ChrisMerlo.net

I’ve been meaning to write this post for a long time, but I never take the time to do it.  I was reminded about this game once again today, and since I have the time, I have decided not to put it off any more.

The weirdest Mets game I’ve ever attended took place on August 23rd, 2009.  What was so weird about it?  Well,

• DJ AM (who I admit I’d never heard of) threw out the first pitch, in what would be his last public appearance before his untimely death five days later.
• Pedro Martinez, who was a beloved Met for four years, was the visiting Phillies’ starting pitcher after the Mets essentially ignored him during the off-season.
• Pedro would have his first at-bat before he threw his first pitch.
• Oliver Perez gave up six runs in the first inning.  (If you know anything about Perez, that part isn’t so weird.)  Not only did he not get out of the first inning, he was pulled during Pedro Martinez’ at-bat with a 3-0 count.  Nelson Figueroa would come in and finish the at-bat, striking Pedro out to end the inning.
• Mets center fielder Angel Pagan hit an inside-the-park home run and a traditional home run.
• Mets right fielder Jeff Francoeur caught a ball hit by Phillies second baseman Eric Bruntlett in shallow right in the top of the 9th that the first base umpire initially ruled a trap.  The umps got together to discuss it, and wound up overturning the first base umpire’s initial ruling, making the third out in the inning.
• Bruntlett would get his revenge on Francoeur in the bottom of the ninth when, down by two runs, with two runners on and no outs, Francoeur lined out to Bruntlett, who then stepped on second and tagged out Daniel Murphy, who was on the back end of an attempted double steal.  Bruntlett therefore ended the game with an unassisted triple play — only the 15th in the history of Major League Baseball, the second ever to end a game, and the first ever to end a National League game.  Had Bruntlett been standing literally anywhere else in the stadium, that ball would have gone through for a hit, and the Mets would have scored one run and likely two to tie the game.  See for yourself:  Eric Bruntlett\’s Unassisted Triple Play (YouTube)

Pedro Martinez, in his first game against the Mets since May 28, 1997, won for the first time as a Mets opponent since April 26, 1997.  Perez took the loss in, if I remember correctly, what would turn out to be his last appearance for the Mets that season.  That was a long drive home.

Jack’s First Celebrity Sighting!, originally uploaded by cmerlo441.

Jack’s day care center held an ice cream social yesterday, and Elmo showed up. Pretty cool. (Also, I just discovered that Flickr and WordPress have automatic API talk-to-each-other-ness which I’m trying out for the first time presently. Which was a good excuse to post this photo.)

Not a lot of time to blog lately, mostly due to this handsome lad:

Jack + birthday cake = photo op

:)

At the February LIPHP meeting, Blake Cornell presented a very informative talk about penetration testing. For those of us who have been creating applications for a while — especially web applications, which was the focus of Blake’s talk — there were a few “oh yeah” moments and a couple of “oh crap, I better fix that” moments. But anybody who has never really done serious application programming may have felt intimidated. Also, while parts of Blake’s talk were web-app specific, there were some ideas that are useful for any application developer, even the novices.

This post, then, is an attempt to rephrase Blake’s most important points, in a way that hopefully any programmer will be able to understand, and in a way that should be useful to all application developers. I will be leaving out the really super-technical, database-specific stuff, and help programmers set a couple of important, attainable goals.

What is Penetration Testing?

Why was Blake’s talk so important and informative? What was he trying to get us to do? In short, any application programmer needs to be sure that the application only exposes the right data to the right user. I shouldn’t be able to update your Facebook status from my computer any more than I should be able to see your account balance by using the ATM. The way we determine whether an unauthorized user can see data he or she shouldn’t see is through penetration testing — the act of trying to break into your own application, or trying to get at sensitive data through means other than what the application developers intended.

Think Like The Attacker

As I thought about Blake’s talk on the drive home, I realized that none of us will write a secure application by accident. Application security happens by design. Programmers who create secure applications, then, must always be mindful that careless coding — especially in the absence of good testing — can and usually does result in unprivileged access. I realized that even I needed to adopt a new philosophy while designing, coding, testing, and maintaining. I realized that I need to think like the bad guy, and anticipate what attacks might occur, so that I can defend against them. If you can think like your application’s attackers, then you’re probably already one step ahead of the game.

Don’t Give Away Free Data

Blake brought a large arsenal of technological weaponry to the LIPHP meeting. He had all manner of JavaScript pausers, and POST data manglers, and all kinds of other stuff, meant to confuse web servers into doing what Blake wants, instead of what the web application programmers wanted. But the most important tool Blake brought was his common sense. Attackers will try to glean any information they can from your application, so don’t give them any.

Blake provided a few examples of how a careless application developer can give away data without even realizing he or she did so. Imagine attempting to log into your Twitter account. You type your username and password into the fields provided, and you see a message that says something like “Wrong password. Please try again.” You might appreciate how helpful this message is, since now you know what to fix, and you can successfully log in.

However, if this were the case with Twitter (it’s not, thankfully), then the application developer seriously needs to learn how to think like the attacker instead of like the client’s friend. Sure, it’s nice to give the user that hint. But what if the user typing your username and password into the site wasn’t you? That attacker has now verified that your username exists in the system. (“OK, but everyone knows my Twitter username already.” Fine. Let’s say this is your bank’s web site.) From there, the attacker only needs an educated guess (“He was married on September 9th…”) or a little social engineering (“Hi, this is Chris from Citibank calling. I noticed some unusual activity on your Mastercard over the past couple of weeks, that I’d like to verify. Could you give me your username and password, so we can fix this up?”) — or maybe a keylogger, or a shoulder surfer — to gain unauthorized access to your data.

The Solution

Here’s why I entitiled this post “Low-Tech Application Security.” The fix to this problem is very easy, and it doesn’t require any more purely technical programming knowledge than what got you in this mess in the first place. Just change the error message. Instead of saying “Wrong password”, use the same error message for right username/wrong password as you do for wrong username; something like “Invalid Username/Password Combination” will do. This message has the intended effect on a real user; he’s going to type his username more carefully the second time, and if the password is really wrong, he’s going to take a minute and figure out what’s happening. (“Oh, I used the other password on this account.”) Plus, this message has the intended effect on the attacker, who has now learned absolutely nothing about your system.

What Next?

I’m hoping this discussion will help a couple of you shore up your applications, and make them more secure.  I also hope to write more in this space about how to design applications — especially web applications — the right way.  But there are certainly a ton of other resources out there you can take advantage of to keep learning about security and application design (and please add more in the comments).  Also, find a local user’s group, and join the e-mail list or show up at a meeting, where you are sure to learn a thing or two about programming.  For instance, I will be presenting my application PHProf at LIPHP‘s March meeting.

Why haven’t I wriiten a single post to this blog in six months? Well, primarily laziness, but I’m pretty good at coming up with excuses, so here’s a partial list of preferred answers to that question:

• I’ve been raising a baby
• I taught a bunch of extra classes in the fall semester
• I’ve been diligently updating Twitter (and therefore Facebook), so it’s not like I haven’t been on the Internet
• I’m still the captain of my firehouse
• The band still isn’t done recording
• I didn’t have a car from October through New Years’
• I was in despair over the Mets’ awful 2009 season, and the Giants’ season didn’t perk me up any

So, as you can plainly see, there were lots of reasons I’ll describe as “good” for not blogging all this time. But, whatever the reason, I’ve missed it, and my writing skills have suffered as a result. I have a lot less schoolwork to do this semester, we’ll finish our album soon, and I’m going out as captain in April (right after Jack turns 1), so hopefully things will pick up around here.

There are some topics I hope to cover soon:

• Are there really “good numbers” to have in your football pool?
• What are some of the more awesome technological tools that I’m using, that you should be using?
• What’s it like to record an album by yourselves with just a MacBook Pro?

Ok, yeah, that last list is meant as a reminder to myself, but hopefully it’ll keep me in some of your RSS readers. :)

How to correctly diagram an expletive-laden sentence.  Added bonus: this writer hates Van Morrison, too!  http://languagelog.ldc.upenn.edu/nll/?p=1608 (Language NSFW)

On September 30, 2005, still unmarried and childless, I felt absolutely no guilt in asserting that picking up my brand new MINI Cooper was the greatest thing to happen to me (possibly tied with earning a Master’s Degree and playing music in front of 600 people).

Small Cars Only

Now, nearly four years later, removing the statuses “unmarried” and “childless” have eclipsed that day, but I still love my car more than any non-carbon-based things in my life.  (My Fender basses are made of wood…)  But this lease will be ending soon.  About 2,000 miles too late, as it turns out:

50,000 Miles

The guy came today to perform the end-of-lease inspection.  (So soon?)  Come February, when Carrie goes back to work, it’s going to be my job to drive Jack to day care, and I just can’t see myself getting that baby seat in and out of the MINI every day.  So, at least temporarily, my MINI-driving days are going to come to an end; and, finally, I can sense that day drawing near.  And, still, that new-MINI-owner feeling hasn’t gone away.  It’s an awesome car, and I am still thinking about getting another one when Jack gets bigger.

For now, though, it’s time to choose a new ride.  My criteria are fairly specific:  I need a car that comes in a manual transmission, with a factory-installed iPod dock connector, that I can get Jack in and out of fairly easily, and that doesn’t suck.  I am down to about three choices — the VW GTI, the VW Jetta, and the Subaru Impreza wagon.  I test drove a GTI the other day, and I don’t think I’m going to like the other two even remotely as much.  For a non-MINI, I really like the handling, acceleration, and style.  It’s got a lot more horsepower, though not quite the same suspension.  The radio, etc. is nicely laid out — the newer MINI interior is quite a step back from the styling in my ’06, in my opinion — and looks nice and modern.  Yes, I’m still going to drive the other two, but I feel like I’ve decided already.  The only potential factor to keep me out of it will be the price.  Cross your fingers for me.  :)

Just because these pictures are great:

Jack The Bee

Hey, thanks for visiting the new digs.  Check out that vanity URL.  Fancy, huh?

OK, really, what am I doing starting a new blog site?  Well, I’ve been using my band’s page as my own personal blog for a long time.  Mostly, this hasn’t been a big deal, as the band hasn’t been doing a lot lately, other than hanging out and drinking beer.  But now that we’ve been gigging somewhat regularly, and getting ready to record our first album, I felt that my personal posts should have their own place.  There have been quite a few things that I have held back from posting, because I knew they didn’t fit with the spirit of the band’s page, and I just don’t want those sort of restrictions on myself.

Plus, now I have my own name in a domain name.  Come on, admit it, that’s pretty cool.  Now you want one too, don’t you?

I figure, given the awesome new URL, and the lack of mention of the band, or my firehouse, or my job, or really anything except for me, I can stretch out, post what I want, and not have to answer to anyone.  That’s the plan.  So, look forward to lots more posts about those lousy Mets who I love so much, and the Giants, and whatever else happens to cross my mind.  You must be so excited.

Don’t forget to find the “Register” link, type away freely in the comments boxen, love up the RSS feed, and share with your friends and enemies.  Thanks!

-c