firehose

A clever but slightly aquaphobic English cocker spaniel named Jessers McGhee figured out how to use a blue inflatable raft to rescue his beloved tennis ball without having to jump into the pool. According to his human Chantille C, Jessers went from being a “fraidy cat” to a “smarty pants” because he “loves the pool but cant find the courage to jump on in”. While the method that Jessers used wasn’t unique, he certainly did it with style.

via Nothing To Do With Arbroath

Nendoroid Link’s Majora’s Mask accessories ⊟ 

I love the Red Potion and Goron Mask! When Good Smile releases the figure to Japan in January, it will also throw in the Kokiri sword, Hero’s Shield, Bunny Hood, Deku Mask, Zora Mask, Tatl, and Majora’s Mask. Both Good Smile and Play Asia are accepting preorders for these now, though I expect Amazon will eventually have them too. Thanks for the tip, Thomas P.!

PREORDER Zelda: Tri Force Heroes, Link Wind Waker Nendoroid

Reuters

Russia's Putin would consider meeting Obama at UN Reuters SEVASTOPOL, Crimea Russian President Vladimir Putin will attend next month's U.N. General Assembly in New York and would "consider constructively" any request for a meeting there with President Barack Obama, Russia's foreign minister said on ... Russia's Vladimir Putin takes dive in submersible, stirs up Ukrainian angerCNN Russia's Putin: Beware of foreign-funded sabotage in CrimeaWashington Post China, Russia to launch largest-ever joint navy exerciseWashington Times Sputnik International all 493 news articles »

Dear Jeff Bezos,

In a memo on Monday, you asked employees to write to you if they had any stories that were similar to those published in The New York Times’s now-controversial takedown of your company’s work management practices published Aug. 15. “The article doesn’t describe the Amazon I know or the caring Amazonians I work with every day,” you wrote. “But if you know of any stories like those reported, I want you to escalate to HR. You can also email me directly at jeff@amazon.com.”

Well, Jeff, as the spouse of a former Amazonian who worked at your company between 2007 and 2013, I thought I might take you up on your offer. Obviously, plenty of employees are very happy at Amazon, but don’t be so quick to dismiss The Times’ account: many scenarios and anecdotes detailed in the article hit very close to home. Amazon prides itself as a workplace that encourages a constant flow of feedback—even when that feedback may be difficult to hear. I hope you remember your own management principles when listening to my story.

We gave up our entire life when my husband got his job at your company. Leaving behind our friends and family—not to mention my own job—seemed a small price to pay for such an amazing opportunity. I wanted to move, and I was so proud of my husband getting hired at such a well-known, high-caliber company.

 Our first years at Amazon were heady and dazzling. It felt like our lives had leveled up. Our first years were heady and dazzling. We were moved into corporate housing with a waterfront view. Seattle was lonely, but exciting. It felt like our lives had leveled up.

But little by little, the shine wore off. My husband’s first team was responsible for managing shipping warehouse software. With warehouses around the globe, my husband would get paged to fix problems in China in the middle of the night, in the UK in the wee hours of the morning, and then in the Kentucky warehouse during work hours. During those weeks when he was “on call,” we would hunker down in our apartment, isolated, tethered to the laptop.

When his pager went off, he was expected to respond within 15 minutes or risk blowback or a call from a manager. If something came directly from you, Jeff, it was all hands on deck until that problem got figured out. No matter the emotional or physical toll.

Eventually, my husband’s team was whittled down to himself, his manager and just one other developer. This meant he was expected to be on-call every three weeks. “Our” all-time record was 64 different pages in one 24-hour span, mostly answered outside of business hours. As his one-woman pit crew, it was my responsibility to wake up when he was paged in the middle of the night, to pull over somewhere on the highway to find him WiFi if he was paged on the road, and to make sure that our lives never involved traveling anywhere more than 15 minutes from an internet connection.

Without children, this schedule was grueling. But when our girls were born, it became almost unbearable. Unable to take off more than two weeks after they arrived, I became like so many other quasi-single parents. (Today, the ridiculousness of this policy is compounded by the stories of other tech companies and their increasingly generous paternity leave.)

When our first daughter was about a month old, he was asked to go on a business trip. I imagine he could have turned that down, but I was insistent that he go so his managers not worry his home life was impacting his work ethic. This is the Amazon way, after all. It was one of the loneliest weeks of my life.

 My husband would get paged to fix problems in China in the middle of the night, in the UK in the wee hours of the morning, in Kentucky during work hours. Then there was the weekend trip we planned with my parents one summer, when we were forced to cancel our hotel room and come back a day early. Jeff, you wisely set it up so that Amazon freezes their code to provide a stable platform for customers during the busy retail holiday season. But by the midsummer “crunch time” life is put on hold.

When he returned that Monday, the writing was on the wall. Pulled into a meeting with his manager, my husband was told he was not making enough progress on his teams’ initiatives. Nevermind that he was no longer working with the boss who had hired him, or that the new management team had been shifting his priorities every two weeks. Expecting to become the sacrificial lamb used to explain the team’s lack of progress, he began to look for other positions immediately.

He had been under so much stress that after the meeting I asked him to go to therapy. Ironic, isn’t it, that we were able to afford such a good therapist because of Amazon?

I’m so thankful, Jeff, that you brought us to Seattle. We love this city, and its tech culture, so much. We gained so many things from the move out here—not the least of which was better career opportunities for both of us! But it’s hard to know if the six years we spent at your company were worth it.

If only you had asked for our feedback earlier, and responded with the same kind of intensity with which you expect your own employees to respond to yours.

Thanks,

Beth Anderson

Follow Beth on Twitter at @JadeEJF. We welcome your comments at ideas@qz.com.

cutawayworld.tumblr.com | image manipulated from original


cutawayworld.tumblr.com | image manipulated from original


cutawayworld.tumblr.com | image manipulated from original


cutawayworld.tumblr.com | image manipulated from original


cutawayworld.tumblr.com | image manipulated from original

Cutaway World

New York Times

Can Coffee Lower Risk of Colon Cancer's Return? Philly.com (HealthDay News) -- Colon cancer patients who regularly drink caffeinated coffee may be lowering their risk of tumor recurrence and death from the disease, new research suggests. But researchers added that it's premature to tell patients to drink ... Coffee could prevent colon cancer's recurrence: studyNew York Daily News Coffee linked to lower risk of colon cancer recurrenceCTV News all 215 news articles »

George Zimmerman is unloading a bunch of paintings that illustrate his take on the Confederate Flag controversy — and he's even offering a bonus prize to one lucky art collector.

Just months after giving raises to half a million US workers, Walmart says its profits have taken a major hit.

The company, which raised its minimum starting wage to $9.00 an hour in April and plans to raise it to $10 in 2016, said it has seen sales and customer experience improve. But paying workers more, increasing worker hours, and adding back positions like greeters and department heads contributed to an 8.2% decline in operating income from the year before.

On Tuesday (Aug. 18) the world’s largest retailer by revenue lowered its profit outlook for the year and said it would look to cut costs in its supply chain and other parts of its business. “We’re not done yet, this is a big investment,” CFO Charles Holley told reporters on a conference call.

Walmart isn’t alone.

Despite a failure to raise the federal minimum wage from $7.25, 29 states (and dozens of cities) have gone set their own minimum wages above the federal level as the US economy improves, the unemployment rate falls, and competition for workers heats up. Pay battles continue to sweep the country and “the magnitude of [labor pressures] has definitely gotten larger,” Noodles & Co. CFO Dave Boennighausen told analysts this month.

Major retailers and restaurant chains like Walmart, Gap, McDonald’s, Starbucks, and Ikea, as well as trucking companies, staffing services, and nursing homes, have followed suit by raising pay or putting in place their own minimum starting wages.

The move has been good for many workers, which have endured sluggish wage growth as American companies benefited from low-paid workers.

But the consequences of rising wages are quickly rippling across Corporate America: Those same diverse groups of companies are reporting plans to raise prices, slash workers, and move toward increased automation.

“Somewhere along the line, we’ve got to reflect those increased costs and increase the revenue from menu pricing,” said Ark Restauraunts CEO Michael Weinstein on an earnings conference call this month. “If you’re a purveyor selling us chicken, and if your minimum wages go up, you’re going to raise your prices to us, and we’re going to raise our prices to the customers.”

Ark, which operates restaurants like the Bryant Park Grill in New York and the Rustic Inn in Florida, said in some cases, it’s raised prices by 10% to 12%.

For Sally Beauty Supply, higher wages has meant raising prices on things like hair coloring and nail polish. At El Pollo Loco, it’s meant raising prices on value menus and introducing higher-priced items like carne asada. And at Wendy’s, higher wages mean a focus on installing more self-order kiosks and automating more restaurant kitchens.

As for Wendy’s franchisees, they are already looking at reducing overall staff and hours, in addition to raising prices, CEO Emil Brolick told analysts earlier this month.

“Unfortunately, we believe that some of these increases will clearly end up hurting the people that they’re intended to help,” Brolick said.

​Sometimes you need some greasy, fatty fast-food, and sometimes you need a drink. And sometimes, after a particularly terrible day, you need to indulge both vices at once. While many fast-food restaurants are still holding out against serving alcohol, there are a bunch of places that will serve you a cold beer with your burger. Here's where to indulge.

Great piece in Slate from Phyllis Rostykus!

In 1984 two male classmates and I were invited to dinner in Pasadena, California, to talk with the producers and director of a movie that was going to be set in a fictional version of our school, the California Institute of Technology. David Marvit, a senior at the time who consulted on the film, had asked for a girl for them to talk to, so there I was—wearing a sweater I’d knitted overnight the night before, my bangs cut straight across my forehead, and speaking in a voice that people still mistake for a child’s. They asked us about how things worked, what we did for fun, what our schedules were like. Eventually the conversation turned toward what it was like to be a female student in a school with a 7–1 ratio of men to women.

Read more.

morebuildingsandfood:

Assorted food & beverages from Ninja Baseball Bat Man, by Irem.

(arcade - 1993)

Gavin Escolar has designed jewelry pieces worth over a hundred thousand dollars. He’s also an Uber driver.

He started driving for the ride share platform a few years ago. At first, it was a way for him to make extra money as a struggling artist living in San Francisco, one of the most expensive cities in the world. But it didn’t take long for Escolar to discover the potential of having a 15-minute, exclusive audience with potential buyers for his jewelry.

“What better way to me to go around the most expensive and richest city in the country, showing them my expensive jewelry. If you can afford an Uber, you can afford a $100 piece of Gavin Escolar.”

Gavin’s jewelry business has boomed. Along with the media attention, he’s grown his fleet to include nine drivers, all selling his jewelry. Although, Escolar says, it can be hard balance being a good driver and a good salesperson.

“If I do a hard sell my rating goes down fast. If I talk to people in a friendly manner, my ratings still remain high and at the same time I procure more sales.”

It seems he’s hit that balance. Escolar made $252,000 last year between jewelry sales and the money he makes driving under Uber and Lyft. He says he holds a 4.89 driver rating.

Sometimes added functionality isn’t exactly functional. Sometimes, it’s more a sort of demonstration that something can be done, whether or not it’s actually a very good idea.

UK readers may not recognise the machine below, but those of you in the USA (as long as you’re of a certain vintage) will be familiar with it. It’s a TRS-80 model 100: an incredibly early (1983-ish) laptop-type computer, whose market was mostly in the US and Canada, made in partnership by Kyocera and Microsoft. The 8k version would set you back $1099, and the 24k version $1399 – an absolute ton of money in 1983, when we many of us at Pi Towers were either not born yet, or still at the corduroy dungarees and deelyboppers phase.

The TRS-80, rather amazingly, was a connected machine, with a built-in modem. It was a popular tool for journalists; you could save about eleven pages of text if you were out in the field, and send it over that modem to your editor using a program called TELCOM – an incredibly liberating technology at the time. It was pretty power-efficient as well; it took four AA batteries, which lasted for about 20 hours.

So what better for retro-hardware lovers than an internet-connected TRS-80 model 100? That’s exactly what Sean Gallagher from Ars Technica made.

I successfully logged in to Ars’ editorial IRC channel from the Model 100. And seeing as this machine first saw the market in 1983, it took a substantial amount of help: a Raspberry Pi, a little bit of BASIC code, and a hidden file from the website of a certain Eric S. Raymond.

Sean says that the TRS-80 is the last machine Bill Gates ever wrote a significant amount of code for, and that Gates has said it’s his favourite ever machine.

This is a really tricky problem to work your way around when you consider that modern websites don’t really work within a 40 columns by eight lines display; that the TRS-80 keyboard doesn’t have a | or pipe symbol; that you can’t load a TCP/IP stack onto the device; that Sean had to build his own null-modem cable – it’s a labour of love and an absolutely fascinating read. Head over to Ars Technica to read more about dragging 1980s hardware some of the way into the 21st century.

 

The post The TRS-80 model 100 goes online appeared first on Raspberry Pi.

Two American female soldiers have officially passed the “swamp phase” of training to graduate the country’s army ranger course, the US military announced today (Aug. 18).

“This course has proven that every Soldier, regardless of gender, can achieve his or her full potential. We owe Soldiers the opportunity to serve successfully in any position where they are qualified and capable, and we continue to look for ways to select, train, and retain the best Soldiers to meet our Nation’s needs,” army secretary John M. McHugh said in a statement.

Nineteen women and 381 men started the the Army’s premier combat leadership course known as the ranger course as Ranger Class 06-15 on April 20. Since then, 94 men have officially completed the swamp phase—which began on Aug. 1 in Eglin Air Force Base, Florida—alongside the two women, who will now go on to graduate and earn the ranger tab.

A graduation ceremony will be held on Aug. 21 at the army base in Fort Benning, Georgia.

The ranger tab unequivocally garners high respect in the American military world—only 3% of US army soldiers have it, according to Christian Science Monitor reporter Anna Mulrine, who covered this year’s ranger training and spoke with National Public Radio on Aug. 16.

But, as NPR’s Mulrine reported, for now the recognition is more symbolic than practical. The women will not be able to serve in the special operations branch of the rangers known as the Ranger Regiment, despite having earned the ranger qualification through the school.

Since 2013, the Pentagon has talked of plans to fully integrate women into front-line and special combat roles, including elite forces such as the army rangers, by 2016. Pentagon top officials are preparing to make final decisions about female combat roles amidst deadlines later this year, the Military Times reported in June.

“It begs the question, why can’t they be Rangers if they can go through this, you know, tremendously demanding 61-day school? The Pentagon has right now a de facto ban on women in combat in place. In January, it kind of flips on its head. And it becomes not, women can’t serve in combat, but they can unless you give us a good reason why they can’t. And that good reason needs to be based on scientific research,” Mulrine told NPR.

The US West squad purposefully lost to the weaker US Southwest, in an effort to keep the strong Central Iowa All-Stars from advancing to the semifinals.

Are you painting a series of Hubble watercolors? 3D printing a full zoo of extinct animal figurines? Building an epidemiology videogame? Bring all those secret and not-so-secret projects you’ve been working on out into the light—because it’s io9 show-and-tell time!

Read more...

In case you hadn’t heard, international giant robot battles for dominance are officially a part of the real world. Japan and the U.S. will soon face off in a mech battle for supremacy, and you can donate to help build our very own iron patriot. (Don Cheadle not included.)

The American team at MegaBots has set a goal of $500,000 on Kickstarter, with specific dollar amounts correlating to upgrades for “The People’s Robot”:

Those upgrades include increased mobility for its wheelbase and interchangeable weapons like this:

Yes, those are boxing gloves. Our epic mech battle will apparently play out like this:

If they exceed their goal and reach amounts of $1 million or more, they’ll add such lofty, ancillary features as “better balance” and “life support systems.” … I hope their prospective mech pilot knows what they’re getting into.

(via The Verge)

—Please make note of The Mary Sue’s general comment policy.—

Do you follow The Mary Sue on Twitter, Facebook, Tumblr, Pinterest, & Google +?

Catch up on the rest of the Rick and Morty recaps if you’re behind!

The Recap: Someone (read: Rick) has tracked an alien parasite into the house which multiplies by becoming a wacky sidekick and planting positive memories of itself in a host’s brain—new memories, new sidekicks, new parasites until the entire planet is destroyed. Rick locks the family inside the house and sets to increasingly John Carpenter-esque paranoia over who’s real.

“Flashing back to something that never happened” isn’t quite a fresh conceit—the South Park episode “City on the Edge of Forever” way back in 1998, and that in itself was a parody of the clip show format that’s more or less faded from existence (the only recent example I can think of came to be due to Nickelodeon’s ruthless slashing of Legend of Korra’s budget). But then, Rick & Morty has always been about the tweaking of familiar games, and the flashback format (in addition to being what I perhaps with a touch of spiteful glee took as a Family Guy knock – the cutaways that are literally contributing to the destruction of the planet) lets the animation play with the kind of delightful micro-absurdity that we haven’t gotten to see since “Rixty Minutes.”

As usual, the character designers are having a field day, cramming in all of the weird notebook doodles that don’t normally fit into the show’s alien aesthetic. The huge number of characters juggling lines also means a whole lot of voice acting greats in one episode (including Tara Strong, Keith David, and frequent guest Tom Kenny). And while the script risks leaning a little bit hard on the meta aspect during Rick and Morty’s confrontation, the majority of the episode smoothly juggles in new players without stumbling overmuch on the jokes (except for maybe Rick’s long reel of catchphrases—I’m a fan of Roiland’s improv ability, and I know that clip’s been around since the hiatus convention circuit, but as it sits in the episode it’s a little too long to pop and a little too short to come back around again).

So the comedy by and large works, even doing the impressive job of making the major sidekicks fairly likable during their short bouts of screen time. Which is a good a time as any to start talking about this season’s hobby of pulping our collective cardio pulmonary systems on a weekly basis. While one would think Rick’s failed suicide would be good cause to sit back a little and have a breather, the intensity settles for taking a sharp left and settling on Jerry. His subplot proves to be unique from Summer’s in “Rixty Minutes,” providing much more opportunity for contrast. While Summer and Morty end up grasping the greater ideas of universal purpose and so on, Jerry’s emotional arc (his whole character) is entirely wrapped up in his interactions with and feelings toward other characters.

His scenes with Sleepy Gary are tender, tragic, and ever so slightly unsettling in an existential way, and this leaves us in a strange position: Jerry, the season one Angry Blowhard who is still both cowardly and pathetic (how about that homeless guy scene, huh) is also now the most open and emotionally vulnerable member of the main cast. The fact that Jerry and Gary’s relationship is played as not one whit a punchline but as the episode’s beating heart is a nice building block on top of last week’s handling of Rick’s dating life (I’d also give props to the prom scene, which was “the man in the dress” gag in theory but tonally was played as a completely sincere non-comedic gesture).

It’s a fascinating combination of character notes that most shows shy away from, preferring either a slimy punchline or a relatable “they’re just like us” mundane type, and I look forward to seeing how this gets explored in future. Frankly, I’m not sure if it wouldn’t be better for everyone in the Smith family if Beth and Jerry’s marriage did break up (certainly then Beth could go back to school or find someone she respects, rather than drinking herself into a bitter stupor) and Jerry went off adventuring with Doofus Rick (yes, even with the usual low space survival rate of the average Jerry).

I must confess to you, readers, that I am somewhat more on the fence about the episode’s big finish. On the one hand, I would be fully willing to accept the argument that the fate of Mr. Poopy Butthole (a string of words I never thought I would type at all, much less in serious conversation) is meant as a deliberate undermining of our expectation of narrative linearity in what we know to be a multiverse with many apparently similar templates, including a questioning of the assumption that this is in fact the same Rick and Morty we saw just one episode before; that it is in fact one of the most elaborate red herrings in a modern TV show, throwing every potential clue that MPB is a parasite without ever confirming it.

Likewise, I reserve the right to revise the ensuing paragraph in the fairly likely scenario that we revisit this character in future. There’ve been a lot of loose threads deliberately left for later thus far, and there’s something just similar enough in the pastel color scheme and rounded simplistic design that my overwrought brain is wondering if this might be some erstwhile Morty. There’s plenty that could be done with this down the line.

But given only what we know within these 20-some minutes, I can’t shake the feeling that this is sort of the episode’s moment to throw up its hands and say “fuck you, you think you’ve figured us out? I bet you didn’t expect this.” This new Golden Age of cartoons has been built up (thanks to shows like Adventure Time and especially Gravity Falls) as one that relies on audience collusion and interpretation of miniscule clues. “A giant render farm,” as Roiland himself called it—ironically, in the same interview where he and Harmon talked about only being able to do twists in singular episodes and not over arcs. You can’t get ahead of the audience, because there are millions of them and a handful of you.

And in the end, I couldn’t help but read this as a response of sorts to that phenomenon. The shooting itself doesn’t really add anything to the plot, after all: we already know that Beth hides from her issues through alcoholism, since this very episode brings it up through Summer’s memories, and the lack of charges just means it’s one more emotional trauma to pile on Rick’s relatives. On the other hand, it arguably opens up some plot holes: if this IS the “main” universe we’ve been following, has time passed as such an indistinguishable rate that MPB really was there for some considerable length of time; if MPB was not the original parasite, then why did he encourage the first flashback and the paranoia surrounding the blast shields, and where did the other parasites continue to spawn from; and if the thematic conceit of the episode was that relationships are an amalgam of positive and negative experiences, why then pull that away for the sake of a singular shock? A story that doesn’t obey its own internal logic (however absurd) is one without stakes, which can be difficult to care about in the long haul.

There’s simply too much of it that rings not-quite-right, almost like a late game rewrite to replace another ending (but let me not get my tinfoil hat too soon). The only one that truly leaves a sour taste is that final, thematic concern. While this show’s never been afraid of the nastiness of human nature or the bleakness of the universe, it’s never before sunk low enough to snatch back its own bizarre sentiment in the name of one final middle finger. It may end up being that this episode and the last are early-going pushes at the boundaries of what the audience will accept, and ultimately the final few minutes can’t bring down an otherwise solid episode. Surprisingly enough, I find myself feeling optimistic.

Want to share this on Tumblr? There’s a post for that!

Vrai is a queer author and pop culture blogger; at this point they wouldn’t get off this ride if you paid them. You can read more essays and find out about their fiction at Fashionable Tinfoil Accessories, support their work via Patreon or PayPal, or remind them of the existence of Tweets.

—Please make note of The Mary Sue’s general comment policy.—

Do you follow The Mary Sue on Twitter, Facebook, Tumblr, Pinterest, & Google +?

CNN

Raffi Freedman-Gurspan becomes the 1st transgender official to work in White House Financial Express Raffi Freedman-Gurspan has been recently hired as the first transgender staff member at the White House. By: ANI | August 19, 2015 2:45 PM. G+. Raffi Freedman-Gurspan has been recently hired as the first transgender staff member at the White House. White House hires first transgender officialTimes of India White House hires first openly transgender staff memberThe Express Tribune First openly transgender official hired at White HouseThe Denver Post New York Times -Los Angeles Times all 388 news articles »

Pocket Background

I haven’t used Firefox as my primary browser in many years, so I have to admit that I hadn’t heard of Pocket until I saw this Bugzilla bug in a Hacker News post. In short, the Mozilla Foundation bundled what is essentially an opt-out, non-removable Pocket extension into all versions of Firefox. In spite of a mild end-user revolt on Bugzilla and the Mozilla governance mailing list, the Mozilla Foundation made no changes to their policy of bundling Pocket with Firefox.

So what is Pocket? Pocket allows users to save web pages for later reading. The links can then be read offline on various web and mobile platforms. As an information security practitioner, I’ve found this type of functionality often leads to very predictable security vulnerabilities, so I decided to take a quick look at Pocket.

One may notice that I discuss using basic application functionality to demonstrate these vulnerabilities, as most were exploitable by an attacker with only a browser, the Pocket mobile app, and access to a server in Amazon EC2. No sophisticated tooling was required to exploit these issues, nor was even basic scripting.

Note that Pocket has a responsible disclosure policy. All the vulnerabilities detailed below were reported to Pocket immediately, and this disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified.

Pocket’s response

Pocket was responsive throughout the reporting process. The exact first-order attack vectors I reported to Pocket were quickly fixed, and can no longer be used to exploit the application.

First a dead end: protocol handlers

The queue management on the Pocket website allows users to manually add a URL to their queue. Given the purpose of the application, these links should be limited to http and https URLs. First, I tried adding some of the following links to my Pocket queue:

• file:///etc/passwd
• ssh://localhost
• telnet://localhost:25

Unfortunately none of these worked.

Then success: Pocket functions as an internal network proxy

I had previously noticed an Apache error message on the Apache server status page. This message is commonly seen when .htaccess or Apache configuration limits server-status access to localhost, or some trusted netblocks.

Forbidden

You don't have permission to access /server-status on this server.

I added a new link to my Pocket queue. When a link is added to the Pocket queue, a backend server will make an HTTP request to obtain the content. Would Apache trust a request from localhost?

• http://127.0.0.1/server-status

This attempt was successful. Soon I saw the following in my Pocket queue:

Apache Server Status for 127.0.0.1

Server Version: Apache/2.2.29 (Unix) DAV/2
Server Built: Mar 12 2015 03:50:17
Current Time: Tuesday, 28-Jul-2015 10:07:45 CDT
Restart Time: Tuesday, 28-Jul-2015 03:20:12 CDT
Parent Server Generation: 12
Server uptime: 6 hours 47 minutes 32 seconds
Total accesses: 241913 - Total Traffic: 4.1 GB
CPU Usage: u1209.24 s110.06 cu0 cs0 - 5.4% CPU load
9.89 requests/sec - 177.5 kB/second - 17.9 kB/request
40 requests currently being processed, 14 idle workers
...

The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache’s mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket’s app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs.

These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket’s backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers.

Additionally, by modifying GET parameters to server-status, an attacker could force the page to be downloaded again, possibly giving the response from a different server:

• http://127.0.0.1/server-status?meaningless_parameter=1
• http://127.0.0.1/server-status?meaningless_parameter=2
• http://127.0.0.1/server-status?meaningless_parameter=3

Well, since it’s running on Amazon EC2…

As Pocket allowed users to retrieve responses from web applications running on the Pocket backend server itself, it was time to see what other data could be exfiltrated with this vulnerability. Simple usage of dig showed that Pocket was using Amazon EC2. A very convenient feature of EC2 instances is Amazon’s instance metadata service. This service is accessible internally, without authentication, on any EC2 instance. Perhaps Pocket would let me inspect the metadata on their EC2 instances?

• http://169.254.169.254/latest/meta-data/
• http://169.254.169.254/latest/meta-data/hostname
• http://169.254.169.254/latest/meta-data/ami-id

Once the links appeared in the Pocket queue on my phone, the full contents of the server responses were available. EC2 metadata can include useful information for attackers such as IAM credentials, in addition to details about the instance such as availability zone, instance type, network type, MAC address, details on attached block storage, and so on.

What else could an attacker do here? All of these techniques are easily automatable:

• Perform portscans for HTTP services on localhost, bypassing EC2 security group firewall rules
• Identify web applications identified from portscan
• Attempt to exploit issues within the internal Pocket environment

From large enterprises to small startups, it’s relatively common to encounter web applications that are only accessible internally, either from a network segment or the localhost interface on a server. These applications often don’t require authentication, so a malicious attacker would likely attempt to take advantage of this.

Now what can I do with those internal IP addresses from server-status?

From the AWS metadata service, it was apparent that Pocket uses EC2 in the us-east-1 region with classic networking (Note: there are other less intrusive techniques to determine the region of a running EC2 instance). EC2 offers two network types: EC2-Classic and VPC. VPC is the preferred solution today, and certain instance types are only available through VPC. VPC allows for added flexibility to create subnets, ACLs, which allow users to properly segment their network.

Since Pocket was using EC2-Classic, obtaining access to the internal IP addresses revealed in server-status is as simple as spinning up a 2 cent/hour t1.micro instance in us-east-1. From there attackers can use the RFC-1918 addresses to access services running on these instances, such as ssh or http. Portscanning these address is also trivial from an EC2-Classic instance in the same region. These instances are protected by EC2 security groups, however these are often setup in a less restrictive fashion when an elastic IP is not connected.

Using these internal IP addresses to access the backend web servers has a few advantages: namely it bypasses the frontend load balancers and any potential WAF-like functionality on the frontend. In a typical environment with frontend load balancers, it also allows the attacker to set an X-Forwarded-For header which is subsequently treated as the actual source IP address on the backend web application (this header is normally how frontend load balancers forward source IP information). This can be helpful when attackers need to evade ACLs or falsify logs.

From communications with Pocket, I understand that they are currently moving away from EC2-Classic networking.

I really like protocol handlers. And redirects! What happens on a redirect?

Applications similar to Pocket require some logic to handle HTTP redirects on links. Misbehaved redirects are often overlooked in such applications. I added a link to my queue that resulted in a somewhat malicious redirect:

HTTP/1.1 301 Moved Permanently
Location: file:///etc/passwd
Content-Length: 52
Date: Tue, 28 Jul 2015 18:42:58 GMT
Connection: keep-alive

Moved Permanently. Redirecting to file:///etc/passwd

After refreshing the Pocket app on my Android phone, the list included file:///etc/passwd. Clicking on the item revealed the full contents of /etc/passwd.

Yes, the contents of /etc/passwd were here.

Removed at request of Pocket. 

The impact of this vulnerability is left as an exercise to the reader.

You got /etc/passwd, so what? The process can’t be running as root!

When testing Pocket, I requested file:///proc/self/status using the redirect vulnerability. This file in the /proc filesystem can be used to determine additional information on the running process.

I didn’t review the content of this redirect until after the issue was remediated. The following is an excerpt from the process status:

Uid:	0	0	0	0
Gid:	0	0	0	0

The consequence of running this process as root is left as another exercise to the reader.

Putting the pieces together

Pocket quickly responded to my reports to remediate the issues I reported, so I was unable to chain multiple vulnerabilities together. But what could a truly malicious attacker have done here?

1. Grab file:///etc/passwd through 301 redirect to obtain autoprovisioned EC2 user’s home directory
2. Grab ssh private keys from autoprovisioned EC2 user’s home directory using 301 redirect to file URI (after all, we’re running as root, we can read them).
3. Use /server-status to obtain internal IP addresses.
4. Spin up an EC2 instance in US-EAST-1 for 2 cents an hour.
5. ssh into the private IP addresses for Pocket’s backend server using ssh private key.
6. ???
7. Profit!

Timeline

• 25 July 2015: Reported initial set of vulnerabilities.
• 27 July 2015: Queried @Pocket for status.
• 28 July 2015: Reported additional issues.
• 28 July 2015: Response from Pocket that an initial set of fixes have been implemented.
• 28 July 2015: I agree to 3 week delay before publishing vulnerability report.
• 28 July 2015: Bypass for initial fixes reported.
• 29 July 2015: Pockets remediates bypasses.
• 8 August 2015: Additional bypasses submitted to Pocket.
• 9 August 2015: Pocket remediates additional bypasses.
• 17 August 2015: Pocket reports additional fixes implemented.
• 18 August 2015: Post published.

Feel free to reach out to me on Twitter or contact me via XMPP/Jabber or email.

Read 13 remaining paragraphs | Comments

OED Word of the Day: psychostasy, n. The judgement of souls by weighing

popular shared this story from I tumble for you.

---

“

What’s it like to go through cancer treatment? It’s something like this: one day, you’re minding your own business, you open the fridge to get some breakfast, and OH MY GOD THERE’S A MOUNTAIN LION IN YOUR FRIDGE.

Wait, what? How? Why is there a mountain lion in your fridge? NO TIME TO EXPLAIN. RUN! THE MOUNTAIN LION WILL KILL YOU! UNLESS YOU FIND SOMETHING EVEN MORE FEROCIOUS TO KILL IT FIRST!

So you take off running, and the mountain lion is right behind you. You know the only thing that can kill a mountain lion is a bear, and the only bear is on top of the mountain, so you better find that bear. You start running up the mountain in hopes of finding the bear. Your friends desperately want to help, but they are powerless against mountain lions, as mountain lions are godless killing machines. But they really want to help, so they’re cheering you on and bringing you paper cups of water and orange slices as you run up the mountain and yelling at the mountain lion - “GET LOST, MOUNTAIN LION, NO ONE LIKES YOU” - and you really appreciate the support, but the mountain lion is still coming.

Also, for some reason, there’s someone in the crowd who’s yelling “that’s not really a mountain lion, it’s a puma” and another person yelling “I read that mountain lions are allergic to kale, have you tried rubbing kale on it?”

As you’re running up the mountain, you see other people fleeing their own mountain lions. Some of the mountain lions seem comparatively wimpy - they’re half grown and only have three legs or whatever, and you think to yourself - why couldn’t I have gotten one of those mountain lions? But then you look over at the people who are fleeing mountain lions the size of a monster truck with huge prehistoric saber fangs, and you feel like an asshole for even thinking that - and besides, who in their right mind would want to fight a mountain lion, even a three-legged one?

Finally, the person closest to you, whose job it is to take care of you - maybe a parent or sibling or best friend or, in my case, my husband - comes barging out of the woods and jumps on the mountain lion, whaling on it and screaming “GODDAMMIT MOUNTAIN LION, STOP TRYING TO EAT MY WIFE,” and the mountain lion punches your husband right in the face. Now your husband (or whatever) is rolling around on the ground clutching his nose, and he’s bought you some time, but you still need to get to the top of the mountain.

Eventually you reach the top, finally, and the bear is there. Waiting. For both of you. You rush right up to the bear, and the bear rushes the mountain lion, but the bear has to go through you to get to the mountain lion, and in doing so, the bear TOTALLY KICKS YOUR ASS, but not before it also punches your husband in the face. And your husband is now staggering around with a black eye and bloody nose, and saying “can I get some help, I’ve been punched in the face by two apex predators and I think my nose is broken,” and all you can say is “I’M KIND OF BUSY IN CASE YOU HADN’T NOTICED I’M FIGHTING A MOUNTAIN LION.”

Then, IF YOU ARE LUCKY, the bear leaps on the mountain lion and they are locked in epic battle until finally the two of them roll off a cliff edge together, and the mountain lion is dead.
Maybe. You’re not sure - it fell off the cliff, but mountain lions are crafty. It could come back at any moment.

And all your friends come running up to you and say “that was amazing! You’re so brave, we’re so proud of you! You didn’t die! That must be a huge relief!”
Meanwhile, you blew out both your knees, you’re having an asthma attack, you twisted your ankle, and also you have been mauled by a bear. And everyone says “boy, you must be excited to walk down the mountain!” And all you can think as you stagger to your feet is “fuck this mountain, I never wanted to climb it in the first place.”

”

- Caitlin Feeley - the one, the only, the magnificent.
(The only edits I’ve made are a few carriage returns for readability. - DPK)

Idris Elba has admitted that secretly enjoys rumours that he has a "massive penis". The Luther star almost broke the internet in August 2014 after photos were released from the set of his film A Hundred Streets, which showed him with a large bulge in his trousers.

Although he took to Twitter to claim that it was nothing but a microphone wire he needed to hide during filming, this didn't stop the world speculating. Fast forward 12 months, and the 42-year-old star has confessed that he doesn't mind being objectified and found the incident "fun".

"For a minute, the rumour was great. I saw my Twitter account rise. I was like, what is this popularity? Oh, oh, I see, it's 'cause they think I have a massive penis," he told the new issue of Maxim magazine.

"But we all had fun with it. I certainly did."

But don't expect him to divulge the true size of his penis, because he was raised a gentlemen.

"What am I gonna say? I'm not gonna go out there and pretend that I have a 12-foot d**k. It's just not how I was raised, you know what I mean?"