Author: Lisa

Fortify on Demand Remediation – XSS Reflected

This vulnerability occurs when you accept user input and then use that input in output. The solution is to sanitize the input. The filter_var or filter_input functions can be used with a variety of sanitize filters.

As an example, code to accept what should be an integer value from user input:

     $iVariable = $_POST['someUserInput'];

Becomes code that removes all characters except for digits (and + or - signs) from the input:

     $iVariable = filter_input(INPUT_POST, 'someUserInput', FILTER_SANITIZE_NUMBER_INT);

Minimum wage profit sharing experiment

A pizza joint shared its profits with its employees and that meant the employees made $78 an hour. I’m curious if the pizzeria used a realistic calculation for profit. If so? This makes the “I cannot afford to increase my starting pay rate to attract employees, the problem is the gov’t is making people all lazy and stuff” argument clearly disingenuous.

Profits are what you make after paying for the business’s expenses — so the ingredients, power, water, advertising, insurance, employee benefits, real estate, business loans, taxes, and such are all taken out before you call it a profit. Good accounting includes future predictable expenses as well — the facility is going to require occasional sprucing up, maintenance expenses pop up, at some point they’ll need to replace the pizza oven or refrigeration units. Just like a personal budget should include “replacement car, every 10 years, that means I need to accrue $5 a day to fund that replacement” … these expenses should be estimated out and included in the net/profit calculations. It’s possible they used a far simpler algorithm for computing profits — net proceeds minus food cost (which is something most restaurants track very well) … which would render my calculations here meaningless. But I’m going to assume “profits” actually means profits in the accounting sense.

In a lot of businesses, the owner takes a salary too — no idea if this owner takes a salary in the first place, or whether it was taken out before calculating the daily profit. I am going to assume the owner’s salary was not already deducted. Then $78 an hour isn’t sustainable because the owner needs to eat too, but the owner could take $50 an hour per employee and still pay everyone $28 an hour.

Not that the owner gets $50 an hour for being open, but $50 a man-hour worked by any employee. Think about that for a minute — say they’ve got three people doing prep from 1P-3P and five people working when open from 3P-10P, then three people staying on for close from 10P-11P … that’s 44 man-hours worked that the owner’s keeping at $50 a man-hour. Owner keeps $2,200 each day, plus has all of his business’s expenses covered. For each of the 300 days a year they are open (since they’re open 7 days a week, this is a low estimate too), that’s $660,000.

Say I’m overestimating the owner’s share a lot — let’s cut that in half. Maybe they did the profit sharing on an unusually profitable day. Maybe they did it on a weekend day where they’re open a few more hours. Let’s say the owner can keep $1,000 a day. That means the owner pays the staff $28 an hour, pays for all of the business expenses, *and* has an absolute minimum of $300,000 in profit.

Fortify on Demand Remediation – Introduction

The company for which I work signed a contract with some vendor for cloud-based static code analysis. We ran our biggest project through it and saw just shy of ten thousand vulnerabilities. Now … when an application sits out on the Internet, I get that a million people are going to try to exploit whatever they can in order to compromise your site. When the app is only available internally? I fully support firing anyone who plays hacker against their employer’s tools. When a tool is an automation that no one can access outside of the local host? Lazy, insecure code isn’t anywhere near the same problem it is for user-accessible sites. But the policy is the policy, so any code that gets deployed needs to pass the scan — which means no vulnerabilities identified.

Some vulnerabilities have obvious solutions — SQL injection is one. It’s a commonly known problem — a techy joke is that you’ll name your kid “SomeName’;DROP TABLE STUDENTS; … and most database platforms support parameterized statements to mitigate the vulnerability.

Some vulnerabilities are really a “don’t do that!” problem — as an example, we were updating the server and had a page with info(); on it. Don’t do that! I had some error_log lines that output user info that would be called when the process failed (“Failed to add ecckt $iCircuitID to work order $iWorkOrderID for user $strUserID with $curlError from the web server and $curlRepsonse from the web service”). I liked having the log in place so, when a user rang up with a problem, I had the info available to see what went wrong. The expedient thing to do here, though, was just comment those error_log lines out. I can uncomment the line and have the user try it again. Then checkout back to the commented out iteration of the file when we’re done troubleshooting.

Some, though … static code analysis tools don’t always understand that a problem is sorted when the solution doesn’t match one of their list of ‘approved’ methods. I liken this to early MS MCSE tests — there was a pseudo-GUI that asked you to share out a printer from a server. You had to click the exact right series of places in the pseudo-GUI to answer the question correctly. Shortcut keys were not implemented. Command line solutions were wrong.

So I’ve started documenting the solutions we find that pass the Fortify on Demand scan for everything identified in our scans — hopefully letting the next teams that use the static scanner avoid the trial-and-error we’ve gone through to find an acceptable solution.

Freedom!!?

About a year ago, my boss observed that this entire pandemic sitch is just a nightmare for those with analytical thought processes. Engineering, science, analytic types. Mathematically? The country was basically in a worse place when the health orders were lifted than it was when the orders were put in place last year. That was astonishing to me. And kind of like the anti-environmentalists who don’t seem to realize they need to drink the water and breathe the air … even if you’re vaccinated and have a very good probability of avoiding hospitalization? Getting sick for a week sucks. It sucked ten years ago, it’ll suck ten years from now. But, if you can mitigate your risk of feeling like an elephant is roosting on your chest for a week … what’s the reasonable thought process that leads to someone saying “I’m going to show how very free I am by getting painfully ill”?!

I mean, there are plenty of ways to partake in your American Freedoms that aren’t painful illness. Head out to the range, rent a gun for a few hours, and fire off a couple dozen 50 caliber rounds. Publish a rant against whatever part of government irked you this week. Spend the weekend attending church services for ten different religions. Hell, marvel at the fact there’s not an uninvited soldier camped out in your spare bedroom and that the cops aren’t rifling through your belongings. And that just covers the first five articles in the Bill of Rights.

In fact …

Article | Way to enjoy it
I | Spend a weekend attending services for a dozen different churches (synagogues, mosques, etc.)
II | Hire a gun at a range and spend the afternoon popping off 50-cal rounds
III | Marvel at how your spare bedroom is not occupied by an uninvited soldier
IV | Notice how the police are not rifling through your personal belongings just because they can
V, VI, VII, VIII | Don’t know that I’d commit a crime just to enjoy my right not to provide evidence against myself, be subjected to cruel or unusual punishment, or experience a speedy, public trial … but you do you.
IX | Go to work?
X | Oooh, experience all of the things your state does control — maybe hang at the DMV and renew your license
XI | Umm … well Michigan hasn’t sued Ohio today. Does that count?
XII | Well, you cannot be part of the electoral college … but you CAN vote
XIII | No more slaves
XIV | The state isn’t depriving me of life, liberty and such.
XV | My rights aren’t being abridged because of my race
XVI | Taxes were withheld from my paycheque this week. Yeah!???
XVII | My state has two senators
XVIII | Grab a pint!
XIX | I’m a woman, and I can vote!
XX | Watch the certification of the election
XXI | Grab another pint!

Sustainability and meat

I’ve seen a lot of info on the incredible (bad) environmental impact of meat production — the amount of land and water it takes to grow a cow is staggering. Something like 77% of the world’s land that is used for agriculture is used to graze livestock. Lamb/mutton, beef, and cheese (mostly cows still) top the list of inefficient ways to produce a gram of protein. I see plant-based fake meat (Beyond, Impossible, etc) marketing toward this — a lower impact way to enjoy a burger. I’d like to see more focus on using existing food sources to reduce the amount of meat contained in meals — rewriting recipes to reduce meat consumption.

I make a lot of meals where meat is a small component of the dish — additions instead of subtractions from the normal recipe. Enhancements instead of restrictions. Turkey burgers with lots of spinach, some feta, and garlic. Stroganoff with three different types of mushrooms, plenty of onions, and a bit of beef. Tacos and wraps loaded with rice, beans, tomatoes, onions, avocado, cheese, grilled corn, and a little grilled chicken. Sloppy joe sandwiches where half of the ground beef is replaced with red lentils. Pasta salad that’s more salad than pasta with a little bit of diced pepperoni. We have completely vegetarian meals, and I use the Beyond/Impossible substitutes to make meatball subs or sausage pizza. That all balances out the grilled steak or rack of ribs some other day.

New Hatchling Countdown

One of our chickens, Astra, has become broody. We had been getting her out of the nest once a day to eat/drink/defecate and collecting the eggs. But it’s getting on in the year, and we wanted to raise more broilers. We decided to take this opportunity to hatch some new chickens — not all 100% American Bresse, but still chickens. It seems like the chickens have a really cool agreement that she’s in charge of incubating eggs. She sits on the nest all day, but seemingly gets up and allows other chickens to lay eggs that she’ll keep safe.

Anya counted 12 eggs under Astra — 2 from Sunshine (Buff Orpington), 4 from Queenington (Green Queen), and 6 from the Bresse. She’s got each egg marked so we can collect any newly laid eggs … and we should have new chicks in about 21 days — around August 3rd. We’re bringing her food and water a few times a day, so (hopefully) she’ll stay healthy over the next couple of weeks.

Towel Money

People seem to assume the fact you’ve managed to amass money to be a fact that vouches for you … like you cannot be inept / senseless / bad at managing money because, look at that, you’ve got money. Doesn’t matter if you inherited (and subsequently lost much of) a bigger load of money, managed to injure yourself in some stunningly original way that requires some company to fork over millions, tripped over your untied shoelaces and discovered the lost Civil War gold. You have money, so you’re awesome at life.

It makes me think of the towel in the Hitchhiker’s Guide series — encounter someone while you’re wandering and, if they’ve managed to keep track of something so trivial as their towel, then they’ve obviously got it together.

Docker and Windows — Unable to Allocate Port

On the most recent iteration of Windows (20H2 build 19042.1052) and Docker Desktop (20.10.7 built Wed Jun 2 11:54:58 2021), I found myself unable to launch my Oracle container. The error indicated that the binding was forbidden.

C:\WINDOWS\system32>docker start oracleDB
Error response from daemon: Ports are not available: listen tcp 0.0.0.0:1521: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
Error: failed to start containers: oracleDB

Forbidden by whom?! Windows, it seems. Checking excluded ports using netsh:

netsh int ipv4 show excludedportrange protocol=tcp

Shows that there are all sorts of ports being forbidden — Hyper-V is grabbing a lot of ports when it starts. To avoid that, you’ve got to add a manual excluded port for the one you want to use.

To reserve the port for your own use, disable Hyper-V (reboot), add a port exclusion, and enable Hyper-V (reboot):

REM Disable Hyper-V
dism.exe /Online /Disable-Feature:Microsoft-Hyper-V 
REM REBOOT ... then add an exclusion for the Oracle DB Port
netsh int ipv4 add excludedportrange protocol=tcp startport=1521 numberofports=1 
dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All
REM REBOOT again

Now 1521 is reserved for Oracle.
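As an added example (not from the original post), here is a small Git Bash / WSL helper that parses the output of the netsh "show excludedportrange" command above and reports whether a port sits inside an excluded range, and whether that range is one of Hyper-V’s dynamic reservations or an administered exclusion you added yourself (netsh marks the latter with a trailing *). The netsh output embedded in the script is a constructed sample; the live_port_exclusion_kind function runs the real command on Windows.

```shell
# Added example, not from the original post: parse the output of
#   netsh int ipv4 show excludedportrange protocol=tcp
# and classify a port as "dynamic" (Hyper-V grabbed it), "administered"
# (a manual exclusion, shown by netsh with a trailing "*") or "none".
# Meant for Git Bash / WSL on Windows; the sample output below is constructed.

# port_exclusion_kind PORT: reads netsh output on stdin, prints the classification.
port_exclusion_kind() {
    awk -v p="$1" '
        # data rows are two integers: start port, end port (plus "*" when administered)
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            if (p + 0 >= $1 + 0 && p + 0 <= $2 + 0)
                kind = ($3 == "*") ? "administered" : "dynamic"
        }
        END { if (kind == "") kind = "none"; print kind }'
}

# port_is_excluded PORT: returns 0 if PORT lies in any excluded range on stdin.
port_is_excluded() {
    [ "$(port_exclusion_kind "$1")" != none ]
}

# live_port_exclusion_kind PORT: same classification against the real netsh output
# (Windows only; netsh.exe must be on PATH).
live_port_exclusion_kind() {
    netsh int ipv4 show excludedportrange protocol=tcp | port_exclusion_kind "$1"
}

# Constructed sample of what netsh prints after the manual exclusion for 1521
# was added; the other rows stand in for Hyper-V's dynamic reservations.
SAMPLE_NETSH_OUTPUT='Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1024        1123
      1124        1223
      1521        1521     *
     50000       50059

* - Administered port exclusions.'

# describe_port PORT: human-readable verdict for PORT against the sample output.
describe_port() {
    kind="$(printf '%s\n' "$SAMPLE_NETSH_OUTPUT" | port_exclusion_kind "$1")"
    case "$kind" in
        dynamic)      echo "port $1: inside a dynamic (Hyper-V) exclusion, Docker cannot bind it" ;;
        administered) echo "port $1: inside an administered exclusion (your own reservation)" ;;
        *)            echo "port $1: not excluded" ;;
    esac
}

# Demo against the constructed sample.
describe_port 1100
describe_port 1521
describe_port 8080
```

Run it with the live function before the disable/reboot sequence to confirm the port really is inside a dynamic range, and again after the second reboot to confirm it now shows up as an administered exclusion (the "1521 1521 *" row in the sample).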

ADO – Migrating a Repository to Azure Repos (and keeping your commit history)

The most direct way to migrate a repo into Azure Repos is to create a new, blank repository. This may mean making a new project. From the organization’s main page, click “New project”.

Or it may mean making a new repo in an existing project. From an existing repo, click the drop-down next to the repo name and select “New repository”.

Name the repository but don’t add a README. We want a blank repo.

Note the URL to the repository – in this case, it’s https://ado0255@dev.azure.com/ado0255/History%20Test/_git/Another%20History%20Test

Find the URL for your existing Git repo – if you cd into the project’s folder and run “git remote -v”, you will get a list of the repos. Make a new folder somewhere – this is a temporary staging area to move the data from your existing repo over to the new Azure Repo. Change directories into your new folder. Run “git clone --mirror URLToOldRepo”.

You will see data being downloaded from your git server.

Change directories into the folder that just got downloaded. You won’t see your code like you normally do when you clone a git repo. You’re looking at the underlying git stuff that makes up the repo. Your code is all in there, as are all of the branches and commit history.

Now add the new Azure Repo as a remote – in this case, I’m naming the remote “ado”. Then run “git push ado --all” to push everything up to the new Azure Repo.

Stuff will transfer – you may be prompted to log into your ADO repository first. Eventually, you’ll see new branches being created on the remote and the process will complete.

Refreshing the Azure Repo, you’ll now see the files.

Selecting “Commits” will display the commit history.

Anyone else using the repo will need to add the new remote. Use “git remote rm origin” to remove the existing origin, then use “git remote add origin url” to add the new Azure Repo as origin.
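As an added example (not part of the original post), the mirror-clone migration above wrapped in a reusable shell function, plus a check that the branch and commit history survived the move. It assumes git is on PATH; OLD_URL and NEW_URL are whatever “git remote -v” and the new Azure Repo’s page give you. The repositories built by make_sample_repo are constructed test data so the whole thing can be exercised offline.

```shell
# Added example, not from the original post. Assumes git on PATH.

# migrate_repo OLD_URL NEW_URL [REMOTE]: mirror-clone the old repo into a scratch
# directory, add the Azure Repo as remote REMOTE (default "ado") and push every
# branch and tag. Prints the scratch path so you can inspect or delete it afterwards.
migrate_repo() {
    old_url="$1"; new_url="$2"; remote="${3:-ado}"
    staging="$(mktemp -d)"
    git clone --quiet --mirror "$old_url" "$staging/mirror.git" || return 1
    (
        cd "$staging/mirror.git" &&
        git remote add "$remote" "$new_url" &&
        git push --quiet "$remote" --all &&
        git push --quiet "$remote" --tags   # "--all" covers branches only; tags need a second push
    ) || return 1
    echo "$staging/mirror.git"
}

# commit_count REPO: commits reachable from any ref (works on bare repos too).
commit_count() {
    git -C "$1" rev-list --all --count
}

# branch_count REPO: number of branches under refs/heads.
branch_count() {
    git -C "$1" for-each-ref refs/heads | wc -l | tr -d ' '
}

# history_matches OLD NEW: 0 when both repos have the same branch and commit counts.
history_matches() {
    [ "$(commit_count "$1")" = "$(commit_count "$2")" ] &&
    [ "$(branch_count "$1")" = "$(branch_count "$2")" ]
}

# make_sample_repo: build a throwaway bare "old" repo with two branches, three
# commits and one tag (constructed data, not a real project) and print its path.
make_sample_repo() {
    root="$(mktemp -d)"
    git init --quiet --bare "$root/old.git"
    git init --quiet "$root/work"
    sample_git() {
        git -C "$root/work" -c user.name=sample -c user.email=sample@example.invalid "$@"
    }
    sample_git commit --quiet --allow-empty -m "first commit"
    sample_git commit --quiet --allow-empty -m "second commit"
    sample_git checkout --quiet -b feature
    sample_git commit --quiet --allow-empty -m "feature work"
    sample_git tag v1
    sample_git push --quiet "$root/old.git" --all
    sample_git push --quiet "$root/old.git" --tags
    echo "$root/old.git"
}

# Usage on a real migration (URL as shown on the new Azure Repo's page, placeholders here):
#   migrate_repo "$(git remote get-url origin)" https://dev.azure.com/ORG/PROJECT/_git/REPO ado
```

One thing the function does that the steps above do not mention: “git push ado --all” pushes branches only, so tags are pushed separately with “--tags”; otherwise release tags are silently left behind on the old server.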

ADO – Cleaning up test repos and projects

I find the process to delete repositories and projects to be nonintuitive. Since I create a lot of projects and repos for testing and documentation, it’s nice to be able to clean them up when I’m done!

To delete an Azure Repo, navigate to a repo and select the drop-down next to the repo name. Select “Manage repositories”.

With your mouse over a repository, there’s a hamburger menu at the right-hand side of the listing. Click it and select “Delete”.

You’ll need to type the repository’s full name to activate the delete button.

To delete a project, go to the organization’s home page and select “Organization Settings” from the lower left-hand corner of the screen.

Select “Projects” from the left-hand navigation bar.

With your mouse over the project listing, you’ll have a hamburger menu. Click it and select “Delete Project”.

You’ll need to type the project name to activate the delete button.