
Archive for September, 2007

History of the Free Software Movement

Saturday, September 29th, 2007

Found an interesting read over at O'Reilly's website:

The GNU Operating System and the Free Software Movement, by Richard Stallman.

The Unexpected SQL Injection

Saturday, September 29th, 2007

Something every PHP developer should be reading:

The Unexpected SQL Injection – When Escaping Is Not Enough

The conclusions:

  • Write properly quoted SQL:
    1. Single quotes around values (string literals and numbers)
    2. Backtick quotes around identifiers (databases, tables, columns, aliases)
  • Properly escape the strings and numbers:
    1. mysql_real_escape_string() for all values (string literals and numbers)
    2. intval() for all number values and the numeric parameters of LIMIT
    3. Escape wildcard/regexp metacharacters (addcslashes('%_') for LIKE, and you'd better avoid REGEXP/RLIKE)
    4. If identifiers (columns, tables or databases) or keywords (such as ASC and DESC) are referenced in the script parameters, make sure (and force) their values are chosen only as one of an explicit set of options
    5. No matter what validation steps you take when processing the user input in your scripts, always do the escaping steps before issuing the query. Validation is not a substitute for escaping!

Like my rule #1 of what I like to call Defensive Coding: don't be implicit, be explicit. In other words, don't try to escape the things you don't want in your strings; simply leave only what you do want in them. A column name in an ORDER BY clause should consist only of A-Z, a-z and 0-9. Anything else in the string invalidates that string.
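Here is the list of conclusions above, and the rule #1 that follows it, applied to one search query. This is an added example, not code from the linked article or from this blog. Everything in it is constructed for illustration: the `items` table and its columns, the request parameters, and the `$escape` parameter, which stands for your connection-aware escaper (against a live MySQL link that is `mysql_real_escape_string`, as the article says). The demo at the bottom passes `addslashes` only so the file runs without a database; it is not a substitute for the real escaper.

```php
<?php
// Added example: builds a search query following the conclusions listed above.
// $escape is the connection-aware escaper; with a live MySQL link you would
// pass 'mysql_real_escape_string'. The demo passes 'addslashes' only so this
// runs without a database connection (assumption, not a recommendation).

// Conclusion 4: identifiers and keywords are never escaped. They must be one
// of an explicit set of options; anything else falls back to the default.
function pick_option($value, array $options, $default) {
    return in_array($value, $options, true) ? $value : $default;
}

// The blog's rule #1 as a function: a column name is valid only if it consists
// of A-Z, a-z and 0-9. Anything else invalidates the whole string.
function is_plain_identifier($name) {
    return is_string($name) && preg_match('/^[A-Za-z0-9]+$/', $name) === 1;
}

function build_search_query($escape, array $p) {
    // Explicit option sets for the identifier and keyword taken from the request.
    $columns    = array('id', 'name', 'created');
    $directions = array('ASC', 'DESC');

    $sort = isset($p['sort']) ? $p['sort'] : '';
    $dir  = isset($p['dir'])  ? strtoupper((string) $p['dir']) : '';

    // Identifiers/keywords: allow-listed, then backtick-quoted (conclusion 1.2).
    $column    = is_plain_identifier($sort) ? pick_option($sort, $columns, 'id') : 'id';
    $direction = pick_option($dir, $directions, 'ASC');

    // Numbers: intval() for every numeric value (conclusion 2.2). The WHERE
    // value is still single-quoted (conclusion 1.1); LIMIT parameters are not.
    $owner  = intval(isset($p['owner'])  ? $p['owner']  : 0);
    $offset = max(0, intval(isset($p['offset']) ? $p['offset'] : 0));
    $count  = min(100, max(1, intval(isset($p['count']) ? $p['count'] : 20)));

    // LIKE pattern: escape the wildcards % and _ first (conclusion 2.3), then
    // run the SQL escaper over the result so the backslashes survive inside
    // the string literal, then single-quote it. Escaping always happens here,
    // regardless of what validation ran earlier (conclusion 5).
    $term    = isset($p['q']) ? (string) $p['q'] : '';
    $pattern = '%' . call_user_func($escape, addcslashes($term, '%_')) . '%';

    return "SELECT `id`, `name` FROM `items`"
         . " WHERE `owner` = '" . $owner . "'"
         . " AND `name` LIKE '" . $pattern . "'"
         . " ORDER BY `" . $column . "` " . $direction
         . " LIMIT " . $offset . ", " . $count;
}

// Constructed request parameters: an unlisted sort column, non-numeric LIMIT
// values, and a search term carrying LIKE wildcards and a stray quote.
$request = array(
    'sort'   => 'password',
    'dir'    => 'desc',
    'owner'  => '42abc',
    'offset' => '-5',
    'count'  => '10; --',
    'q'      => "50%_off'",
);

print(build_search_query('addslashes', $request) . "\n");
// The sort column falls back to `id`, owner becomes '42', offset 0, count 10,
// and the search term reaches the literal as %50\\%\\_off\'%.
?>
```

The order of the two escaping steps matters: `addcslashes()` adds the backslashes that turn `%` and `_` into literal characters for LIKE, and the SQL escaper then doubles those backslashes so they survive the string literal. Reversing the order would leave the wildcards active.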

Say NO to Vista

Thursday, September 27th, 2007

The war on Vista continues:

Say NO to Vista.

I'm even recommending Apple Macs over Vista!

Callback functions in PHP

Wednesday, September 26th, 2007

I was implementing a plugin system for a framework I'm writing, and I needed plugins to be able to register a callback function or method with the Plugin Manager so that the callback function would get called when a signal was emitted. Here's a very stripped-down version of what I ended up with:

<?php
 
// Sample callback function
function callback_function() {
	print("callback_function()\n");
}
 
// Sample class with static and non-static callback functions
class Callback
{
	// Sample callback method in a class instance
	public function callback_method() {
		print("Callback->callback_method()\n");
	}
 
	// Sample static callback method
	public static function callback_method_static() {
		print("Callback::callback_method_static()\n");
	}
}
 
// Hook class with which you register callback functions and methods
// which will be called when you call the emit() method.
class Hook
{
	private $callbacks = array(); // All the registered callbacks.
 
	//
	// Register a function/method as a callback function.
	//
	public function registerCallback($callback) {
		$this->callbacks[] = $callback;
	}
 
	//
	// Run all the functions/methods registered as callbacks.
	//
	public function emit() {
		foreach($this->callbacks as $callback) {
			call_user_func($callback);
		}
	}
}
 
// Create a hook class instance with which we will register our
// callbacks.
$hook = new Hook();
 
// Instantiate the sample callback class.
$callback = new Callback();
 
// Register all the sample callbacks with the Hook class instance.
$hook->registerCallback('callback_function');
$hook->registerCallback(array($callback, 'callback_method'));
$hook->registerCallback(array('Callback', 'callback_method_static'));
 
// Make the Hook class instance call all the registered callback
// methods.
$hook->emit();
 
?>

First, we set up some sample callback functions and methods (callback_function(), Callback->callback_method() and Callback::callback_method_static()). Then we define the Hook class with which we can register callback functions. Finally, we register our sample callbacks with the Hook class and emit the 'signal'.

Right now, there's only a single signal (or no signal at all, depending on how you look at it), but that's easy to implement. The magic is basically in the emit() method of the Hook class. It iterates over the registered callbacks, which are nothing more than an array containing either strings for function callbacks or arrays for static and non-static method callbacks. It then calls those using the call_user_func() function.

All this results in the following output, when run:

callback_function()
Callback->callback_method()
Callback::callback_method_static()

Nothing fancy, and I must have implemented something similar a gazillion times, but I thought I'd share it with you all.
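The post says named signals are easy to add. Below is one way to do it, as an added example that is not the original post's code: the Hook class is extended to keep a list of callbacks per signal name, to pass arguments to the callbacks, and to refuse anything that is not callable at registration time rather than failing later inside emit(). The SignalHook and Logger classes, the on_save() function and the 'save' and 'delete' signal names are all constructed for this example.

```php
<?php
// Added example (not the original post's code): named signals with arguments,
// plus an is_callable() check when a callback is registered.
class SignalHook
{
    private $callbacks = array(); // signal name => list of registered callbacks

    // Register $callback for $signal. Non-callables are rejected here, where
    // the mistake is made (a typo, or a name read from configuration), instead
    // of producing a warning from call_user_func_array() when the signal fires.
    public function registerCallback($signal, $callback) {
        if (!is_callable($callback)) {
            throw new InvalidArgumentException("Not a valid callback for signal '$signal'");
        }
        $this->callbacks[$signal][] = $callback;
        return $this; // allow chaining
    }

    // Fire $signal, handing $args to every callback registered for it.
    // Returns the number of callbacks invoked; an unknown signal is a no-op.
    public function emit($signal, array $args = array()) {
        if (empty($this->callbacks[$signal])) {
            return 0;
        }
        foreach ($this->callbacks[$signal] as $callback) {
            call_user_func_array($callback, $args);
        }
        return count($this->callbacks[$signal]);
    }
}

// Sample callbacks, constructed for this example.
function on_save($filename) {
    print("on_save($filename)\n");
}

class Logger
{
    public function record($filename) {
        print("Logger->record($filename)\n");
    }

    public static function audit($filename) {
        print("Logger::audit($filename)\n");
    }
}

$hook = new SignalHook();
$hook->registerCallback('save', 'on_save')
     ->registerCallback('save', array(new Logger(), 'record'))
     ->registerCallback('save', array('Logger', 'audit'));

$hook->emit('save', array('report.txt')); // prints three lines, one per callback
$hook->emit('delete');                    // nothing registered: nothing happens

try {
    $hook->registerCallback('save', 'no_such_function');
} catch (InvalidArgumentException $e) {
    print("Rejected: " . $e->getMessage() . "\n");
}
?>
```

The same three callback forms from the post (a function name string, an object/method array and a class/method array) all pass is_callable(), so the registration API does not change shape; it only stops accepting garbage.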

Back from Dublin

Monday, September 24th, 2007

Hi, I'm back from Dublin.

Here's a picture of what we did:

dublin.jpg

Dublin

Thursday, September 20th, 2007

I'm off to Dublin for a couple of days. Be back on the 25th. Ahoy mateys!

Arrr, me hearties!

Wednesday, September 19th, 2007

'Tis that time o' the year again, me hearties! Yarrr! Now, where's me grog?

China bans reincarnation

Tuesday, September 18th, 2007

The Chinese government has outlawed the practice of reincarnating for Buddhist monks in Tibet without its permission.

In one of history's more absurd acts of totalitarianism, China has banned Buddhist monks in Tibet from reincarnating without government permission. According to a statement issued by the State Administration for Religious Affairs, the law, which goes into effect next month and strictly stipulates the procedures by which one is to reincarnate, is "an important move to institutionalize management of reincarnation." But beyond the irony lies China's true motive: to cut off the influence of the Dalai Lama, Tibet's exiled spiritual and political leader, and to quell the region's Buddhist religious establishment more than 50 years after China invaded the small Himalayan country. By barring any Buddhist monk living outside China from seeking reincarnation, the law effectively gives Chinese authorities the power to choose the next Dalai Lama, whose soul, by tradition, is reborn as a new human to continue the work of relieving suffering.

From Wikipedia's article on the Dalai Lama:

Despite its officially secular stance, the government of the People's Republic of China (PRC) has claimed the power to approve the naming of high reincarnations in Tibet. This decision cites a precedent set by the Qianlong Emperor of the Qing Dynasty, who instituted a system of selecting the Dalai Lama and the Panchen Lama by means of a lottery which utilised a golden urn with names wrapped in barley balls. Controversially, this precedent was called upon by the PRC to name their own Panchen Lama. The Dalai Lama and the majority of Tibetan Buddhists in exile do not regard this to be the legitimate Panchen Lama. The Dalai Lama has recognized a different child, Gedhun Choekyi Nyima, as the reincarnated Panchen Lama. This child and his family have been taken into 'protective custody' according to the PRC, and all attempts by members of the EU parliament and US government to garner guarantees of the family's safety have been denied by the PRC. There is some speculation that with the death of the current Dalai Lama, the People's Republic of China will attempt to direct the selection of a successor, using the authority of their chosen Panchen Lama.

The current Dalai Lama has repeatedly stated that he will never be reborn inside territory controlled by the People's Republic of China, and has occasionally suggested that he might choose to be the last Dalai Lama by not being reborn at all. However, he has also stated that the purpose of his repeated incarnations is to continue unfinished work and, as such, if the situation in Tibet remains unchanged, it is very likely that he will be reborn to finish his work. Additionally, in the draft constitution of future Tibet, the institution of the Dalai Lama can be revoked at any time by a democratic majority vote of two-thirds of the Assembly. The 14th Dalai Lama has stated, "Personally, I feel the institution of the Dalai Lama has served its purpose."

Finally a good BitTorrent client for Debian

Saturday, September 15th, 2007

I finally found a good BitTorrent client for Debian: Freeloader. The original homepage doesn't appear to be live anymore, so perhaps it is unmaintained. But it's written in Python, so if I need some functionality that it doesn't have, I can just add it myself. Here's a screenshot:

foo.png

Things that are missing (which I'll probably add myself):

  • Direct downloading of torrents by retrieving a .torrent URL
  • Auto resuming when I've closed down the client.
  • Auto (or manual) downloading of torrents via RSS
  • Automatic seeding up to a certain ratio

Firefox, IE, Opera and Safari all equally safe?

Thursday, September 13th, 2007

NU.nl reports on an (English) report about the safety of the web. In it, CA states:

Browsers are one of the most commonly used applications today. Many people believe that Mozilla Firefox is more secure than Microsoft Internet Explorer, but their vulnerabilities are on par. In the first half of 2007, NIST reported 52 vulnerabilities in Internet Explorer of which half were medium or high severity. And there were 53 vulnerabilities reported in Firefox of which almost half were medium or high severity.

The numbers are climbing. In 2006, 96 vulnerabilities were reported in Internet Explorer and 103 reported in Firefox.

Even less popular browsers have more security holes. More than double the vulnerabilities have been reported in the Opera browser. NIST reports 14 vulnerabilities this year versus seven last year, and more than half of this year's vulnerabilities are medium or high severity.

Apple Safari has 19 newly reported vulnerabilities this year, nearly twice the number reported last year, and half of them are medium or high severity.

When will researchers understand that the number of vulnerabilities reported or fixed is not a good way to determine how secure an application is? The problem is either that these people don't understand software development, or that they wish to back up their predetermined claims with hard evidence, so they start looking at reported vulnerabilities. It doesn't work that way, unfortunately. There are way too many variables not accounted for:

  • First off, where are the sources for their data? They only mention NIST, but give no criteria at all for what they looked at. This immediately invalidates their findings.
  • They look at 'reported' vulnerabilities, but these are third-party reports. Does NIST only report vulnerabilities listed in the application's release notes?
  • Do these statistics include reported but unfixed bugs? Firefox maintains an open bug-reporting facility where every user can report bugs. Not all of those vulnerabilities may have been fixed. Are those included in the statistics? If so, how can they compare those reports against the reports done on closed bug-tracking systems such as those of IE, Safari and Opera?
  • Where is the proper trend analysis? "In 2006, 96 vulnerabilities were reported". Trend analysis should be done over multiple years, IMHO.
  • What were the severities of the reported/fixed vulnerabilities? For all we know, IE had 100 minor problems that were only exploitable when the moon was full and it was Friday the 13th, but Firefox had 50 extremely severe vulnerabilities.
  • What are the sources for the severities? The vendor? Hardly reliable information, as vendors like to downplay the severity of their own vulnerabilities.
  • The report doesn't take into account the user base of the products. Nobody uses Firefox, Safari and Opera, whereas everybody uses Internet Explorer. That makes it a much bigger target for black-hat exploiters. No, it doesn't say anything about the security of a product from a technical point of view, but it does from a practical point of view.
  • The report mentions, briefly, the security of third-party browser plugins such as Flash, Java, etc. But it doesn't relate them to the different browsers. Firefox has a Flash/Java blocker that is very easy to install and use. It also has a very good JavaScript blocker. JavaScript is probably the number one source of vulnerabilities in Firefox. Since it's not installed by default, I can understand they don't focus on this, but at least the security potential for Firefox is higher because of this.
  • No mention is made of ActiveX. ActiveX only works in Internet Explorer and is a HUGE contributor to security vulnerabilities.
  • One of the most important things: reality! People like to ignore it (which I can understand), but that doesn't mean it doesn't exist. How many vulnerabilities have actually led to exploits in the wild?

In defence of CA, their report doesn't specifically say that Internet Explorer, Safari, Firefox or whatever is more secure than the others. They just imply it. As usual, media outlets are twisting the findings of reports in order to make for better news and scare-mongering.