User Journal

Journal: Affirmative Rationality

Journal by yintercept
Opened the site Affirmative Rationality. The goal of this site is to encourage people to think about the difference between high and low quality thinking.

I have also been playing with a fun site called AboutUS.org (Sample Page). This is a wiki-style directory with entries on all of the domains on the internet.
Google

Journal: Moved Blog

Journal by yintercept

I just moved my blogger blog from yintercpt.blogspot.com to the domain yintercept.com.

The blog was removed from Google with the last index update.

That happened because I did something rather foolish. Earlier this year, blogger added a feature that allowed people to add keywords to their posts. You can see all of the posts with a particular keyword by going to the URI /search/label/keyword. For example, to see the photos, you would go to http://blog.yintercept.com/search/label/photo.

I used the keywords as if they were categories and changed all of the inbound links to the site to go to the keyword pages.

Recently Blogger decided to exclude the /search directory in robots.txt. That effectively broke the majority of inbound links to the site. With the majority of inbound links excluded by robots.txt, Google decided to completely delete the blog from its index.

This same story is probably happening to all blogspot bloggers who used the keyword feature.

Of course, the real lesson of this story is that it is a waste of time to write a blog that is under the control of a third party, even if the third party is one that does no wrong.

So, I figured that since the blogspot URL was excluded from Google, I would start the process of completely removing the blog from Blogger.

It is actually a bit ironic that a site owned by Google does not have an XML sitemap and does not do the best practices touted by Google.

PHP

Journal: Less Secure

Journal by yintercept

My web host upgraded some of the programs on my account. During this change, they toggled the Magic Quotes setting on the account. That meant that I started getting the dreaded "slash effect" for all the quotes and apostrophes used on the page.

Of course, had things toggled the other way, I would have been in much worse shape. If I had programmed with the expectation that Magic Quotes were on, and the magic disappeared, I would have had crashing SQL queries and would have been suffering from an exposed system.

To be a good PHP programmer, one has to design the system so that it can handle both settings. Since PHP is a scripted language, this type of garbage wastes a lot of computer resources. This is why I am so angry with PHP's decision to add Magic Quotes.

The register globals issue has similar problems. The reason register globals was a security issue is that PHP programmers are often sloppy when initializing variables. A web site that has register globals off is slightly more secure than one with it on.

Problems arise when sloppy coders write with the assumption that register globals is off. A foolish programmer who writes as if "register globals off" were a security feature is more likely to deliver buggy code than one who knows that uninitialized variables are the security hole. A program that depends on RG Off for security will become insecure the moment that a network admin turns RG On.

The following code might appear in a program written with the expectation that RG is off:

if ($_POST['button'] == 'Login') {
    if ($_POST['password'] == 'theITguyRules!') {
        $access = 1;
    } else {
        $access = 0;
    }
}
// $access is never initialized on the path where no Login button was pressed
if ($access == 1) {
    echo 'The company bank account is ' . $account;
    echo 'There is ' . $balance . ' dollars ready for transfer.';
}

Since register globals is off, the IT guy would not catch the fact that he failed to initialize $access. The code is secure with RG Off, but insecure with RG On: a request that carries access=1 in the query string or the form sets $access before the check runs, and the Login branch is never needed.

The security hole is not register globals, but the fact that the programmer failed to initialize variables. RG Off helps protect from bad programming.

The RG toggle is easier to deal with than Magic Quotes. If you code as if RG were off and initialize all variables, your code will work for both settings. It also makes checking for uninitialized variables easier.
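
As an added example (not the author's code), here is the same login check with $access initialized, next to a harness that simulates register globals on by extract()ing a request array into the local scope. The request arrays are constructed inline, so it runs from the command line on any PHP with register_globals off; the password and field names are the ones from the snippet above.

```php
<?php
// Added example: the uninitialized-variable hole behind "register globals",
// simulated with extract() so it runs on any PHP, register_globals on or off.

// Vulnerable: $access is only assigned when the Login button is pressed.
// With register globals on, a request carrying access=1 pre-sets $access.
function checkAccessVulnerable(array $request)
{
    extract($request);               // simulates register_globals = On
    if (isset($button) && $button == 'Login') {
        if (isset($password) && $password == 'theITguyRules!') {
            $access = 1;
        } else {
            $access = 0;
        }
    }
    return isset($access) && $access == 1;
}

// Fixed: initialize $access before any request data is looked at, and read
// the request explicitly instead of letting it define local variables.
function checkAccessFixed(array $request)
{
    $access   = 0;
    $button   = isset($request['button'])   ? $request['button']   : '';
    $password = isset($request['password']) ? $request['password'] : '';
    if ($button === 'Login' && $password === 'theITguyRules!') {
        $access = 1;
    }
    return $access === 1;
}

// Constructed requests: a legitimate login, and a forged one that never
// sends the password but ships access=1 in the query string.
$legit  = array('button' => 'Login', 'password' => 'theITguyRules!');
$forged = array('access' => '1');

var_dump(checkAccessVulnerable($legit));
var_dump(checkAccessVulnerable($forged));
var_dump(checkAccessFixed($legit));
var_dump(checkAccessFixed($forged));
```

The forged request is granted access by the vulnerable version and refused by the fixed one; the legitimate login passes both. The only difference between the two functions is the line that sets $access = 0 before the request is consulted, which is the whole point of the entry.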

Anyway, I am going to waste a whole day recoding a site so that it can handle the different settings of Magic Quotes. The end result of my day's work will be a site that is just a little bit slower than it was before.

Programming

Journal: Errant Tags 1

Journal by yintercept

XML has always made me feel sick to the stomach. It sits right there with the Windows Registry in garbage technology forced on the masses.

Anyway, I was looking around for XML validators. Unlike simple delimited files or even CSV, you have to use a program to figure out if the XML is coded right.

Anyway, I am looking at the official XML.com list of validators. Not surprisingly, the list is not informative. I broke out laughing. Each entry has an errant <name> tag appended to it. The bastards who stuff this second rate technology down our gullets can't even program their own site.

Seeing errors on the pages coded by the XML gurus is not all that surprising. XML has never been about getting a job done. It has been about academicians and industry gurus hyping the new hype.

The site is not as pretty, but I enjoy XML Sucks. They seem to have a better understanding of what XML really is.

PHP

Journal: Hacking an HTML Form for first graders 2

Journal by yintercept
I've read a number of PHP sites (and have spoken with supposed PHP gurus) who say that, as a security matter, web sites should never draw information from $_REQUEST. They should only draw data from $_POST or $_GET. Basically GET data is the stuff in the URL. POST data is the stuff that comes from a form with method set to "post".

Some of these wanks actually seem to think that POST data is somehow more secure than GET data. A hacker can manipulate GET data by typing stuff in the address bar.

Well, for folks who think that POST data is somehow more secure than GET, I thought I would write a quick tutorial on hacking POST data. Here Goes:

You can hack at a site that uses HTML forms by saving the form to your disk. You then use view source to edit the file. If the form used a relative URL, you would need to change that to an absolute URL. You then might want to change all of the type="hidden" inputs to type="text" inputs.

With less than a half minute of effort a first grader can start hacking on a post form.

Most of the really serious hacking jobs I've detected on my sites have come from people using forms, and not from people manipulating the URI query string.

Anyone who buys the line that POST is somehow more secure than GET is suffering a serious lack of understanding of the way things work.

BTW, the reason that I am on this rant is that the impulse to distinguish between POST and GET is actually problematic for me. I am used to using an n-tiered approach to web development. Each layer of the structure exposes an interface to the next layer. The database layer, where I do most of the data validation, would want to know that the data came from the web server. It really doesn't care how the web client sent the data to the web server.

I can see some value in distinguishing between POST and GET in programs that actually produce web pages. I could even see merit in writing code to help determine if a call is part of a hacking attack. However, I don't hold the illusion that such measures buy me any security.
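
As an added example, not from the original post: a forged POST sent from a script, which is exactly what "save the form, edit the hidden fields, resubmit" amounts to on the wire, followed by the kind of server-side layer the entry argues for, one that validates the data without asking whether GET, POST or $_REQUEST delivered it. The target URL, field names and catalog are hypothetical; the same point recurs in the Register Globals Off entry further down.

```php
<?php
// Added example (not the author's code): forging a POST from a script, and
// a server-side validator that does not care which verb delivered the data.

// Client side. The URL and fields are hypothetical; the form's hidden field
// said price=49.99 and the attacker simply sends 0.01. Nothing on the wire
// records that the field was ever "hidden", or that a browser sent it.
function forgePost($url, array $fields)
{
    $ctx = stream_context_create(array('http' => array(
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query($fields),
        'ignore_errors' => true,   // hand back the body even on 4xx/5xx
    )));
    return file_get_contents($url, false, $ctx);
}
// Not executed here (there is no server to talk to); the call would be:
// forgePost('http://localhost:8080/order.php',
//           array('item' => '1234', 'qty' => '1', 'price' => '0.01'));

// Server side. Whether $in is $_GET, $_POST or $_REQUEST, the checks are the
// same: shape-check what the client may supply and take the price from the
// server-side catalog, never from the request.
function buildOrder(array $in, array $catalog)
{
    if (!isset($in['item'], $in['qty'])) {
        return null;
    }
    if (!preg_match('/^\d{1,8}$/', $in['item']) || !preg_match('/^[1-9]\d{0,2}$/', $in['qty'])) {
        return null;
    }
    if (!isset($catalog[$in['item']])) {
        return null;
    }
    // $in['price'] is never read, so the edited hidden field changes nothing.
    return array(
        'item'  => $in['item'],
        'qty'   => (int) $in['qty'],
        'price' => $catalog[$in['item']],
    );
}

// Constructed catalog and inputs: the honest form, the edited one, and a
// malformed quantity. The first two produce the same order.
$catalog = array('1234' => 49.99);
print_r(buildOrder(array('item' => '1234', 'qty' => '1'), $catalog));
print_r(buildOrder(array('item' => '1234', 'qty' => '1', 'price' => '0.01'), $catalog));
var_dump(buildOrder(array('item' => '1234', 'qty' => '0'), $catalog));
```

The edited hidden field is simply never consulted, which is the only robust answer: a field the client must not control should not be a field at all, and a check on $_SERVER['REQUEST_METHOD'] would not have changed anything here.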
PHP

Journal: Stripping Slashes 3

Journal by yintercept
Zend's waffling on features like register globals and Magic Quotes has made programming more like walking through a minefield than simple scripting. To have the same script run on different servers, the script must detect the current settings, then act accordingly.

It is not that I have problems with the idea of detecting settings and acting accordingly. It is just that such actions are very inefficient in a scripting language. (It would not be a problem in a compiled language).

Anyway, I am trying to figure out how to write a program for populating a database that would work with Magic Quotes on or off. If this were a compiled language, I would simply write a replacement for addslashes(). The replacement would not add slashes if slashes had already been added. Such a scheme would prevent the double slashing effect, but would fail when a person wants to add slashed data to the database. For example, if you were writing documentation for PHP, or were storing PHP code in a database.
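
As an added example (not the author's code), for both this entry and the Less Secure entry above: instead of guessing whether slashes are already present, strip the Magic Quotes slashes once at the edge when the setting is on, and let a prepared statement do the quoting on the way into the database. The program then stores identical data under either setting, and a body that itself contains backslashes or quotes (stored PHP code, a Windows path) comes back byte for byte. The notes table, the two request arrays and the in-memory SQLite database are constructed for the demonstration; it assumes the pdo_sqlite extension.

```php
<?php
// Added example: normalize request data once, at the edge, so the rest of
// the program never needs to know whether magic_quotes_gpc was on.

// Recursively undo addslashes() on a request array (nested arrays included).
function stripMagicQuotes($value)
{
    return is_array($value) ? array_map('stripMagicQuotes', $value) : stripslashes($value);
}

// Normalize a request. $magicOn defaults to the live setting; it is a
// parameter here so both code paths can be exercised in one run.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function normalizeRequest(array $request, $magicOn = null)
{
    if ($magicOn === null) {
        $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicOn ? stripMagicQuotes($request) : $request;
}

// Store and read back through bound parameters. No addslashes() anywhere:
// the driver quotes the value exactly once.
function storeNote(PDO $db, $author, $body)
{
    $stmt = $db->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
    $stmt->execute(array(':author' => $author, ':body' => $body));
    return (int) $db->lastInsertId();
}

function fetchNote(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT author, body FROM notes WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed inputs: the same two fields as a Magic-Quotes-on host delivers
// them (slashes already added by PHP) and as a Magic-Quotes-off host does.
// The body is a line of PHP code containing both a quote and a backslash.
$fromMagicOnHost  = array('author' => "O\\'Reilly", 'body' => "\$p = 'C:\\\\temp'; // it\\'s a path");
$fromMagicOffHost = array('author' => "O'Reilly",   'body' => "\$p = 'C:\\temp'; // it's a path");

$a = normalizeRequest($fromMagicOnHost, true);
$b = normalizeRequest($fromMagicOffHost, false);

$rowA = fetchNote($db, storeNote($db, $a['author'], $a['body']));
$rowB = fetchNote($db, storeNote($db, $b['author'], $b['body']));

echo $rowA['body'], "\n";
echo ($rowA === $rowB) ? "identical rows from both settings\n" : "MISMATCH\n";
```

The cost the entry worries about is one is_array()/stripslashes() pass over the request when the setting is on and nothing at all when it is off; the double-slash problem disappears because slashes are removed exactly once on input and added exactly once (by the driver) on output.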
PHP

Journal: No Options

Journal by yintercept

The HTML select tag numbers among the most awkward data structures ever conceived. The select tag lets you present a list of options on a form. You open the list with a <select> tag. You then send the data for the options in tags of the form <option value="id">display value</option>. In HTML 4 the close tag is optional, but XHTML requires it, and you cannot close the tag with a />, since HTML 4 does not recognize self-closing tags. You point out the active option by including the valueless attribute "selected" in the option tag for the active value.

I think the mistake of the HTML designers was that they thought of each item in an option list as an item for display, when in practice it is only the selected one.

On analyzing the bandwidth of Community Color, I found that the select tags make up about half the bandwidth consumed by the site. I would not be surprised if a full tenth of all HTML traffic coursing through the net was simply open and shut option tags. The option list containing the ISO database of countries is 10k.

Even worse than the bandwidth waste, I found that over half the database activity was consumed populating option tags. I often do complex joins to show just the right option list and to put the silly little SELECTED attribute next to the selected option.

I can't do anything about the bandwidth consumed by the tags. I think I might be able to reduce the load on the server needed to generate the tags by buffering them in include files. I hadn't done this in the past because I figured I would still have to look through the data a line at a time to determine the selected option. What I am trying right now is to buffer the data in a file, then to do a str_replace() to replace the code value="xxx" with value="xxx" selected. My new way of handling select lists is essentially:

// $name is the name of the select variable
// $val is the current value.
// str_replace checks for $chk and replaces it with $rep.
// $name and $val must already be HTML-escaped, or a request-supplied
// value can break out of the attribute.
$chk = 'value="' . $val . '"';
$rep = 'value="' . $val . '" selected';
echo '<select name="' . $name . '">';
echo str_replace($chk, $rep, file_get_contents($file_nm));
echo '</select>';

Reading the buffered file should be faster and take less memory than the database queries. The big question will be to see if it reduces the load on the database server.
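
As an added example (not the author's code), the cache-and-str_replace idea carried through with the value escaped on both sides of the comparison, so a $val taken from the request can neither inject attributes nor break out of the tag, plus a flag telling the caller whether $val matched any option at all (the original prints the list silently when it does not). The country rows stand in for the database query and the cache file goes to the system temp directory; both are constructed for the demonstration.

```php
<?php
// Added example: cached option list + str_replace, with escaping that is
// consistent between the cache and the lookup value.

function esc($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Build the option list once from the database rows and write it to a file.
// $rows is id => label; here it is a constructed stand-in for the query.
function buildOptionCache($file, array $rows)
{
    $html = '';
    foreach ($rows as $id => $label) {
        $html .= '<option value="' . esc($id) . '">' . esc($label) . "</option>\n";
    }
    return file_put_contents($file, $html, LOCK_EX) !== false;
}

// Render the cached list with the current value marked. Because the cache
// was escaped with the same esc(), the escaped $val matches exactly the
// option it should, and an injection attempt matches nothing. $val itself
// is never echoed; only the cached file is.
function renderSelect($name, $val, $file)
{
    $options = file_get_contents($file);
    $chk     = 'value="' . esc($val) . '"';
    $options = str_replace($chk, $chk . ' selected', $options, $count);
    $html    = '<select name="' . esc($name) . '">' . "\n" . $options . '</select>';
    return array($html, $count === 1);
}

$file = sys_get_temp_dir() . '/country_options.html';
buildOptionCache($file, array('DE' => 'Germany', 'FR' => 'France', 'US' => 'United States'));

list($html, $matched) = renderSelect('country', 'FR', $file);
echo $html, "\n", $matched ? "FR selected\n" : "no option selected\n";

// Attribute injection attempt from the request: after escaping it matches
// no option, so the list is rendered with nothing selected and the
// attacker's string never reaches the page.
list($html, $matched) = renderSelect('country', '" onfocus="alert(1)', $file);
echo $matched ? "injected value matched?!\n" : "bad value ignored\n";
unlink($file);
```

The $count === 1 flag is worth keeping: with option ids unique it is either 0 or 1, and 0 is the case where the stored value no longer exists in the list, which otherwise silently renders as the first option.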

It is strange. As I try to upgrade my programs to new standards (UTF-8, XML, HTML Strict), I feel that the signal to noise ratio is increasing exponentially. I so much preferred the days when people gave some thoughts to efficiency. Deep in my heart, I think efficiency is the height of elegance.

PHP

Journal: Register Globals Off

Journal by yintercept

I admit, I am one of those programmers who became addicted to the register globals feature of PHP. This feature was on by default in PHP 4 (until 4.2.0 turned it off). I moved to a new host and PHP 5, where it is off, and all my programs are broken.

The register global feature made it so all of the GET and POST elements would appear in a PHP program as variables. Hackers quickly learned that you can sometimes break into a site simply by hitting the site with random variables ... hoping to find a variable that was not properly initialized.

My way around this security threat was to put everything in functions. My hope was that the parameter list for the function would filter out any hacks. If you pressed a submit button on a form with inputs "one", "two" and "three"; the data would simply go straight into a function with parameters ($one,$two,$three). Any additional variables thrown by a hacker would be ignored.

Because I feel comfortable that the parameter list does a sufficient job of filtering out additional variables, I might consider running extract($_POST, EXTR_SKIP) to simply simulate Register Globals On. All of the pages I read say that this is a very bad idea.

I also thought about running the following code:

$varList = array('one' => 'int', 'two' => 'str', 'three' => 'int');

foreach ($_REQUEST as $key => $value) {
    if (!isset($varList[$key])) {
        continue;                           // not on the list: never reaches the symbol table
    }
    if ($varList[$key] == 'int') {
        ${$key} = (int) $value;
    } elseif ($varList[$key] == 'str') {    // was $varType, so strings were never imported
        ${$key} = strValidation($value);    // the author's string validation function
    }
}

It seems that the above code would let me specify what elements I want in the program's symbol table. Of course, I am also thinking about just using the data directly from $_POST and $_GET. It is a hassle.

Having register globals off is a hassle. I am not sure if I am gaining any additional security by going through all the brain damage needed to handle this change.

BTW, in reading different pages on this issue, I've found several people who seem to have the illusion that POST data is somehow more secure than GET data. All a hacker needs to do to play with POST data is save your form to disk, then put whatever they want in the input fields. People can change the data in cookies. Anything that comes from the web is a security risk.

Music

Journal: aPlus - Ryan Hillers Music 1

Journal by yintercept
I moved Ryan Hiller's web site to a new server. The site has three free songs with a nice rock beat. Now that he has more bandwidth, I hope he opens the album up and makes all of the songs available.

Ryan is trying to make a go at it in San Diego. In the buy local first train of thought, we put the site on aPlus.Net. Their data center is in San Diego.

Unfortunately, aPlus.net does not allow people to run the PHP preprocessor on .html files (which is a major drag). From the perspective of the end user, it is an html file; so it should have a .html extension.

The basic idea of the site was to provide three free songs and to sell the CD for $10 a pop. In 5 years the site sold exactly one CD.

That proves what the free music crowd said. "If musicians gave their songs away for free; They would sell A CD." The site sold A CD. The theory was proven.

The only problem with the theory is that musicians require beer, and, the bartender, he don't work for free.
PHP

Journal: PHP ... An Object of Frustration

Journal by yintercept
I am sitting here upgrading a program (Community Color) to PHP 5. I originally wrote the program procedurally since there were people on the project who were new to OO programming.

So, I sat down and rewrote the program with a full object model, and now my brain is screaming because writing everything out in a full object model seems to be adding all sorts of extra overhead. If this were PL/SQL, Java or C++, I would be extremely happy with the new program. However, the full object model just doesn't feel right for a scripting environment like PHP.

The idea for this site was just to be a mindlessly simple directory and calendar. The same page gets pulled up a large number of times.

Each page is a very distinct path through the object model.

Here is what is sitting in my brain: A path through an object model is a procedural program. If each call goes through the same path, then why not just accept that, and take advantage of the efficiencies of straight procedural programming?

The other part of my brain screams: people think less of programmers who write procedural code. No-one, other than myself, will ever buy the idea that the procedural programs I had written were in fact simply a pathway through the object model in my mind.
Internet Explorer

Journal: tfswctrl.exe 2

Journal by yintercept
One of the things I really dislike is that modern software companies jam pack computers with non-essentials. One of the non-essential programs that routinely gets me ticked off is tfswctrl.exe by Veritas. This program has something to do with writing to CDs. I have written to CDs about 10 times in the last three years. IMHO, anything dealing with writing to CDs should be loaded only when writing to CDs. Instead the program seems to get loaded at start up.

tfswctrl.exe routinely crashes on my machine. One out of three times I shut down, the program fails to exit.

Of course it is not just Veritas that makes my blood boil. It seems like half the software companies around install some sort of garbage at startup.

I made the mistake of installing McAfee. McAfee consumes close to a minute each start up trying to sell me more McAfee products. I really hate the direction that software vendors have chosen to follow. The products you buy all want to install at startup (when they should really install when you are wanting to run the program). Companies like McAfee overload their products with advertisements for more McAfee products.

Anyway, I had decided to try and install ie7 for kicks. For some unfathomable reason tfswctrl.exe crashed during the install. My guess is that the ie7 install must have checked to see if I had a CD. I found a page listing a few of the problems people have had with tfswctrl.

I am now wondering if I should try the IE7 install again. Grumble, grumble. Software companies are just getting worse and worse as time goes on.
United States

Journal: Force in Numbers 4

Journal by yintercept
The current immigration debate is remarkably similar to the music sharing debate that rocked the Internet community a few years back. Both debates came about because antiquated laws simply were not geared to current needs. The strongest similarity between the IP and immigrant debates is the idea that if enough people break the law and create a social movement, that the laws will change in favor of the social movement.

This idea failed in the music sharing debate. I suspect that the protests will work in the immigration debate.

The primary reason for the difference is the cost of compliance. A person could come into compliance with IP laws simply by deleting file shares or by deleting downloaded files. Complying with immigration laws requires costly court battles and deportations. Many of the immigrants are people who simply can't go back. The cost of deporting 12 million people is really beyond our means.

A second reason is that increasing the number of immigration slots fits in with the goal of transforming North America into a single market.

On the cynical side, we probably won't send immigrants back because a large number of businesses interests are aligned with the immigrants. Business interests were uniformly aligned against file sharing.

A final difference between the debates is the tone of the debate. The immigrant protests began with the typical in-your-face "our-mass-movement-will-rock-your-world" style rallies. The second round of rallies took the more conservative tone that immigrants weren't trying to transform society, but want their needs and contributions recognized as part of society.

In this world where our laws are becoming out of sync with our technological and social needs, we are left in a quandary of how to achieve change. Our legislative bodies have a poor record of adapting to change, yet this process of breaking laws to force change gradually undermines the rule of law at the foundation of society. Even worse, this process of discourse hurts good people like the HB52 workers who returned to their homelands when we prematurely expired their work permits. Legitimizing the undocumented immigrants also hurts the long line of people who are trying to immigrate through legal channels.
Programming

Journal: Transcendental Elitism

Journal by yintercept

I have to admit, one of my biggest enemies in life has been transcendentalism. Transcendentalism has been the rage since Kant.

Transcendental philosophies generally push the illusion that there is an elite group that has a higher way of thinking about things. For example, in math, we are given the illusion that transfinite theory is a higher way of thinking than classical discourse. Psychology produced a series of philosophies that were posited as a higher way of thinking.

In programming, Object Oriented Programming was positioned not simply as a technological improvement, but as a higher way of thinking. There are many technical advantages of using a OO design. Design decisions, however, are best made on the technical requirements and not on the sense that one technology is more elite than another.

For small clients, I generally push the idea of using PHP rather than Java Servlets. I would have preferred to work with Java, but the client was better served by PHP.

I think that when people get too caught up in the elitist allure that they are thinking at a higher level than the rest of us mortals, they sometimes end up making very profound mistakes in their design.

Deep inside, I've always wanted to be that person working on the extreme edge of technology and science. I think the truth in life is that the edge is an illusion and we serve the people around us best by looking at their needs and designing for their needs and to skip the view of programmers as people living on a higher plane.

Once you develop the view that there is one person, or a group of persons who think at a higher level; you immediately find yourself in a world where who a person is is more important than what they say. The best world is one that accepts input from a diversity of points of view.

The Internet

Journal: Isolating Porn

Journal by yintercept
A talking head on TV was squawking about how porn was ubiquitous.

As a hobby, I have been working on building community directories. To build the directories, I basically find central web sites in a community, then follow the links from these central pages until I have a good representation of the sites in a town.

This process brings me through a large number of web sites.

In this process, I've come across surprisingly few porn sites. People rarely link to porn in their day to day lives.

The primary ways the porn lords inject their sites into the local community is when they buy up expired domains and use the expired domains as feeder pages. I have to remove about 6 or 7 web sites a year from my directory because they turn to porn sites. Web sites that don't pay attention to their links page often end up with links to porn.

Anyway, the reason I like the idea of a .xxx TLD is that, with a dedicated porn TLD, we might be able to thwart that portion of the porn market that buys expired domains and sets them up as web traffic traps.

Other than the expired domain problem and problems with programs that fill guestbooks and comment pages with links to porn sites, the mainstream and porn industries are adequately separated in the status quo.

Interestingly, I've also noticed that churches tend to be separated from the community at large. I rarely find web sites that link to their local church. I think many people are scared that linking to churches in town will get their opinions labeled as kookish.
User Journal

Journal: Photo Galleries

Journal by yintercept
My picture gallery site seems stable enough to start adding pictures. (Assuming my ISP doesn't change the IP of the server, grrr.).

I have a big backlog of subjects, most taken with my crappy old camera. The quality of pictures from this camera seems to have deteriorated through the years. Here are a few of the new pages:

* Denver Civic Center Park
* Fort Collins

With my new camera, I took some shots of:

Ferguson Canyon in Salt Lake and South Temple

"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come." --Matt Groening
