Dealing with ShellShock on our older Mac servers

We have a couple of machines that are still running Snow Leopard, so the Apple patch won’t work. One option is to recompile bash and its patches from source, but why do that when I already have MacPorts on those machines?

Testing the vulnerabilities

From Stack Exchange, there are multiple vulnerabilities (the first two are the ones tracked as CVE-2014-6271 and CVE-2014-7169). The first one is tested with this:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If the shell is vulnerable, it will echo vulnerable and then hello. Otherwise it just echoes hello.

A second vulnerability is tested with
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
If you’re OK, you will see something like
date
cat: echo: No such file or directory

or
sh: X: line 0: syntax error near unexpected token `='
sh: X: line 0: `X () { (a)=>\'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

The important thing is that you don’t want to see an actual date printed, or a file called echo created (the trailing cat echo is there to show the file if it was). Note that this test as written runs sh rather than bash; on OS X /bin/sh is a copy of bash, so this exercises the system shell, and the same test can be run against any other bash binary by substituting its path.

The third test uses the same function import to redefine the ls command:
$ env ls="() { echo 'Game over'; }" bash -c ls
Vulnerable systems will echo Game over. This one is less a separate bug than a demonstration of the underlying problem: any environment variable whose value starts with () { is turned into a function, including one that shadows a command. The later upstream patches (bash 4.3 patch 27 and the corresponding 3.2 patch) only import functions from variables carrying a BASH_FUNC_ prefix, so a fixed bash runs the real ls here.
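The three checks above, wrapped as functions so that every shell binary on a machine can be tested in one run. This is an added example, not code from the original post or from the Stack Exchange answer it cites; it assumes only a POSIX sh, env and mktemp, and the CVE numbers in the comments are the public identifiers for the first two tests.

```shell
#!/bin/sh
# Added example: the three ShellShock checks as functions. Each check_*
# function takes a shell binary as $1 and returns 0 when that shell shows the
# vulnerable behaviour, 1 when it does not (2 if no scratch directory could
# be created).

# Test 1 (CVE-2014-6271). An exported variable whose value starts with "() {"
# is imported as a function; a vulnerable bash also runs the commands that
# follow the closing brace, so "vulnerable" shows up in the output.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Test 2 (CVE-2014-7169). The first fix left the parser in a bad state after
# the broken definition, so "echo date" ran as ">echo date": date's output
# landed in a file called "echo". Run it in a scratch directory so a vulnerable
# shell does not litter the current one, then look for that file.
check_7169() {
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 ) || :
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Test 3. Function import lets a variable named like a command shadow it.
# Fixed versions only import variables with the BASH_FUNC_ prefix, so a plain
# "ls=..." stays an ordinary variable and the real ls runs (in an empty
# scratch directory it prints nothing).
check_override() {
    scratch=$(mktemp -d) || return 2
    out=$(cd "$scratch" && env ls="() { echo 'Game over'; }" "$1" -c ls 2>/dev/null) || out=""
    rm -rf "$scratch"
    case "$out" in
        *"Game over"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# One-line verdict for a shell binary, e.g. "/bin/bash: VULNERABLE: CVE-2014-6271".
summarize() {
    found=""
    check_6271 "$1"     && found="$found CVE-2014-6271"
    check_7169 "$1"     && found="$found CVE-2014-7169"
    check_override "$1" && found="$found function-override"
    if [ -z "$found" ]; then
        echo "$1: not vulnerable to the three tests"
    else
        echo "$1: VULNERABLE:$found"
    fi
}

# With no arguments, check whatever "bash" and "sh" resolve to on PATH;
# otherwise check each path given.
if [ $# -eq 0 ]; then
    set -- bash sh
fi
for candidate in "$@"; do
    resolved=$(command -v "$candidate" 2>/dev/null) || { echo "$candidate: not found"; continue; }
    summarize "$resolved"
done
```

Run it with the paths to check as arguments: /bin/sh and /bin/bash, and, once the MacPorts package is in, /opt/local/bin/bash as well. Checking the Apple binaries separately is the point, since installing a second bash under /opt/local does not change what /bin/sh and /bin/bash are.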

Installing the fix

Getting it installed is easy after updating to the latest versions of the ports
sudo port selfupdate
sudo port upgrade outdated
sudo port install bash

But this only puts a patched bash at /opt/local/bin/bash; nothing uses it until it is selected. To make it a user’s login shell, add /opt/local/bin/bash to /etc/shells (the list of shells that login and chsh will accept) and then change that user’s shell to it with chsh. Be clear about what this does not do: /bin/bash and /bin/sh are still Apple’s binaries, so anything that invokes those paths directly, such as a script with a #!/bin/sh line, a cron job, or a CGI handler under Apache, still runs the unpatched shell. Those non-interactive invocations are where ShellShock actually bites, so run the tests above against each binary rather than assuming the login shell change covers everything.

I think this is enough. But I still have some concerns. The bash version in MacPorts seems to be 4.3.28. Apple’s official release after the patch is 3.2.53 (apparently this is equivalent to 3.2.54 in terms of patches). The MacPorts version is still vulnerable to the second problem. I’ll be watching MacPorts for updates, but I am also looking at whether the machines, which are too old for Mavericks, can be updated to Lion or Mountain Lion.

Update: MacPorts pushed another bash update over the weekend

Edge wander

In class today, we talked about the first Assemblathon paper. A student asked about the term “edge wander”, which comes from a paper by Ian Holmes and Richard Durbin. Figure 6 from the paper illustrates the basic idea.

Edge wander is a problem in multiple sequence alignments, and often scientists manually adjust alignments based on some heuristics that are not entirely clear to me. At last year’s Texas Protein Folding and Function Meeting, Patsy Babbitt mentioned in passing that manually adjusting multiple sequence alignments has become impractical as the number of available sequences in conserved protein families is exploding.

More ribs

These were from last week. Bought as a rack from Rosenthal. Treated with salt, pepper and brown sugar for a day or so. Sous vide at 138 for about a day and a half. Finished under the broiler.

College Football Week 4: Stomp

2-0 for my teams. Stanford had a bye.

Wisconsin d Bowling Green

Wisconsin started a bit slow but then blew out Bowling Green. I watched the beginning of the Badger game but had to go grocery shopping on Saturday, so I left when the rout began. This meant that I missed the record-setting rushing performance. Bowling Green came in having beaten Indiana last week, which turns out to be a better win than it looked like at the time.

The Badgers wore a uniform combo with red helmets, red jerseys, and white pants. When I switched to the game, I thought they looked like Indiana.

Texas A&M d SMU

The Aggies went to Dallas to play SMU, which may be the worst team they play, including Lamar. The Ponies started the season badly by being blown out by Baylor in the opener for the new stadium in Waco. Baylor is a top team this year, so that isn’t so bad. However they looked even more terrible than the score in the few minutes I caught a few weeks ago. Then they got blown out by North Texas. SMU had been predicted to be a middle of the pack team before the season started (The preseason hope was probably why this was a mid-afternoon ABC game instead of being relegated to some alternative ESPN channel.), and had a bye week to regroup before taking on the Aggies at home. But then Coach June Jones resigned in mid-season.

The Ags started slowly, if getting a FG on the first possession counts as starting slowly these days. There were more dumbass penalties and drops. The coaches were clearly working on giving backups playing experience and healing injuries. Center Mike Matthews missed the game but probably would have played if needed. Speedy Noil is out with an injury, but against a stronger opponent I’m not sure Boone Niederhofer would have been out there on the first drive. Niederhofer took advantage of his opportunity and had a very good game: 6 catches for 73 yards, including a very nice second half grab. Jeremy Tabuyo had only 2 catches, but they combined for 80 yards and 2 TDs.

SMU gave up 8 sacks on the day, which is barely over their average. They did keep Myles Garrett from getting a sack, however. The Mustangs got their first first down in the middle of the second quarter.

The highlight of the day was Reveille’s handler blocking an SMU receiver as he ran out of bounds.

Elsewhere

A few results of note elsewhere

  • Florida State suspended Jameis Winston from the Clemson game for being an idiot. Not clear what happened to change the suspension from a half to a whole game, but the rumors are that he lied about an incident that was witnessed and tweeted by multiple people. Clemson blew their chance at the upset.
  • Mississippi State went into Death Valley and dominated LSU for 3 quarters to take a 34-10 lead. Then they came close to giving LSU another wild come from behind finish as the Bayou Bengals scored two TDs in the last 2 minutes to cut the score to 34-29. After a failed onside kick, MSU couldn’t run out the clock and LSU got a final possession with 20 seconds left. A Hail Mary was intercepted at the goal line as time ran out. This was a great win for the Bulldogs, marred by center Dillon Day deciding that Jameis needed a rival for the biggest asshole in college football. Day decided to make the stomping literal as well as figurative.
  • Mizzou lost to Indiana, marring the SEC vs Big 10 narrative.
  • Some thought that Virginia Tech would have been a better fit for the SEC than Mizzou. But the Hokies are now 0-2 in games after their upset of Ohio State, as Georgia Tech capitalized on a late INT gift from Va Tech QB Michael Brewer
  • Cal celebrated a win over Arizona … before Arizona came back to win on a Hail Mary.

College Football Week 3: Divots

Wisconsin had a bye. Stanford shut out Army. The Ags beat Rice. Stanford-Army was on the Pac12 network and I watched a few minutes, but the format of the non-HD version on Suddenlink does an annoying cropping of both sides of the image so I didn’t really watch.

Rice 10 Texas A&M 38

Aggie fans, like most college football fans, get spoiled easily. A&M won handily and only gave up 10 points. But because Rice outgained the Ags in total yards and the offense and defense were both slightly out of sync, fans are concerned. And while the players and coaches admit that it wasn’t the best performance, it is also notable that several starters were held out in order to let minor injuries heal. This gives valuable experience to the backups and should pay off in the long run.  Rice is also better than their 0-2 record.

The most notable thing about this game was the terrible condition of the playing surface. The field was only sodded at the end of the summer, and the root systems for the grass haven’t intertwined enough yet. Players were leaving softball-sized divots in the turf, and the grounds crew was repairing holes after every play. Despite the team’s protests that the conditions didn’t really affect anything, since both teams had to play under similar conditions, I think it affected play, especially for the defense. Yes, both teams played on the same bad surface: Rice didn’t exactly shut down the Ags on D either.

Elsewhere in College Football

The most interesting things on this weekend happened elsewhere.  The Big 10 continued its struggles as:

The only OOC wins were Ohio State over winless Kent State, Michigan over winless Miami (Ohio), and Nebraska over winless Fresno State.

The Buckeyes got an indirect hit as well, as the team that upset them last week at home, Virginia Tech, was upset at home by East Carolina. This had a third-order benefit to the Ags, as this win made S. Carolina look better… along with the Gamecock win over Georgia later in the day. A&M’s dominant win over S. Carolina looks better in hindsight… but I should note that I’ve been thinking since before that game that TAMU matches up well against S. Carolina’s weaknesses in the secondary, while the Gamecock strengths on D (linebackers) are better suited to match up with Georgia. Add to that Georgia’s inexplicable play calling at the end of the game. Gamecock QB Dylan Thompson threw a pick that gave the Bulldogs first and goal. Instead of handing the ball to Todd Gurley, Georgia called a pass that became intentional grounding. Having squandered their chance to take the lead, they then missed the FG to tie the score.

The Pac 12 only had a few notable games this past weekend, and did not help the conference reputation. USC went to Boston College and got beaten badly ( the final score was closer than the box score). For the second week in a row, the Trojans were outgained. This time the opponent didn’t screw up in the red zone. UCLA was unimpressive in a win over Texas. The Bruins did need to use their backup QB most of the game after Heisman hopeful Brett Hundley went out early with an arm injury. But Bruins fans are still disgruntled because they really should have beaten Texas soundly instead of needing a late TD pass.

The other notable thing about this game is that Texas actually screwed up the opening coin toss. UCLA won the toss and deferred. Texas chose to kick off to start the game. So UCLA got the ball first in both halves.

UCLA won the coin toss and elected to defer its choice until the second half, then Texas said it wanted to go on defense. The referee turned off his microphone and briefly said something to the Longhorns players after their decision.

“I had trouble believing it at first,” Mora said. “I told the official, I asked him four or five times, I said, `Are you sure?’

College Football 2014 Week 2: is the B1G already eliminated?

My teams went 2-1, but with the Ags and the Badgers playing cupcakes. Didn’t see the Badgers, but checked the game thread at Bucky’s 5th quarter a few times.

USC 13 Stanford 10

The Stanford loss to USC, at Stanford, was a depressing result for the weekend.

Stanford won or tied the stats except for the two that matter the most:

[table id=5 /]

Stanford had the ball 9 times.

[table id=6 /]

All 9 possessions got inside the USC 35. The Cardinal got 1 TD and 1 FG to show for this. Both punts were taken from within FG range for a decent kicker. The first one went into the endzone for a touchback; the second put USC on their own 7 with the score tied late in the game. The Trojans marched down for the winning FG.

The game was also notable for a couple of things:

  • Pat Haden coming down to the field to be the first AD to argue with the refs on national TV based on getting a text message.
  • The usually excellent Kirk Herbstreit’s explanation that it’s OK for DBs to mug receivers as long as they are looking back for the ball.

The San Jose Mercury quotes coach David Shaw in the post-game:

“The bottom line: You don’t take advantage of opportunities, you lose games to good teams,” Stanford coach David Shaw said. “They made plays and we didn’t. They made calls and we didn’t.”

Then, anticipating a familiar criticism from Stanford fans, Shaw added: “We were bad in the red zone, and it had nothing to do with being too conservative.”

I agree that it was not about being too conservative overall, but punting from the 32 and the 29 is pathologically conservative in my book.

Texas A&M 73 Lamar 3

The Aggies’ game was notable for being the first in the partially remodeled Kyle Field, for a 2 hour delay for lightning in the area, and for lots of Aggie subs getting valuable game experience. The game was about to start and fireworks could be heard from our house when Coach Sumlin cut off the pregame interview on the SEC Network Alternate Channel by saying “We’ve got to get off the field”. At first, I thought this was the usual coachspeak about how the defense has to get stops. Then it became clear that he meant it literally: lightning had been detected within the radius that mandates a delay of a game.

Texas A&M may have screwed up how this was handled. As detailed on Good Bull Hunting, leaving 104K fans in the stands during a lightning warning was not very smart. It also probably violated NCAA recommended policy.

Once the game got going, the Ags dominated as expected, with one breakdown allowing the Lamar Cardinals to get close enough to the goal line to kick a FG. 3 QBs played, and two seldom used running backs got a lot of carries. 4th-string junior Brice Dolezal ended up the leading rusher when he ignored the plan to run out the clock and broke a 41 yard run for a TD with 1:26 to go and the Ags already up 66-3.

Is the B1G out of the playoff picture already?

Big 10 (base 14) commish Jim Delany says no

“Big games matter on big stages with big ratings and a lot of attention,” Delany told ESPN.com on Sunday. “In the three primetime games, we didn’t win any. That’s disappointing. I would say this: I said they would be disproportionately impactful but I didn’t say they would be dispositive. We’re not feeling very good but the facts are the facts. I would just say with 50 percent of the nonconference games and 100 percent of conference games remaining, it’s premature to make any judgments.”

Here’s what’s left for the B1G OOC, with teams sorted by record and then name

  • Illinois (2-0): Washington, Texas State
  • Iowa (2-0): Iowa State, Pittsburgh
  • Maryland (2-0): W Virginia, Syracuse
  • Minnesota (2-0): TCU, San Jose State
  • Nebraska (2-0): Fresno State, Miami
  • Rutgers (2-0) Navy, Tulane
  • Penn State (2-0) UMass, Temple
  • Indiana (1-0) Bowling Green, Mizzou, N. Texas
  • Michigan (1-1): Miami, Utah
  • Michigan State (1-1) E. Michigan, Wyoming
  • Ohio State (1-1): Kent State, Cincinnati
  • Purdue (1-1): Notre Dame, S. Illinois
  • Wisconsin (1-1): Bowling Green, S. Florida
  • Northwestern (0-2): W. Illinois, Notre Dame

Teams from the former BCS conferences plus Notre Dame are in bold. Currently ranked teams in either the AP or the coaches poll are in italics. The opportunities to impress based on out of conference wins are limited. The B1G may still get into the playoff if their conference champ is undefeated and other conferences fail to produce unbeaten teams. But IMO it won’t be based on out of conference impressions.

This all just fits with my belief that the idea that the playoff will reduce controversy is delusional.

College Football 2014: week 1

My teams went 2-1, with the Ags winning the first big game of the season on the live football debut of the SEC Network, Stanford pitching a shutout and running up the score on a cupcake, and the Badgers dropping an extremely frustrating game against LSU. I don’t have anything to say about Stanford, since I didn’t see any of that game, so I’ll just cover the other two games.

#21 A&M d. #9 S. Carolina

Most of the teams in the SEC lost key players to the NFL or to other causes (e.g. kicked off for being criminals). The conventional wisdom on A&M seemed to be that losing Johnny Manziel, Mike Evans, and Jake Matthews would cause the offense to collapse, while the terrible D of 2013 would not be improved with the losses of Darian Claiborne and Isiah Golden, who were kicked off the team for criminal stupidity. Dropping expectations based on these losses was not unreasonable, but I got the feeling that expectations were even lower than they should have been, because the prognosticators who expected A&M to take a beating in the SEC were putting too much weight on what Manziel meant to the success of the team.

At the same time, the reputation of Steve Spurrier is the only thing I could think of that caused pundits to anoint S. Carolina as not only a favorite in the SEC east (understandable given the lack of viable alternatives), but also the #9 team in the country. Like the Ags, they lost a starting QB, top receiver, and key defenders. It seemed to me that the rational evaluation would be that both teams would be so dependent on unknowns that the outcome of the game on Aug 28 would be a pick ’em.  Instead, the Gamecocks were 10.5 point favorites at home. Predictions varied from the Carolinians winning big by running the ball down our throats to winning a close one where neither D stops the other O.  I was telling friends that I thought A&M could win because our offense was a bad matchup for S. Carolina’s young defensive backs. But I was far from sure.

On Thursday night the Ags showed that they were not the most overrated team in the nation after all, winning big on S. Carolina’s home field. QB Kenny Hill broke Manziel’s single game record for passing, going 44/60 for 511 yards. 12 different Aggies caught those passes. A&M  converted on 12/17 third downs. They went 2/2 on fourth down, with the other three possessions being two punts and a FG. The D had some breakdowns that led to SC scores, but overall they did well: Carolina was only 2/9 on 3rd down and had 67 yards rushing. The Ags so thoroughly dominated that Gamecock fans were thrown into dark despair.

#13 LSU d #14 Wisconsin

My thoughts on the Badgers are NSFW. I may be able to write something … oh, screw it.

GARY ANDERSEN ARE YOU FUCKING INSANE? WHO THE FUCK IS ANDY LUDWIG AND WHY IS HE ALLOWED TO RUIN THE BADGERS? RUN THE DAYUM BAAAAAAWL!!!!!!

The Badgers started strong, using the ground game to take a 17-7 lead into the half. The Badgers stretched the lead on their first possession of the second half to make it 24-7 with 12:24 to go in the third. From that point on, Heisman hopeful Melvin Gordon, who was averaging 8.8 yards per touch, got 3 more carries.

tweets via Bucky’s Fifth Quarter.

Worse, Gordon’s missing carries were not just given to backup RB Corey Clement. OC Andy Ludwig had Badger QB Tanner McEvoy slinging the ball downfield, despite an abundance of evidence that:

  • Wisconsin has no real threats at WR
  • McEvoy and the WRs were not making the same reads on what routes to run
  • LSU’s DBs were covering well all night
  • McEvoy is not a good passing QB.

McEvoy is a transfer from S. Carolina by way of an Arizona JC. At S. Carolina he couldn’t beat out Connor Shaw or Dylan Thompson (the losing QB in the A&M-USC game above, who is thought of as inconsistent). McEvoy played safety at Wisconsin last year, but beat out incumbent Joel Stave, who may be limited by the lingering effects of an injury from last season. McEvoy ended up going 8/24 for 50 yards and 2 INTs. Both picks came in the fourth quarter, helping LSU slingshot past the Badgers.

One of the completions down the right sideline in the first half may have convinced the Wisconsin coaches that they had a passing game. But I remember thinking to myself: “LSU picks that off more often than not”. McEvoy’s INT numbers were not worse mainly because so many of his incompletions were deep balls that were nowhere close to a receiver or defender.

The conventional wisdom used by Ludwig and Andersen was probably something along the lines of needing to pass to keep LSU from stacking the box. But that only works if there is a credible threat in the passing game, and from what I saw, there isn’t one at Wisconsin. The Badgers are likely to delude themselves into thinking they can improve their passing attack when they move on to the weaker opponents on their schedule, but IMO they would be better off embracing their 1-dimensional nature. Whenever I saw the Badgers line up with no fullback or worse, I wanted to scream at the TV.

Mail in Mavericks is screwed up

What’s going on here?

Around the same time that I got this new laptop, TAMU switched from hosting its own mail to a Google Apps-based system. As part of the changeover, you can import your mailboxes from the old system to the new system. After hooking up the new account in Mail.app as an IMAP account, there are messages where what you select is not what you get: The sender and subject are for a different message somewhere else in the mailbox. In fact, this is the case for all of the imported messages; new arrivals seem to match up. There are also many unrelated messages grouped as if they belong in the same thread.

Now, blaming this on Mavericks might seem unfair, as there are multiple partners involved here: A&M’s import system, Google, and Apple. But this mismatch doesn’t happen on the old laptop running Lion, or on my iPad or iPhone.

Various posts online suggest rebuilding the mailbox. This didn’t work for me. In the web gmail, I deleted the label for the import, unstarred everything and marked everything as not important. I did another rebuild… no joy. Rebuilt the Spotlight index. I think that may have fixed it.

New laptop

I’ve been working on a 2011 MacBook Air since Spring of 2012. A&M is really nice in having a program to subsidize computer purchases for faculty, but unfortunately I had to spend my faculty workstation funds a month or so before Apple updated the Airs, which meant that I got the version where 250G was the maximum SSD and the ports were USB2 instead of USB3. I’ve been meaning to replace it since I started getting close to filling up the disk. Plus I’ve actually worn the letters off several of the keycaps (as you can see in the picture)!


The SSD was so full that I moved my iTunes and iPhoto libraries to an external volume using a Nifty Minidrive microSD card holder. But Time Machine keeps marking that volume as one to not back up, even though I could have sworn that I changed that setting many times.

So, I finally decided to pull the trigger and order a new MacBook Air (spending my own money, as I’m not eligible for another workstation yet, and I don’t have the matching grant money right now anyway). It arrived today, so now I’m setting it up. This post is for notes on what worked and what didn’t

Migration assistant

The old Air was still running Lion while the new one came with Mavericks. I was running Lion because I didn’t want to deal with reinstalling MacPorts for the web development I do on my laptop, and I also figured that I was going to get a new machine anyway.  This meant that even though I attached the two laptops to each other using a thunderbolt cable, they didn’t handshake, so the transfer started using WiFi. Time estimate: more than 8 hours!  Attaching ethernet cables (I have one USB to ethernet and one thunderbolt to ethernet adaptor) during the transfer didn’t work, so I aborted the transfer and restarted it after I had created a temporary user on the new Mac. Using Ethernet the time was closer to 4 hours.

Interestingly, after the transfer, the old MacBook renamed itself because both machines had the same network names. The aborted transfer also did something very weird to the Applications folder. There is now a nameless folder with copies of all the Applications and a symlink to Applications. Deleted that.

Migration assistant seems to have moved my ssh keys.

iWork apps

Launching the App Store, I was prompted to accept the iWork apps. Cool. Got them.

Xcode

Xcode does not automatically update, so I did that in the App store. Based on this post and the MacPorts documentation, it seems that I also needed to reinstall the command line tools, using

sudo xcode-select --install

but then I discovered that updating Xcode via the App Store isn’t good enough; it just updated to a higher version of 4.x instead of going to 5.x. I had to trash the old one and reinstall from the App Store. The command line tools have to be downloaded from the Apple Developer Site. I really don’t understand why Apple took these outside of the Xcode installation.

MacPorts

MacPorts recommends reinstalling, so I downloaded the package installer and installed it.  The migration guide suggests uninstalling everything. After confirming that

sudo port selfupdate
sudo port upgrade outdated

failed, I went ahead and did

port -qv installed > myports.txt  
sudo port -f uninstall installed  
sudo port clean all

and then reinstalled the things I think I need. This was not as straightforward as it should be. I think it turned out that I needed to reset xcode-select to use the Command Line Tools that are separate from Xcode.

xcode-select -r

This allows me to install the desired modules in MacPorts, even though every one of them gives a warning about how it will probably fail because Xcode is not installed (even though it is).
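The list saved with port -qv installed before the uninstall can be turned back into install commands, which saves retyping when the list is long. This is an added example, not the page’s own procedure or a MacPorts tool (the MacPorts migration page points at its own restore_ports.tcl script for the full job); it assumes the line format that port -qv installed prints, shown in the constructed sample the script writes for itself.

```shell
#!/bin/sh
# Added example (not from MacPorts): rebuild "sudo port install ..." lines
# from a saved "port -qv installed" listing, keeping each port's variants.
#
# Assumed line format (any extra fields after "(active)" are ignored):
#   "  name @version_revision+variant1-variant2 (active)"
# "+" marks a selected variant and "-" a deselected one. Installed but
# inactive versions (no "(active)" marker) are skipped.
reinstall_commands() {
    # $1: path to the saved list (e.g. myports.txt). Prints one command per line.
    awk '
        /\(active\)/ {
            name = $1
            spec = $2                          # e.g. @2.7.8_0+readline-ucs4
            variants = ""
            # variants follow the _revision suffix of the version
            if (match(spec, /_[0-9]+/)) {
                variants = substr(spec, RSTART + RLENGTH)   # +readline-ucs4
                gsub(/[+-]/, " &", variants)                 # " +readline -ucs4"
            }
            print "sudo port install " name variants
        }
    ' "$1"
}

# Constructed sample standing in for a real myports.txt.
write_sample_list() {
    cat > "$1" <<'EOF'
  bash @4.3.28_0 (active)
  python27 @2.7.8_0+readline-ucs4 (active)
  php55 @5.5.16_0
  php55 @5.5.17_0 (active) platform='darwin 10' archs='x86_64'
EOF
}

demo=$(mktemp) || exit 1
write_sample_list "$demo"
reinstall_commands "$demo"
rm -f "$demo"
```

Review the printed commands before running them: the list is whatever was installed on the old machine, including ports that were only pulled in as dependencies of something no longer needed.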

Mail.app

On launching, it updated the database… badly for the IMAP account used by TAMU’s recent migration to Gmail. I’m seeing problems where messages have to be clicked multiple times in order to go to the trash, and worse, there are cases where the sender and subject of the email selected in the mail browser doesn’t match the one in the preview window. This has been seen by others.  Rebuilding didn’t help, but deleting the account and recreating it seems to have worked.

Time Machine

There isn’t anything in the Time Machine Preference Panel to set the backup to inherit the history from the old machine, but the first time I started a backup, it prompted me to ask if I wanted to do that.  I’m wondering how long the first backup will take… I started on Saturday afternoon and it’s been preparing backup for at least a couple of hours.

UPDATE: despite estimating that it would take much longer, the backup completed sometime earlier than 9:20 PM on Saturday. Sweet!

Microsoft Office

As expected, Word complained about needing a product key. Once I found it in my Amazon account, things seem to work.

Websites

I use MacPorts php with the Apple Apache2 to do web development (mostly in Mediawiki and WordPress). It seems that the Migration Assistant didn’t move files owned by the www user.  Rather than dig the desired files out of the old machine (by this time the new laptop and I were at work and the old laptop is at home), I downloaded new versions and installed fresh.