Accidentally destroyed production database on first day of a job, how screwed am I?

I just read a post on reddit titled: Accidentally destroyed production database on first day of a job, and was told to leave, on top of this I was told by the CTO that they need to get legal involved, how screwed am I?

TL;DR

  • Guy get a document detailing how to setup a local development environment.
  • Guy sets up a development database
  • Guy runs a tool that performs tests on the application. accidentally, pointed the tool against the production database.
    • The credentials for the production database were in the development document
    • The tool clears the database between tests
  • Guy gets fired

I’m completely pissed! The guy made an honest mistake that can happen to anyone, and gets fired!

Read More

Peculiar uses for python's 'else' keyword

I’ve been asked by a few people recently to explain the different uses for the else keyword in python.
python, for a reasons I do not understand, decided to overload the else keyword in ways most people never think of.

The spec isn’t too friendly to beginners either. This is a partial piece of the python grammar specification, for symbols that accept the else keyword, as it is read by the parser generator and used to parse Python source files:

if_stmt: 'if' test ':' suite ('elif' test ':' suite)* ['else' ':' suite]
while_stmt: 'while' test ':' suite ['else' ':' suite]
for_stmt: 'for' exprlist 'in' testlist ':' suite ['else' ':' suite]
try_stmt: ('try' ':' suite
((except_clause ':' suite)+
['else' ':' suite]
['finally' ':' suite] |
'finally' ':' suite))
test: or_test ['if' or_test 'else' test] | lambdef

That’s kind of cryptic, right?

This blog post is primarily aimed at beginners, and covers:

The post has no ordering. You can pick-n-choose the ones you’re not familiar with.

Read More

The Mighty Dictionary

One of pythons strongest built-in data type is the dictionary. You can find it everywhere - from a simple key-value store, to a piece of a complex data structure, and all the way down to one of the basic building block of python’s attribute access mechanism.

It’s probably one of the most important data structures in python, and as such, one needs to understand it.

Read More

How does printf really work?

printf is magical. Did you ever stop and ask yourself how it works?

Contrary to most functions, it accepts a variable number of arguments, and somehow transforms them into a formatted string! The GNU code of printf is pretty simple:

printf (const char *format, ...) {
va_list arg;
int done;
va_start (arg, format);
done = vfprintf (stdout, format, arg);
va_end (arg);
return done;
}

if you look closely, it uses a weird ... syntax, performs a couple of va_ calls and one vfprint call.

to understand printf, we first need to understand how va_ works, then move to printf.

If you’re ready for some hard-core c and assembly, start by reading how va_ works!

Read More

May 2017 Major Outage

The blog suffered a major outage today - it was offline for around six hours. It took me around 90 minutes to get it working once I had time to do so.

Why

A few days ago I created a new droplet for a homebrew scraping project I’ve been working on lately.

Today I decided its time to throw it, and pressed the big, red, destroy button. Then I noticed I deleted the wrong droplet and accidentally deleted my blog!

Disaster Recovery Plan

I had daily backups setup already (remember Poor mans daily blog backups?) which were almost up to date.

All I needed to do is to add a few updates to the latest post. Fortunately, every time I post to LinkedIn, they cache my posts at “oded-ninja.cdn.ampproject.org/c/s/oded.ninja/…”

Up until now I kind of hated that cache. Every time I updated a blog post, it took forever to refresh, which was a real pain. Only this time I was actually grateful that cache existed.

Anyway, have you ever heard of the AMP Project?

The AMP Project is an open-source initiative aiming to make the web better for all. The project enables the creation of websites and ads that are consistently fast, beautiful and high-performing across devices and distribution platforms.

Ghost has pre-baked AMP support, Which I’ve set up to automatically redirect mobile clients.

Snapshots

DigitalOcean provide a droplet snapshot service for only 20% of the cost of the virtual server.

The problem is that snapshots wouldn’t help me at this point, because they get deleted with the droplet. Good thing I created that backup service.

Restore

I forked Ghost a few months ago, and instead of testing my changes on production, I put all my configuration in a private git repository.

That proved really useful for local testing, but especially for restoration. I had a habit of checking changes on up-to-date backups, which meant I restored the blog locally every few days.

Plan Execution

  1. Create a new Droplet
  2. Create new Read-only Deploy Keys
  3. Clone the repository, and build it.
  4. Restore the backup from Google Drive
  5. Pause Cloudflare
  6. Check the website is working
  7. Setup Lets Encrypt
  8. Resume Cloudflare
  9. Re-create my Keybase website proof.

Issues I Encountered

  1. I forgot to update the new droplet’s IP at namecheap, my DNS provider.
  2. When checking the website, before turning on SSL, I kept getting redirected to the https endpoint. That’s because it was saved in the browsers HSTS set. Fix? clear my browser’s HSTS settings
  3. Chrome has an internal DNS cache which needed to be refreshed. Fix? flush DNS records and sockets at chrome://net-internals/#dns and chrome://net-internals/#sockets respectively.
  4. I didn’t read the Lets Encrypt setup instructions thoroughly and got blocked for an hour after several failed attempts to set it up. Conclusion? RTFM!
  5. I forgot to update my website proof on Keybase.

Lessons Learned

First of all, DON’T PRESS THE BIG, RED, DESTROY BUTTON BEFORE MAKING SURE YOU ARE REMOVING THE RIGHT DROPLET!

Second, I need to make a few adjustments -

  • Enhance my backup script to include nginx’s configuration as well.
  • Setup a mechanism to perform backup after every update, or at least reduce the interval between backups.
  • Automate recovery steps, or at least document them. When I’m under pressure (or drunk), I forget steps :|

Conspiracy Theory: Intel's AMT Vulnerability & The Ken Thomson Hack

Around two weeks ago Intel announced a critical privilege escalation bug that was laying around its Active Management Technology (AMT) login page for the past seven years. The exploit allows a remote attacker to take control of vulnerable devices with ease.

I’ve read many posts that mock the programmer who introduced it, and the (lacking) testing framework and processes to make sure such things never happen.

But, what if no one made a mistake, and the whole thing is a result of an elaborate hack?

  • How much can you trust software?
  • Have you ever checked the validity of the sources your acquire your software from?
  • Can you trust your own code? Have you ever checked the tooling that compiles or runs it?

In 1984, Ken Thompson, a known figure in the hacker community and one of the authors of UNIX, proposed we can’t. In his remarkable paper, Reflections On Trusting Trust, Ken outlines a hack that many considers the worst hack imaginable: The Ken Thomson Hack.

This blog post is a bit long (but worth it!) and made out of three parts:

  1. The AMT Vulnerability
  2. The Ken Thomson Hack
  3. How 1 & 2 lead to a mega conspiracy

! Disclaimer: The conspiracy theory is completely made up.

Interested? Awesome. Start by reading about the AMT vulnerability.

Read More

Ultimate Guide to Winning a Hackathon

I keep running into people that tell me they’re unqualified to go to Hackathons, because their coding skills aren’t good enough. This post is for everyone who wants to win a Hackathon, and specifically to people who avoid them.

I recently participated and won the biggest Hackathon in Israel. I love Hackathons, and I love winning too. Getting a cash reward is fun, but not as much as winning!

After reading the above, you probably think I’m extremely competitive and cocky, but your’e missing the point - my definition for winning a Hackathon is probably different than yours.

Read More