Tuesday, October 18, 2011

Fun with JIRA

Atlassian's JIRA is an issue tracking system brought to you by the same people who made that-sounds-like-a-disease Confluence. It's used by a wide array of different companies to assign software developers to bug fixes and feature requests. The app itself is Java-based and typically comes bundled with Apache Tomcat. You can read more about the requirements here.

Google Dork
Due to distinct URLs that the JIRA dashboard generates, you can find open systems with a simple search for:
inurl:/secure/Dashboard.jspa
Some of these JIRA instances require authentication to poke around, others don't. Either way, it's an interesting look into who uses JIRA and what issues they're tracking. Highlights include software components, technologies in use, and developer names.

Server Information
JIRA also supports a charting plugin, built around JFreeChart. You can see an example of one of these charts in the screenshot below.

In version 4.3.4 (I haven't tested any others), you can right-click on this image and select "View Image." This will take you to a URL with a format similar to .../charts?filename=jfreechart-onetime-666hashstuff.png and give you a classy dump of server information.
In the "cause" section you can see the install directory and location of the temp folder used for chart generation. If you dig past the stack trace, you can find things such as:
  • JIRA versions
  • Build dates
  • Install types
  • Application server / version
  • Memory information
  • Java version and JVM
  • Username
  • Server OS
  • Server processor architecture
  • Database type / version
  • Plugins
As well as a bunch of other random information. This is possibly just the result of a misconfigured error page, but JIRA's own tickets seem to suggest that it's supposed to happen. Regardless, if you happen to notice a JIRA install, it may be worth looking for.

Also worth noting is this ticket, which suggests that some of the generated charts stick around for a while. Feel free to try and fill up the temp directory.

Tuesday, May 31, 2011

Tumblr Using Amazon S3

Apparently Tumblr uses Amazon S3 for hosting content. Viewing an image on their site recently gave me a URL of:
http://s3.amazonaws.com/data.tumblr.com/tumblr_XXX.jpg?AWSAccessKeyId=XXX&Expires=XXX&Signature=XXX

As opposed to the URLs you normally see when viewing an image on Tumblr:
http://XX.media.tumblr.com/tumblr_XXX.jpg

The original URL is now giving me an "access denied" XML response, but there are a bunch of references to it to be found on Google. It's also worth noting that the XML response is the same for broken links regardless of which of the two previous URL formats you use. The S3 URLs appear to have been in use since at least 2009 (from some of the Googlebot's crawl dates).

I found this interesting because I didn't see any prominent references to S3 storage on any of Tumblr's user agreements or staff blog. As more companies move to cloud storage solutions, users need to be more aware of where their information is going. What additional policies or user agreements, if any, are implied when your data is stored on Amazon? Is information passing country borders and subject to new laws?

On another note, while searching for more about this, I found this article mentioning a leak of Tumblr's API credentials, including their S3 clusters.

Tuesday, May 24, 2011

Vampire Crabs


A couple weeks ago, my girlfriend and I purchased a trio of Vampire Crabs from a local pet store (Preuss Pets, for those in the Lansing area). They had a sale on 10 gallon aquariums for $10, and it seemed like the perfect opportunity. We had been discussing getting some type of crab for a while, as we wanted to set up a sweet aquarium landscape. Land crabs and brackish/saltwater crabs seemed like too much maintenance for us, but then we got lucky when we spotted these guys. The important thing is that we can now officially tell the world: we have crabs.

We were given a care sheet about them and did some internet homework about 'em here and here. They're fairly easy to care for and are pretty social guys. We decided to name ours after some of our favorite black metal icons (Euronymous, Quorthon, and Count Grishnackh). Plans are currently in the works to pick up another few of them, too.

Vampire crabs are brightly colored freshwater crabs that require a good mixture of shallow water and land. They're pretty small guys, only about an inch or two across, and stay pretty small. Although they're not very territorial (~6 can live the good life in a 10 gallon), I have witnessed a pair of them slap-fighting over a hiding spot. Kids are so cute at that age.

Speaking of which: they like hiding and are somewhat nocturnal. Although Vampire Crabs do come out during the day, they seem far more active in a warmer dusk setting. A nice LED lamp will help them feel at home. Ours have been doing fine at room temperature (around 75°F).

Although scavengers, our crabs seem to be picky eaters. Meats and fish food pellets seem to be favorites. It's also worth noting that they do not hunt or bother most aquarium mates. Ammonia and nitrate levels in their water need to be kept low, however, so watch out for any rotting food they've tried to hide. Certain plants can help with this (cryptocoryne species, anubias, java ferns/moss), otherwise clean out the tank a bit every week or so.

Thursday, April 21, 2011

JavaScript Obfuscation

Hot on the heels of the last post, I figured I'd quickly talk about the flip-side of beautification.

What?

JavaScript is a client-side scripting language that you're probably already somewhat familiar with if you've ever fought a losing war with pop-ups. It's often used to add dynamic elements to otherwise static websites; however, you can do all sorts of neat junk with it.

Code obfuscation is the sweet, sweet art of making your junk hard to understand. That's right, there's actually a word for it.

This brings us to JavaScript obfuscation. Because JavaScript is run "client-side" (as opposed to server-side), your computer grabs a copy of it and runs it. When you view a website with JavaScript in it, you have full access to the script being executed. Besides looking at the actual logic of the code, you can even change how it runs using snazzy tools like Firebug or kill it with things like NoScript.

In the wild, there are plenty of reasons why you may want to hide your code... But usually there are only two:

1) You worked really hard on your script and you have deep-seated issues about sharing.

2) You're doing bad things and you don't want people to know what the things are.

You may also just write horrible code, but that's usually unintentional so I'm not adding a 3rd.

How?
There are plenty of tools out there to accomplish this or, if you're the industrious type, you can always do it by hand. For those of you who don't want to wait several hours tediously re-writing their scripts, here are two awesomely effective websites to help you out.

The JavaScript Packer - a JavaScript compressor and obfuscator that'll help make your code smaller and less user-friendly. For some fun stuff, try switching on the "base62 encode" and "shrink variables" options.

The Free JavaScript Obfuscator - does exactly what it says. More human-unfriendly goodness.

The real awesomeness of these comes when you chain them together. Take a simple alert('yo') script and run it through both of them a few times. Have fun.

Keep in mind, though, that if someone has your script, even if it's obfuscated, they still have your damn script. And if they're good enough, you bet they can figure out what it does and reverse engineer it.
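That last point fits in a few lines. This is an added example, not code from the original post or from either tool above: `wrapLayer` is a constructed stand-in for one obfuscation layer, and `peelLayer` (also a made-up name) recovers each layer by shadowing `eval` with a function that records its argument instead of running it.

```javascript
// Constructed stand-in for one obfuscation layer (NOT the output of the tools
// named in the post): hide the source as char codes behind eval().
function wrapLayer(src) {
  const codes = Array.from({ length: src.length }, (_, i) => src.charCodeAt(i));
  return `eval(String.fromCharCode(${codes.join(',')}))`;
}

// Chain several layers, as the post suggests doing with alert('yo').
function obfuscate(src, layers) {
  let out = src;
  for (let i = 0; i < layers; i++) out = wrapLayer(out);
  return out;
}

// Peel one layer: run the wrapper with `eval` shadowed by a recorder, so the
// decoded text is captured instead of executed.
function peelLayer(src) {
  // Only touch scripts that are an eval(...) wrapper; anything else is treated
  // as the final payload and is never run.
  if (!/^\s*eval\s*\(/.test(src)) return null;
  let captured = null;
  const fakeEval = (code) => { captured = String(code); };
  // Function-constructor bodies are sloppy mode, so a parameter may be named
  // `eval`. The decoder expression itself still executes in this process:
  // for untrusted samples, do this inside a throwaway, isolated VM.
  new Function('eval', src)(fakeEval);
  return captured;
}

// Keep peeling until the script stops handing new source text to eval.
function deobfuscate(src, maxLayers = 20) {
  let current = src;
  let layers = 0;
  while (layers < maxLayers) {
    const next = peelLayer(current);
    if (next === null) break;
    current = next;
    layers++;
  }
  return { source: current, layers };
}

const packed = obfuscate("alert('yo')", 3);
console.log(packed.length, deobfuscate(packed));
```

Any layer that ends by handing a decoded string to `eval` comes apart the same way, which is why stacking more layers mostly costs the analyst a few more loop iterations.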

JavaScript Beautification

During the course of my work day, I'm frequently ambushed by horribly written JavaScript. Plenty of people have been adding cloudy web 2.0 elements to their sites without understanding the code they're copy/pasting. At some point, someone passed me a link to the Online Javascript Beautifier. This bit of code attempts to take ugly script and beautify it. Pretty nifty.

Saturday, March 5, 2011

Welcome

Our rock isn't really the prettiest to look at from far away but it's really nice when you get closer. It's not the biggest, though. And we don't have any dust rings yet.

Every year our rock completes one entire orbit around our star, a distance of approximately 585,000,000 miles. To accomplish this, our rock spins really quickly about 365 times. Usually once we're done with one of these long trips, we celebrate surviving another orbit with a "birthday party." When we drink too many celebration liquids, sometimes we perceive everything to be spinning.

"This is what our rock must feel like all the time," we think. "Everything is spinning."

Welcome to our rock. Please enjoy your orbit.