index in a map -- the bot using that IP wasn't sending the expected new post form parameters.

This is odd to me since the HTML form is part of the response payload and all the needed inputs are in there, including one that the bot did send. That one ended up being the only type="hidden" one, too, which makes it more bizarre. It reminds me of some people filtering requests from dumb bots by setting a hidden input and then setting it to something else with JS, or unsetting it, and catching bots that aren't JS-aware. Apparently many still aren't. The bot also sent some parameters from other forms on the page, like the hidden sitesearch param for the google search box, and the pw param for the login form, with guesses as brilliant as 123456, admin, admin123, and gw44444 (what's that from? too many 4s...) -- with variants gw111111 and gw66666666.

But all that's beside the point, because what is an unauthenticated request doing getting this far into the handler of an admin page, which is supposed to be restricted to admin users (i.e. me)? And after a bit of investigation I found to my horror that a plain curl on that URL would serve the form...

See Full Post and Comments

Archives

All posts, ever (405)

RSS Feed: RSS FEED

Selected Posts

Thoughts on Writings on Lisp The Last Choice Jump Game As Interview Problem, Domain Solutions OOP in C with Function Pointers and Structs What is customer trust? Correlation is evidence of causation Absence of Evidence is Evidence of Absence Mesh Current Method A new favorite equation? Mindlessness Meditation Sephira Su Archives

Recent Posts

Japan Trip 4 and 5
2024-02-29
Possible errors and downtime
2024-01-18
Parting is such sweet sorrow
2024-01-14
Leaving a mark
2023-12-20
Keep saying no to unionizing tech
2023-11-21

Recent Comments

@ Anon October 31, 2023 Well, Sapphirus isby Anonymous on Furcadia is Dead
December 18, 2023 03:08 PM
At least this page will remain up. If the siteby Jach on Furcadia is Dead
November 03, 2023 09:35 AM
The forums were closed because Sapphirusby Anonymous on Furcadia is Dead
October 31, 2023 07:16 AM
Just a random internet user passing by. Iby Anonymous on Furcadia is Dead
October 05, 2023 07:04 AM
Welp, guess this thread is now dead. Kind ofby Anonymous on Furcadia is Dead
June 21, 2023 11:00 AM

Tag Cloud

aliens
 (1),

altruism

 (3),

Anarchy

 (14),
anime
 (2),

anti-anarchy

 (3),

artificial intelligence

 (9),
assembly
 (1),

atheism

 (9),
awesome
 (1),
bash
 (1),
basics
 (1),

bayes

 (8),

books

 (8),

business

 (3),

c

 (9),

c++

 (4),
cars
 (1),
circuit analysis
 (2),

clojure

 (13),
cloning
 (2),
cognition
 (2),
college
 (1),
comics
 (1),
computer engineering
 (2),
couchdb
 (1),

cryonics

 (3),
curl
 (1),

daily life

 (15),

databases

 (3),

debate

 (3),
demo
 (1),
design
 (1),
disaster
 (1),

economics

 (3),
evolution
 (2),

existentialism

 (3),
FFP Machine
 (1),

fiction

 (4),

flex

 (5),

fodder

 (31),

food

 (3),
forth
 (1),
FPGA
 (2),

free will

 (4),
french
 (1),
furcadia
 (1),
future
 (1),

games

 (6),
git
 (2),

government

 (33),
grammar
 (1),

hacking

 (3),
HDL
 (1),
hiring
 (2),
history
 (1),
immigration
 (1),

intellectual property

 (9),
italy
 (1),

japan

 (5),

java

 (5),

jMonkeyEngine

 (4),

language

 (5),

learning

 (5),

lisp

 (16),
LucidDB
 (1),
management
 (1),

math

 (25),

memo

 (8),
money
 (1),

morality

 (27),
music
 (1),

nanotech

 (3),
NaNoWriMo2009
 (2),

NaNoWriMo2010

 (3),
nature
 (2),
nim
 (2),
non-cooperation
 (1),

non-violence

 (12),

open source

 (5),
PARODPY
 (1),
patents
 (1),

personal

 (65),

philosophy

 (86),

php

 (9),

physics

 (3),

pithy

 (3),
poetry
 (1),
privacy
 (1),

probability

 (7),

programming

 (100),
psychology
 (2),

pygame

 (3),

python

 (14),
quality
 (1),
quotes
 (1),
race
 (1),

rant

 (33),
rap
 (1),

rationality

 (19),

religion

 (15),

religious thinking

 (4),
response
 (2),

reviews

 (6),
safety
 (1),

school

 (12),
science
 (1),
scifi
 (1),
scripting
 (1),

security

 (3),
services
 (1),
silly
 (2),

singularity

 (6),
soldiers
 (2),
song translation
 (1),
sql
 (1),
statistics
 (2),

stupidity

 (17),

taoism

 (5),
teaching
 (2),
technology
 (2),
testing
 (1),
The Void
 (1),

thought

 (42),
tip
 (2),

tips

 (13),

travel

 (6),

uberman

 (4),
unicode
 (1),
utility
 (2),

vim

 (3),
vtuber
 (2),
words
 (1),
work
 (2),
xml
 (1)

Better Websites

Overcoming Bias Dan Luu's Blog Coyo's Channel 🐺🐾 Hacker News Less Wrong Sequences Gwern's Essays Current Events Moldbug's Essays Paul Graham's Essays Ridiculous Fish Kim Øyhus's Home Page Paul Nylander's Web Site Evo Psych Articles Warp's Rants