Tag Archives: Security

MoMo All-Hands: Day 1

A Delicious Flight

After waking up, cleaning up, and eating, I was more or less ready to go.  Blake was stopping by around 11:30AM with the airport taxi, and I had about an hour to myself.  I decided that now would be a wonderful opportunity to purchase some flying snacks from the nearby convenience store.

Moments later, I was browsing the shelves.  I grabbed some granola bars, and some raisins.  On my way out, I saw some flatbread, and was immediately reminded of the time that my friend Doug offered me some flatbread with roasted red pepper hummus on it.  And I remembered that it was delicious.  Immediately, I was hit by a craving, grabbed the flatbread, and went to go find the hummus.

Eventually, I zeroed in on the hummus section.  Unfortunately, the tub of roasted red pepper hummus that I found was about the right size for a whole family, and I thought that’d be a bit of a waste (since I wasn’t sure I’d be able to refrigerate it upon landing).  So I dug around in the shelves until I found a smaller tub, grabbed it, paid, and left.

Now, I know what you’re thinking:  “Mike – this minutia is really of no interest to me.  Am I really going to have to hear about the food you bought and ate?  Is this how these posts are going to go?”.  Just rest assured, I’m bringing this up for a reason.  The hummus comes into play later.

Blake arrived, I hopped into the car, and we were off.  We compared snacks:  Blake was packing some awesome-looking homemade banana bread with chocolate chips.

It was going to be a delicious flight.

A Newbie Goes Through Security

It’d been a little while since I’d been through airport security, and I had forgotten some of the moves.  I did my best to follow Blake’s example – I pulled out my laptop to be screened independently.  I tossed down my jacket.  I lined it all up all neat and tidy for the little luggage car-wash to scan it.

Soon, it was my turn to walk through the metal detector.  In front of me, Blake had sailed through and was already getting his stuff off of the conveyer belt.

I walked through the gate.  BEEP BEEP BEEP BEEP.

“Sir, do you have anything in your pockets?”

Oh yeah.  I had everything in my pockets.  Wallet, keys, cell-phone, belt, watch, I’d forgotten all of it.  So there I am, scrambling to void my pockets of their contents, and tossing them into a little bowl to be scanned.

Security was not impressed.

After an extremely thorough wand-scanning, I was eventually let through.  I gathered my stuff up, and hurried over to Blake.

The Storage Seat

We reached our terminal without incident.  We had an hour to kill before boarding, and chatted about the upcoming meeting, science fiction, Ricky Gervais, video games.  Boarding was a piece of cake.

Although we had booked our tickets separately, somehow, our seats were in the same row.  There was a lone seat in between us.  The plane filled up…and filled up…and the seat remained empty.  Suddenly it dawned on me:  Blake and I were probably about to get a free storage seat between us.  Awesome-sauce.

I became so excited about the middle seat that I was starting to sweat every time someone else came onto the plane.  One or two stragglers would saunter on, and I was sure the jig was up.  But somehow, someway, it didn’t happen.  The storage seat was saved.  It immediately became home to a host of overflow items.

Take-off

It was at this point that the captain came on the horn to tell us that there was a problem.  During the safety check, he found out his oxygen mask wasn’t working.  Maintenance would be sending a part over, and it’d take somewhere around 30 minutes to get it all sorted.

30 minutes later, we were underway, and hurtling down the tarmac.  Eventually, the seatbelt sign was turned off.  I reached for my book.  It was going to be a long flight (approx 6 hours).

That’s when the flight attendant announced that the water wasn’t running in the front bathroom.  So we were down to one bathroom.  The girl across the aisle from me groaned audibly.

Moments later, we found out that our in-flight movies were not working.  The same girl groaned even louder, whipped out her cellphone, and began texting furiously.  I was reminded of this Louis C.K. bit on Conan…

It was an uneventful flight.  Blake and I chatted a bit, and then I read, and he listened to music.  There was a Mythbusters marathon on the on-board television, so that was entertaining.  I learned today that if a diver in one of those old-school scuba suits is down 300 feet, and suddenly has his air supply cut off…the waterpressure is strong enough to compress all of his organs into his helmet like a human meatball.  Gross. Thanks Mythbusters.

Landing, and the Hummus Incident

Landing was no biggie.  The captain came on the horn again to tell us that they had to cut power to the plane in order to get the bridge attached to us.  As the lights went out, I could see the light of a cellphone illuminate the face of the girl across the aisle.  Texting commenced at a furious pace.  I don’t think she was very happy with the flight.

Next, Blake and I meandered our way to U.S. security and customs.  Along the way, we helped a mother and daughter find their New Zealand flight.  While in the line-up, I realized that I was still carrying a bottle of water that I’d purchased in the Toronto airport.  And it was still more or less full.

To avoid embarrassment, I chugged it back.  The whole half-litre.  Dazed from over-hydration, I tossed all of my gear, pockets and all, upon the security conveyor belt like a boss.  I was determined to do this like a pro, and gave Blake the “I know what I’m doing this time” eyebrows.

Shoeless, beltless, pockets emptied, I passed through the metal detector like a marathon runner at the end of a race.  Not a sound from the machine.  It was glorious.

“Step over this way, sir”.

I was suddenly redirected to security, and told to empty my backpack.

As the security guard rummaged, my hummus fell out, and wobbled onto the table.

Suddenly, all eyes went to the hummus.

“Sir, what is this?”

“It’s hummus.”

“No, it’s not.”  I looked closer.  Damn it, I’d been duped by similar packaging.  It was full-blown dip, not hummus.  So much for healthy snacking.

“Oh, sorry, it’s dip.  Not hummus.  Dip.”

Pause.

“Sir, I’m going to have to ask you to stay right here.”

I had started to sweat a little.  Meanwhile, Blake was getting his shoes on, and was eyeing me curiously.

“It’s the hummus,” I said.  He mouthed “Oh”.

3 or 4 minutes later, I was shuttled over to an official looking desk, where an official looking guard was presiding over my very fraudulent hummus.

“I thought it was hummus.  You can keep the dip.  I don’t want the dip.  You can have the dip.”  I kept saying.  I was worried that they thought I’d lied to them while calling it hummus.  Or was there some sort of dip embargo?  What the hell was going on?

“I don’t want the dip,” the tired looking employee said to me.  He had a thousand-yard stare going on.  This guy was not a fan of his job – at least not today.

“Your boarding pass says that you came in from Toronto.  They should have stopped it at security over there”.  He jabbed a finger at the dip.  “This is over 50 millilitres of liquid.  They shouldn’t have let it through.”

I made a weak attempt at humor by mentioning that the dip wasn’t exactly a liquid, and was more like handcream.  He didn’t seem amused.  I cut the crap and shut my mouth.

He then spent 5 minutes collecting all of my personal identification, and taking photos of me with the security camera.  He assured me that I wasn’t in trouble, and that, in fact, Toronto airport security was in trouble.  I remarked that I hoped nobody was going to lose their job over this.  He grunted, handed me my boarding pass, and wished me a good day.

Dip-less, I walked back to Blake, gathered up all of my stuff, and we started walking towards our departure gate.

A Chance Encounter

We had stopped by a Tim Hortons to grab some food, when Blake nudged me.

“Come this way,” he said.  I followed him back to the Tim Hortons line-up.

“Mike Conley, meet David Ascher.  David Ascher, meet Mike Conley.”

So it turned out that David Ascher, CEO of Mozilla Messaging, and my new boss, was taking the same flight with his wife.  We said hello, and chatted a bit, and then headed towards our gate.

Huh.  What were the chances?

We boarded without incident.  Blake and I weren’t sitting together on this flight – I was sitting next to some charming older ladies who were slamming back the in-flight alcohol like it was going out of style.

In Hawaii

It was a hard leg of the flight.  After approximately forever, we landed.  This was at about 10PM Hawaii time, or 3AM Toronto time.  At this point, I’d been awake for about 19 hours.  I was exhausted, groggy, and probably dehydrated.

A section of the airport terminal had no windows.  It was warm out, but not uncomfortably so.  It was a bit humid.  I saw palm trees in the shadows.

Eventually, David, his wife, Blake and myself were able to hail a cab.  We whisked through the Hawaiian night.  I remember thinking that the part of Hawaii we were driving through seemed like an interesting mix of industrial and tourist.  Kind of like if Niagara Falls and Hamilton were smashed together.

Finally, we pulled up to our hotel.  After checking in, my body had pretty much given up.

It’s funny how 19 hours of just sitting still in a chair will exhaust you.

Before reaching the elevators, we ran into a few more members of the team who’d arrived before us.  There were quick introductions (too quick – I’d have to ask for names again later on), and then we were up to our rooms.

Inside my room, I dumped my bag, plugged in my laptop, and sent a few e-mails to let people know I had arrived safely.  I prepared for bed.

As I rummaged through my luggage, something was bugging me…

“Hm…let’s see…shorts, pants, underwear, shirts…”

My eyes went wide.

No socks.

I hadn’t brought socks.

Click here to go to Part 2.

Click here to go back to the introduction.

A Sobering Post About Code Review From Microsoft

It’s easy to get on the code review band-wagon, and tout it as the “silver bullet” for bugs, or the key to developing awesome, elegant software, etc.  It’s easy to get carried away, and forget that code review should probably be accompanied by rigorous testing, static analysis, and security integration from day one.

While the purpose of this blog post by Shawn Hernan from Microsoft may be to attack or question the merits of open source software, I see it as an interesting discussion on the role of code review in software engineering and how it relates to writing secure code.

Insert your own joke about Microsoft security here.  I, personally, think their IE team should read Shawn’s post.

Particularly interesting is one of the comments to the post by “danclarke_2000”:

I think another point is diminishing returns of code review.  Each extra code review brings less value than the preceding; review comments can already be known and awaiting action, not important enough to change, etc.

Having extra eyes reviewing code means generating extra code review output.  Here is the true cost: all the code review comments of the many eyes have to pass through the bottleneck of the few people who have authority to make changes.  As each extra review has less value, processing the extra reviews has a higher and higher opportunity cost.

Sound kind of familiar?

Anyhow, Hernan’s post is an interesting read.  Click here to check it out.

UPDATE:

Here’s a quote from Joshua Bloch of Google on a similar topic:

…We programmers need all the help we can get, and we should never assume otherwise. Careful design is great. Testing is great. Formal methods are great. Code reviews are great. Static analysis is great. But none of these things alone are sufficient to eliminate bugs: They will always be with us. A bug can exist for half a century despite our best efforts to exterminate it. We must program carefully, defensively, and remain ever vigilant.

Read the entire post here.

Fiddling Around with Skype

As I said last week, I’ve been working with a partner (Mohammad Jalali) on a project for our networks course.

The idea:  given an arbitrary IP and port number, we want to find a way of determining whether or not there is an FTP server, an HTTP server, or a Skype node on the other side.  FTP and HTTP are trivial – those protocols essentially announce themselves to the world.

Skype clients, on the other hand, act a little more strangely.  Skype goes out of its way to hide its traffic – from straight-up encryption, down to making their client executable really hard to reverse engineer.  Because of this, Skype has been an interesting challenge to the hacker community.

Anyhow, my partner and I have learned a few interesting things about Skype – and in particular, we’ve found a reliable way to determine whether or not Skype is running behind an arbitrary IP and port.  Cool.

Fact 1:  Skype pretends to be an HTTP server

I’m serious, it does.  Using Wireshark, we noticed that both UDP and TCP packets were being sent to one particular port.  Pretty funny behavior…so, we took a closer look.  And this is what we found.  Pop open your Skype client, connect to the network, then use nmap to find the ports that Skype is using:

$>nmap localhost -p10000-50000

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-01 20:33 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 39999 closed ports
PORT      STATE SERVICE
48915/tcp open  unknown

Ok, cool – there’s something at 48915, and it looks like it accepts TCP connections.  Pop open Telnet, connect to it, and feed it an HTTP request:

$>telnet localhost 48915
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 404 Not Found
Connection closed by foreign host.

Ok, we got an HTTP response – looks like there’s an HTTP server back there, right?

Wrong.  Reconnect, and send it some garbage:

$>telnet localhost 48915
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
thisissomegarbagetextthatisnotanHTTPrequest
��Nun��2�=���1��N$O/(����
���u.)(yy�g��$
ș�oT�b렑�-z#x�&���[P���\��(yVO���

See all of those funny characters down at the bottom?  That’s what I got back.  In the words of Obi-Wan Kenobi…that’s no HTTP server…it’s a space station (Skype node).

So we’ve learned something here – Skype opens a port, and “spoofs” an HTTP server.  We can easily check for this – just write a script that connects to a port, spews some garbage, and check to see if we got binary garbage back.

It’s so easy, that someone else has already done it.  Remember that nmap tool we used earlier?  Somebody over in that camp wrote a script for the Nmap Scripting Engine that runs this exact analysis on some IP/port.  Don’t believe me?  Read the script yourself! We stumbled upon that script while trying to figure out what Skype was doing with the spoofed HTTP server.  And sure enough:

$>nmap localhost -p48915 --script skype.nse
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-01 20:45 EST
Interesting ports on localhost (127.0.0.1):
PORT      STATE SERVICE
48915/tcp open  skype2

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Hmph.  So much for cutting edge, never-been-done research.  Go figure.
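As an added example (my own code, not from the post, its authors’ scripts, or Nmap’s skype.nse), here is the decision step of the check described above, written over captured replies rather than live sockets so it runs offline: the reply to a GET is the one quoted from the telnet session; the binary reply and the “real web server” reply to garbage are constructed stand-ins, since the actual bytes did not survive the paste. The 70% printable-bytes threshold is an assumption of mine, not something the post states.

```python
import string

# Constructed samples modelled on the telnet transcripts in the post. The real
# binary reply was not displayable, so a stand-in with the same character is used.
REPLY_TO_GET = b"HTTP/1.0 404 Not Found\r\n"
REPLY_TO_GARBAGE = bytes([0x17, 0x03, 0xa6, 0x4e, 0x75, 0x6e, 0xc2, 0x32,
                          0xf0, 0x3d, 0x8e, 0x9c, 0x31, 0xe5, 0x4e, 0x24])
# What a genuine web server typically says to a malformed request line.
REAL_HTTP_REPLY_TO_GARBAGE = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

_PRINTABLE = set(string.printable.encode("ascii"))


def classify_reply(reply: bytes) -> str:
    """Label a TCP reply as 'silent', 'http', 'text' or 'binary'.

    A service that answers garbage with an HTTP status line is a real HTTP
    server; one that answers with mostly non-printable bytes is the kind of
    HTTP-impersonating listener the post describes.
    """
    if not reply:
        return "silent"
    if reply.startswith(b"HTTP/"):
        return "http"
    printable = sum(1 for b in reply if b in _PRINTABLE)
    # 0.7 is an assumed cut-off: HTTP error pages are almost entirely printable.
    return "text" if printable / len(reply) >= 0.7 else "binary"


def looks_like_skype_listener(reply_to_get: bytes, reply_to_garbage: bytes) -> bool:
    """The post's two-probe rule: HTTP-shaped reply to a GET, binary reply to garbage."""
    return (classify_reply(reply_to_get) == "http"
            and classify_reply(reply_to_garbage) == "binary")


if __name__ == "__main__":
    print("skype-like:", looks_like_skype_listener(REPLY_TO_GET, REPLY_TO_GARBAGE))
    print("real http :", looks_like_skype_listener(REPLY_TO_GET, REAL_HTTP_REPLY_TO_GARBAGE))
```

The point of keeping the classifier separate from any socket code is that the same function works on replies pulled out of a Wireshark capture, which is how an administrator would usually meet this traffic.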

Fact 2:  Given some UDP packets, Skype echoes back a predictable pattern

For this part, we’re pretty sure no one else has tried this.

While connected to Skype, we recorded some packets with tcpdump.  We wrote a script that loaded up those packets, and could “replay” the packet payloads to an arbitrary IP and port.

So, we played some packets against an IP/port with Skype behind it.  Most of the time, we got TCP packets with RST flags (which is TCP’s way of telling us to “shut yer trap”).  But wayyyy down in the middle, there was a section of UDP packets that actually got a response:

[image from Misc Blog Images: capture of the replayed packets and their responses]

192.168.0.19 was the computer we were playing the packets from, and 192.168.0.14 was the computer with Skype running on it. See those UDP packets that are getting echoed back?  That’s the interesting part…instead of just shutting us down with RST’s, Skype appears to be saying something back.

So, is there a pattern in all of this?  Actually yes.  We isolated 4 of those UDP packets, and repeatedly fired them at the same IP/Port on the computer running Skype, and we found a pattern.

The pattern:  the first two bytes that are sent in our UDP packets are echoed back to us in the first two bytes of the UDP packets that come back.

So, for example,  one UDP payload we sent looked like this:

92 40 02 a1 66 65 ea 0d 8c 82 c3 0c 27 cd c5 e7
4e 78 fe a1 50 a6

And we got back:

92 40 17 c0 a8 00 13 74 a0 41 f0

See that common 92 40?  Bingo.  😉

And it’s pretty consistent – if we repeat the same UDP packet, we get (almost) the same response.

92 40 67 c0 a8 00 13 11 00 10 4f

And if we repeat again…

92 40 37 c0 a8 00 13 68 08 43 3a

92, 40, and c0, a8, 00, 13. Nice!  Looks like a fingerprint to me!
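Added example, my own code rather than the post’s or its authors’ replay scripts: the echo pattern above turned into a checking function, using the payload, the three replies and the sender address (192.168.0.19) quoted in the post. One thing about those replies that the post does not spell out: the constant bytes c0 a8 00 13 are 192.168.0.19 written as four raw bytes (0xc0 = 192, 0xa8 = 168, 0x00 = 0, 0x13 = 19), so the reply is reflecting the sender’s own address back, which is why those four bytes never changed. The function checks both regularities; the function and dictionary key names are mine.

```python
import socket


def parse_hex_dump(dump: str) -> bytes:
    """Turn a space-separated hex dump (as pasted in the post) into bytes."""
    return bytes.fromhex(" ".join(dump.split()))


# Payload and replies copied from the post; the packets were sent from 192.168.0.19.
SENDER_IP = "192.168.0.19"
SENT = parse_hex_dump("92 40 02 a1 66 65 ea 0d 8c 82 c3 0c 27 cd c5 e7 4e 78 fe a1 50 a6")
REPLIES = [
    parse_hex_dump("92 40 17 c0 a8 00 13 74 a0 41 f0"),
    parse_hex_dump("92 40 67 c0 a8 00 13 11 00 10 4f"),
    parse_hex_dump("92 40 37 c0 a8 00 13 68 08 43 3a"),
]


def udp_echo_signature(sent: bytes, reply: bytes, sender_ip: str) -> dict:
    """Check the two regularities visible in the post's UDP replies.

    1. The first two bytes of the probe come back as the first two bytes of the reply.
    2. Bytes 3..6 of the reply are the prober's IPv4 address in network byte order
       (c0 a8 00 13 == 192.168.0.19), which is why they were constant across replies.
    The third byte and the tail varied between replies and are not checked.
    """
    return {
        "first_two_bytes_echoed": len(reply) >= 2 and reply[:2] == sent[:2],
        "sender_ip_reflected": len(reply) >= 7 and reply[3:7] == socket.inet_aton(sender_ip),
    }


def matches_fingerprint(sent: bytes, replies: list, sender_ip: str) -> bool:
    """A host matches only if there is at least one reply and every reply shows both regularities."""
    return bool(replies) and all(
        all(udp_echo_signature(sent, reply, sender_ip).values()) for reply in replies
    )


if __name__ == "__main__":
    for reply in REPLIES:
        print(reply.hex(" "), udp_echo_signature(SENT, reply, SENDER_IP))
    print("matches:", matches_fingerprint(SENT, REPLIES, SENDER_IP))
```

Because the reflected address is the prober’s own, a capture taken from a different vantage point (say, a NAT gateway) will show the gateway’s public address in those four bytes rather than the internal one; the function takes the address as a parameter for that reason.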

Except…

Except, remember, we already found a way of determining whether or not Skype was running behind a given IP/port.  This last finding was just bonus.  My partner and I aren’t sure if our instructor is going to let us stay with this topic, seeing as how it’s pretty much been solved by other people before.  We’ve only got 2 weeks before this project is due, so…if we get another project, let’s hope it’s relatively simple.  Push come to shove, we could always try to fingerprint a different protocol…maybe BitTorrent clients.

Either way, working on this stuff has been pretty cool…and it let me try out some pretty neat tools that are usually reserved for the people with coloured hats (and no, I didn’t mean Red Hat):

  • nmap: port scanner that can also do service/os fingerprinting
  • Scapy: sculpt, gut, spoof, manipulate, and send packets – the power of C, with the simplicity of Python!  We used Scapy as a library while writing our scripts.  Lots of potential with this tool.  Feel like poisoning an ARP cache?  Scapy is for you!
  • Wireshark: a network student’s best friend.

Click here to check out Mohammad’s blog post about this project.

Poland – Part 10: Journey To Krakow, Wawel Hill, and The Dragon

June 23, 5:10AM

At 5:10AM, a huge clap of thunder woke us all with a start.  Groaning,  moaning, and uttering expletives… we tried to go back to sleep, but the thunder storm and heavy rain raged all around us.

And then, eventually, the storm moved off…finally, we could sleep…

…but before it could happen, one by one, our alarm clocks started to go off.  It was time to leave.

Grumbling, lights flicked on, and we headed to the washrooms and showers…

6:12AM

A few people reported that there was some food missing from the hostel kitchen.  Tom and Tara reported half a carton of chocolate milk had been pilfered, and half of Linn’s salami was missing.

Apparently, some of the guests thought we wouldn’t mind sharing.  Or there was a mix-up.

Either way, it didn’t improve anyone’s mood.

Not long after, we packed up our stuff, got on the bus, and left Wroclaw for Krakow.

10:27AM

We had been on the bus for a few hours, and I had been trying (unsuccessfully) to take a nap.  I eventually gave up, and I joined in with a bunch of the group who were quizzing each other on Canadian provinces and U.S. states.

It turns out that I know relatively little about Canadian provinces, and next to nothing about U.S. states.  Hmph.

Eventually, we pulled over at a rest stop.  I took the opportunity to try some of the local junk food, and purchased two chocolate bars – a “Corny Big” and a “3Bit”.  They tasted better than they sound.

Tamara also took the opportunity to tell us how the rest of the trip was going to work.  She also lightly condemned the last hostel, which was clearly not to her liking.

While talking about the rest of the trip, she mentioned that she had arranged for us to visit Auschwitz for the next morning.  The group got quiet.  Tamara also said that she had left open the possibility of visiting the Wieliczka Salt Mines after Auschwitz, but that it would really depend on our mood.  We would probably be upset after Auschwitz, and would want to go home and rest.

12:30PM

We arrived at the hostel around 11:30PM, and man, what a difference!  The place was absolutely spartan, the rooms were gorgeous, the views were incredible… we were quite happy, as you can see:

[simage=381,288]
[simage=382,288]
[simage=385,288]

Yes, it was a welcome change.  In case you’re interested, the hostel was called “Cracow Hostel Apartment”.  You can see more photos of the place if you click these words – but having been there, it’s pretty clear that these photos try to make the rooms seem bigger with lens effects.

So we had nice rooms.  But guess what?

Peter got the pent house! The lucky guy got the hostel apartment!  The room was incredible!  It was too bad we were only staying a few nights.

The hostel was particularly awesome because it was in the Market Square.  Here are a few shots of the view from the common room window:

[simage=392,288]
[simage=393,288]
[simage=394,288]

Wow!  (Looks a lot like Wroclaw, doesn’t it?  That’s what I thought, too.)

If it isn’t clear from the photos, it was still drizzling out.  But that didn’t mean we weren’t starving.  After unpacking and cleaning up, we hit the pavement to try to find some lunch.

[simage=396,288]

1:06PM

This was lunch:

[simage=397,288]

And this was where we ate it:

[simage=398,288]

The place was called Chimera.  Interesting concept for a restaurant.

1:41PM

After leaving the restaurant, Tamara took us on a walking tour of the surrounding area:

[simage=399,288]
[simage=400,288]
[simage=402,288]
[simage=403,288]

The rain had stopped, and the air was left dripping with humidity.

We stopped by a church called Bazylika Sw Franciszka Z Asyzku XIII W.  Hm.  Maybe I wasn’t hearing right, but apparently there was some stained-glass work by Adam Mickiewicz there…

Here are some shots from the church.  Not the greatest shots I’ve ever taken, but hey – it was dark in there:

[simage=408,288]
[simage=410,288]
[simage=412,288]
[simage=415,288]
[simage=416,288]

I don’t know if Mickiewicz did the stained-glass – regardless, here’s a shot of one of the pieces:

[simage=414,288]

2:07PM

We left the church, and meandered through the streets.

[simage=427,288]

Eventually, we found ourselves at an outcropping called Wawel – home of Wawel Castle, which was to be our next stop.

[simage=421,288]
[simage=428,288]

Here’s a window dog we saw on our way to the castle ramp.  It breaks the narrative, but I can’t resist:

[simage=423,288]

And while I’m breaking narrative, here’s Alex posing in front of a Bauhaus poster:

[simage=425,288]

…and eventually, we found ourselves climbing the ramp up to Wawel Castle:

[simage=429,288]
[simage=433,288]

Here’s a view from one of the castle turrets:

[simage=435,288]

At the castle gate, we bought tickets to enter, and to see the “Dragon’s Den” underneath the castle grounds.  We were stoked.

2:45PM – Wawel Castle

High security.  Metal detectors.  Armed guards.  This place wasn’t taking any chances.  There was a very strict code of conduct in there – no sitting, no leaning on walls, keep quiet, and absolutely no pictures.  So I just took notes.

So I can’t show you what it was like inside, but I can try to describe it:

It was a museum.  Stone and hardwood floors.  Quiet like a tomb.  Marble staircases.  Wooden cabinets, uncomfortable looking wooden chairs, wooden tables…tapestries, beds.  Old paintings.

Tamara told us a story about how when the Germans invaded, relics and artifacts were smuggled out of Europe.  It turns out that some relics from Wawel Castle eventually found themselves holed up with a cloister of nuns in Canada.  Go figure.

Everything was ornate, and gold rimmed.  Even the ceilings were covered in gold.

Oh the hell with it – so I couldn’t take any photos: that doesn’t mean I can’t scrape some from off the Internet.  Here’s what I was seeing, care of this website:

[simage=626,288]
[simage=628,288]
[simage=629,288]
[simage=630,288]
[simage=631,288]
[simage=632,288]
[simage=633,288]
[simage=634,288]
[simage=635,288]
[simage=636,288]
[simage=637,288]
[simage=638,288]
[simage=639,288]

There, that’s better.  I’ve always been a visual kind of guy.

Check out the ceiling on this room:

[simage=627,288]

You probably can just barely see them, but those are human heads carved and painted into the ceiling.  Just staring down.  And one has his mouth gagged.  It was creepy.  Apparently, those heads were carved by Sebastian Tauerbach back in the 1500s.

3:55PM

The castle wasn’t the only thing on Wawel Hill.  Inevitably, there was a church – Wawel Cathedral.

So, interesting theatre connection with Wawel Cathedral:

There was a theatre artist who wanted to do a show in the cathedral.  His idea for the play:  that all of the tapestries and statues would come to life on the night before Easter to demonstrate the resurrection of Christ.  It was like Night at the Museum, but with 100% more Jesus.

Anyhow, that play was called Akropolis, and would eventually be staged by Jerzy Grotowski in the 1960s. Grotowski’s spin on it was to stage it in Auschwitz instead of the Wawel Cathedral.

Anyhow, Grotowski’s Akropolis caused ripples in the theatre world, and was a shining example of the “poor theatre” that he was striving to achieve.

For the people who don’t study drama, Grotowski, Poor Theater, and Akropolis are a pretty big deal.  I’ve seen a taping of Akropolis a few times…it’s one of the few recordings of Grotowski’s work.

Anyhow, that’s the connection.  We were inside the cathedral where that whole thing began.

4:02PM

Walking through the cathedral.  Once again, I couldn’t take any photos.

Description:  high ceilings, gold, tapestries, stained glass.  Gothic architecture.  Gold altar.  Chandeliers.  Ornate, dark woodwork.  Coffins and tombs.  Sarcophagi.

There was a narrow, claustrophobic staircase that led up to the cathedral bell tower.  It was windy up there, and the bells were absolutely massive.  Huge cast-iron things.  Mother of all bells.  I couldn’t help myself – I whipped out my camera like a gunslinger, and snuck a shot:

[simage=449,288]

Yeah, I know – doesn’t look that impressive.  It’s due to lack of size reference points.  You’ve just got to trust me.

There were tombs in the basement.  Thick marble slabs, stone… there were some disturbingly small sarcophagi too.

The tombs got more modern the farther through we went – towards the end, we saw tombs with the occupants’ firearms strapped to the wall.

Maybe I’ve seen too many Indiana Jones movies, but I couldn’t help feeling that there were probably secret passages all over the place.

4:30PM

Finally, we got out of the catacombs into the fresh air.  We hung around outside, and waited for stragglers.  I took the opportunity to take a photo of some kids who were clearly disobeying the “don’t step on the grass” rule:

[simage=452,288]

Thunder rumbled in the distance.

4:50PM

Remember the Dragon’s Den?  That was our last stop on Wawel. We took a narrow, twisty flight of stairs down…down…deep…down…wayyyyy down into the cave beneath the castle.

It was…a cave.  Kinda underwhelming, but I don’t know what we were expecting.  A real dragon?

The lighting conditions weren’t ideal, so here are my crappy photos of the cave:

[simage=456,288]
[simage=457,288]
[simage=458,288]

And here’s Tom filling up the cave with some dragon presence:

[simage=461,288]

We eventually left the cave.  We took the time to sit, rest our legs, and stare up at this dragon monument that was outside the exit:

[simage=467,288]

The Dragon

Now, I don’t know how the rumour got started, but apparently, every hour, that dragon was supposed to breathe fire.  So the bunch of us stuck around for about 15 minutes, waiting for the fireball.

Evidently, the bunch of us made enough of a crowd to make other people wonder what was going on, because more people from off the street started joining our group, staring up at the dragon, waiting.

And then the hour came…and went…and nothing happened.

Jiv went to talk to a local street vendor.  It went something like this:

Jiv:  Isn’t this thing supposed to breathe fire every hour?

Vendor:  [Look of confusion]

Jiv:  [Mimes breathing fire, and points at dragon]

Vendor:  [Shakes head vigorously]

Disappointed, the crowd dispersed.

[simage=469,288]

5:35PM

Tamara had led us into the Jewish Quarter of Krakow.

[simage=471,288]

The storm was really threatening now – dark clouds, and rumbling that was closer than before.

[simage=472,288]

Rain started to fall.  It was time to get indoors.  As a torrent of rain started to come down, we found a restaurant, and took shelter.

And then it started to hail for a bit.  Strange.

6:52PM

The restaurant we had chosen was pretty fancy.  I ordered what eventually turned out to be chicken shish kebab.  For the price…not that great.  But whatever, we were inside and dry.  And I was full.

The group was pretty tired at this point.  The lack of sleep from the night before, and the long tour of the day had worn us out.  After we had finished eating, Tamara told us that we had the rest of the day to ourselves.

A pack of us left the restaurant to explore the Jewish Quarter.  Eventually, we found ourselves back in the Market Square, where I promptly ordered myself a lemon sorbet.  I missed the ice cream from Wroclaw, but the lemon sorbet was amazing.  Sonia took the opportunity to buy some zapiekanka.

Have I told you about zapiekanka?  I don’t think I have.  Polish equivalent to a hot dog.  Long half of a baguette, topped with melted cheese and mushrooms, and a long strip of ketchup.  I liked ’em.

Some of us went back to the hostel.  I hung around the Market Square for a little bit and snapped a few photos:

[simage=475,288]

Here’s Adam Mickiewicz again!  What a guy!

[simage=477,288]

And a giant head:

[simage=478,288]

The very center of the Market Square was a…market.  Lots of little booths selling trinkets.  Religious figurines…amber… a high number of chess boards, which I found strange.

[simage=479,288]

And wouldn’t you know it, I also found some miniature copies of those creepy head sculptures that I’d seen in Wawel Castle!

[simage=481,288]

At this point, I was pretty tuckered out.  I walked back to the hostel, and eventually went to sleep.

We would be getting up early the next day to go to Auschwitz.

Click here to go to Part 11:  Journey into Auschwitz, and Adventuring Alone in Krakow

Click here to go back to Part 9:  The Halfway Point

SQL Injection Prevention in PHP – Tip 1

It’s amazing – I’ve been going around, Googling for anything with “index.php?id=”…and that’s really all it takes.  Now, granted, SQL Injection isn’t new, and a lot of the top hits have taken some steps to protect themselves, but if you go deep – like, Google search page 23 deep – you’ll find ones that break if you put a semi-colon after the id # – and if it breaks, it’s vulnerable.

So, here’s my first tip on preventing SQL Injection – when you’re asking for an ID number, make sure it’s a number, and nothing else. Also consider using prepared statements – database wrappers like MDB2 for PHP make this easy.

Check this out – this might be how I would have done it 3 years ago:

<?php
  //Assume we're already connected to a MySQL database...
  $id = $_GET['id'];

  $result = mysql_query('SELECT * from pages where id='.$id);
  if (!$result) {
     die('Invalid query: ' . mysql_error());
  }
  // ... code to print out my result to the page
?>

I’d do it this way now:

Note: My use of MDB2 might be a little rusty – I haven’t tested this code, and I usually compose RowDataGateway objects with MDB2 to represent my data.  So pay more attention to the structure than the actual syntax.

<?php
  require 'View.php';
  require 'MDB2.php';  //An excellent DB layer from the PEAR libs

  //Code to set $mdb2 as our DB connection variable
  //See http://pear.php.net/package/MDB2 for details

  //$_GET values are always strings, so is_int() would reject every id.
  //FILTER_VALIDATE_INT gives back the integer, or false for anything else.
  $id = isset($_GET['id']) ? filter_var($_GET['id'], FILTER_VALIDATE_INT) : false;

  try {
    if($id === false) {
      //ID wasn't an int, it's no good, let's bail
      throw new Exception('Could not recognize the id that you passed');
    }
    //ID was an int, let's see if we can find the record.
    //The value is bound as a parameter, never spliced into the SQL text.
    $sql = 'SELECT * from pages where id=:id';
    $statement = $mdb2->prepare($sql, array('integer'), MDB2_PREPARE_RESULT);
    if(PEAR::isError($statement)) {
      //prepare() hands back a PEAR_Error object on failure, not a statement
      throw new Exception('There was an error communicating with the database');
    }
    $statement->bindParam('id', $id);
    $result = $statement->execute();
    if(PEAR::isError($result)) {
      //Uh oh - our result was an error on the PEAR library level
      throw new Exception('There was an error communicating with the database');
    }
    //fetchRow() returns the whole record; fetchOne() would only return its first column.
    //Insert the database result into the view, render, and die.
    $content = new View('templates/page.tpl', array('page' => $result->fetchRow(MDB2_FETCHMODE_ASSOC)));
    $content->render();
    die;
  }
  catch(Exception $e) {
    //We must have caught an exception - put this into our
    //error page template with the error message, render, die.
    $content = new View('templates/error.tpl', array('message' => $e->getMessage()));
    $content->render();
    die;
  }
?>

Yes, it’s quite a bit more code. But I feel safer just looking at it.
Did I miss anything on this? Please post a comment if you notice that I’ve left a gaping hole.  Learning is good.
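Added example, not part of the post: the same tip carried over to Python with the standard sqlite3 module so that it runs stand-alone (the post’s code targets MySQL through mysql_query and MDB2). The table and its three rows are constructed; the unsafe function reproduces the string-concatenation pattern of the “three years ago” version, the safe one adds the integer check and a bound parameter. The check runs on the raw string, because a request parameter is always a string: PHP’s is_int() on $_GET['id'] is never true, which is why filter_var with FILTER_VALIDATE_INT (or ctype_digit) is the usual choice there. The 18-digit length cap is an assumption of mine.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the post's 'pages' table. Row 3 is a page the site
    never links to; an injection that widens the WHERE clause exposes it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "Home"), (2, "About"), (3, "Unlinked draft")])
    return conn


def fetch_page_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """The 'three years ago' pattern: the request value is spliced into the SQL text."""
    sql = "SELECT id, title FROM pages WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def query_breaks(conn: sqlite3.Connection, raw_id: str) -> bool:
    """The symptom the post describes: a stray character makes the unsafe query error out."""
    try:
        fetch_page_unsafe(conn, raw_id)
    except sqlite3.Error:
        return True
    return False


# Tip 1: an id is a string of ASCII digits and nothing else. The length cap keeps
# the value inside a 64-bit integer column (the cap itself is an assumed choice).
_ID_RE = re.compile(r"[0-9]{1,18}")


def validate_id(raw_id) -> int:
    """Reject anything that is not purely a decimal number; return it as an int."""
    if not isinstance(raw_id, str) or not _ID_RE.fullmatch(raw_id):
        raise ValueError("Could not recognize the id that you passed")
    return int(raw_id)


def fetch_page_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validated integer plus a bound parameter: the value never touches the SQL text."""
    page_id = validate_id(raw_id)
    return conn.execute("SELECT id, title FROM pages WHERE id=?", (page_id,)).fetchall()


def safe_rejects(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True when the hardened path refuses the value before any query is run."""
    try:
        fetch_page_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe, id=1        ->", fetch_page_unsafe(db, "1"))
    print("unsafe, id=1 OR 1=1 ->", fetch_page_unsafe(db, "1 OR 1=1"))
    print("safe,   id=1 OR 1=1 -> rejected:", safe_rejects(db, "1 OR 1=1"))
    print("safe,   id=2        ->", fetch_page_safe(db, "2"))
```

Either layer alone is an improvement, but they guard different things: the integer check keeps junk out of the application before any database round-trip, and the bound parameter means that even a future column that is not numeric cannot turn into SQL text.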