Logging security

I recently got a security warning from a linter while logging user-supplied data. I didn’t pay much attention at first because it’s not enabled in production and not even while I debug myself because there’s too much output. I only enable it when needed.

Anyway, the point is that you can fake log output. I didn’t believe it at first because there are so many ways to prevent that and the complex logging system I use (slf4j) would probably do that by default, right? Right?

So I added the following line to my program:

log.info("Completed\n2024-08-15T10:11:07.102+02:00  \u001B[33m" + "WARN\u001B[0m \u001B[35m35800\u001B[0m --- [JavaFX-Launcher] \u001B[36mio.xeres.app.application.Startup\u001B[0m         : System breach detected from ip 66.66.66.66. Computer terminated.");

Can you spot the fake line?

Three things to note:

  • you have to guess the correct time for the log, but this is easy enough
  • you have to guess the correct PID, this is harder but still possible, especially if the machine has been running for a long time and there’s already a log snippet somewhere
  • it’s easy for a system administrator to miss those, so such a log might still induce panic and an overblown response

I don’t know why loggers don’t strip ANSI sequences in user-supplied data by default. This is dead easy and would actually bring a purpose to those ANSI colors!

I tried to find a setting to enable that but after 10 minutes I gave up. It’s not critical in my case anyway (I only log user supplied data for debugging). But still, it’s a point to remember.
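One way to neutralize such input before it reaches the logger, as an added example that is not from the original post or from slf4j: the helper below makes line breaks and ESC (the start of every ANSI sequence) visible instead of passing them through. The class name, the forLog() helper and the sample input are assumptions made for illustration; the forged text is modelled on the line above.

```java
public class LogSanitizer {

    // Hypothetical helper (not part of slf4j): makes control characters visible
    // so a value can neither start a new log line nor emit ANSI sequences.
    static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        value.codePoints().forEach(cp -> {
            switch (cp) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                // Escape the backslash itself so a typed "\n" stays distinguishable.
                case '\\': out.append("\\\\"); break;
                default:
                    // ESC (0x1B) and the other C0/C1 controls, plus the Unicode
                    // line/paragraph separators, are written as hex escapes.
                    if (Character.isISOControl(cp) || cp == 0x2028 || cp == 0x2029) {
                        out.append(String.format("\\u%04X", cp));
                    } else {
                        out.appendCodePoint(cp);
                    }
            }
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a "user name" field carrying a forged second line.
        String userName = "bob\n2024-08-15T10:11:07.102+02:00  \u001B[33mWARN\u001B[0m "
                + "\u001B[35m35800\u001B[0m --- [JavaFX-Launcher] : System breach detected";
        System.out.println("Login failed for " + forLog(userName));
    }
}
```

Apply it to each untrusted argument, for example log.info("Login failed for {}", forLog(userName)), so the whole event stays on one line and the escape codes show up as text.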

#define is actually bad

A long time ago, when I switched from C to Java, I missed preprocessor macros, like:

#ifdef SOME_STUFF
...
#endif

This was annoying, especially on Android where there was no payment API yet, so the only way to make a paid application was to make a demo version alongside the paid one. Since both apps were essentially the same, you had to use some trickery to try to remove the functionality from the demo. Either a simple “if” condition, which could be easily changed by reverse engineering, or trying to change the classes with some Gradle tricks.

Java has no preprocessor so you couldn’t do that. Back then I considered this a drawback.

Well, turns out it’s actually a good thing. Because the main problem with conditional compilation is something I found out while trying to debug some C program recently:

Code rot within rarely used defines.

Indeed, I enabled some define to add additional logging and nothing worked: compilation errors everywhere. Why? Because the code around it changed and nobody bothered to check if the logging still worked.

Worse, sometimes when editing such code, the IDE (VSCode in that case) can become confused and show the wrong path since it cannot know for sure which define will be enabled or not, so you get some grey colored code which is actually the real one.

So, always remember that when you put code around a define, it’s no longer tested. The only legitimate uses I see for them are macros and portability, where you don’t have much choice anyway.

Don’t use ricardo.ch

ricardo.ch is a site that wants to be the eBay of Switzerland but it fails majorly.

First, it has a stupid name. Ricardo? Anyway, this is how the site works.

You first open an account by telling your name, address, phone and sending a picture of your ID card. Fair enough. I created an account because I wanted to buy a used GPU.

So I started bidding for some auctions. The first thing you can notice is that they have some auto bidding bot feature (it automatically outbids you), which is annoying and artificially inflates the prices.

After about 2 weeks, they banned my account without explanation. I read their terms and conditions and there was nothing. The thing to note is that I didn’t buy anything (someone always outbid me) and I didn’t sell anything either. I didn’t fake any of my information.

I submitted a complaint and after one week, some Indian support guy (they’re supposedly a Swiss company but have to outsource their support, of course) answered that they did this for “security reasons” but they can unlock my account if I submit an attestation of residence (which costs money). This is ridiculous.

Anyway, use ebay.ch instead. It’s only in German but there are no such problems with them.

Why you shouldn’t use Google Chrome

Until now I used Chrome with a few settings tweaks like disabling sending usage statistics, uBlock Origin, no crash reports and so on.

Then, when checking why one of my newly installed WordPress themes was using some Google fonts, I came upon Chrome sending this with a GET request:

x-client-data: CJW2yQEIpLbJAQjEtskBCKmdygEI67jKAQisx8oBCPbHygEItMvKAQjc1coBCJeaywEYisHKAQ==

If you check with Chrome’s own Network analyser tool, it’ll automatically explain what it is:

message ClientVariations {
  // Active client experiment variation IDs.
  repeated int32 variation_id = [3300117, 3300132, 3300164, 3313321, 3316843, 3318700, 3318774, 3319220, 3320540, 3329303];
  // Active client experiment variation IDs that trigger server-side behavior.
  repeated int32 trigger_variation_id = [3317898];
}
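
The header value is base64 over a protobuf message made only of varints, so it can be decoded without Chrome. This added example (not from the original post or from Chrome's source) does that for the value above; the class and method names are hypothetical, and the field numbers 1 and 3 are read off the tag bytes 0x08 and 0x18 found in that value rather than taken from a published schema.

```java
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

public class ClientDataDecoder {

    // Returns two lists: index 0 = variation_id, index 1 = trigger_variation_id.
    static List<List<Long>> decode(String headerValue) {
        byte[] buf = Base64.getDecoder().decode(headerValue);
        List<Long> variationIds = new ArrayList<>();
        List<Long> triggerIds = new ArrayList<>();
        int[] pos = {0};                      // cursor shared with readVarint
        while (pos[0] < buf.length) {
            long tag = readVarint(buf, pos);  // tag = (field number << 3) | wire type
            int field = (int) (tag >>> 3);
            int wireType = (int) (tag & 7);
            if (wireType != 0) {              // only varint fields are expected here
                throw new IllegalArgumentException("unexpected wire type " + wireType);
            }
            long value = readVarint(buf, pos);
            if (field == 1) {
                variationIds.add(value);
            } else if (field == 3) {
                triggerIds.add(value);
            }                                 // any other varint field is ignored
        }
        return List.of(variationIds, triggerIds);
    }

    // Reads one base-128 varint: 7 payload bits per byte, lowest group first,
    // high bit set on every byte except the last.
    static long readVarint(byte[] buf, int[] pos) {
        long result = 0;
        for (int shift = 0; shift < 64; shift += 7) {
            if (pos[0] >= buf.length) {
                throw new IllegalArgumentException("truncated varint");
            }
            byte b = buf[pos[0]++];
            result |= (long) (b & 0x7F) << shift;
            if ((b & 0x80) == 0) {
                return result;
            }
        }
        throw new IllegalArgumentException("varint too long");
    }

    public static void main(String[] args) {
        // Header value copied from the request shown above.
        String header = "CJW2yQEIpLbJAQjEtskBCKmdygEI67jKAQisx8oBCPbHygEItMvKAQjc1coBCJeaywEYisHKAQ==";
        List<List<Long>> ids = decode(header);
        System.out.println("variation_id         = " + ids.get(0));
        System.out.println("trigger_variation_id = " + ids.get(1));
    }
}
```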

If you type about:version into Chrome’s URL bar, it’ll display something like:

Which is a long list of “variations”. Google claims this is used to allow rolling out features from their servers to only a small subset of users (so they do need a kind of unique ID for that). So for example if you’re watching YouTube, you’d get the new UI refresh only if your ID is included.

Can that ID be used to track you? Yes it can. And if it can, you can be 99% sure that Google is doing it.

You cannot remove that feature. The suggested workarounds are to disable “send usage statistics”, which restricts that ID to 13 bits (which, with your IP address, is still more than enough to track you), or to run Chrome with some obscure flag that makes it generate a new ID on startup, which is useless if your browser is running all the time.

As for me, I’m switching to a better browser.

Archiving YouTube

Lately, YouTube has been on the hunt to take down informative videos. It’s often hard to know the exact reason and it seems even a few users signaling a video will make it vanish.

You can’t even know what it was about.

Most people use the Favorite option of YouTube to save interesting videos, but once a video is removed, this is what shows up on the playlist:

No title, no description, nothing. YouTube is effectively erasing every historical trace of the video. You can’t even decide if you agree with their policy. It’s not like they give you a choice anyway.

So what to do? The solution would be to download the video and store it somewhere. After all, extra storage is pretty cheap nowadays, but YouTube offers no download button.

Enter 4K Video Downloader

This tool lets you grab any YouTube video quickly.

Copy the URL from your browser
Press Paste Link in 4K Video Downloader
Select the quality and format
And there you go, the video is on your machine

It can even save entire playlists, like for example your Favorite playlist in YouTube.

And best of all, it’s free. So the next time YouTube deletes some videos you won’t care. You already have them.

Download here.

Reliable monitoring with Logitech Gaming Software and Arx Control

Arx Control is an Android app that allows you to monitor your PC’s hardware temperature and resource usage in a nice way. With a small external display provided by any cheap Android tablet or smartphone, you can effectively monitor the GPU temperature and fan, CPU temperature and thread usage and memory use without having to change anything on your screen. Think of it as a small external display without the inconvenience (room and multimonitor setup).

Unfortunately it suffers from a major drawback: it works using the wifi connection of the device.

This would actually be usable if the app had a system to automatically reconnect but in practice you waste time killing and relaunching it, which defeats the purpose of convenience.

But there’s a way to fix it: we’ll simply use the USB connection by tunneling a TCP socket into it.

First, the tablet/mobile must be connected to your computer with a USB connection (which has the added benefit of charging the device). You also must have ADB installed.

Then this is how to proceed. First, make sure your device is NOT paired by wifi. If it is, remove the authorization from Logitech Gaming Service in Settings / Arx Control on your PC.

Must not be ticked

It would be simple to just turn off wifi on the device, wouldn’t it?

Unfortunately that won’t work

The app wants wifi so just enable it and let it fail.

Like this

Now you can disable wifi on your device. I recommend it if you don’t need network connectivity for anything else as it’ll make it easier to charge the battery on the USB port.

Open a Windows shell and type the following:

adb forward tcp:54644 tcp:54644

Obviously ADB must be in the path

Next go into Logitech Gaming Software, click on the settings wheel and go into Arx Control. Enter 127.0.0.1 below and click Connect.

The power of localhost

If everything went well, you’ll be congratulated by the following:

All fine!

Now you can enjoy a reliable monitoring.

All systems are go.

Unfortunately the whole procedure has to be done again if the PC is rebooted. But it’s still a clear win compared to an unstable wifi link.

How to fix UPNP IGD not working on ASUS RT-AC87U

UPNP IGD is a system used to allow clients behind a NAT to be reachable for incoming connections. This is very useful for all kinds of P2P protocols and is a standard feature of most Internet routers.

But it wasn’t working right on my RT-AC87U. It would work after a fresh router reboot or when a connection was made, but after a dozen minutes, no application was able to add port forwarding entries.

I fired up Wireshark to see what’s going on.

UPNP uses multicasting to advertise itself. So I just simulated a client using the UPNP Tools. I could see how Windows would send an IGMPv3 Membership Report but then it would never see an IGMP Membership Query from the router.

On another machine hooked to an ethernet port, I would see them, though.

After a while, it seems this is because the router doesn’t let IGMP pass through the WiFi interface. I’m not sure why this is the case but it might be because having a stream of multicast packets go through WiFi is usually hell, as described in a previous post of mine.

The fix isn’t very intuitive because you have to go into the IPTV settings of the router, even though it doesn’t seem related to IPTV at first. So go to Advanced Settings / LAN / IPTV.

Make sure both of those are enabled.

If you use IPTV, make sure each wireless interface has Enable IGMP Snooping ticked, to avoid multicast flood.

And that’s it. UPNP should now work perfectly! I’m a bit surprised there’s like zero information about that even on ASUS forums.

Life without Google

Update #1: Qwant has admitted censoring search results worldwide (i.e. any country) upon simple request from French organisations without court orders, which is why I no longer recommend Qwant. Use DuckDuckGo instead.

Update #2: DuckDuckGo has admitted censoring search results worldwide by implementing manual downranking. Use Brave Search instead.

A friend who’s a fan of real time strategy games told me that a game he was waiting for, Syrian Warfare, was removed from Steam by Valve, without apparent reason.

I wanted to know more about this, so I headed over to Google and typed:

syrian warfare valve banned

But the result annoyed me.

Why Google, why?

What has Donald Trump to do with the removal of a video game? Absolutely nothing. Same for the UN story. Of course, one could think Google just tried to be smart and enhance the results but here’s what competitors give:

Bing. No weird results.

Qwant (my new favorite). No weird results.

Yandex. No weird results (ok, with a bit of Russian language but it’s still spot on).

I know it’s no secret that some Google executives are pro-Hillary but they’re going too far. Funnily enough, another friend who’s pro-Hillary is tired of seeing anti-Trump results in his Google searches.

Wait a minute. Notice these competitors’ search results? If they’re better than Google for that particular case, could they be just as good for all other searches?

The CEO of Hacker At Work suggested I use Qwant and so I did. I just switched my browser’s search function to it and used it for all my searches for 2 weeks.

Turns out I was wrong. Qwant is not as good as Google, it’s better. Gone are the duplicate results when I search for some Android bug or the 3 copycat sites with the same response from stackoverflow. The image search is fast and I don’t have to constantly fiddle with the Tools/Verbatim/Past week options of Google.

Maybe with machine learning, higher bandwidth and cheaper storage, we’re turning to a point where Google can finally have some real competition. While Google, which started with the simple (but novel at the time) PageRank algorithm, was fighting spammers and SEO blackhats trying to game its algorithms, others were using new technologies which are really effective today.

I now happily use Qwant and don’t plan to go back to Google’s politically filled results.

(And Syrian Warfare is a great game, too)