Argh!

Data quality vendor not interested in data quality?

2011-10-09T14:49:00.000-07:00

CIFAS should be all things to all people. They provide a platform for members to share data about fraudulent transactions - and provide ways of protecting individuals against identity theft. All wrapped in a not-for-profit organisation.

But dig below the surface and all is not as it seems.

Part of the facilities they provide is protective registration. This means that either at your request or the request of a CIFAS member, they will place a notice on you credit records saying that when a credit application is made in your name or from your address, then there should be additional checks on the identity of the party applying.

This helps with the big problem of identity fraud; regaining control of an identity and preventing further abuse.

However go and have a Google for them. There seems to be an awful lot of people out there who are not being protected - they are being prevented from obtaining credit due to a CIFAS listing. So at best, CIFAS have failed to communicate what their policy is to their members.

But suppose you find yourself unfairly blacklisted by CIFAS. How do you go about correcting this? Surely CIFAS, who generate income from providing accurate information would not only take an active interest in resolving individual cases, but would also seek to monitor the reputation of their members' recommendations? Indeed according to the Data Protection Registrar, that is what they are obliged to do, regardless of their business model.

However according to the CIFAS website, issues regarding innappropriate/innaccurate registrations must be directed to the member company and ”CIFAS will not become involved in a dispute until the CIFAS Member has issued a Final Response letter.”

UK Government website privacy abuse?

2011-03-04T15:55:00.000-08:00

Anyone who knows me will not be surprised to hear that I think measuring user-experience and how users interact with your website is a very good idea. If you're in the business of trying to collect or analyse this information, then this post is addressed to you.

As I've often said, looking at the standard server-side logs can be very informative - but its only half the story. To get a better picture you need to go client-side. And that means Javascript. For many people / organisations, there just isn't the time or money to develop your own solution - and of course there are no end of vendors trying to flog their wares to you.

This post was prompted by a wasted hour investigating unusual patterns in referer stats. Where I work, phishing poses a very serious risk. Despite this, (and a large IT staff, dedicated security team. and an annual turnover well into the billions) there are no SPF records in our published DNS records! The referer stats for out customer facing website shows our logos appearing in lots of web-based email readers (including those from service providers who are known to validate SPF) - implying that it is more than just a risk. The is a shocking and absurd set of circumstances which I am still trying to resolve after 2 years.

However, that's not what this gripe is about.

This week I noticed a few referals from a very long URL starting with xxxxx.stcllctrs.com (where xxxxxx is the name of my employers parent organisation). The URL was not obviously an email reader. Dropping the URL into a browser returned a 200 response with no content. So I had a look at the root URL, http://xxxxx.stcllctrs.com/ Where I found the documentation for 'jsunpack' (http://jsunpack.jeek.org/dec/go) a tool 'designed for security researchers and computer professionals'. This is primarily a javascript code obfuscator. Interestingly, the URL for jsunpack seems to link to a form allowing people to report possible abuses of the tool - which has a record of its use at http://xxxxx.stcllctrs.com/ flagged as suspicious.

I then Googled for xxxxx.stcllctrs.com and found that our parents organisation had several references to this site, loading javascript files and NOSCRIPT content. Looking at the Javascript it was serving up, it was rather difficult to read (since it was obfuscated) but seemed to be doing strange things with cookies. The domain also apepars in several ad blocking lists. Alarm bells started ringing!

Of course my employers make up for the quality of the security policy with the quantity of it - so I couldn't do proper whois lookup - but looking at tools on the web - this turned out to be a 16 bit subnet owned by Savvis.net. The name is registered with viatel.com. So both the netblock and DNS registration are effectively anonymous.

Obfuscated code, unusual URLs, cookie manipulation, anonymous hosting, greyware listings - DING DING DING!!!

Most of the whois services available online are provided by companies trying to sell registration services- the one I used initially did not provide any information about the registrant (and reformatted the content significantly so it looked like viatel was the registrant). But I eventually found another site (in Romania of all places!) which gave the registrant contact - speed-trap.com limited. This proved to be the Rosetta stone to unravelling what was really going on.

Speed-Trap appear to be a legitimate organisation providing web-usage monitoring services to companies. Surprisingly, they have a number of very high profile customers including direct.gov.uk, RBS, Axa and others. Yet they behave online like a script-kiddy - obfuscating their identity as well as code deployed to run in my browser, leaving other peoples hacking code
on their own website.

DirectGov have a link to their privacy policy on each and every page in their site (for the benefit of those from the colonies - DirectGov is the single, open access portal spanning all central government services in the UK). They clearly state they use javascript and cookies to record and analyse your usage of the site. They do not state that this information is processed by a third party. Indeed they go to unusual lengths to suggest that this information would only be shared with other bodies in extreme circumstances. RBS and http://www.axa.co.uk/privacy take a similar tack.

http://www.direct.gov.uk/en/SiteInformation/DG_020456
http://www.rbs.co.uk/global/f/privacy.ashx
http://www.axa.co.uk/privacy

From https://www.dephormation.org.uk/
"Intercepting, monitoring, eavesdropping, tapping communications requires legal authority, or consent from both parties to the communication."

Although there are some differences to BTs Phorm rollout (in that case, it was clear that Phorm were using the information for other purposes than just usage analysis) I find it very worrying that the UK government and several large financial institutions should be misleading their customers (or citizens) like this.

Crappy code

2011-02-04T16:42:00.000-08:00

I spend way too much time dealing with other peoples' crappy code. To that end, a very long time ago, I wrote a quick script that would help me navigate around a PHP source file in order to work out what it's supposed to, and what it actually does.

It generates a call graph of the functions and methods in a PHP file, example shown below.

It had been sitting, festering on my HD for a while, and I thought "Hey, maybe someone else might find this helpful" so I uploaded it to phpclasses.org

So blow me, not only do they find it useful - but they want me to support the damn thing too! And then I get nominated for an award! I had a quick look at the source code. OMG - it's a mess!

So a couple of late nights were spent cleaning it up until the API is at least usable.

You can get the (cleaned up, slightly) source code here

Keyboard not detected. Press F1 to continue

2011-01-14T15:41:00.000-08:00

I don't moan all the time.

Once in a while someone goes out of their way to be helpful, or technology works the way it should or I find something which is useful / good value.

Today I bought a new keyboard.

Like many computer people I know, I've had the same PC for the last 15 years or so. In that time the motherboard has been replaced a few times, disk drives have come and gone, graphics cards and monitrs have been swapped. But the oldest component was an HP keyboard which has been putting in sterling service for the last 8 years.

So while I was in PCWorld/Curry's today, I picked up a Sandstrøm keyboard for £15. This has the nicest action of any keyborad around this price I'd seen, and has the added bonus that the keys have LED illumination.

The reason I was in Curry's was to pick up a simlarly branded HiFi for my daughter's birthday. Again which I thought good value.

Despite the scandinavian looking name, not surprisingly both are made in China, and although time will tell regarding the quality of the electronices, both seem to be reasonably solid construction.

I suspect that the manufacturer / importer / retailler are currently discounting heavily to establish the brand in the UK.

Getting all the keys to work on my home machine (currently still with Fedora 9 - a Linux distribution) was surprisingly easy (most of the extra weeks worked as soon as it was plugged in anyway).

It does have a somewhat compressed physical layout (the space bar is only 60mm) so I'm still hitting thEWRONG Kets some if the time but I@m sure that will pass/

Where can I get away from them

2010-06-23T14:35:00.000-07:00

The internet is great - everyone has access

The internet is terrible - everyone has access

When I first started using online systems (some time before the arrival of the internet - but I'm not saying how long) people I met online always seemed so knowledgeable and helpful. As I progressed through my studies, and the internet became available I was getting at least as much out of newsgroups and mailing lists as I put in. But gradually the balance shifted - increasingly I saw people asking dumber and dumber questions. For a brief period Stack Overflow seemed to be the new hope, before it became as bad as anywhere else (although the rating system bolstering my ego still tends to outweigh my disappointment at the quality of the questions nevermind the "answers".

While I'd like to think I know what I'm talking about in the forums I participate in regularly, I don't think I'm any sort uber-guru (yeuch - what a horrible term) but primarily I go there to learn - and I'm not learning anymore.

Of course the same questions come up again and again:

How do I make this pattern fit this problem?
Do my Class Assignment for me
The people I pay for support won't answer the phone any more so I'm posting my question here
It's broken, I don't know why, but I expect you to fix it

Am I just getting too cynical in my old age? Maybe I'll take up nuclear physics as a hobby so I can go back to being a newbie and asking stupid questions on the internet myself.

C.

Little furry babies need adopted!

2010-05-24T15:10:00.000-07:00

For those of you whom I've not met, my daughter breeds and shows rats. She's done very well winning several best in breed and couple best in show at national level.

The reason I mention this is that we also provide short-term fostering for rescue rats - and we're currently trying to find homes for 13 rescue rats. If you live in the West of Scotland, and are interested, please visit our site at www.ralstonrats.co.uk

Dokuwiki is smarter than I am

2010-04-06T11:31:00.001-07:00

In a previous episode, I was moaning that I couldn't get my DokuWiki RSS feed to display using the RSS parser - it was my wetware which was not up to the job!

I'd configured this Dokuwiki to disallow any anonymous access - and the RSS generator (feed.php) was correctly showing all the items which the anonymous user was allowed to see - i.e.none!

I didn't realise this until I'd downloaded the latest stable DokuWiki and ported the hacks I've applied to it, then patched my installation - which obviously did not fix the problem.

In the meantime, I've created a new user with read access to the entire wiki - then changed my RSS wiki syntax to pass the auth details:

{{rss>http://www.mysite.com/dokuwiki/feed.php?u=anonymousRss&p=s3cr3t}}

Apologies to the DokuWiki team!

New Site Up

2010-04-01T13:30:00.000-07:00

I've setup a website for my daughter's business (well the whole family are involved really). Its at http://www.ralstonrats.co.uk

Does DokuWiki eat its own dog food?

2010-04-01T13:25:00.000-07:00

In the last exciting episode I wrote about my troubles setting up blogging/RSS in Dokuwiki - I eventually gave up and installed Serendipity to handle this.

Having done that, I've now gone full circle and am publishing the blogs as an RSS in DokuWiki. I wanted to provide a single news list, so I had a look at integrating the 'recent changes' feed from DokuWiki on the same page as the serendipity blog - however the DokuWiki RSS feed works with every reader I've tested except the one built into DokuWiki!!!!

AAAAARRRGGGGHHHH!

DokuWiki blogging

2010-02-06T15:36:00.000-08:00

I've used DokuWiki as a base for a few PHP projects since it provides access control navigation and other such niceties, combined with a very capable Wiki CMS for publishing static content.

Adding your code to it can be as simple as editing a page and entering:

[php]
include("myPhpCode.inc.php");
[/php]

(where I've subsitituted square brackets for the usual angle brackets - since blogger.com seems not to like the latter)

There are a some complications around dealing with when the headers are sent vs when the contents of the page is generated, and around when the session is written back - but nothing insurmountable.

So when my boss tasked me to come up with a simple CMS solution which could provide RSS and atom feeds, needed authentication for adding content, and needed to have "lists of things" using a blog within DokuWiki seemed like an obvious solution.

Dokuwiki has a plugin 'blogtng' intended to replace the older 'blog' plugin. Both use files for holding the content which was not ideal (I expect that we'll be adding a lot of stuff in there, and require the ability to edit/remove old stuff, also actively pruning old data might be required too for performance/storage reasons). However blogtng uses a database for indexing the content. Great, I thought.

And then I discover that the PHP from RHEL5 is compiled without sqlite support. That's odd - but I'm not disheartened - I go find out local software guardian and ask for the installation media. There then follows much running around in the manner of the Keystone Cops - indeed if this were a movie rather than a blog it would undoubtedly be shown speeded up, and accompanied by Yakkety Sax - a la Benny Hill. Still no CD-ROM, however as far as I can tell, RedHat never implemented the sqlite extension. There are some third party implementations for RHEL :) except for version 5 :(

So then I try to rewrite blogtng using mysql. Which proves to be messy. Although it appears to have been written with the notion of some abstraction from the underlying database, direct calls to the extension occur throughout the code. So I first rewrote all these into the abstractin layer. Next, I doscover that sqlite seems to be completely untyped, so I have to reverse engineer the possible datatypes and update all the DDL scripts. Then I find that all the DML needs to be changed too. I also find that it seems to be creating blog entries whenver I view a page (even before I've added the page markup to create any blogs).

The RHEL5 does support the PDO extension with the sqlite driver, and now that all the database connection code is in one place, it was fairly easy to port it back to that and restore the original DDL and DML. It seems I can now create blogs, blog entries and comments, but still getting blog entries created randomly - so I go back and check the repository - its a known bug. Grrrr.

PHP and long running processes

2010-02-06T14:44:00.000-08:00

It seems this question keeps coming up on the PHP newsgroups and, now that I've plugged into Stack Overflow - I keep seeing it their too:

How I do I start a PHP program which takes a long time to complete and how do I track its progress?

While these tend to attract lots of replies, they are usually wrong.

The first thing to consider is that you need to seperate the the thing which takes a long time from its initiation, the ongoing monitoring and whatever final reporting is required.

Since we're talking about PHP its fair to assume that in most cases, the initiation will be a PHP script running in a webserver. However this is not a good place to keep a long-running program.

1) webservers are all about turning around requests quickly - indeed most have failsafe mechanisms to prevent one request hanging about too long.

2) the webserver ties the request to both the execution of the script and to the client socket connection. Typically NOT keeping a browser window open somewhere waiting for the job to complete is an objective for the exercise. Although the dependence on the client connection can be reduced via ignore_user_abort() that was never its intended purpose.

3) long-running typically means it will have quite different resource requirements than a typical web page script - e.g. lots of file handles being opened and closed, more memory being consumed.

Most commentators come back with the suggestion of spawning a seperate thread of execution, either using fork or via the shell. The former obviously does not solve the webserver related issues if the interpreter is running as a module - you're just going to fork the webserver process. You've not solved any of the web related issues and created a whole lot of new ones.

You need to create a new process certainly.

The obvious type of process to create would be a standalone PHP interpreter to process the long running job. So is there a standalone interpreter available to the webserver? The prospective implementor would need to check (and whether the webserver runs as chroot). So lets assume there is, our coder writes:


      print shell_exec('/usr/bin/php -q longThing.php &');

A brave attempt. However they will soon find that this doesn't behave as well as they expected and keeps stopping. Why? because all the process they created runs concurrently with the php which created it, it is still a child of that process. Now this is where it starts to get complicated. In our example above, the webserver process finishes with the users script immediately after it creates the new process - however it will probably hang around waiting to be assigned a new request to deal with. However at some point the controller for the webserver processes will decide to terminate it - either as a matter of policy because it has dealt with a certain number of requests (for apache: MaxRequestsPerChild) or because it has too many idle processes (apache's MinSpareServers). However the webserver process should not stop until all its child processes have terminated. How this is dealt with varies by operating system and of course, webserver. Regardless, the coder has created a situation which should not have arisen.

But on a Unix system there are lots of jobs which run independently for long periods of time. They achieve this by:

1) they are first started, say as pid 1234, and try to fork, say to pid 1235 after calling fork, pid 1234 exits
2) pid 1235 will become the daemon - it closes all its open fds including those for stdin, stdout and stderr
3) pid 1235 now calls setsid(), this dissociates this process from the tree of processes which led to its creation (and typically makes it a child of the 'init' process).

You can do all this in a PHP script, assuming you've got the posix and pcntl extensions. However in my experience its usually a lot simpler to ask an existing daemon to run the script for you:


     print `echo /usr/bin/php -q longThing.php | at now`;

But how do you get progress information? Simple, just get your long running script to report its progress to a file or a database, and use another, web-based script to read the progress / show the final result.

Not quiet times

2010-02-06T14:37:00.000-08:00

It's been a while since my last post since $ork, in their wisdom have blocked access to a huge list of sites including this one. While my exorcising my demons in public does not directly improve my productivity - it does provide a release (a few of my colleagues have expressed a concern that I may go postal at any moment - having been privy to some of my recent frustrations!).

Anyway, to catch up.....

Car / Mill Motors (Paisley):
1) Trading Standards were worse than useless, waiting for their advice cost me several weeks which could have been better spent on other things. The advice they gave me was incomplete and substantially wrong in several places.

2) The Credit Card denied all responsibility - so I went to the Financial Ombidsman - who agreed that there was a problem with the car, and that the Credit Card company should have resolved this.

The end result is that I got a full refund for the repairs.

Ripped off by Mill Motors, Paisley

2009-05-14T02:30:00.000-07:00

In January, I bought a used car from Mill Motors (4 Linwood Road, Paisley). The car had a serious fault which I reported to them within the 1 month guarantee period (confirmed by the official Saab dealership) and Mill Motors said (by phone) there was nothing wrong with it, that they were going to do nothing.

I thought I would be able to get some resolution to this since:
1) it specifically contravenes the sale of goods act
2) I paid for it on my credit card

So I've been chasing Mill Motors, Trading Standards and my Credit Card company for 4 months, trying to get some restitution. But Mill Motors refuse to put anything in writing - and as a result Trading Standards won't do anything, and neither will my credit card company.

grrr!

Lessons learnt:
1) never buy a used car from Mill Motors
2) if I ever get mugged, I'll be sure to get a receipt from the mugger for my credit card company.

More IIS oddities

2009-02-25T02:20:00.000-08:00

hmmmm.

Script connecting to Oracle database worked fine in MSIE but fails in Firefox and Chrome.

On further investigation we discovered that the problem was due to PHP failing to open the tnsnames.ora file (this tells Oracle clients where on the network and what protocol to use when connecting to the database given in ora_logon / oci_connect).

Let's be quite clear here:
- when the request originated from MSIE, IIS had permissions to open the file
- when the request originated from any other browser, IIS did not have permission to open the file

In both cases, the script executes as the same user on IIS. Using a user-agent switcher on Firefox had no impact.

There is an additional complication that the file in question sat on a network share, but that should have no bearing on how IIS behaves. However using a local copy of the file works as expected.

Micorosft IIS's security model is working differently depending on the browser used - this is potentially a security vulnerability in IIS.

Again, Microsoft IIS is giving different and preferential treatment to MSIE browsers

OS war

2009-02-24T04:37:00.000-08:00

At the weekend I was working on my home network. My daughter's new laptop arrived (a samsung R60, £300 @ dabs). This was my first prolonged experience with MS Vista.

I was first pleasantly surprised that it had rather sensibly split the disk into three partitions - one for diagnostics and TWO for Vista - a program drive and data drive! However Microsoft soon put a damper on my excitement - everything is so sssllllloooooowww. Just like previous versions of MS Windows, just about any change requires an immediate reboot - so just getting it working took about 3 hours and 6 reboots (Typically a Linux install from raw metal takes me 45 mins - although I only need to spend about 10 minutes at the computer and 1 reboot).

Then I got down to the business of configuring the software I really wanted. It came with a trial version of MS Office - Microsoft punished my insolence for removing the package by taking over an hour to uninstall it.

It also had SQL Server installed for some reason. That took just as long. And of curse Vista keeps asking me if I really do want to run xyz.exe at seemingly random intervals. How the hell should I know?

Still its just about done now.

Overall the laptop seems to be of good quality although the screen seems a bit washed out - not sure if thats just Vista's colour scheme though. When I've recovered from the pain of cleaning up the default install I'll add dual boot for something - probably PCLinuxOS 2008

Meanwhile, I rolled forward all the patches (only do the security ones on a regular basis) on my Fedora 9 desktop machine. This has taken away most of the rough edges in KDE 4.

Back at the office found a weird problem with PHP/Oracle/IIS - a script a colleague wrote to poll some data from Oracle works as planned if the browser is MSIE, but in Firefox it gives an ORA-12154 error (can't find database / tns names file). Very weird. Investigations continue.

Two factor authentication - grid Key followup

2008-10-03T08:38:00.000-07:00

It looks like CAPCHA's days could be numbered. And not before time as I try to decipher the picture below the editor where I'm typing this.

Given such a simple idea as gridKey (working title - don't sue me) its not surprising that someone else thought of it first.

Maybe I'll get round to writing a PHP and/or PAM lib to implement it.

Authentication tokens

2008-09-28T02:53:00.000-07:00

Devices like hashing fobs or tamper-proof smart cards are technically the best solutions for secure authentication - but they have a number of drawbacks for proactical applications. By far the biggest one is that they are not universal - I can't use my Paypal fob to log onto my LAN, I have several smart cards in my wallet, but where do I get a reader? Even if I did, how would I get Google to support the use of the card for accessing my gmail account?

Instead we seem doomed to endure badly implemented wish-it-was-2-factor-authentication and Capchas which even those of us lucky enough not to be visually impaired, cannot read.

While kitten capchas are undoubtedly cute, do they really help solve the problem?

It occurred to me that not entering the same password more than once is a good way to avoid the risk of compromise (essentially this is the common factor in Capchas, smart cards and key fobs) and here is a simple way to achieve this:

When you create an account for your user, issue them with a grid of letters and digits, 6x6 seems about right.

	A	B	C	D	E	F
1	s	a	r	3	c	v
2	8	t	e	y	p	4
3	q	i	g	h	w	k
4	f	m	z	b	i	9
5	7	d	j	a	n	p
6	g	e	u	5	9	w

Then, each time they log in, ask for, say 5 of the entries, the grid holds more than 8000 passwords.

Given say 32 possible keys (omitting the letter O and number 0, lower case L and digit 1) the chance of guessing the password are one in 33 million.

Someone's probably already thought of this. But I thought I'd write it down before it gets patented.

Microsoft backdoor optimization?

2008-09-01T07:12:00.000-07:00

I recently replied to a post on uk.comp.os.linux regarding squid - but on reflection, if the details supplied by the OP are correct, then this exposes some backdoor optimization by Microsoft in IIS

The post and replay are here.

Tim said that:

tim@feynman:~$ telnet www.plumbcenter.co.uk 80
Trying 89.207.160.30...
Connected to www.plumbcenter.co.uk.
Escape character is '^]'.
GET /plumb/index.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

HTTP/1.1 400 Bad Request
Date: Wed, 27 Aug 2008 21:44:51 GMT
Server: Microsoft-IIS/6.0
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
(404 body snipped)

Connection closed by foreign host.

This works if you drop the "; SV1" from the user agent. Or even replace
"; SV1" with "; SV2" or replace "5.1" with "5.0" but leave the "; SV1"
bit!

What's interesting here is that the request headers specify HTTP/1.0 but the response comes back from the server as HTTP/1.1

While maybe this is just sloppy programming by Microsoft, its worth bearing in mind that, by default MSIE degrades to HTTP/1.0 responses when it knows it's talking via a proxy. Also, HTTP/1.1 mainly addresses performance improvements.

Further - as Tim points out, the behaviour of the server changes when the user-agent changes.

Could it be that IIS is using the user-agent for purposes beyond what it should do according to spec? This could give Microsoft an unfair performance advantage over other browsers. Certainly in this case there is hard evidencethat the server is basing its response on the user-agent supplied in the request.

For the time being this is mostly conjecture and conspiracy theory. But it would be interesting to confirm whether IIS always responds to HTTP/1.0 requests with a HTTP/1.1 response, whether it will include HTTP/1.1 specific browser instructions - and to see if the browser then acts on these.

KISS

2008-08-08T04:07:00.000-07:00

Today I'm looking at monitoring the throughput of a mail server running RHEL5. Unfortunately the default check_mailq supplied with Nagios just looks at the size of the number of messages in the mailq.

Another problem I encountered was that mailq is not setuid root on this distro. Rather than reinvent the wheel, I thought I'd have a look at how RH & sendmail measure the size of the queue.

/usr/bin/mailq is a symlink to /etc/alternatives/mta-mailq
/etc/alternatives/mta-mailq is a symlink to /usr/bin/mailq.sendmail
/usr/bin/mailq.sendmail is a symlink to /usr/sbin/sendmail
/usr/sbin/sendmail is a symlink to /etc/alternatives/mta
/etc/alternatives/mta is a symlink to /usr/sbin/sendmail.sendmail

...of course!

2008-08-01T04:37:00.000-07:00

It would appear that the UK Cabinet Office publish guidance on publishing word processor and other files on government websites:
"Microsoft Word (DOC)

Documents can also be saved in Microsoft Word format. ... This is the least desirable format as it is proprietary and it cannot be guaranteed that a reader exists for a particular user’s computer."

Guess what format they use.

Oracle Javascript

2008-06-06T04:04:00.000-07:00

Finally got to the bottom of the problems with oracle_smp_chronos.js turns out its worse than I thought. The script just can't cope with links calling a forms onsubmit method on Mozilla based browsers (actually there is about three different defects here, only the first was initially visible). The odd thing is that the code they've written for MSIE works flawlessly on every version of Mozilla / Firefox I've tested - although I haven't gone back to Navigator version 4. The solution seems quite simple - just change the browser identification code so it runs the same code for Mozilla 5+ and Firefox 1+ as it does for MSIE.

Blackberry blues

2008-06-06T03:49:00.000-07:00

Work has decided I need a Blackberry. So after a mere two months procurement process an 8800 appeared. It took me about 3 hours to find the first bug in the software (browser does not accept a cookie suplied in a HTTP 302 response) still I was trying to look on the bright side. Having previously worked for a company selling ringtones, I thought it would be a good idea to add something a bit out of the ordinary. But having previously worked in the industry, the last thing I would do is actually buy one from one of the many suppliers! Fate helped things along when I saw bluetooth USB dongles in my local Tesco for £7. It wasn't long before I had it plugged into my computer and the relevant software up and running. Unfortunately, although I could get the devies to pair, the only service I could get working was kbluelock - the Obex push client just couldn't see the device.

A bit of research suggested that this is a common problem - Blackberries won't talk to the BlueZ stack.

Ho hum.

Meanwhile, having built a test rig and demonstrated the browser problem, I tried reporting the fault to Vodafone. They've written back asking for lots and LOTS of information none of which relates to the bug. I spent less time re-writing the web application I was trying to access then I have trying to satisfy the requests from the support department - who don't seem to understand how their own software works.

Oracle - not as bad as I thought?

2008-05-15T09:24:00.000-07:00

In fairness to Oracle, the problems I described only seem to manifest in conjunction with other suppliers javascript. But perhaps its just as well that the DMCA forbids me from finding out exactly how well written their code really is.

Oracle stop eating own dog food?

2008-02-08T09:15:00.000-08:00

Enabling End-User performance monitoring using the Oracle application stack and Grid Control, depends on a script called oracle_smp_chronos.js however the the copy we've got will only work with MSIE (its hard-wired to the Microsoft browser event model). I had a look around forums.oracle.com to see if anyone had a solution - and I couldn't find anyone with the same problem. I couldn't - so I thought great, they've fixed it! But I can't find the fix.

But what's even more interesting is that Oracle no longer seem to be using their own tools for monitoring - a 'view source' on most of the oracle.com pages shows they are now using Omniture's SiteCatalyst.

Laptop bling

2007-12-16T14:00:00.000-08:00

2 posts in a week! I must be sick or something.

In Spring a friend showed me his new laptop, running a new window manager - something called Beryl - OMG! It rocked. I was as impressed as the first time I saw a Windows/Mouse interface, or a Web Browser. Computers should be fun to use and this showed how! At that time though I didn't have the time to play around with such hardware (which surely required the very latest bitchin' graphics card).

Fast-forward to December. I've recently completed redecorating my daughter's bedroom, and thought I'd let her have my laptop (semi-) permanently installed in there. Despite being a computer geek, the hardware I own is usually cobbled together from spare parts picked up at jumble sales or bought off eBay. Laptop in question is a 1GHz Celeron with 384Mb memory (only recently upgraded from 128) and a slow 10Gb HD (where I need to keep a copy of XP which is used about.........never....so about 4GB left for everything else). Its a very basic workhorse and was bottom of the range even when new.

I thought I'd do a reinstall for her. Previously it had a series of Suse installs, currently at 9.3. Everything worked, but I felt it was rather bloatware, and her main interest would be in playing games - Suse do not provide a good portfolio of installable games. I had a look at the top 10 on Distrowatch, and decided to try out PC Linux OS. This can run as a Live CD before installing which is a very handy way to check if it supports your hardware (another area where Linux is now actually leading the other OS vendors!). After bottong it up and liking it, installation was painless and quick handling the Linksys PCMCIA WiFi card, sound and everything else.

After setting it all up, I noticed there was an option to run a "3D Window Manager" so I turned it on not expecting very much. WOW.

OK, so not all the effects work (its the most basic video chipset on this thing) I don't get Windows going up in flames or appearing from sparkles - but the wobble, expand, and I can rotate the Desktop cube - indeed the only falut is that it all happens so quickly/smoothly, if you blink you'll miss it.

Meanwhile everything else works really well - the single CD it installs from had an impressive amount of software on it - and more is easily added from the internet. The only thing which doesn't seem to work is SuperKaramba where the theme browser only list the most popular/highest rated and newest (you can't brows the main catalog from the application) also, liquid weather refused to work (IMHO the only reason for having SK) and SK loses its settings each time you log out. But I was really only playing around with it for extra eye-candy (I still can't believe I'm trying to demo-up that old banger of a laptop!)

Off work, sick

2007-12-13T15:25:00.000-08:00

For the first time in my life I've been off-work due to illness for a week.

I thought I'd go see the quack. It's been a long time since I've seen a doctor, so long in fact that the previous doctor has since retired and been replaced. This happened 2 years ago to my dentist - but I used to see him a very 6 months. I'm beginning to suspect a conspiracy.....

But meanwhile, back at the the doctor's surgery - I'm perhaps not fully compus mentus due to the virus and in-approprately large doses of the children's cough medicine (the instructions only went up to age 8 - so I'm about 5 times older than that, and a grown up, and they always leave a bit of safety margin so say 7 times the dosage?) so I'm expecting a bit of banter, maybe a bit patronizing, but we both know its just posturing at this stage to fulfill both our contractual obligations....something like....

dr: What can I for you today Mr M?
me: Why, heal me, physician!

I then proceed to provide a colourful tale of my man-flu. It is of course crystal clear to both parties that this is a virus and therefore medicines are far from appropriate (you do know that there are lots of anti-virals out there, just like antibiotics....but this could turn into a physiology lecture...so back to the main text) And in addition to demonstrating the value of the states investment in terms of training and salary by verifying my symptoms are in fact due to the virus and not, say, due to being impaled with tyre iron, the good doctor will give me the usual 5 point oil and water change while I'm in there. Checking my blood pressure and such....

dr: well you're not dead yet
me: that's good but I just need a short-range forecast for my sicknote
dr: that is a short-range forecast; you're over-weight, and don't get enough exercise; the fact your blood pressure is so low despite this is indicative of even further health failings.

But how quickly I have forgotten what (most) doctors are like - I say most, because there is a very small number (1, OK, which is, technically, the smallest number) of doctors I have met who actually impressed me as being very clever, imaginitive and being funny. The rest seem to the product of a selection system valuing only the ability to memorize lots of information and look very sincere. The former talent will of course be of some benefit to anybody taking a tertiary course of education but has often been my own downfall. The second skill is altogether more different. A total failure to look for secondary or un-intended meaning in a statement seems to be route by which the candidates acheive their hippocratic serenity. Who knew that this humour bypass, this Asperger's syndrome with eye-contact should be a pre-requisite for entry?

I certainly did not. As a youngster, I considered bearing the staff of Asceplius a noble career, my chance to give something back to the world, not to mention that since my GP drove an E-Type Jag and lived in a big house, a bloody nice salary with a """free health-plan""" .

But for whatever reason, it was not to be. So I found myself on a parallel course of study on the good ship Cell Biology. Somewhat unexpectedly, this led to me actually teaching physiology to medical students! And this provided me a rare opportunity to observe the phenogenesis of the medical mind.

Medicine, and maybe Law, seem to unique in that they allow no dilution by other disciplines. And the way in which they operate (hah!) has not changed for hundreds of years. Oh, change - sure, they moan about it, but at the end of the day, NPFIT, the largest ever overhaul of Patient Records in the NHS boils to changing a green form for a pink one (and of course a £20bn feeding frenzy for an approved list of suppliers). Doctors decide what is wrong with people, nurses ensure doctors instructions are carried out. And with one Health Service, providing centralised super-hospitals for in-patients, call-centers for end-users, locums for out-of-hours work the identity of the doctor becomes irrelevant and thus the ability for the user to discriminate between good and bad is diminished.

Meanwhile, back at the surgery, it actually went more like this:

dr: Hello Mr M, You've not been well.
(this has caught me on the backstep. Not falling into the trap of asking why I was here. But instead opening a conversation with a statement. Was the trap spotted and pre-empted or is the savante merely failing to engage fully in the social interaction).

I pre-emptively scrub "man-flu" from my lexicon for the day.

The diagnosis goes pretty much as I expect. One mistake was saying I worked in IT when she asks what I do far a living. It's true, but this one is still young and keen and now has reason to give me the full, un-abridged, BMA approved story of why I'm not getting a prescription for penicillin in words of less than 3 syllables. Beam me up Scottie,
The reported findings are a bit different from my earlier expectations:

dr (ticks the box marked overweight, but makes no mention): your blood pressure is very good. Do you exercise?
me: no, I know I should, there doesn't seem enough hours in the day.
dr: mhm
dr: OK, thanks for coming in

I like the ancient Chinese system where you pay your doctor to keep you healthy not to treat you when you're ill.

PHP double plus good?

2007-09-26T04:10:00.000-07:00

I've just read this article about how PHP was better for one user than Ruby on Rails. It's given me a lot of food for thought about where I go with PfP Studio (but I'm not short of ideas - just time to code!). James Gosling's comments that PHP is only really suitable for web-based applications seemed a bit unfair, but thinking about it, they really demonstrate one of the main areas where Java fails as a web programming language.
Sure in PHP there are bindings for GTK, ncurses and rumours of Qt/KDE bindings, but the Garbage Collection problem remains - AFAIK PHP handles Garbage Collection by way of reference counting, but there are scenarios where an object can have a reference but still be garbage (actually I can only think of one, with variations, where two objects reference each other, but aren't referenced by anything else). Java can cater for such a scenario - but this comes at a cost. In Java GC is always a trade off between throughput and pause times. For PHP running in a Web application, its simple - at the end of executing the script, delete everything! However this model doesn't really work for long running PHP programs.

I suppose if PHP wants to be taken seriously for non-web applications it will need a tracing (reachability) based Garbage Collector. If it does come, I hope I can still switch it off for my web applications!

Buggy WYSIWYG Editor

2007-08-16T04:03:00.000-07:00

This WYSIWYG HTML editor on Blogger.com sucks.

Encrypting Files in MS Windows (2)

2007-08-16T03:50:00.000-07:00

AXCrypt

Using the context menu, I first tried to encrypt a copy of a directory - this seemed to be doing something - but I'd no idea where it put the encrypted file!

I then tried encrypting in place - the program seemed to stop at shredding the first file.

Eventually it dawned that the program does not created archives - it was encrypting each file in the directory.

In use, it does what its suppoed to. As with 7zip it uses a temporary directory to store the unencrypted file. In some circumstances it seems to have problems deleting the file when the application is finished with it - but it does promise to delete it the next time the computer is started up. This seems to be related to an existing process opening the file (start up MS Excel, open another doc, then open a axx doc).

Saving a modified file caused errors, but subsequently reopening the file from axcrypt it kept the changes.

Its ugly, but fairly fool proof.

CryptonIt
CryptonIt uses asymmetric encryption - and we have no PKI infrastructure. But looks like a worthy successor to the delisted WinCrypt freeware (still available from other sources on the internet).

LockDisk
LockDisk looks interesting but the developers are very vague about the licence and the algorithm.

BladeBox
BladeBox creates a virtual drive (no temp files?) the site claims AES encrpytion but licence terms are not published. Variously listed as shareware and freeware.

CryptoExpertLite
CryptoExpertLite is another virtual drive - nice gui but no dynamic sizing of the drive.

I should point out that I was just joking about the CamelCase thing in my previous post - it seems to be coincidence that all the products which seem to come close to matching my brief
have CamelCase names.

Encrypting files in MS Windows

2007-08-16T01:16:00.000-07:00

I'm currently looking for a product for encrypting files within MS-Windows.

The contents of the file are to be available only to a select number of individuals. The obvious approach was one based on symmetric encryption or quorum type encryption. Although it would be possible to have a system publishing versions encrypted using the individuals public keys this seems overkill.

XP Encryption
Based on previous experience in disaster recovery scenarios my initial thought was to look at facilities built in to the operating system. However even before digging in to the details of the implementation (based on their implementation of pptp and Office password protection, I thought it best to check) I came across a major stumbling block - users in the domain with admin privileges can access the encrypted files. It's not that I'm trying to subvert our security model - quite the opposite; not everyone in the admin group should have access.

7zip Encryption
We are already using 7zip widely but until I started doing some digging on the topic, I was not aware that it also supported encryption. Despite the weaknesses in the implementation (described here for WinZip, most of which applies equally to 7zip) it seemed ideal for our purposes. However when I tried it out, I found that the ergonomics were so bad that it would be unusable for our needs.

Although not a show stopper, it uses a temp directory on the local machines physical hard disk to store the unencrypted file. It does clean this up after the application using the file is closed, but could provide a new avenue for accessing the encrypted document.
Under normal operations, when a file within an archive is edited, 7zip automatically puts it back into the archive when the application is exited. It just gives an error when you try this using an encrypted file.
The password for encryption is set when the archive is created. If you try to add additional files later, these are added unencrypted with no warning.

I was a bit surprised at this as, for compression purposes I had found the user interface to be very well designed.

Because of the Byzantine procurement process here it is a painful experience to actually buy software - and my experience is that it is always better to try before you buy - hence FOSS software is particularly attractive.

So I'm off to have a look at:

AxCrypt
CryptonIt

AnyThingElseICanFindWhichEncrypts
AndHasACamelCaseName

Joining the blogging generation

2007-08-15T08:49:00.000-07:00

Sooner or later I knew I'd end up getting a blog somewhere. Previously I'd published a journal on my NTL homepage - but with only HTML available it was a pain to maintain it (even with PushSite). Since everyone is entitled to my opinion I thought I'd get me a proper blog account somewhere which handles all those cool things like trackbacks and RSS and other such gobbledygook.

Don't expect regular postings or wisdom or much in the way of entertainment - but plenty of ranting and general complaining.