Friday, 26 September 2014

Shellshocked vulnerability bigger than heartbleed - run the fix right now!

TL;DR: run apt-get update; apt-get upgrade

Right now

Then keep doing often over the next few days...

If you're on MacOS, here's a good guide on How to patch OSX in the wake of shellshock


"Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk."

Everything you need to know about the Shellshock Bash bug

"Which versions of Bash are affected?

The headlines state everything through 4.3 or in other words, about 25 years’ worth of Bash versions. Given everyone keeps comparing this to Heartbleed, consider that the impacted versions of OpenSSL spanned a mere two years which is a drop in the ocean compared to Shellshock. Yes people upgrade their versions, but no they don’t do it consistently and whichever way you cut it, the breadth of at-risk machines is going to be significantly higher with Shellshock than what it was with Heartbleed.

But the risk may well extend beyond 4.3 as well. Already we’re seeing reports of patches not being entirely effective and given the speed with which they’re being rolled out, that’s not all that surprising. This is the sort of thing those impacted by it want to keep a very close eye on, not just “patch and forget”."

heroku are (at this time of writing) working to resolve it on their servers: heroku shellshocked status page

Wednesday, 24 September 2014

Classic: Why nerds are unpopular By Paul Graham

Why nerds are unpopular is one of Paul Graham's classic essays and well worth reading again. This essay made me re-evaluate my terrible memories of high-school (I think now I wouldn't have changed a thing); and will no doubt shape any recommendations I have for other young nerds who suffer the same terrible problems that come with massive unpopularity at school.

"When we were in junior high school, my friend Rich and I made a map of the school lunch tables according to popularity. This was easy to do, because kids only ate lunch with others of about the same popularity. We graded them from A to E. A tables were full of football players and cheerleaders and so on. E tables contained the kids with mild cases of Down's Syndrome, what in the language of the time we called "retards."
"We sat at a D table, as low as you could get without looking physically different. We were not being especially candid to grade ourselves as D. It would have taken a deliberate lie to say otherwise. Everyone in the school knew exactly how popular everyone else was, including us."

Thursday, 18 September 2014

Stone soup with elephants

Motivation can be a problem sometimes.

For example - some days I really just *don't* want to cook. I come home exhausted, and just wish that somebody else would make dinner for me instead... but if I don't do it... I'll be nibbling raw rice and feeling miserable.

Sometimes that calls for pizza... but too much of the unhealthy stuff and I could end up in a downward spiral that makes me feel even worse.

and sometimes I can use one of my motivation tricks to kickstart myself into something more healthy.

I'm sure you've heard the story of stone soup - where a hungry traveller starts with some water and stone, telling the villagers that she's making soup with the stone. They don't believe her, but she asks if they are willing to contribute a carrot here, some parsley there to add to this stone soup - in order to make it the best stone-soup possible, of course... and eventually they all end up eating a thick and tasty soup.

I like to use that story to tempt myself. In my case - I'll pull a jar of pasta sauce out of the cupboard - but its not quite enough on its own, so I figure "well, I'll just add a few vegies"... before I know it, I've cut up enough veggies to make another two meals... and put the pasta sauce bottle back in the cupboard unopened. Stone soup well in hand.

You see, really the trick is just to get started. I generally then find it's not as hard as I first thought.

So where's the IT angle? Well I have found that a lot of my past clients have let things slip... UI-bugs, code reviews, test suites... the usual.

of course, the first step is to recognise that there is a problem... but often they end up doing little more than that, and promising themselves that "we really need to do the Thing"... but it never goes beyond that.

Then they have a big meeting and tell all the developers that "the Thing is really number one priority now". But after the meeting, nothing on their end changes - all the other priorities are still there. Clients need to "just get this one thing fixed, and then you can start on the Thing"... "we just need a few more features to go out the door to keep our customers happy while we work on the Thing"....

and somehow no time actually gets allocated to the Thing.

Sometimes there's a big meeting where blame gets slung like mud "why didn't you work on the Thing? when we said it was priority number 1?"... but that doesn't change the fact that the Thing... really isn't a priority at all. if it was, you'd be allowed time to work on it, instead of all the other urgent things.

Luckily, the stone soup kicker can help here too. Say your Thing is to build a test suite. Your app has 100,000 lines of code... that's a big Thing. But it's not too hard to promise yourself "just write one test for one model"... and you get caught up in it and before you know it, you've cleared out the tests for a whole section of your app.

I think oftentimes the motivation problem is really that you're looking at a whole elephant, wondering how the hell you're going to eat it all... and have forgotten that the way to do it is "one bite at a time". Once you're elbow deep in solving a small piece - it's often easy to get so caught up in the details that they stop bothering you any more, and you can just get on with it.

So - whatever it is, however big it is... just get started. It doesn't have to be a large piece - just one wafer-thin bite...

Friday, 12 September 2014

Gotchas: rspec expect change gives: "nil is not a symbol"

*sigh* There's a small, but meaningful difference between:

   expect {
     my_thing.do_stuff
   }.to change(my_thing.my_value).to(some_value)

and

   expect {
     my_thing.do_stuff
   }.to change{my_thing.my_value}.to(some_value)

(note the braces on the last line...)

Saturday, 6 September 2014

gotchas: require/permitting an array of ids

This one got me the other day... it seems that sometimes the following won't work:

params.require(:my_thing).permit(:widget_ids)

When the set of ids is expected to be an array, instead use

params.require(:my_thing).permit(:widget_ids => [])