KODING HACKATHON: RECAP

This past weekend was the Koding International Hackathon, which touted itself as the first virtual hackathon. There were plenty of applicants but we got ours in early: my backend dev and I were among the first people to use Koding for anything. I don't even remember how we discovered Koding in the first place, but it's one in a long line of virtual development environments like Cloud9, with a beautiful UI that makes angels weep. So I fell in love, as I do with everything that has beautiful design.

When I got the email for the hackathon I signed up immediately and, to my surprise, despite being probably the least qualified person in the world, I started a team at work. Before the hackathon began there were 20,000 applicants and only 2,000 slots; my team was accepted within the first round of 200, which makes us true 1%ers.

This wasn't my first rodeo, but it was my first time as a team lead. So let's talk about the hackathon.

JSON AND ¯\_(ツ)_/¯

My team decided in a heated discussion on Slack that the name that best embodied our team was ¯\_(ツ)_/¯, because Happy Developers and Team Toast really didn't encapsulate the feel of our team. I put together our GitHub page and submitted it early, because I thought that when I got the email from Koding to fork the day before Thanksgiving it meant the submission was also due that day. However, anyone who has ever used JSON knows that a backslash inside a JSON string starts an escape sequence, so an unescaped \_ is invalid JSON (it has to be written as \\_), and our name broke their JSON parser for teams.

For 17 hours.

They ended up renaming us Team Prince so we could be added to the roster at all; Prince came from my quip that we are a symbol and not a name, like the artist Prince.

So Team #Prince was born! I was actually pretty excited about this, as was my Project Manager Liz, since she loves Prince.

OUR PROJECT IDEA

My coding-language dating sim was shot down completely and I was miffed about it, but Sloane, my front end dev, pointed out that a lot of people would most likely take on a game project, so it was better that we were doing legal stuff. In retrospect I am very glad that we ended up doing the legal project, because we got a finished project at the end that we were all proud of, and it was actually much more useful than dating OS-tans.

There were a lot of problems early on in the planning stage, I guess: I was already busy with projects at work, and outside of work too, so most of the planning was done right before we met at 4:00 to decide on the UI. I wrote out our features list in hopes that we could get them all, and sketched some things out on paper. I said a prayer when I left our pregame meeting, already at odds with team members on how the application would actually work.

HACKATHON DAY 1:

WHY WON'T TRANSLATORS WORK

My designer, Lauren, brought us mimosas. So Day 1 started out with champagne, and I think every hackathon should start out with champagne, because the first few hours of a hackathon are like a coder party full of dreams and features that will all work beautifully together. I wrote to-do lists on the windows of the new office and put on Courage the Cowardly Dog.

Lauren came prepared for everything, and she had a gorgeous color palette picked out for the site already:

She told me that she had based the color palette around the Pantone Color of the Year for 2015: Marsala. This would be the basis for the badge designs and all the other colors we would eventually pick for the website. Lauren is so incredibly talented, I would have never thought to connect something so current with our hackathon.

Our research team on the other hand had been hard at work already, and had combed through Terms of Services, Terms and Conditions, and Privacy Policies for many major corporations to find repetitive terms that we could use to base our grading system off of. This had to be the most tedious and terrible thing I could ask of a person, and I am ever grateful for their patience, Liz and Michael are stars.

Meanwhile, I found a great translator library called Translate.JS, and because our front end developer was missing we used Bootstrap to get started and had a lot of responsive front end development done before it was even noon.

However, I quickly realized that if you're not communicating with your team, they won't know what to do. Which seems obvious in retrospect. There was a lot more whiteboarding in the afternoon to get Michael back on research: I had him take the common phrases and code them into a dictionary file that would work with Translate.JS.

By late afternoon Billy, my backend developer, and Sloane, my front end developer, both had come in to take some weight off my shoulders while I wrestled with the translation library that was translating absolutely nothing. Michael and Lauren had worked together to establish the badge system which she would be designing. Day 1 ended with everything on track, except for the translator.

I put it aside and integrated the WordNik API into our system so people could define words if they wanted, which was so easy with wordsmith, and I was quite proud of our progress by the end of Day 1. We had a great looking site, and everything was running along smoothly.

It didn't do much of anything, but it looked great and you could highlight stuff, so it seemed like Day 2 would be a breeze. Translate.JS still wasn't working, but JavaScript libraries are fickle.

I deleted my repo on Koding three times accidentally by losing focus on the terminal, and their systems were overloaded due to the high volume of people accessing them, but I really enjoyed reading what other teams were doing on their channels. I mostly stuck to vim.

DAY 2: GHOSTS AND LIGHTBOXES

Day 2 started out terribly. I woke up to the realization that the reason the translator wasn't working was that Translate.JS did not translate parts of strings, only whole strings. That was bad news for my idea of assigning badges based on the key terms that Liz and Michael had found. On a whim I found the ReplaceText plugin, which meant I had to recode the entire dictionary from Translate.JS's format to ReplaceText's. Most of Day 2's morning was spent copying and pasting.

Lauren lifted my spirits by completing the badge design, which was everything I had imagined it to be.

The badges were controlled by the dictionary: if a key term was found, I would wrap that term in a span with a class in order to show a badge (which was Billy's idea; I swear he knows the easiest way to do everything aside from diagnosing JavaScript errors), but we would also add a highlight to show people what they were graded on. I had initially set out to try and format heading titles through the dictionary too, but I realized after viewing a few Terms and Conditions that everyone uses all caps all the time in a terms and conditions document. I couldn't format anything beautifully without things looking ugly later on.

After I had finished the entire badge system I went back to the office with Sloane to complete the last of the system, which was mostly superficial stuff, and silly things I wanted like the xbox achievement that popped up when you scrolled too fast.

At work we had just moved to a new office and there were strange screams heard from upstairs, but Sloane just insisted I turn up the music and hope that whatever was up there wasn't going to interrupt us.

Billy came late to help us add styling to the pasted text and helped me brainstorm a better idea for the demo text, which was a lot easier than I had made it out to be. I had coded out extensive regex to be applied for the styling, and a javascript text area replace, and he came up with a much more elegant solution for both.

Modals didn't work for hours due to the library we were using for tooltips, and when we finally got the modals to work they would never close. Bootstrap hates everything else that tries to take its place.

I deleted the git repo from Koding yet again thanks to the terminal losing focus. I'm starting to think the problem lies between the computer and the chair -_-.

There were a lot of typos and lorem ipsum that we had to clean up, but by around 9:00pm we had a gorgeous working site that would give pretty pictures to any legal document with our legal dictionary! Sloane and I spent a majority of the evening asking each other what anime the music we were listening to was from, and cleaning up small fixes. She chose the yellow for our logo, which stood out better against the backdrop despite not being in the color palette. Lauren chose Nixie One for our logo font…

TEMPES GEEKS NIGHT OUT: KINECT FOR KIDS

Today is Geeks Night Out in Tempe, which is a derisive-sounding event to honor us nerds for being the only ones who paid attention in math class in high school and managed to secure a STEM degree, and to encourage other people to do the same. These STEM events always get to me because it's like "Look what fun things you could maybe do one day!" but IRL it doesn't tell you how much I cried and drank to get to the position I am in today!

Anyways enough complaining about STEM, onto what I actually did for this event.

We had to have some kind of interactive demonstration for kids to see what technology we do at my company, and since I was invited (forced) to do the entire thing I decided to have some fun with it. I took my dusty Kinect off the wall and put together an easy-to-use interface with interactive websites that do pretty things when you mouse over them.

The UI of the demo is based off an anime (of course) from a long time ago called .hack//sign which I think must be ten years ago by now. I always thought the OS they used in the anime was particularly well designed for its time

I started with a Metro interface because that one was designed to work best with the Kinect, but it didn't quite fit, so instead of the squares I switched to a honeycomb look, and it seemed to fit better with the futuristic operating system feel that Altimit has.

The backdrop is actually particles.js to make it seem more like an operating system and less like a static page.

and I pulled my loading screen design from Battlefield 3

Each of the honeycombs goes to a simple code demo, some of them using d3.js or other things I've pulled off of CodePen that seem colorful enough to entice kids into a lifelong slavery like programming. Each demo has a forward and back button and works very well with the Kinect mouse program I managed to finagle into working (it seems that everyone abandoned the Kinect back in 2013; most of the programs are dead or abandoned). An example of one of the ones we have available to play with:

This was kind of a rushed project, because I was in Hong Kong for a week when I was supposed to be doing the development for this project so when I came back I spent a good day on the only part I cared about which was Future Disco.

I think I love working on music visualizers more than anything. I did a project for my office recently that used a particle cloud and fast Fourier transforms in order to pulse to the beat, written in CoffeeScript and SASS. Future Disco started out as a simple interactive visualizer based off of party mode, but I added too many special effects and now it's a full-blown discotheque.

Included is a SASS starfield, a SASS animated gradient, and of course the final theme (my favorite) is a random anime webm picker a la AMV Hell that works by randomly picking a webm video and a random spot in the webm video to play. I want to expand the webm concept a little more but I ran out of time before the date of the event.

The visualizer itself and its theme can be controlled by mouse gestures or the keyboard arrows, and it allows for importing your own SoundCloud tracks if you don't care for DJ Amaya (but you should, because I really like him and he runs Arch Linux), and of course it's shareable, for anyone else who wants to see the disco.…

HOW TO SECURE UBUNTU FOR THE WEB

Last Saturday I did a talk for ASU about server security. While it probably won't be as well attended as my friend gtk's talk on offensive security this Saturday, I found it interesting that a lot of the more veteran people who set up production servers said they didn't do a lot of the more basic security practices, which is troubling. I'm going to gloss over some parts of the talk and provide the SlideShare at the bottom. I'll focus mostly on securing Apache and some auditing tools.

This is Ubuntu-centric because a lot of people get nervous when I talk about anything else at my LUG, even though I use CentOS in practice. Sorry in advance.

DEVOPS BASICS

So before we begin, and I can't stress this enough, you need to have a terminal program, and you need to start teaching yourself how to use the command line. I worry about the future of the internet if everyone is afraid to open up their terminal. This was a big problem at the talk, which means it's probably a big problem elsewhere.

We will be using vi, because that's just how I roll. Quick refresher:

i to enter insert mode
Esc to get back to normal mode
:wq to save your changes and exit
:q! to quit without saving (useful when you have mangled a config file)

Okay, now that my little sermon is over, let's get on to some security practices.

IPTABLES

What is iptables?
It's the userspace tool for netfilter, the packet filter built into the Linux kernel, so for practical purposes it is the firewall for Linux. Calling it a port management system undersells it: it matches on addresses, protocols, interfaces and connection state, not just ports. By default a fresh install accepts everything on every port, more open than Taco Bell; we'll be closing it up tighter than a five-star restaurant.

iptables is great because it's always the first step in making sure that only the people you want on your server are on your server. However, if you're not careful you'll end up kicking yourself out and unable to SSH back in to fix your mistake. Before you touch the rules on a remote box, make sure you have an out-of-band console (your provider's VNC or serial console) or schedule an automatic rollback.

Let's see what rules you start with:

sudo iptables -L -n -v

This lists all your current rules, with -n to skip reverse DNS lookups and -v to show packet counters and interfaces. On a fresh install there won't be any rules and every chain's policy is ACCEPT, which means any type of traffic can get through on any port at any time. That's not a good thing. Note that Ubuntu does not persist iptables rules anywhere by default: whatever you add lives in the kernel until the next reboot unless you save it to a file and reload it at boot (for example with the iptables-persistent package, or a pre-up line in /etc/network/interfaces that runs iptables-restore). Let's go ahead and test adding a rule to allow us to SSH in.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A (append a rule to the chain) INPUT -p (this protocol) tcp --dport (on this destination port) ssh -j (jump to target) ACCEPT (accept the packet). Note that -A appends to the end of the chain, so this rule sits after anything already there; order matters, because the first matching rule wins.

However iptables, like life, is fleeting if you don't save it. If you rebooted before saving, all your new rules would be gone! Be aware that iptables-save on its own only prints the live rules to standard output; to persist them, write that output to a file that gets reloaded at boot:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

That is the file the iptables-persistent package restores on startup; without that package, run iptables-restore on it from a pre-up line in /etc/network/interfaces.

You can manually add every iptables rule in the same fashion for all sorts of common ports, 80 for HTTP traffic, 443 for HTTPS, and so on, but I actually use a bash script instead to build my rules file quickly on setup.

Someone at the talk pointed out that the most important lines in the file are the following.

# default: DROP!
$ip -P INPUT DROP
$ip -P OUTPUT DROP
$ip -P FORWARD DROP

($ip is the script's variable holding the path to the iptables binary.) These set the chain policies: if a packet matches no rule in the chain, drop it. This is a good policy because anything you forgot to allow stays closed, which limits what a port scan can learn about the box. Two caveats: set the DROP policies only after the rules that allow established connections and SSH are in place, or you will cut off your own session the moment the policy flips; and a DROP policy on OUTPUT also blocks the server's own outbound traffic (DNS lookups, apt updates, NTP), so the script must explicitly allow those or you will wonder why apt-get hangs.
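A full ruleset that takes the lock-out caveat seriously, as an added example (this is not the script from the talk, and the ports are assumptions for a web server that only exposes SSH, HTTP and HTTPS): it emits iptables-restore format, keeps OUTPUT at ACCEPT so apt and DNS keep working, lets established connections and SSH through before anything falls to the DROP policy, and wraps the load in a timed rollback so a mistake reverts itself before you lose the session.

```shell
#!/bin/bash
# Added example, not the script from the talk: build an iptables ruleset in
# iptables-restore format. The ports passed in are assumptions (22 80 443
# for a plain web server); OUTPUT stays ACCEPT so apt, DNS and NTP work.
gen_rules() {
    cat <<'EOF'
*filter
# Policies: anything on INPUT/FORWARD that matches no rule below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: local services (MySQL sockets, psad, fail2ban) need it.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (FTP data,
# ICMP errors). This line is what keeps your current SSH session alive.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection (stray scans, spoofed RSTs).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep ping working for monitoring.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    local port
    for port in "$@"; do
        # Only new TCP connections to the listed services are accepted.
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<'EOF'
# Log what is about to fall through to the DROP policy; psad reads these.
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Load a ruleset on a remote box safely: save the current rules, load the new
# file, and revert automatically after 60 seconds unless you cancel the timer.
# If the new rules lock you out, you are back in a minute; if a fresh SSH
# login still works, kill the timer and persist the file.
apply_with_rollback() {
    local rules="$1" backup="/tmp/iptables.rollback.$$"
    iptables-save > "$backup"
    (sleep 60 && iptables-restore < "$backup") &
    local timer=$!
    iptables-restore < "$rules"
    echo "rules loaded; run 'kill $timer' within 60s to keep them"
}
```

Run `gen_rules 22 80 443 > /etc/iptables/rules.v4` and then `apply_with_rollback /etc/iptables/rules.v4` as root; once a fresh SSH login works, kill the timer. With iptables-persistent installed that file is reloaded at boot; without it, add `pre-up iptables-restore < /etc/iptables/rules.v4` to the interface stanza in /etc/network/interfaces.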

SECURING APACHE

Apache is what I use for a lot of things, and so do many other people. Apache is the web server part of the LAMP stack, and therefore kind of a big deal. I'm going to go over a few of the things I do on a base Apache install to let me sleep a little better at night.

SSL, TLS, AND POODLE

One of the trendier vulnerabilities (and by trendy, I mean it got a cute name) was POODLE, a padding-oracle flaw in SSLv3's CBC mode. It can't be patched in the usual sense, because the weakness is in the SSLv3 protocol design rather than in any one implementation, so the fix is to stop speaking SSLv3 and offer only TLS, which you can do in the Apache SSL config.

sudo vi /etc/apache2/mods-available/ssl.conf

You'll see a line that says

SSLProtocol all -SSLv3

which already disables SSLv3 and is enough against POODLE. If you prefer to spell out exactly which versions are allowed, change it to

SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Doing the basic math, this says: for the SSL protocol, -(don't allow) all protocols and SSLv3, then +(allow) TLSv1 through 1.2. Either form leaves only TLS enabled. Keep in mind that TLS 1.0 and 1.1 have since been deprecated too, so on a current server you would drop the +TLSv1 and +TLSv1.1. Run sudo apache2ctl configtest before restarting Apache so a typo here doesn't take the site down.

You can also pin the cipher list at the bottom with

SSLCipherSuite HIGH:MEDIUM

but I generally don't, even though restricting ciphers is best practice, because I find some clients can't then access the site. If you do set it, prefer HIGH with the broken families explicitly excluded (aNULL, MD5, RC4) rather than HIGH:MEDIUM, since MEDIUM pulls RC4 back in, and turn on SSLHonorCipherOrder so the server, not the client, picks the cipher.
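You can check a config for the three settings above without restarting anything. The functions below are an added example, not from the talk: they evaluate the SSLProtocol tokens the way mod_ssl does (all or a leading + enables, a leading - disables, a bare name enables only that name), flag cipher-list tokens that enable the MEDIUM, LOW, EXPORT, RC4 or NULL families without a leading !, and check that SSLHonorCipherOrder is on. The config path and the sample configs in the usage are assumptions.

```shell
#!/bin/bash
# Added example (not from the talk): audit an Apache mod_ssl config for the
# POODLE and cipher settings discussed above. Default path is Ubuntu's.

# Reads config text on stdin. Exit 0 if SSLv3 ends up enabled, 1 if it is
# disabled, 2 if there is no SSLProtocol directive at all.
ssl3_enabled() {
    awk '
    tolower($1) == "sslprotocol" {
        found = 1; on = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") on = 1
            if (t == "-all" || t == "-sslv3") on = 0
        }
    }
    END { if (!found) exit 2; if (on) exit 0; exit 1 }'
}

# Reads config text on stdin. Exit 0 if SSLCipherSuite enables a weak
# family; tokens prefixed with "!" or "-" are exclusions and do not count.
weak_ciphers() {
    awk '
    tolower($1) == "sslciphersuite" {
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++)
            if (toupper(tok[i]) ~ /^(MEDIUM|LOW|EXPORT|EXP|RC4|NULL|ANULL|ENULL)/) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Print findings; return value is the number of problems (0 = clean).
audit_ssl_conf() {
    local conf="${1:-/etc/apache2/mods-available/ssl.conf}" live problems=0 rc
    live="$(sed -e 's/#.*//' "$conf")"   # drop comments so "#SSLProtocol all" is ignored
    rc=0; printf '%s\n' "$live" | ssl3_enabled || rc=$?
    case "$rc" in
        0) echo "WEAK: SSLv3 is still enabled (POODLE)"; problems=$((problems + 1)) ;;
        2) echo "WARN: no SSLProtocol directive; the mod_ssl default applies, set it explicitly"
           problems=$((problems + 1)) ;;
    esac
    if printf '%s\n' "$live" | weak_ciphers; then
        echo "WEAK: SSLCipherSuite enables MEDIUM/LOW/EXPORT/RC4/NULL ciphers"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$live" | grep -qiE '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on'; then
        echo "WARN: SSLHonorCipherOrder is not on, so the client picks the cipher"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

`audit_ssl_conf` on its own checks the Ubuntu ssl.conf; pass a vhost file to check per-site overrides. This is a static check of the file, so after restarting Apache also confirm from outside that an SSLv3-only handshake is refused: `openssl s_client -connect yourhost:443 -ssl3 </dev/null` should end in a handshake failure, not a certificate chain.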

SECURE PHP A LITTLE MORE

PHP is notoriously insecure, mainly because PHP developers don't care about anyone because they're nihilist shits who don't care about anything, especially not sanitizing queries and strings (speaking as a PHP developer myself). Make your life a little easier by tightening some defaults in php.ini.

sudo vi /etc/php5/apache2/php.ini

Go ahead and set the following (most of these keys already exist in the file, often commented out with a leading semicolon, so change the existing line rather than adding a duplicate at the bottom):

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off

disable_functions removes the functions that spawn a shell or a process, so a PHP file an attacker manages to upload can't simply run system commands (add proc_open and popen to the list too; they do the same job).
register_globals turned every request parameter into a PHP variable, which let attackers initialize variables the script never set. It has been off by default since PHP 4.2 and was removed in PHP 5.4; on 5.4 and later the directive is gone and setting it only produces a startup warning.
expose_php keeps the PHP version out of the X-Powered-By header, so scanners can't tell what you're running.
display_errors stops PHP from printing errors, complete with file paths and sometimes query fragments, into the page; leave log_errors on so they still go to the error log instead.
track_errors only stores the last error message in $php_errormsg for scripts to read; turning it off is harmless, but it does not affect your logs.
html_errors turns off the HTML-formatted error output, the same information leak as display_errors in a prettier wrapper.
magic_quotes_gpc automatically backslash-escaped request data, which is no substitute for proper escaping or prepared statements and mangles legitimate input; it was removed in PHP 5.4, so, like register_globals, only set it on older versions.
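Editing php.ini by hand is fine once, but on the second server you want it scripted and idempotent. The functions below are an added example, not from the talk: set_ini uncomments and overwrites an existing key (php.ini ships most keys as ";key = value") and only appends when the key is absent, so re-running it never leaves duplicate directives; harden_php_ini applies the settings above, adds proc_open and popen to disable_functions, keeps log_errors on as the counterpart of display_errors off, and skips the two directives that PHP 5.4 removed unless the installed PHP is older. The php.ini path is the PHP 5 one from the post and is an assumption.

```shell
#!/bin/bash
# Added example (not from the talk): idempotent php.ini hardening.

# set_ini FILE KEY VALUE: replace an existing (possibly ";"-commented) line
# for KEY, or append one if none exists.
set_ini() {
    local file="$1" key="$2" value="$3"
    if grep -qE "^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini KEY FILE: print the effective (uncommented) value, last one wins
# like PHP itself; empty if unset.
get_ini() {
    sed -nE "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" | tail -n1
}

harden_php_ini() {
    local ini="${1:-/etc/php5/apache2/php.ini}"   # assumed PHP 5 layout
    # Process/shell spawning; proc_open and popen are added to the post's list.
    set_ini "$ini" disable_functions "exec,system,shell_exec,passthru,proc_open,popen"
    set_ini "$ini" expose_php Off
    set_ini "$ini" display_errors Off
    set_ini "$ini" display_startup_errors Off
    set_ini "$ini" log_errors On            # errors still recorded, just not shown
    set_ini "$ini" html_errors Off
    set_ini "$ini" track_errors Off
    set_ini "$ini" allow_url_include Off    # include() of remote URLs
    # register_globals and magic_quotes_gpc were removed in 5.4; setting them
    # there only produces a startup warning, so only touch them on 5.3.
    if php -r 'exit(PHP_VERSION_ID < 50400 ? 0 : 1);' 2>/dev/null; then
        set_ini "$ini" register_globals Off
        set_ini "$ini" magic_quotes_gpc Off
    fi
}
```

After running it, `php -i | grep -E 'display_errors|expose_php|disable_functions'` (or phpinfo() on a throwaway page you delete afterwards) confirms the values Apache's PHP actually loaded; remember that the CLI and Apache use different php.ini files.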

SIDE-STEPPING A DDOS WITH MODSECURITY & MODEVASIVE

We'll need to install a few packages first to get this party started. On Ubuntu the module package is libapache2-modsecurity (newer releases call it libapache2-mod-security2); the library packages below are pulled in as dependencies anyway, so listing them is belt and braces.

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo apt-get install libapache2-modsecurity

Where iptables decides at the packet level, ModSecurity is a web application firewall: it inspects the HTTP requests and responses themselves against a rule set, logs what matches, and can block it. I don't do anything special here; I actually just install the OWASP Core Rule Set. I don't know if that makes me a bad person or not.

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Go ahead and go into the config file (the module only reads it from that directory, so don't move it up to /etc)

sudo vi /etc/modsecurity/modsecurity.conf

and change SecRuleEngine from DetectionOnly to On. Run it in DetectionOnly for a few days first and read /var/log/apache2/modsec_audit.log: the CRS is strict and will otherwise block legitimate requests (file uploads and WordPress admin pages are the usual victims) until you tune it.

To add the OWASP Core Rule Set to your ModSecurity config, check out this tutorial (starting at step three).

Next we'll install mod_evasive, which rate-limits individual clients and will attempt to save our dying server when one source floods it. Its limits are per IP, so it helps against a single abusive client or a small botnet, not against a real distributed attack where each source only sends a handful of requests; that has to be absorbed upstream.

sudo apt-get install libapache2-mod-evasive

Next make a log directory and give its ownership to the Apache process user, www-data:

sudo mkdir /var/log/mod_evasive
sudo chown www-data:www-data /var/log/mod_evasive

The Ubuntu package ships its config in mods-available as evasive.conf (older packages named it mod-evasive.conf; check which one ls /etc/apache2/mods-available shows). Open it

sudo vi /etc/apache2/mods-available/evasive.conf

and set the following inside the <IfModule mod_evasive20.c> block that is already there:

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSLogDir /var/log/mod_evasive
    DOSEmailNotify [email protected]
    DOSWhitelist 127.0.0.1
</IfModule>

Change these to whatever works for you. DOSPageCount 2 with DOSPageInterval 1 means the third request for the same URL from one IP within a second gets a 403; DOSSiteCount 50 with DOSSiteInterval 1 means the 51st request of any kind within a second does too, which a page with many images can trip on its own, so watch the log before tightening further. Blocked clients are refused for DOSBlockingPeriod seconds and each block is written to DOSLogDir. ModSecurity blocks on its own, but the logs both modules produce are also what let you configure fail2ban and denyhosts well. Restart Apache (sudo service apache2 restart) after changing either module.
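To see what those thresholds mean in practice, here is an added example (not part of the post or of mod_evasive itself) that replays constructed access-log lines through the counting mod_evasive documents: a hit counter per (IP, URI) and per IP, reset when more than the interval has passed since the previous hit from that key, and a 403 once the count has reached the limit inside the interval. The log lines and addresses are constructed; it prints each request that would have been refused and why.

```shell
#!/bin/bash
# Added example, not mod_evasive's code: replay its page/site thresholds
# over constructed log lines of the form "ip epoch_seconds uri".

# replay_evasive PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL < log
# Prints "ip 403 uri reason" for every request that would be refused.
replay_evasive() {
    awk -v pc="$1" -v pi="$2" -v sc="$3" -v si="$4" '
    {
        ip = $1; t = $2; uri = $3
        pk = ip SUBSEP uri
        # Same IP hitting the same URI: refuse once the count reaches
        # PAGE_COUNT within PAGE_INTERVAL of the previous hit.
        if (pk in pcount) {
            if (t - ptime[pk] < pi + 0 && pcount[pk] >= pc + 0)
                print ip, "403", uri, "page"
            else if (t - ptime[pk] >= pi + 0)
                pcount[pk] = 0
        }
        ptime[pk] = t; pcount[pk]++
        # Same IP hitting anything: refuse once the count reaches
        # SITE_COUNT within SITE_INTERVAL of the previous hit.
        if (ip in scount) {
            if (t - stime[ip] < si + 0 && scount[ip] >= sc + 0)
                print ip, "403", uri, "site"
            else if (t - stime[ip] >= si + 0)
                scount[ip] = 0
        }
        stime[ip] = t; scount[ip]++
    }'
}

# Distinct IPs that would have been blocked at least once.
blocked_ips() { repl"$@"ay_evasive_placeholder 2>/dev/null; }
```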

As an aside, a lot of people don't realize a good chunk of security is wading through log files to find out what exactly happened and then trying to prevent it in the future. Don't worry, we'll be talking more about logs later.

FAIL2BAN & DENYHOSTS

fail2ban is an automated log checker: it scans logs for patterns that look like abuse and bans the offending IPs with a firewall rule, by default for ten minutes (bantime = 600) rather than forever; raise bantime if you want longer sentences. These IPs go to jail just like in Monopoly. The cool part is you can configure so many jails.

SO MANY JAILS

Add jails in a jail.local file rather than editing jail.conf directly, since package upgrades overwrite jail.conf:

sudo vi /etc/fail2ban/jail.local

and then configure your jails with some regular expressions in their own filter file. For example, for Apache's auth jail I open the stock filter

sudo vi /etc/fail2ban/filter.d/apache-auth.conf

which contains the following

failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

The <HOST> placeholder is what fail2ban replaces with its IP-matching pattern and captures to decide whom to ban, so a failregex without it matches nothing useful. These three lines cover HTTP basic-auth failures: a wrong password, an unknown username, and a mismatch (they are auth failures, not 404s; 404 floods get a separate filter such as apache-noscript). Any IP matching them maxretry times within findtime goes to jail until bantime runs out or you post bail with fail2ban-client set <jail> unbanip <ip>. Note that Apache 2.4 logs the client as [client 203.0.113.9:54321], with a port, so the 2.2-era patterns above need (:[0-9]+)? after <HOST> to keep matching. There are plenty of stock filters for other services, so use the right ones for you.

denyhosts is like fail2ban but only for SSH. It uses user-contributed data (a shared list of hosts seen attacking other people) to block SSH attacks on your system, and it's also super simple to set up.

sudo apt-get install denyhosts

Then edit your config file following the instructions within with

sudo vi /etc/denyhosts.conf

Alright, you're a bit safer now, and it wasn't even that hard to set up! Let's talk about intrusion detection systems next.

LOGWATCH

I noted before that a lot of security is watching logs so that if someone does get in, you'll at least know about it, in an effort to stop them before they reach anything sensitive. It's kind of like being a sentry for your computer. Logwatch automates that (because what is life without automation).

sudo apt-get install logwatch libdate-manip-perl

You can see a summary of your logs with

sudo logwatch | less

and you can have the daily digest emailed to you (it mails a summary every day, not only when something suspicious comes up), but I generally don't configure that because I actually like my email inbox to not be flooded.

INTRUSION DETECTION WITH PSAD

psad is a few tools rolled into one: it watches the iptables log messages for port scans and other suspicious traffic and can alert on them, so it depends on iptables logging what it drops.

sudo apt-get install psad

then go ahead and configure it (super simple setup: set EMAIL_ADDRESSES and HOSTNAME)

sudo vi /etc/psad/psad.conf

and add the following logging rules to iptables. Append them after your ACCEPT rules so that, with the DROP policy from earlier, only packets about to be dropped get logged; put them first and every packet ends up in syslog.

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG

With the new logging rules in effect, restart psad and fetch the latest signatures:

sudo psad -R
sudo psad --sig-update

DO A QUICK AUDIT WITH TIGER

tiger is a security audit suite that I really love because it bundles a bunch of checks that will help you in the long run. First we need to install it.

sudo apt-get install tiger

During the install, Tripwire (pulled in alongside tiger) will require some attention. Tripwire is a file integrity checker: it records a baseline of files that aren't supposed to change, such as system binaries and configs, and notifies you if they do and it wasn't you. This matters because attackers edit logs and binaries to cover their tracks and keep a way back in. Configure it how you see fit and proceed with the install. Once it's done, run the audit.

sudo tiger

The audit will run and, when it's finished, leave a report under /var/log/tiger that you can review (or print out and keep) to see what glaring security holes you've missed. It's not completely comprehensive, and you should never trust any audit 100%, but it's super helpful for the little things.

Running audits alone is not security.

Protect your server and keep it updated; you're always a target, so it's important to stay vigilant! This was just a brief recap of my 2.5-hour event/talk thing, and I'll be doing a recap of gtk's next week! I'll put the SlideShare up in a bit, I guess.…

SASS VS STYLUS OR WHY I HATE SASS SO MUCH

So everyone has been using SASS for years and, because I am a very lazy developer, I have been avoiding it. The whole thing sounded very confusing to me, so I soldiered on, not learning SASS or any of the popular preprocessors. I dabbled in it here and there, using it for large WordPress installs that had a lot of different templates with a lot of different colors. However, I finally saw the light one afternoon when I was on CodePen (literally my favorite hangout on the internet lately) and I saw this beautiful CSS effect:

The gradients, the beautiful drop shadow that reminded me of a 70s cartoon: this was something I had to learn if I was to make truly beautiful rainbows! Unfortunately, I am my own server admin and I had to set out installing SASS by myself on my server.

SASS is actually a Ruby library, and so according to their well-designed documentation it should be a snap to install! sudo gem install compass and away we go, right?

What I thought Installing SASS would be like

Wrong.

What installing SASS was really like

SASS has more obscure dependency libraries than a core install of Gentoo. To get my beautiful gradients to work I had to also install the Compass animation library and then the Foundation framework. So now, surely, I would have all I needed to start my beautiful gradients, correct? Still not right: even after I created the project it was having problems finding Compass dependencies. At this point, I had probably spent an hour on trying to get mixins working, and I was already getting fed up with SASS. Stack Overflow suggested that it was my folder structure, that my installation of Compass was from the wrong source (installed from the Ubuntu package manager instead of through gem), that maybe I should try the alpha version of Compass, or that my install of Ruby was corrupted.

Finally, frustrated with every compile resulting in errors, I used SassMeister to compile my code and I had beautiful gradients that didn't work! (As a side note, this was a three-hour problem that was Chrome-specific: keyframe animation still needed vendor prefixes, so you must specify the browser as @-webkit- or @-moz- etc.) Four hours into using SASS for more than specifying color variables, and I had gotten a gradient to work. I was officially sassed out. I think I stared at my gradient for four hours though, so the trade-off was decent.

STYLUS TO THE RESCUE

I will talk about how perfect Stylus is in every single way until I am lowered into my grave. Stylus is a Node.js-based CSS preprocessor, and since I've been doing a lot with Node lately, I was glad to use something other than CoffeeScript. I found some gradient text that kind of reminds me of the Zune logo and tried to implement it.

I already had npm on my server, so installing Stylus was a snap.

npm install stylus -g

I then created a folder called stylus and put my lone stylus script in the folder and ran:

stylus --compress some.styl some.css

and it compiled without error, and I think I cried, because SASS had trained me to fear the compile step. I spent the next week with Stylus, in love with its ease of use and lack of dependencies, and I added the nib framework, which added additional mixins with a simple @import.

I've been using Stylus for about a month now, and I cannot recommend it enough. Fewer dependencies, less fuss to install, less everything. Stylus is styless of a hassle (I'm sorry). Their documentation is very detailed, and while SASS is better known, I feel like Stylus will be gaining ground as more people find it easier to deal with. Don't waste your time with SASS when you can have a no-fuss, fun girlfriend of a preprocessor like Stylus.

Cover image for this post is Zorak, because I feel like he's the only sass master I need in my life.

THE GREAT FIREWALL OF CHINA AND FACEBOOK DOWN

The Great Firewall of China is the nickname for the government-controlled censorship system that sits between the people of China and the rest of the internet, but when one part of the world wide web is blocked off for a whole swathe of people, it begins to create problems for the rest of the internet. What first looked like a simple DDoS attack orchestrated by comedy group Lizard Squad reveals a deeper issue that many sysadmins are facing, involving China's DNS, abandoned parts of the internet, and misdirected traffic.

Initial reports from internet super sleuths came up with this graph, provided by a DDoS tracking service, showing a distributed denial of service attack coming from China:

It looks pretty obvious that China was going all War Games on US servers, with most of the bad traffic (telnet requests) coming from that country. China is not an uncommon source of bad internet traffic; ask any beleaguered sysadmin and he will tell you that he gets most of his malicious traffic from Chinese and Russian IPs. But this is one case where the obvious answer is not the correct answer, and pirates are responsible.

In early January, Johannes Ullrich, CTO of the SANS Internet Storm Center, posted that a reader (David) had been having problems with Pirate Bay tracker traffic flooding his server with bad requests. He reported:

David's web server was hit with a sufficient number of requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all appear to be located in China. A quick Google search revealed that he wasn't alone, but other web servers experienced similar attacks.

The tracker he reports getting requests for was abandoned back in 2009:

Today marks the end of an era, as The Pirate Bay team announces that the world's largest BitTorrent tracker is shutting down for good. Although the site will remain operational for now, millions of BitTorrent users will lose the use of its tracker and will instead have to rely on DHT and alternative trackers

So how is a dead torrent tracker coming back to haunt us? The answer lies in how the Great Firewall handles DNS. When a client inside China looks up a blocked name, the firewall injects a forged answer pointing at some unrelated address, often one belonging to a server outside China that has nothing to do with the name. The client then dutifully sends its request, Host header and all, to whichever server the bogus answer named. The effort to censor the country's internet is backfiring by sending bad GET requests (sometimes thousands per second) to the wrong servers and essentially mimicking a DDoS for the rest of us (mostly the US, it seems, according to the graph I posted at the beginning of the article).

At first it seemed as if it was only the zombified Pirate Bay tracker, but as more reports flooded in, request logs showed that more sites were the origins of this strange phenomenon. These are Host headers pulled from one such log:

host: "ads.gayfriendfinder.com",
host: "ads.w55c.net",
host: "am.6park.com",
host: "analytics.twitter.com",
host: "api.facebook.com",
host: "apis.google.com",
host: "api.twitter.com",
host: "apps.facebook.com",
host: "assets1.whicdn.com",

Many sysadmins report getting bad GET requests whose Host headers name sites that are known to be blocked in mainland China (Facebook, Akamai, The Pirate Bay, Tumblr, Instagram, etc.) thanks to that poisoned DNS, and what appeared to be a DDoS at first glance is actually the result of goings-on in China that sysadmins have been dealing with for weeks.

These bad requests mimic a DDoS in that they plague the server with connections asking for content it does not have, tying up workers and memory saying no repeatedly to every request for a Facebook, an Instagram, or gay porn. If you look past the fact that you're being hammered from China and at how you're being hammered, you'll see that it's not your average DDoS, but rather a DNS poisoning side effect; the tell is the Host header, which names a site you do not serve.
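The tell is the Host header, which the default Apache log format does not record. The added example below (not from the post; the LogFormat, hostnames and addresses are constructed assumptions) takes an access log that has "%{Host}i" as its last field and summarises, per Host you do not serve, how many requests arrived and from how many distinct source addresses: a few foreign hostnames with many sources each is this DNS side effect, whereas a deliberate flood typically carries your own hostname, an IP, or no Host at all.

```shell
#!/bin/bash
# Added example (not from the post): triage unexpected Host headers.
# Assumes Apache is logging the Host header as the last field, e.g.
#   LogFormat "%h %t \"%r\" %>s \"%{Host}i\"" hostlog
#   CustomLog /var/log/apache2/access.log hostlog

# foreign_hosts HOST... < access_log
# Prints "host requests distinct_ips" for every Host not in the argument
# list, most requests first.
foreign_hosts() {
    local allowed=" $* "
    awk -v allowed="$allowed" '
    {
        host = $NF; gsub(/"/, "", host)      # last field is "%{Host}i"
        sub(/:[0-9]+$/, "", host)            # ignore an explicit port
        if (host == "" || host == "-") next
        if (index(allowed, " " host " ")) next
        req[host]++
        key = host SUBSEP $1                 # $1 is the client address
        if (!(key in seen)) { seen[key] = 1; ips[host]++ }
    }
    END { for (h in req) print h, req[h], ips[h] }' | sort -k2,2nr
}

# Constructed log lines in the format above (documentation addresses,
# not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.10 [13/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=abc HTTP/1.1" 404 "tracker.thepiratebay.org"
203.0.113.11 [13/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=def HTTP/1.1" 404 "tracker.thepiratebay.org"
203.0.113.12 [13/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 404 "api.facebook.com"
203.0.113.13 [13/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 404 "api.facebook.com"
203.0.113.12 [13/Jan/2015:10:00:03 +0000] "GET / HTTP/1.1" 404 "api.facebook.com"
198.51.100.5 [13/Jan/2015:10:00:03 +0000] "GET /blog/ HTTP/1.1" 200 "www.example.net"
198.51.100.6 [13/Jan/2015:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 200 "www.example.net:443"
EOF
}
```

`sample_access_log | foreign_hosts www.example.net` lists api.facebook.com (3 requests, 2 sources) and the tracker (2 requests, 2 sources) and nothing for your own site. On a real server, run it as `foreign_hosts www.example.net < /var/log/apache2/access.log | head`; a long tail of blocked-in-China names each backed by hundreds of distinct addresses is the pattern described above.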

Why is Chinas Firewall doing this? Does China really hate everyone? Probably.

The answer? Blocking all requests from China seems to fix the temporary DDoS that many sysadmins have been facing, but the problem remains for many of us who have to allow traffic from around the world; a cheaper middle ground is a deliberately empty default virtual host, so that requests for Host names you don't serve get a tiny 404 without touching your real site. China's censorship is hurting more than its own people; it is now putting a load on the internet's infrastructure, and until they figure their DNS out, we'll be seeing a lot of DDoSes originating from the People's Republic.

Edit: Facebook came out today (after I wrote this) saying that its outage was a server misconfiguration, but I think I'll keep the clickbait title because I think this is a strange problem that warrants more attention.