Scotland holiday

26 May – 3 June 2012:

  • Oban in the sunshine
  • Fish and chips in Oban…two days in a row
  • Hiking up Beinn Lora on a hot, hot day. Picnic at the top, with simply astonishing views.
  • The tour around Oban distillery. Oh, the smells!
  • Lovely accommodation at Lagnakeil Lodges
  • Sitting around in the quiet, reading books
  • The power station under the mountain at Ben Cruachan
  • Finally getting Alex & Fiona in to see The Avengers!
  • Gorgeous lunch at the Plumed Horse; catching up with Tony and Ian
  • Visiting Pulp Fiction on Bread Street for the first time
  • The amazing Pine Lodge at Archerfield
  • My first (half) round of golf in… four years? Let’s not talk about scores.
  • Private in-house family dinner with a personal chef
  • A mince pie and a fudge donut on Haddington High Street while watching the festival parade go by
  • Watching the kids skate and ride about at Space in North Berwick
  • Full Scottish breakfast whilst hung over

Best of all: spending so much time with my family.

Fear of failure, by proxy

Alex is doing a presentation (“spreekbeurt”) at school today, about dragons.

I’ve done plenty of presentations, academically, professionally and recreationally. I’m the kind of person who sweats bullets over homework, stays up whole nights studying for exams, and freaks out at the idea of being unprepared. Abi’s the same.

So it’s hard for me when Alex shows a stubborn lack of interest in his own school work. When I offer to help, he gets grumpy and insists he can do it himself. When I ask him to turn off his game and actually do the work, he gets angry. I get annoyed at his attitude. Everyone is miserable.

I so want to help! I want him to get good grades! I want him to impress his classmates with his mad PowerPoint skills, and encyclopedic knowledge of all things draconic! Why can’t he just do what I’d do?

Oops.

“I want?” This isn’t about me. Every parent wants their child to work hard, to do their best, to excel. But what if they don’t? Disappointment? Scorn?

“Look,” I said. “If you don’t spend more time on this presentation, you might fail. Is that what you want?”

“Well, live and learn!” Alex said defiantly.

He has the truth of it. This isn’t a doctoral thesis defense, or a speech at TED. It’s a five-to-ten minute classroom presentation at primary school. If he fumbles, all that will happen is that he’ll get a poor grade for this one thing. It won’t stop him from moving up to the next class after the summer. It won’t stop him from getting a job when he graduates. It won’t stop me loving him.

What is the lesson I want Alex to learn from this non-critical event, in the safe, nurturing environment of his primary school? Is it that he should live in constant fear of failure or poor performance, and that the only way to avoid it is to spend all his time trying to stop the hammer from falling? Or that failure (or even just imperfection) is part of life; that it is something he can deal with; that afterwards he can pick himself up and carry on?

Wouldn’t it be nice not to have to be the best to be recognized?

Not everyone can be the best in their chosen field. Not every child is above average. I don’t want to glorify failure or advocate laziness, but in the pursuit of excellence we should not vilify the ordinary.

Amsterdam tourist tip: the free ferries across the river

As a tourist in Amsterdam, there’s a good chance you will arrive at Centraal Station, leave by the front, and spend most of your time in “the centre” — the concentric canals, bridges, merchant houses, cafés, museums, and sights make it a beautiful place to wander and cycle.

But if you want a slightly different view of the city, try heading out of the station in the opposite direction. Out the back is where you will find the river IJ (pronounce it “eye” or “aye”, and you’ll be close enough), and the ferries to take you to “Noord” (North).

With the exception of the green “Fast Flying Ferry” hydrofoil to IJmuiden, the passenger ferries across the river are completely free. No tickets, no hassle — you just walk on (bikes and scooters are allowed on board), and enjoy the ride. There are various routes, but the ones I take most often are the “short ferry” to Buiksloterweg and the “long ferry” to NDSM.

The short ferry runs at least every 10 minutes day and night, and the crossing only takes a few minutes. The Buiksloterweg is on the other side of the river, directly opposite the station. You can sit yourself down at the very pleasant Café De Pont for a drink or something to eat, and watch the river traffic go by, with a great view of the back of the station. Film (and architecture) buffs may also be interested in the newly opened Dutch Film Museum in the eye-opening EYE building.

The long ferry is my favourite, though. It leaves once every 30 minutes throughout the day (every 15 minutes during commute hours), and is a relaxing 12-minute trip a couple of kilometers down the IJ to the NDSM Werf, a former shipbuilding and industrial area that is gradually transforming into a hot spot for local festivals and fresh startups. The ferry docks right next to an abandoned Zulu-class Soviet submarine.

Right at the end of the NDSM ferry you can relax at the trendy IJkantine, or walk a bit further to hang out at the more funky and organic Noorderlicht. (Ask for a cup of fresh mint tea if you’re into that kind of thing.) Both places have outdoor seating with great views of the river if it’s a nice day. NDSM is also a good point for setting off on a cycle ride to the countryside North of the city: Het Twiske, a lovely nature reserve (with a windmill!), is just a few miles away.

NDSM is the home of the Pancake Boat: a small cruise ship that will take you on an hour-long trip up and down the IJ, while serving an all-you-can-eat pancake buffet. Great views of the city, and enough food to choke a horse; fun for all the family.

Hacked, grr

Late this afternoon, I happened to do a Google search for something I had written on my blog last year. The article came up in the search results, but when I clicked on it, I was redirected to a different site (a .ru domain). The target page didn’t load, though.

Primary investigative steps:

  1. Try it again. Still happens.
  2. Try search in a different browser. Still happens.
  3. Shit, I’ve been hacked.
  4. ssh to my server. Because I use Movable Type as my blog software, there are physical HTML files on disk for all my blog entries. Looking at the source code that should have been served up showed nothing unusual.
  5. Examine the .htaccess file for my site. This is where the damage was being done. The .htaccess file controls things like redirects, and a bunch of code had been added to mine. Interestingly, it was checking the referer on each incoming HTTP request, and only redirecting viewers that had come from a search engine. If you typed “http://sunpig.com/martin” directly into the address bar of your browser, or if you arrived via a bookmark or a non-search engine link, you would be let in as normal. The hack was designed purely to bleed off search engine traffic.
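
A way to automate step 5 across a whole account, as an added example that is not part of the original post: it flags any .htaccess rule that redirects to an absolute URL only when a preceding condition tests the Referer header. The function name is made up for illustration.

```shell
#!/bin/sh
# Added example: report RewriteRule lines in .htaccess files that send the
# visitor to an external URL and are guarded by a RewriteCond on HTTP_REFERER.

scan_htaccess() {
    # $1 = directory to scan, e.g. the web root
    find "$1" -type f -name .htaccess -exec awk '
        FNR == 1 { pending = 0 }              # new file: forget earlier conditions
        /^[ \t]*#/ { next }                   # ignore comment lines
        tolower($1) == "rewritecond" {
            # $2 is the test string, e.g. %{HTTP_REFERER}
            if (toupper($2) ~ /HTTP_REFERER/) pending = 1
            next
        }
        tolower($1) == "rewriterule" {
            # $3 is the substitution; an absolute URL means an external redirect
            if (pending && tolower($3) ~ /^"?https?:\/\//)
                printf "%s:%d: %s\n", FILENAME, FNR, $0
            pending = 0                       # conditions only bind to the next rule
        }
    ' {} +
}

# Usage: scan_htaccess /path/to/webroot
```

Each hit is printed as file, line number and the rule itself, so legitimate referer-based rules (hotlink protection, for example) can be told apart from injected ones by eye.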

Next step: find out when the damage was done, and how long this had been going on. The modified time on the .htaccess file was very recent – just an hour previously, in fact. It seemed unlikely that I had caught the hack so quickly after it had happened.

I logged in to my host’s control panel, and checked the account access logs. These logs showed that no-one but me had logged in to my account using ssh or the control panel in the last month. Good. I changed my account password anyway. I also notified my host, and told them what I’d found so far.

I used the unix find command to see what files had been changed in the last 7 days:

find . -mtime -7

This showed a bunch of files I knew I had changed or added myself, some log files that I would have expected to be changed, and also: a stack of .htaccess files where there should not have been any, a bunch of unfamiliar PHP files all called “pagenews.php”, and two “index.php” files that should not have been altered in the last week.

Next, I identified all .htaccess files in my account, and all files called pagenews.php:

find . -name ".htaccess"
find . -name "pagenews.php"

Then I looked for common text signatures in the files, to see if there was anything else I was missing:

grep -r "on\.ru" .
grep -r "FilesMan" .

Okay, infection identified. I could clean up the affected files, but I still didn’t know how the attacker got in in the first place. Without knowing that, there would be nothing to stop them getting straight back in again.

The time stamps on all the affected files went back three days. Some were stamped today, some were stamped yesterday; only one dated back to Monday. I checked the Apache log files of web traffic, and found that yesterday’s time stamps matched up with unusual HTTP POST requests to the two index.php and pagenews.php files. Those files used some kind of obfuscation, so I couldn’t figure out what they were actually doing; but given that the file timestamps matched the web access logs, it seems like a reasonable assumption that those POST requests were actually writing files on my server.
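
The log check described above can be reduced to one pass over the access log. This is an added example, not the commands used in the original investigation; it assumes Apache common/combined log format in chronological order, and the sample lines (addresses, dates, paths) are constructed.

```shell
#!/bin/sh
# Added example: summarise POST requests to .php files so their times can be
# lined up against the modification times reported by find/ls.

post_summary() {
    # $1 = access log (reads stdin when omitted)
    # Output per path: count, first timestamp, last timestamp, path
    awk '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)          # drop any query string
            if (path !~ /\.php$/) next
            ts = substr($4, 2)                        # strip the leading "["
            if (!(path in first)) { first[path] = ts; order[++n] = path }
            last[path] = ts; count[path]++
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%d %s %s %s\n", count[p], first[p], last[p], p
            }
        }
    ' "${1:--}"
}

# Constructed sample log lines for a dry run: sample_log | post_summary
sample_log() {
    cat <<'EOF'
198.51.100.4 - - [10/Jan/2012:09:15:02 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2012:14:02:11 +0000] "POST /blog/index.php HTTP/1.1" 200 312 "-" "-"
203.0.113.7 - - [10/Jan/2012:14:02:15 +0000] "POST /blog/archive/pagenews.php?x=1 HTTP/1.1" 200 87 "-" "-"
203.0.113.9 - - [11/Jan/2012:03:40:50 +0000] "POST /blog/archive/pagenews.php HTTP/1.1" 200 87 "-" "-"
198.51.100.4 - - [11/Jan/2012:08:00:00 +0000] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 200 40 "-" "Mozilla/5.0"
EOF
}
```

A PHP file that was modified but has no POST in this summary near its timestamp, like the Monday index.php discussed next, points to a change made by some route other than the web server.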

However, the one index.php file with a timestamp of Monday didn’t have a matching entry in the HTTP logs. I checked the file permissions, and found that they were set to 666: readable and writeable by everyone on the server.

So my working theory was: at some point on Monday, a process owned by some other user on the shared server discovered that I had an index.php file ripe for taking over. It injected the malicious code, but didn’t do anything else immediately. Then, on Tuesday, some other part of the attack kicked in, and started making HTTP requests to the infected PHP file. Because the affected PHP code is running under my account now, it’s free to muck around with other files that belong to me. So the infection spreads to other areas around my server…

Recovery steps:

  • Remove the newly created pagenews.php files. Manually remove the infection code from the index.php files, and the .htaccess files. (The .htaccess files were modified, not overwritten. The malicious code was added to the start and end of the file.)
  • Lock down permissions on all files and folders in my account, so that no-one else on the shared server has permission to write to them.
  • Remove unused code (old versions of Movable Type, Thinkup, lessn, inactive dev sites) to minimize attack surface for the future.
  • Upgrade to latest version of Movable Type (5.13)
  • To recursively apply 755 permissions to directories, and 644 permissions (read/write by me, read-only by others) to files:

    find . -type d -exec chmod 755 {} \;
    find . -type f -exec chmod 644 {} \;
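
A narrower variant of the lockdown, as an added example that is not the author's own commands: it first lists what other users on the host can write to, then removes only the group/other write bits, so files that need the execute bit (CGI scripts, for instance) keep it. Function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit and remove write access for group/other without
# touching read or execute bits.

# Print regular files and directories that every local user can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Strip group/other write bits under $1, printing each path that is changed.
# Returns non-zero if anything is still world-writable afterwards
# (for example because chmod was denied on a file owned by someone else).
lock_down() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) \
        -print -exec chmod go-w {} +
    [ -z "$(world_writable "$1")" ]
}

# Usage (hypothetical path):
#   world_writable ~/public_html
#   lock_down ~/public_html
```

Running world_writable from a scheduled job afterwards catches files that an upload script or installer later creates with mode 666 or 777.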

Steps for the future: run a scheduled backup job for static files on the server. I already use autoMySQLBackup for daily backups of the databases on the server, but clearly I need to consider the static files, too. Vasilis van Gemert has an example here: https://gist.github.com/2415901.

Lessons learned:

  • If you’re running on a shared server, make sure that your files are not writeable by others on that server.
  • Backups. It’s not a matter of if something goes wrong, it’s a matter of when. My home backup strategy is pretty solid; my server backups are still lacking.

Walking through London

I just finished reading Kate Griffin’s The Midnight Mayor, and last week I read Christopher Fowler’s Bryant & May Off The Rails. Both books are love letters to London. They revel in the thick layers of history, above ground and below. The city is a living thing, metaphorically for Arthur Bryant and John May, and literally for Matthew Swift, the protagonist of Kate Griffin’s series. In both cases, the city can be angered or appeased, coaxed and cajoled into giving up its secrets. Bryant and May, detectives, discover a vital clue in the different patterns of upholstery used on the Underground’s 12 lines; Matthew Swift, a sorcerer, uses the Underground’s terms and conditions of carriage as a powerful magical ward to defend himself.

I’ve never lived in London, only visited, and so I only know it through the eyes of a tourist. But my most vivid memories of the city are of walking through it, not of the shopping or glitzy attractions.

Walking around Covent Garden when Abi and I took the train down from Edinburgh one day in the late 90s, just to have lunch at Belgo’s, and coffee with James. Walking from my hotel near Victoria to the QEII conference centre in the mornings and back again in the evenings, in June 2006 for the @Media conference; a steady soundtrack of At War With The Mystics by The Flaming Lips on my iPod. Walking from Waterloo to the Tower with Abi & the kids, and Jules & Becca; deciding that we were too tired to visit, so camping out at a nearby Starbucks for a cool frappuccino instead. Walking from Victoria to Southwark last September for lunch with Bora, because it was a glorious day, and I had the time; gazing up in awe at the Shard under construction.

I’m more than a little tempted to plan a holiday in London solely for the purpose of walking the city, North to South, East to West. Not planning for any stops along the way; just taking it as it comes. Getting underway before dawn, and watching the city come to life around me. Lunch from a sandwich shop, dinner from a chippie. I don’t know how far I’d get, or what I’d see; I don’t actually know the city that well; but that’s part of the point. To walk, to see, to be.