Does Debian's Packaged PHP Include Suhosin?

I had noticed several times running PHP scripts that the default PHP install that comes from Debian repositories at the moment seems to include Suhosin – running ‘php -v’ yields:

PHP 5.2.6-1+lenny9 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 4 2010 03:25:57)

I had assumed this meant Suhosin was installed, but I was a bit confused as to why Suhosin functions like sha256() and sha256_file() didn’t exist, and also why the constant CRYPT_BLOWFISH didn’t appear to be set.

After a bit of looking around I finally thought to look at the actual Debian package page, which indicates there are actually two variants of PHP/Suhosin:

The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

So I assume the one that comes with PHP when installed via the usual apt-get method is the first variant, and if you want the fully-fledged Suhosin you’ll need to figure out how to install the other one.
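As an added example (not code from the original post, from Debian or from the Suhosin project), a script that reports which Suhosin parts a build actually carries, so the patch-versus-extension question can be answered without reading `php -v`. It assumes the extension registers itself under the name "suhosin" and that the core patch defines a SUHOSIN_PATCH constant; if that constant check comes back false on a patched build, phpinfo() is the fallback.

```php
<?php
// Added example, not part of the original post: report which Suhosin
// parts this PHP build carries. The SUHOSIN_PATCH constant check is an
// assumption about the core patch; phpinfo() is the fallback if it fails.

function suhosinStatus()
{
    return array(
        // The core patch: low-level protections compiled into PHP itself.
        'patch'     => defined('SUHOSIN_PATCH'),
        // The extension: the full protection set, loaded as a module.
        'extension' => extension_loaded('suhosin'),
        // Functions the extension adds; absent with the patch alone.
        'sha256'    => function_exists('sha256') && function_exists('sha256_file'),
        // CRYPT_BLOWFISH is a core constant that is 1 only when usable.
        'blowfish'  => defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1,
    );
}

// Turn the checks into the one-line answer the post was looking for.
function describeSuhosin(array $s)
{
    if ($s['extension']) {
        return 'Suhosin extension loaded' . ($s['patch'] ? ' (core patch too)' : '');
    }
    if ($s['patch']) {
        return 'Suhosin core patch only: no extension functions such as sha256()';
    }
    return 'No Suhosin patch or extension detected';
}

$status = suhosinStatus();
foreach ($status as $name => $present) {
    printf("%-10s %s\n", $name, $present ? 'yes' : 'no');
}
echo describeSuhosin($status), "\n";
```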

The Vote-o-matic 2010

Last week I stumbled across this spreadsheet, which had been put together by a bunch of Internet types. It is basically a list of all (or most) of the Australian political parties, a stack of policies, and how those parties feel about those policies.

This was something I had been wanting to compile at elections past, with a view to trying to do something useful with it. As with many things I have wanted to do, I never found time, so I was very happy to see someone else had done most of the hard work.

I thought it would be an interesting experiment to see how closely my personal preferences on all these topics aligned with these parties, so I threw together a little webpage which I dubbed (in a fit of originality) “Vote-o-Matic“.

Basically, you just select whether you oppose or support a particular policy, then hit the submit button, and the system simply calculates how many hits you get with each party. It is nothing fancy and people certainly shouldn’t treat it like a major feat of engineering; it was hacked together in about an hour late one night after a game of football.

It is very simple, though after sharing it around with a few people, it became clear that something like this could be a useful tool. Several people have volunteered some great ideas, and – if time permits – I hope to implement them in “version 2.0”. For example, a major flaw of the system at the moment is it gives more weight to parties that have more known positions on policies, simply because there’s a greater chance you’ll have matches with them. Having some sort of weighting would help mitigate that problem (or, alternatively, representatives of all the parties could contact the spreadsheet maintainers and get their positions listed so the data is complete).

While I hope that people don’t really use this to decide who they should vote for, I hope it helps to give people more information about our great country’s political parties. I know several people have been surprised to see how closely their preferences match one party over another (“hey, maybe I /am/ a socialist!”).

I hope that people use this as an excuse to do some more in-depth research about who they should be voting for, rather than basing their decision on whatever single emotionally-charged issue they happened to see covered on TV.

As mentioned on the Vote-o-matic page I am happy to listen to any and all feedback and will reply to whatever I can (if you include an email address!); I’ll action any reasonable suggestion I can as well.

If you haven’t seen it, you can access Vote-o-matic here: https://trog.qgl.org/voteomatic

MBF Newsletter Mail Merge Mistake

Either someone is doing an excellent job phishing for MBF member details, or they screwed up sending out their most recent email newsletter.

The newsletter’s subject is “Your chance to win 10K worth of prizes” and it contains the following text:

Hi William,

At MBF we want to help you get the most from your health insurance.

Register to receive our updates via email today and we can help to keep you healthy and happy.

To register click here, login to myMBF and make sure you complete your contact details and update your communications preferences to email. If you’re already registered, make sure you check your details in case anything has changed since you last visited.

Two things immediately jump out at me here:

  1. My name isn’t William. Something has gone wrong with their mail merge and it’s put someone else’s name on my email. Embarrassing, but not fatal.
  2. I have all my MBF communications set to ‘post’ – all email options (that I can find) are switched off.

To complicate things further, the links are all of the form: http://p1.eservicesesp.com/cts/click?q=randomcharactershere – no doubt this is a mailing service that they’re using to track newsletter click throughs, but to a casual observer, it looks like it might be a phishing attempt.

The net result of this email is that it looks like a phishing attempt. But it’s almost certainly just a screw-up on behalf of MBF and/or the marketing agency they’ve employed to handle their bulk emails.

To make things even more painful, there’s no easy way to report the problem to MBF listed in the email (a simple “if you believe you have received this message in error, click here” link would have done the trick), or on their website. Even logged in, you don’t get an option to provide feedback over the web or via email – you have to use the phone or write them something called “a letter”.

Sending newsletters to lots of people is hard. But it’s not that hard. We’ve done it at Mammoth every week for almost eight years, sending millions of emails to hundreds of thousands of subscribers, so if you need some advice on how to do it right, maybe you should ask us :)

Advertising Tricks Using GeoIP

This story does not make web advertisers look good, although it’s almost so obviously phony that it barely warrants mentioning.

I randomly clicked on an island ad on a site that I was visiting (I sometimes do this to give them a click-through and show some support).

I got sent to the URL http://www.newswebdaily.com/health/white-teeth/index1.php, which then redirects to a new URL with a few different parameters in the query string.

It’s an ad that tells the story of Becky Bell, a teacher who wanted to try a teeth-whitening product:

For a split second, I thought “wow, that’s weird – she’s in Brisbane, Queensland, just like me!” Then I decided that seemed a bit too much like a coincidence, so I activated my US-based proxy server (handy for web development and testing) and got the following page:

So, to be crystal clear – this ad changes based on the location that you are viewing the page from, presumably to give you some feeling of confidence that it was a “local gal” that benefited from this product. Clearly, Becky Bell is not from Brisbane and Dallas at the same time.

Moral of the story: beware of advertising that just so happens to have your exact city and country in it like this.

Cumulative Moving Average in PHP

My brother needed to figure out how to do a “moving average” in some code he was writing a while ago. I’d never done this before and couldn’t find any really simple code examples so ended up on Wikipedia where I found it’s actually called a cumulative moving average.

Super simple code example follows:

<?php
$numbers = array(1,2,3,4);

// A simple function to calculate averages
function average($array)
{
	return (array_sum($array) / count($array));
}

/*
 * Simple function to calculate moving average with the following parameters
 * $datapoint - the most recently acquired new datapoint
 * $average - the current average
 * $count - the total number of items we're dealing with
 */
function cumulativeAverage($datapoint, $average, $count)
{
	return $average + (($datapoint - $average) /  $count);
}


// First let's print the average calculated normally so we can compare to the final result
print "Normal average:\t\t".average($numbers)."\n";


// $lastav stores the most recently calculated average
$lastav = 0;

// Loop through all the numbers in the array and calculate the cumulative average each time
for ($i = 0; $i<sizeof($numbers);$i++)
{
	$lastav = cumulativeAverage($numbers[$i], $lastav, $i+1);
}

print "Cumulative Average:\t".$lastav."\n";

?>

FlashGet Sucks, and Should be Blocked

Over on AusGamers, we run a moderately popular download service for files. We push out around, oh, 30 terabytes a month of data (this is a lot).

Our file servers work pretty hard, but we prefer the work they do be related to just reading files off disk and throwing them down the wire at users. Unfortunately sometimes they have to do other things – like deal with bad requests from really terrible download software.

In this case, FlashGet is the bad download software. It is really annoying. Here’s a few reasons why:

  • If you give it a URL that 404s or 403s (ie, a URL that doesn’t exist or is forbidden), FlashGet inexplicably wants to keep retrying that URL, over and over every two seconds.
  • It incorrectly identifies itself as an IE5-based browser. This is just rude at best, and flat-out lying at worst.

I have written about this earlier, but now that I’ve seen the following data from a single month of usage on our file servers, I think the time has come to do something more:

[Image: flashget-sucks]

The top entry here is FlashGet, with over 16 million hits to our server. The vast majority of these hits are 403 or 404 errors from repeatedly trying to access files that are no longer there or that it no longer has access to.

At this stage the plan is to block FlashGet users. This is harder than it sounds because it is so stupid it ignores things like 403s and 404s and keeps retrying. What I am thinking we’ll do is detect FlashGet via the user-agent string and then redirect them to a different file. The file will be a little video file that explains why their download failed.
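As an added example (not code from the original post or from AusGamers), a log tally that surfaces the pattern described above: a user agent whose hits are mostly 403/404 because it keeps retrying dead URLs. The log lines are constructed samples in Apache combined format, and the user-agent strings are made up for illustration.

```php
<?php
// Added example, not part of the original post: tally an access log by
// user agent and report what share of each agent's hits are 403/404.
// The log lines below are constructed samples in Apache combined format.
$sampleLog = <<<LOG
10.0.0.1 - - [04/Aug/2010:10:00:00 +1000] "GET /files/old.zip HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) FlashGet"
10.0.0.1 - - [04/Aug/2010:10:00:02 +1000] "GET /files/old.zip HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) FlashGet"
10.0.0.1 - - [04/Aug/2010:10:00:04 +1000] "GET /files/gone.zip HTTP/1.1" 403 210 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) FlashGet"
10.0.0.2 - - [04/Aug/2010:10:00:05 +1000] "GET /files/new.zip HTTP/1.1" 200 52000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
LOG;
// Parse one combined-format line; null for malformed lines, which are skipped.
function parseLogLine($line)
{
    $re = '/^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('status' => (int) $m[1], 'agent' => $m[2]);
}
// Per-agent counters: total hits, 403/404 hits, and the error share.
function tallyByAgent($log)
{
    $agents = array();
    foreach (explode("\n", $log) as $line) {
        $hit = parseLogLine(trim($line));
        if ($hit === null) {
            continue;
        }
        $ua = $hit['agent'];
        if (!isset($agents[$ua])) {
            $agents[$ua] = array('hits' => 0, 'errors' => 0);
        }
        $agents[$ua]['hits']++;
        if ($hit['status'] == 403 || $hit['status'] == 404) {
            $agents[$ua]['errors']++;
        }
    }
    foreach ($agents as $ua => $a) {
        $agents[$ua]['error_share'] = $a['errors'] / $a['hits'];
    }
    return $agents;
}
// Agents whose traffic is mostly errors are the candidates for the
// user-agent based redirect the post proposes; review before acting.
foreach (tallyByAgent($sampleLog) as $ua => $a) {
    $flag = ($a['hits'] >= 3 && $a['error_share'] > 0.5) ? 'FLAG' : 'ok  ';
    printf("%s %4d hits %3.0f%% 403/404  %s\n", $flag, $a['hits'], 100 * $a['error_share'], $ua);
}
```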

Alltern8.com is hiring Writers & Bloggers – Spam?

I’ve been getting the following email to a few email addresses:

Hi Everyone,
Alltern8 (www.alltern8.com) is gathering together a group of dedicated experts in MMO Games, LARP & Ren Faires, Tabletop and Collectible Card Games, Tabletop Wargames, PC & Console Games, Comics/Graphic Novels, Cosplay/Memorabilia, and Indie Music & Film to hire a brand new blogging and writing network! This is your chance to make your voice heard about the games you love to play and the events you love to attend.

… and so on in that manner. The subject is ‘Alltern8.com is hiring Writers & Bloggers’.

On the surface it seems like a legitimate email that I might have (inadvertently) signed up for. But I’ve never been to their site before, or heard of it. I have almost every single website sign-up email I’ve ever been sent – since 1999 – and I don’t have one from their site.

I look in the footer of the email where the unsubscribe options are, and I see this:

Alltern8.com only emails to addresses collected via its own site or one of its associated partner sites, we take SPAM seriously so please unsubscribe by replying with the subject UNSUBSCRIBE and you will no longer receive mails from us. This is the quickest way to stop getting mail via our site.

So maybe it was an associated partner site I signed up to. Possible.

But then – something happened! I got the exact same email to a QGL mailing list, which has long been targeted by actual real spammers.

Now the most likely scenario has changed. I think they’re spammers. I’ve replied to their email (for reference, always a foolish thing to do, because it can simply just highlight the fact that your email address is still active and ripe to be spammed).

It’s an interesting issue. If I was less anally retentive about emails I get and where they come from, I would have just accepted this as something I signed up for and moved on. So much spam I get these days just has a similar footer, a we’re-so-innocent routine that is rapidly becoming tiresome – “oh, you must have signed up for something with us at SOME point, how ELSE would we have gotten your email.”

I’ll be making sure that we accurately track sign-up information so when users want to know why they got a newsletter, we can say “well, you can see right here that on the 15th of May 2009, you created an account and left the ‘subscribe to newsletter’ checkbox ticked!”

edit: Shortly after posting this, someone from alltern8.com replied – check the comments for their thoughts.

Reporting problems on web sites – the bare minimum

We regularly get people asking us about issues (real and imaginary) on our websites. There are a variety of frustrating ways users can report problems with websites, including the favourite classic – “it doesn’t work”.

If you’re ever on a website and it has a problem or something isn’t working as expected, you should definitely take the time to report it. Problems often can go completely unnoticed by the development team, especially on large websites, and it’s only when they’re actually brought to someone’s attention that they are fixed.

However, if you are going to report a problem with a website, then there’s a couple of things you should try to remember to include, at an absolute bare minimum, to help the people at the other end know what you’re talking about:

1) A URL. This is the bit of text in the address bar that shows what page you are on. It looks like http://www.sitename.com/pagename/, and without it the site developers will probably have no idea what you’re talking about.

2) Some information about what you were doing at the time. Even simple things like saying what you clicked on or what you were reading can provide useful information.

3) Information about your computer, including what web browser you’re using (if you don’t know, it’s probably Internet Explorer) and what operating system you’re running.

Anything else you can add would be gravy, but including this data will greatly help anyone that is reading your request try to figure out how to help you!

Unpacking / extracting a .rpm file

I have never figured out the RPM package management system. It’s mostly because I haven’t tried hard, but it still makes me feel like a moron.

Every now and then I stumble across a package that, for whatever reason, is only distributed in .rpm form. Right now I wanted to install nano on godaddy.com’s shared hosting (because I’m also too lazy to learn vi), and the easiest way I could think of was to nab the .rpm and just rip out the nano binary.

Turns out this is really easy from a Linux shell:

# rpm2cpio [rpm filename] | cpio -idv

Another victory for laziness! It spewed out a bunch of stuff, I nabbed the nano binary, threw it on my godaddy shared hosting using wget via ssh, and now I have a fully functional and awesome editor (no matter what anyone tells you).

ANZ on the Security of Email

A while back, ANZ offered me the opportunity to receive some of my statements as ‘e-statements’. While I fully approve of the move away from paper, I must confess I was slightly disappointed to find out that they’d be emailing me notices about these e-statements – one of the big reasons I think Australia (or at least, ANZ) has done well in the fight against phishing is because they’ve simply not ever sent any emails out, ever. Contrast this to a US bank (Wells Fargo) – within days of signing up I’d received a huge variety of emails, making it easy to see why so many US citizens get scammed so easily.

I typically ignore these emails but as part of my ever-growing interest in how email works and how people use it, I checked out my most recent one, and was interested to see the following disclaimer in the email footer:

ANZ does not guarantee the integrity of this communication, or that it is free from errors, viruses or interference. As email is transmitted via the Internet, which is an unsecure environment, ANZ cannot ensure that an email is not interfered with during transmission.

Clearly they’ve never heard of public-key cryptography! Of course, even if they had, and the email was encrypted and/or digitally signed, that last sentence would probably still exist from a sheer cover-their-ass perspective.

Still, I’m looking forward to the day when my bank (and other sites) let me enter in my public key as part of my account settings so all correspondence from them can be encrypted. I’m continually surprised that so few sites do this. I’m keen to integrate something like this into AusGamers – not that we really need it, but just because I think it would be cool to do.

It should be noted though that their emails include /no/ links at all and are sent in plain text.