Websites and Insults

For the longest time, I was the webmaster for South London Liberal Synagogue. I took care of the site, kept it relatively up to date and provided a fair amount of technical support for the various editors of the site. I originally was asked to maintain an existing site, but with a new chair came a new brand for the place, and so came a new website (built on Bootstrap because I’m lazy and it’s easy to integrate with various things).

At its peak, I was spending up to 5 hours a week supporting the editors, updating the various extra tools I was using to keep it together (things like calendars etc.) and generally cleaning up after people. The site functioned well; loading times were under 3 seconds on slow connections and all pages were pretty easy to edit (a nice WYSIWYG editor). All in all, it was a good site and I was proud of it.

My version of the SLLS website (26th Sept. 2016)

There was one small problem. The president. She did not like the new site. The old webmaster had been her grandson and she had almost total control over it. When I came in, all that power vanished. She hated that. At points, I was receiving up to 20 e-mails a week from her, demanding various things like ‘a return to top button’ or ‘a scrolling display of events’, even though we had a calendar for the latter, and return to top buttons are not seen anymore on the web (except for strange fringe cases).

Other than that, I liked the site, and nearly everyone else did. We gained a substantial number of members through it and countless visitors.

However, this ended quickly when our chair had to step back for personal reasons. Very quickly the president (who, in our constitution, holds no power and is merely a figurehead, but in reality everyone bows to because they are manipulative and horrid) took control by manipulating the vice chair and most council members. They “decided” that the website was “not fit for purpose”, was “difficult to update” and “constantly a nightmare for users and editors”. I was not told any of this, but was just told “you are not needed”. The site was taken over by her son (who has no technical skill whatsoever) and my site was stripped away.

I was gutted. What happened next makes it worse.

The new site was built on WordPress, with a theme that cost a lot of money (probably put on expenses, I will find out at the next AGM). All features that I was pestered for were missing. Almost all information had vanished overnight. It’s also a nightmare for anyone to get information put back up. It is mostly just a wall of text on one page.

The new WordPress based website.

It gets worse. Notice how my assets, which I took myself with my camera and spent time creating for the website, were stolen. No credit is given. The site also takes over 10 seconds to load on average, with needless animations for images that just slow the site down and make it a poor end user experience.

What angers me more is the security behind it. It is terrible. I was asked by someone to test the security. I found an open login page, the ability to get the admin username in under 5 seconds and was going to work on getting the password, but was asked to stop there.

If anyone wishes to offer me jobs to make sites, I will more than oblige. Just contact me. I really do appreciate it. You can view and toy about with my version of the site here, on the Wayback Machine. Their current site is available here.

Lesson learned? Never let manipulative people get hold of any kind of significant position. It does not end well.

The Cloudbleed Problem

Recently (as of Feb. 24th), internet giant Cloudflare disclosed a bug that had been leaking users’ passwords, cookies, tokens, API keys and other rather sensitive information into web pages served to other people. So what happened?

Who are Cloudflare?

Cloudflare is a content delivery network, internet security company and distributed DNS provider. It sits between the end user (you) and your favourite websites and services (e.g. Fitbit, Discord, Reddit), terminating your connection at its edge servers before passing the request on, and protects those sites from DDoS and other malicious attacks. That position in the middle is also why one bug at Cloudflare can touch the traffic of thousands of unrelated sites at once.

What happened?

As I said before, a bug was found in Cloudflare’s edge HTML parser that allowed passwords, API keys and other sensitive information belonging to other customers’ traffic to be leaked into responses. It was compared to the famous 2014 Heartbleed bug in the OpenSSL software library, and picked up the nickname “Cloudbleed” for that reason. The mechanisms differ, though: Heartbleed let an attacker pull server memory on demand, whereas Cloudbleed sprayed memory into ordinary responses that anyone, including search-engine crawlers, might receive and cache.

Who found it?

Luckily for us, the bug was found by someone on Google’s ‘Project Zero’. Tavis Ormandy discovered the bug after seeing multiple corrupted pages being returned by some of his HTTP requests that ran through Cloudflare’s system. Like a responsible and good person, he disclosed this immediately to Cloudflare, who switched off the feature that triggered it most often (email obfuscation) within 47 minutes of the issue being brought to light, and the other two affected features (server-side excludes and automatic HTTPS rewrites) within a few hours.

What was leaked?

Various things were leaked. Nobody, Cloudflare included, knows exactly which data ended up in which responses, since the leaked bytes were whatever happened to be in memory at the time, and some of it had already been cached by search engines and had to be purged. The following is a somewhat useful guide:

  • Passwords
  • API Keys
  • Cookies
  • Auth Tokens
  • Usernames
  • Private Messages

Has it been fixed?

Yes. Cloudflare was amazingly quick at fixing this. The riskiest feature was disabled globally within the hour, and a proper fix for the parser was rolled out worldwide in under 7 hours. Good job guys.

So what went wrong?

In one phrase: HTML parsing. In a bit more detail, Cloudflare was migrating the edge HTML parser (the code behind features like email obfuscation and automatic HTTPS rewrites) to a new implementation. The older parser was generated code, and its end-of-buffer check used an equality test (“is the pointer equal to the end?”) rather than “is the pointer at or past the end?”. On certain pages ending in a malformed HTML tag the pointer could step past the end of the buffer, the check never fired, and the parser kept reading. This was an out-of-bounds read rather than a classic overflow that overwrites memory: whatever sat next in the process’s memory, including data from other customers’ requests passing through the same server, was copied into the HTML response sent back. Only about 1 in 3,300,000 requests actually triggered it, so it was a tiny fraction, but across Cloudflare’s traffic that is still a large number.
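To make the “equality check” point concrete, here is a toy scanner written for this post; it is an added example and not Cloudflare’s code. The scanner copies an HTML attribute value up to the closing ‘>’ and, like the real generated parser, only steps a pointer through a buffer and tests whether it has reached the end. The trigger used here (stepping two bytes at once over “\r\n” so that a buffer ending on a lone ‘\r’ overshoots the end) is a simplified assumption for the example; the real trigger was more subtle. The memory layout, the neighbouring request and the cookie value are all constructed, and both buffers live in one array so that the buggy over-read stays inside memory the program owns.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Cloudflare's code. A toy scanner with the same shape as
 * the Cloudbleed bug: it copies an attribute value up to the closing '>'.
 * It treats "\r\n" as one unit and steps over both bytes before testing for
 * end-of-buffer (a simplified stand-in for the real trigger). The two versions
 * differ only in that test: '==' (buggy) or '>=' (fixed). With '==', a buffer
 * that ends on a lone '\r' lets the pointer land on pe + 1, the check never
 * fires, and the scanner reads on into whatever memory follows the buffer. */

#define OUT_CAP 128

/* p: first byte of the attribute value; pe: one past the buffer's last byte.
 * strict_end: 0 reproduces the bug, 1 applies the fix. Returns bytes copied. */
size_t scan_attr(const char *p, const char *pe, char *out, int strict_end)
{
    size_t n = 0;
    while (n < OUT_CAP - 1) {
        if (*p == '>')
            break;
        if (*p == '\r') {
            p += 2;             /* consume "\r\n" as a unit: two bytes at once */
        } else {
            out[n++] = *p;
            p += 1;
        }
        if (strict_end ? (p >= pe) : (p == pe))
            break;              /* end-of-buffer test: the one line that matters */
    }
    out[n] = '\0';
    return n;
}

/* Constructed memory layout, not real captured data: a customer's page that
 * ends with a stray '\r', immediately followed in the same arena by another
 * customer's request (the way neighbouring allocations sit in one process).
 * The '>' at the end of NEXT is what finally stops the buggy scanner. */
static const char PAGE[] = "<a href=\"/login\r";
static const char NEXT[] = "GET /account HTTP/1.1\r\nCookie: session=SECRET-TOKEN\r\n>";

/* Runs the scanner over the page buffer only (pe = end of PAGE) and reports
 * whether bytes from the neighbouring request ended up in the output. */
int leaks_neighbour(int strict_end, char *out)
{
    char arena[256];
    size_t page_len = sizeof PAGE - 1;
    memcpy(arena, PAGE, page_len);
    memcpy(arena + page_len, NEXT, sizeof NEXT);   /* NEXT's NUL terminator too */
    const char *p  = arena + 9;                    /* just after the opening quote */
    const char *pe = arena + page_len;             /* one past the page's last byte */
    scan_attr(p, pe, out, strict_end);
    return strstr(out, "SECRET") != NULL;
}

int main(void)
{
    char out[OUT_CAP];
    printf("buggy '==' leaks: %d  -> \"%s\"\n", leaks_neighbour(0, out), out);
    printf("fixed '>=' leaks: %d  -> \"%s\"\n", leaks_neighbour(1, out), out);
    return 0;
}
```

With the equality check the output is “/login” followed by most of the neighbouring request, cookie included; with the “at or past the end” check it is just “/login”. Nothing about the attacker’s own request has to be special, which is the unsettling part: the page that leaks is simply one whose HTML happens to end in the wrong place.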

Cloudflare have a nice rundown here.

Who was affected?

There is a GitHub repo with the full list of domains that sit behind Cloudflare (it’s a 70 MB text file in a 22 MB ZIP archive). Bear in mind that a domain being on the list means the site uses Cloudflare, not that its data is known to have leaked. There is also an excellent website called Does It Use Cloudflare? It does what it says on the tin.

Final Thoughts?

It worries me that this happened, however at least it was solved quickly. What annoys me more is that Cloudflare fixed this, and when I presented a similar (but not as serious) issue to my school, they tried to throw me out.

#cloudbleed on Twitter is interesting too.

Anyway, see you soon. Also, check out Citation Needed Fan Edition.

The 2016 Programmer Survey!

I had the idea for this as I watched the analysis of the Nerdfightaria Survey. The basic concept is that programmers answer the questions and we get an idea as to who here programs. Results will be published in January 2017 with an analysis and a raw spreadsheet.

ALL DATA IS COMPLETELY ANONYMOUS AND WILL BE AVAILABLE FOR DOWNLOAD IN JANUARY 2017.

Anyway, if you wish to answer the survey, click here: https://goo.gl/forms/HCfCtRe1kprUEhEI2

Thanks and have fun!


Video

Some Thoughts on App Creation

I am currently working on an app. Woah! I know right? Edgy af or whatever the cool kids say (I don’t care, I’m in it because).

However, when working on it, I thought of a video by Tom Scott and Matt Gray on their app, Emojli. It’s a lot of work! So here is the video; sit back, grab a cup of tea or a beer if that’s more your thing and enjoy!