Shared posts

07 May 06:17

A Hot Slice Of Justice Is Required

by Not Always Working
Coffee Shop | CA, USA

Years ago I worked at a popular chain coffee shop. I was born and raised and still live in one of the most expensive areas in the country. At the time I have gone back to college full-time, so I work full-time as well to try to keep up with my bills. Most of my coworkers are teenagers who live with their parents, with two other exceptions besides me. The company launches a new promotional program for a paid incentive card and offers a competition of sorts to try to sell memberships with cash prizes for the stores that sell the most in the district at the end of the introductory period.

To motivate us the store manager says if we win anything, the staff members will split any cash prize the store earns. My fellow rent-paying coworkers and I knew that money would go far for us, so we all hustled like crazy and sold memberships to as many customers as we could. Our store ends up coming in first in the district. And then our manager says he has changed his mind about splitting the prize and will use the money to throw a staff pizza party instead.

The three of us who were counting on the cash were understandably pissed off, but given how we were all hand-to-mouth we weren’t about to turn down the free food. We weren’t any less pissed off when a few weeks later, the coworker who picked up the food told us what it had cost. Which made us realize that the manager had not in fact spent even close to the whole prize total on the ‘celebration,’ but pocketed almost half of it for himself.

26 Jan 03:57

A Very Conflicting Sport

by Not Always Friendly
Sporting Event | Oakland, CA, USA

(My dad and I are attending an NBA game near our house. However, we are not rooting for the home team as we have moved from another city and are there to cheer on that city’s team. At this game, the arena is having a special event. If one of the home team’s players, who is famous for his three-point shots, makes a three-pointer, they will donate a malaria net to a country in need. Of course, I don’t want this player to make any shots because I want my team to win.)

Me: *as this player goes to make a three-pointer* “Come on, block it! Defense!”

(My team blocks him and my dad and I cheer.)

Me: “Um, Dad, I think we just cheered for a country not getting a malaria net…”

(For the rest of the game we felt really conflicted when that player took a shot.)

11 Jan 02:56

The Boss Doesn’t Give You Enough Credit

by Not Always Working
Hotel | China

(I have just started my professional career a few months ago and end up taking my first international work trip with my boss. He has been somewhat harsh with me about dotting all my i’s and crossing all my t’s leading up to this trip, but I have performed well throughout our work on this trip, and just the night before, over dinner, he said he was impressed with my performance. Over the course of the trip, I have been using my company card to pay for meals, transportation expenses, and other necessary things. The next morning we go to check out of our hotel.)

Clerk: “I’m sorry, ma’am, your card was declined.”

Me: “Can you please try it again?”

Clerk: “Of course… I’m sorry, it’s still coming back as declined.”

(I go grab my boss who is sitting in the lobby waiting for me to finish checking out.)

Me: “[Boss], my company card is coming up declined. I followed your instructions to make sure that my credit line was sufficient to pay for everything I needed on this trip. What should I do?”

Boss: “Well, why didn’t you have the finance department make sure your credit line was sufficient to cover this trip?”

Me: “I did do that. I emailed them exactly what you told me to with the details and cost of our trip, and called them to confirm that they received that and had extended my credit line properly. My card is still coming up declined. How do I handle this?”

Boss: “Well, just put it on a personal credit card and request reimbursement. They usually send checks for things you’ve paid for personally within 30 days, so you won’t have to pay any interest.”

Me: “I’m… I’m… sorry, sir, but we’ve been staying in this expensive hotel for 15 nights, and I simply don’t have that kind of credit available to me, even if I maxed out every one of my personal cards. I know that it’s the middle of the night in the U.S., but is there some emergency number I can call to get my company card fixed to work?”

Boss: “What do you mean you don’t have ‘that kind of credit’ available to you? It should only be around $6000. What, were you hitting the minibar too hard? Just put it on a personal card!”

Me: “Please don’t yell at me. I’m young and pretty much so broke, so I only have about $4000 total credit available on all of my personal cards. However, all of those charge international exchange fees, so it’s more like $3800-3900 before the cards will be declined. I’m sorry. I did what I was supposed to, but there is simply no way I can cover this without using my company card. Maybe we could try your company card?”

Boss: “Ugh, fine, I will pay your hotel bill, but don’t think this doesn’t reflect on your professionalism. What kind of professional doesn’t have personal cards that can cover a simple $6000 bill?”

(When we got back, it turned out our finance person *had* sent in the paperwork to increase my company card’s credit line, but instead of increasing my credit line by $4000, she increased it by $400. She was not penalized, and my boss held that over MY head for several years to come.)

12 Nov 08:14

Daily Sudoku - November 12 - Very Easy

BrainBashers Daily Sudoku

Complete the grid such that every row, every column, and the nine 3x3 blocks contain the digits from 1 to 9.

[Copyright: Kevin Stone]

09 Oct 07:25

Schlock Mercenary: October 9, 2015

by Howard Tayler

10 Aug 00:46

Welcome to The Internet of Compromised Things

by Jeff Atwood

This post is a bit of a public service announcement, so I'll get right to the point:

Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware?

It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level. Routers have become quite capable, powerful little computers in their own right over the last 5 years, and that means they can, unfortunately, be harnessed to work against you.

I write about this because it recently happened to two people I know.

In both cases, they eventually determined the source of the problem was that the router they were connecting to the Internet through had been compromised.

This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them.

Hilarious meme images I am contractually obligated to add to each blog post aside, this is scary stuff and you should be scared.

Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over. The attacker will certainly be sending all that traffic somewhere they can sniff it for anything important: logins, passwords, credit card info, other personal or financial information. And they can direct you to phishing websites at will – if you think you're on the "real" login page for the banking site you use, think again.

Heck, even if you completely trust the person whose router you are using, they could technically be doing this to you. But they probably aren't.

Probably.

In John's case, the attackers inserted annoying ads in all unencrypted web traffic, which is an obvious tell to a sophisticated user. But how exactly would the average user figure out where this junk is coming from (or worse, assume the regular web is just full of ad junk all the time), when even a technical guy like John – founder of the open source Ghost blogging software used on this very blog – was flummoxed?

But that's OK, we're smart users who would only access public WiFi using HTTPS websites, right? Sadly, even if the traffic is HTTPS encrypted, it can still be subverted! There's an extremely technical blow-by-blow analysis at Cryptostorm, but the TL;DR is this:

Compromised router answers DNS req for *.google.com to 3rd party with faked HTTPS cert, you download malware Chrome. Game over.

HTTPS certificate shenanigans. DNS and BGP manipulation. Very hairy stuff.
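
One way to check whether the DNS resolver a router hands out is rewriting answers, as an added example that is not from the original post or the Cryptostorm analysis. The canary name, the hostnames, the sample answer tables and the source behind `reference_lookup` (for instance a resolver reached over a VPN) are assumptions; the sample data is constructed and uses documentation addresses.

```python
import ipaddress
import socket

# Names under .invalid are reserved and must never resolve (RFC 6761).
CANARY = "router-dns-canary.invalid"

# Address ranges that a public hostname has no business resolving to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def system_lookup(name):
    """Resolve through the OS resolver, i.e. the DNS server the router advertised."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def is_internal(addr):
    """True for private, loopback and link-local addresses (scope id ignored)."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    return any(ip in net for net in INTERNAL_NETS)


def check_resolver(names, local_lookup=system_lookup, reference_lookup=None):
    """Return (name, reason) findings for answers that look rewritten."""
    findings = []
    # Strong signal: a resolver that answers for a name that cannot exist.
    if local_lookup(CANARY):
        findings.append((CANARY, "nonexistent name resolved"))
    for name in names:
        local = local_lookup(name)
        # Strong signal: a public site pointed at an address inside the LAN.
        internal = sorted(a for a in local if is_internal(a))
        if internal:
            findings.append((name, "public name maps to " + ", ".join(internal)))
            continue
        if reference_lookup is None:
            continue
        expected = reference_lookup(name)
        # Weak signal: CDNs legitimately vary answers, so treat this as
        # "verify the TLS certificate before trusting", not as proof.
        if local and expected and local.isdisjoint(expected):
            findings.append((name, "no overlap with reference resolver"))
    return findings


# Constructed sample data: hypothetical hostnames, documentation addresses.
SAMPLE_REFERENCE = {
    "bank.example": {"198.51.100.10"},
    "mail.example": {"203.0.113.25"},
    "updates.example": {"198.51.100.80", "198.51.100.81"},
}
SAMPLE_ROUTER = {
    "bank.example": {"192.168.1.1"},      # redirected to a LAN host
    "mail.example": {"203.0.113.25"},     # untouched
    "updates.example": {"192.0.2.66"},    # redirected to a third party
    CANARY: {"192.0.2.66"},               # wildcard answer for anything
}


def demo():
    """Run the check against the constructed tables instead of the network."""
    return check_resolver(
        ["bank.example", "mail.example", "updates.example"],
        local_lookup=lambda n: SAMPLE_ROUTER.get(n, set()),
        reference_lookup=lambda n: SAMPLE_REFERENCE.get(n, set()))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```
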

How is this possible? Let's start with the weakest link, your router. Or more specifically, the programmers responsible for coding the admin interface to your router.

They must be terribly incompetent coders to let your router get compromised over the Internet, since one of the major selling points of a router is to act as a basic firewall layer between the Internet and you… right?

In their defense, that part of a router generally works as advertised. More commonly, you aren't being attacked from the hardened outside. You're being attacked from the soft, creamy inside.

That's right, the calls are coming from inside your house!

By that I mean you'll visit a malicious website that scripts your own browser to access the web-based admin pages of your router, and reset (or use the default) admin passwords to reconfigure it.

Nasty, isn't it? They attack from the inside using your own browser. But that's not the only way.

  • Maybe you accidentally turned on remote administration, so your router can be modified from the outside.

  • Maybe you left your router's admin passwords at default.

  • Maybe there is a legitimate external exploit for your router and you're running a very old version of firmware.

  • Maybe your ISP provided your router and made a security error in the configuration of the device.

In addition to being kind of terrifying, this does not bode well for the Internet of Things.

Internet of Compromised Things, more like.

OK, so what can we do about this? There's no perfect answer; I think it has to be a defense in depth strategy.

Inside Your Home

Buy a new, quality router. You don't want a router that's years old and hasn't been updated. But on the other hand you also don't want something too new that hasn't been vetted for firmware and/or security issues in the real world.

Also, any router your ISP provides is going to be about as crappy and "recent" as the awful stereo system you get in a new car. So I say stick with well known consumer brands. There are some hardcore folks who think all consumer routers are trash, so YMMV.

I can recommend the Asus RT-AC87U – it did very well in the SmallNetBuilder tests, Asus is a respectable brand, it's been out a year, and for most people, this is probably an upgrade over what you currently have without being totally bleeding edge overkill. I know it is an upgrade for me.

(I am also eagerly awaiting Eero as a domestic best of breed device with amazing custom firmware, and have one pre-ordered, but it hasn't shipped yet.)

Download and install the latest firmware. Ideally, do this before connecting the device to the Internet. But if you connect and then immediately use the firmware auto-update feature, who am I to judge you.

Change the default admin passwords. Don't leave it at the documented defaults, because then it could be potentially scripted and accessed.

Turn off WPS. Turns out the Wi-Fi Protected Setup feature intended to make it "easy" to connect to a router by pressing a button or entering a PIN made it … a bit too easy. This is always on by default, so be sure to disable it.

Turn off UPnP. Since we're talking about attacks that come from "inside your house", UPnP offers zero protection as it has no method of authentication. If you need it for specific apps, you'll find out, and you can forward those ports manually as needed.

Make sure remote administration is turned off. I've never owned a router that had this on by default, but check just to be double plus sure.

For WiFi, turn on WPA2+AES and use a long, strong password. Again, I feel most modern routers get the defaults right these days, but just check. The password is your responsibility, and password strength matters tremendously for wireless security, so be sure to make it a long one – at least 20 characters with all the variability you can muster.

Pick a unique SSID. Default SSIDs just scream hack me, for I have all defaults and a clueless owner. And no, don't bother "hiding" your SSID, it's a waste of time.

Optional: use less congested channels for WiFi. The default is "auto", but you can sometimes get better performance by picking less used frequencies at the ends of the spectrum. As summarized by official ASUS support reps:

  • Set 2.4 GHz channel bandwidth to 40 MHz, and change the control channel to 1, 6 or 11.

  • Set 5 GHz channel bandwidth to 80 MHz, and change the control channel to 165 or 161.

Experts only: install an open source firmware. I discussed this a fair bit in Everyone Needs a Router, but you have to be very careful which router model you buy, and you'll probably need to stick with older models. There are several which are specifically sold to be friendly to open source firmware.
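
The checklist above expressed as an audit over a router's settings, as an added example that is not from the original post. The setting names, the two sample configurations, the short lists of default passwords and SSID prefixes, and the three-character-class threshold are assumptions made for illustration; real routers expose these values under vendor-specific names.

```python
import re

# Illustrative lists, constructed for this example and far from exhaustive.
COMMON_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "default"}
DEFAULT_SSID_PATTERN = re.compile(
    r"^(asus|linksys|netgear|dlink|d-link|tp-link|default)([ _-].*)?$", re.I)


def passphrase_problems(passphrase):
    """Check the Wi-Fi passphrase: 20+ characters, varied character classes."""
    problems = []
    if len(passphrase) < 20:
        problems.append("Wi-Fi passphrase shorter than 20 characters")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:  # threshold is an assumption of this example
        problems.append("Wi-Fi passphrase uses fewer than 3 character classes")
    return problems


def audit_router(cfg):
    """Return a list of findings; a missing setting is treated as unsafe."""
    findings = []
    if cfg.get("admin_password", "").lower() in COMMON_DEFAULT_PASSWORDS:
        findings.append("admin password is a documented or common default")
    if cfg.get("wps_enabled", True):
        findings.append("WPS is enabled")
    if cfg.get("upnp_enabled", True):
        findings.append("UPnP is enabled")
    if cfg.get("remote_admin_enabled", True):
        findings.append("remote administration is enabled")
    if (cfg.get("wifi_security"), cfg.get("wifi_cipher")) != ("WPA2", "AES"):
        findings.append("Wi-Fi is not WPA2 with AES")
    findings += passphrase_problems(cfg.get("wifi_passphrase", ""))
    if DEFAULT_SSID_PATTERN.match(cfg.get("ssid", "")):
        findings.append("SSID looks like a factory default")
    if not cfg.get("firmware_is_latest", False):
        findings.append("firmware is not the latest release")
    return findings


# Constructed sample: a router left close to its out-of-the-box state.
WEAK = {
    "admin_password": "admin", "wps_enabled": True, "upnp_enabled": True,
    "remote_admin_enabled": False, "wifi_security": "WPA2",
    "wifi_cipher": "TKIP", "wifi_passphrase": "coffee123",
    "ssid": "NETGEAR-5G", "firmware_is_latest": False,
}

# Constructed sample: the same router after working through the checklist.
HARDENED = {
    "admin_password": "Tangled-Otter-Kite-62", "wps_enabled": False,
    "upnp_enabled": False, "remote_admin_enabled": False,
    "wifi_security": "WPA2", "wifi_cipher": "AES",
    "wifi_passphrase": "Quiet-Lantern-47-river-moss",
    "ssid": "bluebird-attic", "firmware_is_latest": True,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for finding in audit_router(cfg) or ["no findings"]:
            print("  -", finding)
```
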

Outside Your Home

Well, this one is simple. Assume everything you do outside your home, on a remote network or over WiFi is being monitored by IBGs: Internet Bad Guys.

I know, kind of an oppressive way to voyage out into the world, but it's better to start out with a defensive mindset, because you could be connecting to anyone's compromised router or network out there.

But, good news. There are only two key things you need to remember once you're outside, facing down that fiery ball of hell in the sky and armies of IBGs.

  1. Never access anything but HTTPS websites.

    If it isn't available over HTTPS, don't go there!

    You might be OK with HTTP if you are not logging in to the website, just browsing it, but even then IBGs could inject malware in the page and potentially compromise your device. And never, ever enter anything over HTTP you aren't 100% comfortable with bad guys seeing and using against you somehow.

    We've made tremendous progress in HTTPS Everywhere over the last 5 years, and these days most major websites offer (or even better, force) HTTPS access. So if you just want to quickly check your GMail or Facebook or Twitter, you will be fine, because those services all force HTTPS.

  2. If you must access non-HTTPS websites, or you are not sure, always use a VPN.

    A VPN encrypts all your traffic, so you no longer have to worry about using HTTPS. You do have to worry about whether or not you trust your VPN provider, but that's a much longer discussion than I want to get into right now.

    It's a good idea to pick a go-to VPN provider so you have one ready and get used to how it works over time. Initially it will feel like a bunch of extra work, and it kinda is, but if you care about your security an encrypt-everything VPN is bedrock. And if you don't care about your security, well, why are you even reading this?

If it feels like these are both variants of the same rule, always strongly encrypt everything, you aren't wrong. That's the way things are headed. The math is as sound as it ever was – but unfortunately the people and devices, less so.

Be Safe Out There

Until I heard Damien's story and John's story, I had no idea router hardware could be such a huge point of compromise. I didn't realize that you could be innocently visiting a friend's house, and because he happens to be the parent of three teenage boys and the owner of an old, unsecured router that you connect to via WiFi … your life will suddenly get a lot more complicated.

As the amount of stuff we connect to the Internet grows, we have to understand that the Internet of Things is a bunch of tiny, powerful computers, too – and they need the same strong attention to security that our smartphones, laptops, and servers already enjoy.

09 Jul 02:08

Making A Very Sharp Point

by Not Always Related
Home | UT, USA

(My husband takes lunch to work most days, and keeps disposable utensils in his desk.)

Husband: “Sweetie, I need more silverware, but no more knives. I have like a hundred knives.”

Me: “That’s a lot of knives. You could kill a lot of people with those knives.”

Husband: “Yeah, like everyone at work. Not just the people in my office, but everyone in my whole building. That’s how many knives I have.”

15 Jun 02:36

A Walkthrough on Conditional Tags in WordPress: Series Finale

by Barış Ünver

It was a long run, but we finally got to the last part of the series. I hope it was a fun and educational journey and you enjoyed the series as much as I did.

What We Learned

The first part was about introducing Conditional Tags. In this part, we learned about what Conditional Tags are, how important they are for WordPress theme and plugin developers, and how to use Conditional Tags in WordPress development. In addition, I came up with five different example cases in which Conditional Tags come in handy.

In the following five tutorials, we went through 65 Conditional Tags in total. There were 66 documented Conditional Tags when I started and finished writing this series. One of them was a deprecated function (is_plugin_page()), so I wrote about 65 Conditional Tags, with descriptions, parameters and examples for some of them.

In the second part, we learned about the following Conditional Tags:

  • Checking whether we're on the "blog posts index page": is_home()
  • Checking whether the current theme is a child theme: is_child_theme()
  • Checking whether the post is in the given category: in_category()
  • Checking whether a "page template" is in use: is_page_template()
  • Checking whether the page is an archive page: is_archive()
  • Checking whether the page is a "date archives" page: is_date()
  • Checking whether the given widget is in use: is_active_widget()
  • Checking whether the page is a single blog post's page: is_single()
  • Checking whether the email address exists in the Users table: email_exists()
  • Checking whether the post type is hierarchical: is_post_type_hierarchical()
  • Checking whether the post is "sticky": is_sticky()
  • Checking whether the administration panel is being displayed: is_admin()
  • Checking whether the page is a "category archives" page: is_category()

In the third part, we went through these Conditional Tags:

  • Checking whether we're on the front page: is_front_page()
  • Checking whether the post has a thumbnail: has_post_thumbnail()
  • Checking whether the theme is using the "comments popup": is_comments_popup()
  • Checking whether the page is a 404 error page: is_404()
  • Checking whether the given taxonomy exists: taxonomy_exists()
  • Checking whether the page is the "search results" page: is_search()
  • Checking whether the page is a "tag archives" page: is_tag()
  • Checking whether the post has a custom excerpt: has_excerpt()
  • Checking whether it's the main query: is_main_query()
  • Checking whether the post has the given tag: has_tag()
  • Checking whether the blog is installed: is_blog_installed()
  • Checking whether the user is a "super admin": is_super_admin()
  • Checking whether the page is a "page" page: is_page()

In the fourth part, we checked out the following:

  • Checking whether the page is a "monthly archives" page: is_month()
  • Checking the current theme's features: current_theme_supports()
  • Checking whether the specified plugin is active: is_plugin_active()
  • Checking whether the URL is a local attachment: is_local_attachment()
  • Checking whether the page is a time-based archive page: is_time()
  • Checking whether the current locale is RTL: is_rtl()
  • Checking whether the page is a custom taxonomy's "archives" page: is_tax()
  • Checking whether the page is an attachment page: is_attachment()
  • Checking whether the given term exists: term_exists()
  • Checking whether the post has the given term: has_term()
  • Checking whether it's a trackback: is_trackback()
  • Checking whether "WordPress Multisite" is in use: is_multisite()
  • Checking whether the page is a post type(s) archive: is_post_type_archive()

In the fifth part, we examined these ones:

  • Checking whether the blog is the "main site" of the network: is_main_site()
  • Checking whether a menu location has an assigned menu: has_nav_menu()
  • Checking whether the specified plugin is active in multisite: is_plugin_active_for_network()
  • Checking whether comments are enabled: comments_open()
  • Checking whether a sidebar contains any widgets: is_dynamic_sidebar()
  • Checking whether there's more than one author in the blog: is_multi_author()
  • Checking whether pings are open: pings_open()
  • Checking whether a feed is being displayed: is_feed()
  • Checking whether the page is a "yearly archives" page: is_year()
  • Checking whether the visitor is a logged-in user: is_user_logged_in()
  • Checking whether the attachment is an image: wp_attachment_is_image()
  • Checking whether the given post type exists: post_type_exists()
  • Checking whether the current post is published on a new day: is_new_day()

And in the sixth part, we studied the following Conditional Tags:

  • Checking whether the page is either a blog post or a page: is_singular()
  • Checking whether the function is working in "the Loop": in_the_loop()
  • Checking whether the specified plugin is inactive: is_plugin_inactive()
  • Checking whether the page is an "author archives" page: is_author()
  • Checking whether we're on a paged "listing" page: is_paged()
  • Checking whether the WordPress Toolbar is being displayed: is_admin_bar_showing()
  • Checking whether the page is a "daily archives" page: is_day()
  • Checking whether the given sidebar is in use: is_active_sidebar()
  • Checking whether the given username exists in the Users table: username_exists()
  • Checking whether it's the "preview post" page: is_preview()
  • Checking the state of the given script: wp_script_is()
  • Checking the state of the given style: wp_style_is()
  • Checking whether the taxonomy is hierarchical: is_taxonomy_hierarchical()

Tiny Bonus Chapter: Three Plugins Making Use of Conditional Tags

In this "bonus chapter", we're going to look at three plugins that focus on using Conditional Tags. These plugins can be very, very powerful when you need them and if you use them right!

Widget Logic

Downloaded nearly a million times and with a star rating of 4.3, Widget Logic is by far the most popular plugin that makes use of Conditional Tags. And it's not surprising that it's so popular, because it virtually keeps us from having to create separate sidebars for separate occasions. 

The logic of this plugin is simple: It places a little input under each widget in the Widgets page of your admin panel, so that you can type in Conditional Tags, just like when you write in your if statements. Be careful though: This plugin passes that input to PHP's eval() function, which means that anyone who has access to Widget Logic inputs can write any kind of PHP code and the plugin will run it. Any kind. Be warned.

Script Logic

Just as Widget Logic handles widgets, Script Logic handles your JavaScript files—as long as you enqueue them with the wp_enqueue_script() function. It basically takes all the enqueued scripts and lets you add Conditional Tags to wrap the scripts and load them conditionally. This plugin also uses eval() to work, so be careful.

Conditional Shortcodes

Remember the example we looked at for the is_feed() Conditional Tag? This plugin extends it to 19 Conditional Tags in total, including our example. Here's the list of Conditional Tags the plugin supports:

  • comments_open()
  • is_archive()
  • is_author()
  • is_category()
  • is_day()
  • is_feed()
  • is_front_page()
  • is_home()
  • is_month()
  • is_page()
  • is_page()
  • is_search()
  • is_single()
  • is_singular()
  • is_sticky()
  • is_tag()
  • is_tax()
  • is_time()
  • is_year()

The usage is just like any other shortcode: Put the Conditional Tag in square brackets and pass the parameters of the Conditional Tag as shortcode parameters. The plugin also has "else" shortcodes that you can use inside the listed shortcodes.

The End

As I said, this series was a long but fun journey for me. And I hope you enjoyed it as much as I did.

If you have any questions, contributions or comments, shoot them below in the comments. And if you liked the series, don't forget to share it with your friends!

13 May 01:58

Stick It To The Calculation

by BD

Electronics Store, Retail | Cleveland, OH, USA

(A customer calls into the store about a printing calculator he recently purchased. The calculator is AC adapter powered.)

Me: “Hello. How can I help you?”

Customer: “I just bought a calculator and the numbers won’t clear off the screen.”

Me: “Okay, why don’t you reset it using the reset button on the bottom of the calculator.”

Customer: “Okay, I reset it but the numbers are still on the display. Should I unplug the power?”

Me: “Go ahead and unplug the power and try resetting it again.”

Customer: “The numbers are still on the screen, that’s not working.”

Me: “Sir, what numbers are listed on the screen?”

Customer: “One through nine.”

Me: “…Sir, is it a sticker?”

Customer: “…Oh.”

20 Jan 02:23

Close Enough of the Day: Smog in Beijing Makes Seeing a Sunrise Only Possible on a Big Screen

According to Time World, China's capital city has reached a level of pollution where the only way to spot the sunrise is on a super-sized flatscreen. For those who would like to have an early-morning moment of inspiration, citizens of Beijing can gaze upon the city's LED screens to view the astronomical start to a new day.

Submitted by: Unknown (via Time World)