Generating SSL Certificates for Apache
by Craig Mayhew on Apr.29, 2011, under General/Techie
Generate a key:
openssl genrsa -des3 -out server.key 2048
Generate a certificate signing request (csr):
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]: Hampshire
Locality Name (eg, city) [Newbury]: Southampton
Organization Name (eg, company) [My Company Ltd]:Your Company Ltd
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:www.craigmayhew.com
Email Address []:person@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Remove the password from the key file:
cp server.key server.key.bak
openssl rsa -in server.key -out server.key
SSH Port Forwarding
by Craig Mayhew on Mar.16, 2011, under General/Techie

A very quick reference for anyone that wants to tunnel data via SSH. In this case I am using RDP over SSH.
IPv6 – a new security threat?
by Craig Mayhew on Jan.18, 2011, under General/Techie
IPv6, as covered in a recent article on the adire site, will enable us to have millions of unique IP addresses for every individual on the planet. This creates brilliant opportunities but also one very big problem.
Website account security has until now been fairly easy to maintain. For instance, attacking someone's Twitter account and gaining access could bring you substantial financial gain and cause the owner substantial damage. Websites like Twitter will detect obvious brute force attacks where someone attempts to guess an account password, and they will block the offending IP address from attempting to log in to that Twitter account. So let's say I as an attacker attempt to crack a Twitter account by guessing the forgotten password; my attempts will be ignored after my 10th failed login. The Twitter account therefore remains secure.
Now let's say there are 500 celebrity Twitter accounts I wanted to try and gain access to, and I would be delighted if I as the attacker cracked even one of these. If Twitter used the above logic of blocking me from logging in to each account after 10 tries, then in total I would get 5000 attempts across all the accounts!
Twitter, along with other websites, is thankfully much smarter than this. They will instead block my IP address from attempting to log in to any account after a certain number of failed login attempts. So they may spot what I'm doing and block me after my 50th login attempt.
With time as a factor, if I'm patient then I might be able to get 50 attempts a day, and I'm sure you can see where this is going. If your password isn't suitably complex, e.g. it's just one word, then it will likely be cracked in at most a few years. But let's also assume you have a fairly secure password.
As long as the password isn't simple then this is a great method of security, as it doesn't involve locking accounts or really give anyone a hope of breaking into someone's account unless they have used a really dumb password.
However, IPv6 might ruin all that. Imagine that instead of one or two IP addresses, I have millions.
This does depend on how the IPv6 addresses are allocated. One way to prevent this problem: if all my IP addresses start the same, e.g. 1111:1111:1111:1111:1111:1111:1111:0001 to 1111:1111:1111:1111:1111:1111:1111:FFFF, then Twitter could block all addresses beginning with 1111:1111:1111:1111:1111:1111:1111, although it might not have any way of knowing they are all in use by me.
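The prefix-based blocking just described, as an added PHP 8 example that is not part of the original post: failed logins are counted per network prefix (a /64 for IPv6, a single address for IPv4) instead of per exact address, so cycling through every host in one block still hits one limit. The prefix lengths, the limit of 50 and the sample addresses are assumptions.

```php
<?php
// Added example (not from the original post): a failed-login counter keyed on the client's
// network prefix rather than its exact address, so cycling through every address in one
// IPv6 block, the scenario above, still runs into a single limit. Prefix lengths,
// the limit of 50 and the sample addresses below are assumptions.
/** Map an address to the prefix treated as one attacker, e.g. "2001:db8:1:1::/64". */
function bucketFor(string $addr, int $v6Prefix = 64, int $v4Prefix = 32): string
{
    $bin = inet_pton($addr) ?: throw new InvalidArgumentException("bad address: $addr");
    $plen = strlen($bin) === 4 ? $v4Prefix : $v6Prefix;
    // Mask of $plen one-bits followed by zeros, ANDed bytewise with the address.
    $mask = str_repeat("\xff", intdiv($plen, 8));
    if ($plen % 8) {
        $mask .= chr((0xff << (8 - $plen % 8)) & 0xff);
    }
    $mask = str_pad($mask, strlen($bin), "\0");
    return inet_ntop($bin & $mask) . "/$plen";
}
class LoginLimiter
{
    private array $failures = [];
    public function __construct(private int $limit = 50, private int $v6Prefix = 64) {}
    public function isBlocked(string $addr): bool
    {
        return ($this->failures[bucketFor($addr, $this->v6Prefix)] ?? 0) >= $this->limit;
    }
    public function recordFailure(string $addr): void
    {
        $b = bucketFor($addr, $this->v6Prefix);
        $this->failures[$b] = ($this->failures[$b] ?? 0) + 1;
    }
}
/** How many of the given failed attempts get through before the limiter blocks. */
function attemptsBeforeBlock(array $addrs, int $limit = 50, int $v6Prefix = 64): int
{
    $limiter = new LoginLimiter($limit, $v6Prefix);
    $allowed = 0;
    foreach ($addrs as $addr) {
        if ($limiter->isBlocked($addr)) { break; }
        $limiter->recordFailure($addr);
        $allowed++;
    }
    return $allowed;
}
// Constructed sample: 200 attempts, each from a different host address inside one /64.
$sample = array_map(fn ($i) => sprintf('2001:db8:1:1::%x', $i), range(1, 200));
echo attemptsBeforeBlock($sample, 50, 128), "\n";  // per-address limit: all 200 get through
echo attemptsBeforeBlock($sample), "\n";           // per-/64 limit: only 50 get through
```

Choosing the prefix length is the trade-off the post points at: too long and an attacker with a large block walks straight past the limit, too short and you block legitimate users who happen to share the allocation.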
craig.geek
by Craig Mayhew on Jan.17, 2011, under General/Techie
I’ve been experimenting with openNIC, the alternative DNS. My site is now visible on the craig.geek domain, but virtually all of you will just get an error or 404 when you try to view that page. This is because currently, to use openNIC, you need to change your DNS configuration to use their servers instead of ICANN’s. For most, this is a pretty daunting task. The only way this will become widespread is if enough people request that their ISP start resolving these new (and free!) top level domains.
Again none of these following links will work unless you are setup to use the alternate DNS.
grep.geek – Currently the only search engine I could find.
openniclist.ing – A website listing, similar to dmoz.org
monitor.ing – A website that monitors the openNIC servers across the world and allows you to see any problems.
This last one you can actually visit – it explains how to set up and use the alternate DNS on your hardware.
www.opennicproject.org
Interactive 3D Light Field Display
by Craig Mayhew on Jul.19, 2010, under General/Techie
Simon Holywell sent me a link to this clever way of displaying 3D images. Now if only we could shrink this to a portable size…
Windows “cat” equivalent
by Craig Mayhew on Apr.18, 2010, under General/Techie
If you need to concatenate several files on a Windows system the command is as follows:
“copy /B filePart1 + filePart2 + filePart3 outFileName”
The /B indicates the files are binary files.
phpuk2010
by Craig Mayhew on Feb.27, 2010, under Code, General/Techie
Back from phpuk2010 and feeling like I really want to contribute to some open source projects! I’ll summarize the main points I took away from each of the talks I attended.
Josh Holmes – Keynote talk – The Lost Art of Simplicity:
Josh talked about how overcomplicating things seems to happen all too often and gave a great example of a man simply trying to pluck an apple from a tree. He introduced me to “the truck factor”, which I knew by a different name, but this one has a much better ring to it :)
Stefan Priebsch – AntiPHPatterns:
I took a lot away from this talk. Stefan had some great usage cases where singletons are bad, and I have come across similar problems in my own code. I still think there are cases where it makes sense and they are great for chucking an example together, but for production code and unit testing they are a bit of a nightmare.
He also pointed out that using global within a class is a real pain for unit testing too, and ideally you should use the class’s __construct() function to get any required arrays/objects from outside the class (dependencies).
CakePHP took a bit of a bashing during the talk due to its insanely high number of globals. CakePHP wasn’t alone either; it seems a great many open source PHP projects are taking steps to fix their high use of globals and singletons.
Remo Biagioni – Database Optimization:
This was a story about how a small side project grew into a multi-server nightmare in just a few short years. He gave some good examples of how not to manage your databases and some equally good examples of how to speed up different aspects of the database server. In short:
- Reduce the number of queries as much as possible by merging them together.
- INSERT IGNORE is faster than a SELECT query followed by a possible INSERT query.
- Move the queue to memory.
- Use LOW_PRIORITY on DELETEs that don’t matter.
- memcached is awesome; if you’re not using memcached or something like it then you really should.
- If possible, avoid LIKE, GROUP BY and DISTINCT, as these are all slow.
- Use something like beanstalkd to manage the queue.
- They used an MD5 hash (calculated in PHP) as a primary/unique row key. This is faster than using AUTO_INCREMENT to manage the primary keys. Note: you could use sha1() for even less chance of a duplicate key.
HAProxy, Google’s MMM, NoSQL and CouchDB all got a mention near the end and during question time.
Kore Nordmann – CouchDB & PHPillow:
This talk introduced a completely new concept to me and got me excited about a new kind of database. CouchDB is different, very different, to relational databases such as MySQL. Firstly, it uses HTTP to connect to it! This opens up immediate possibilities and new security concerns, but means you can make a database connection within JavaScript in the user’s browser! There is no schema in CouchDB, as the “rows” are in fact JSON objects. This means each row doesn’t have to follow any kind of set rules; they could have a different number of “columns” or have very different data in each “column”, such as another object or a multi-dimensional array. You’re probably thinking the same thing I was at this point: “do we have indexes in CouchDB? And how the hell would they work?” Well, there are indexes in CouchDB and they are very flexible, but they are harder to implement than in, say, MySQL. Indexes in CouchDB are called views. These views exist as code that is run to create e.g. a B-tree index. The great part is, you write the code for the view, and you can write it in JavaScript (or other languages with the help of plugins). This gives you far more direct control of your indexes and should result in you having a far better understanding of your database’s internal workings. PHPillow is the framework for implementing CouchDB within PHP.
Juliette Folmer – Regex-fu:
Although there’s not a lot to blog about from the regex talk (you really had to be there), two things I did pick up were that PCRE is faster than POSIX, and the PHP documentation for it is at http://php.net/manual/en/book.pcre.php. Also, the built-in and blindingly fast PHP Filter extension is often forgotten or not known about; its documentation is at http://www.php.net/manual/en/intro.filter.php.
Damien Seguy – PHP Code Audits:
Damien gave a good talk on security in PHP. He covered the usual stuff about REGISTER_GLOBALS being a terrible idea on any system, production or development, but went into far more detail on how he searches for security issues in a short space of time so that you can quickly audit your own code. The bottom line is: search the PHP code, with the help of a tokenizer, for PHP injection in places that use backticks, require/include etc. and eval. Search the code’s notes (comments) for swearing and keywords such as “todo”.
A good tip he gave for finding redundant code was to search for variables that only appear once. Some of these will be global variables, but some of them may well lead you to old or troubling code.
Tools he recommended were Groogle, Reviewboard, Rietveld and Smartbear.
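Both of Damien’s tips above (tokenizer-driven search for eval, backticks and dynamic include/require plus “todo”-style comments, and the variables-that-appear-once trick) in one added example. This is my own PHP 8 illustration built on token_get_all(), not Damien’s tool or any project’s code; the keyword list and the sample file at the bottom are made up.

```php
<?php
// Added example (not Damien's tool or any project's code): a quick audit pass built on
// PHP's tokenizer, in the spirit of the talk. It flags eval, backticks and include/require
// with a non-literal path, greps comments for "todo"-style words, and lists variables
// that occur only once. The keyword list and the sample file at the bottom are made up.
function auditPhpSource(string $code): array
{
    $findings = $varCounts = [];
    $inBacktick = false;
    $keywords = ['todo', 'fixme', 'hack'];
    $tokens = token_get_all($code);
    foreach ($tokens as $i => $tok) {
        if (is_string($tok)) {                       // one-char tokens such as ';' or '`'
            if ($tok === '`' && ($inBacktick = !$inBacktick)) {
                $findings[] = 'backtick (shell execution) expression';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        switch ($id) {
            case T_EVAL:
                $findings[] = "line $line: eval()";
                break;
            case T_INCLUDE: case T_INCLUDE_ONCE: case T_REQUIRE: case T_REQUIRE_ONCE:
                $j = $i + 1;                         // skip whitespace to the path expression
                while (is_array($tokens[$j] ?? null) && $tokens[$j][0] === T_WHITESPACE) {
                    $j++;
                }
                if (!is_array($tokens[$j] ?? null) || $tokens[$j][0] !== T_CONSTANT_ENCAPSED_STRING) {
                    $findings[] = "line $line: $text with a non-literal path";
                }
                break;
            case T_COMMENT: case T_DOC_COMMENT:
                foreach ($keywords as $kw) {
                    if (stripos($text, $kw) !== false) {
                        $findings[] = "line $line: comment mentions '$kw'";
                    }
                }
                break;
            case T_VARIABLE:                         // tally for the "appears only once" tip
                $varCounts[$text] = ($varCounts[$text] ?? 0) + 1;
                break;
        }
    }
    $singleUse = array_keys(array_filter($varCounts, fn ($n) => $n === 1));
    return ['findings' => $findings, 'single_use_vars' => $singleUse];
}
$sample = "<?php\n// TODO: tidy this up\n\$cmd = \$_GET['c'];\necho `ls \$cmd`;\n"
        . "eval(\$_POST['x']);\nrequire \$page . '.php';\ninclude 'config.php';\n\$unused = 1;\n";
print_r(auditPhpSource($sample));
```

The single-use list will include superglobals such as $_GET, exactly the “some of these will be global variables” noise Damien warned about, so treat it as a starting point for reading, not a defect list.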
The Environmental Impact of Inefficient HTML Code
by Craig Mayhew on Jan.18, 2010, under General/Techie
These factors can be used to show the environmental and financial impact of inefficient HTML.
- A core 2 duo e6600 uses ~30 watts more when under single core heavy load than when it is idle. 30 watts = 0.03 kWh.
- Assuming 10p/kWh then 1 computer second costs 0.00008333 pence.
- Assuming 0.54055 kg of CO2 emissions per kWh for the average UK grid electricity, then 1 second of additional computer processing time creates 0.0045g of CO2.
- 3600 seconds in an hour
Financial Cost = (pencePerkWh/3600) * 0.03 * renderSecondsPerPageView * pageViews
Examples: (using 1 million page views, each taking 0.25 seconds)
Financial Cost = (10/3600) * 0.03 * 0.25 * 1000000 = 20 pence
CO2 Emissions = (0.54055/3600) * 0.03 * 0.25 * 1000000 = 1.12Kg of CO2
ZFS on Ubuntu
by Craig Mayhew on Nov.25, 2009, under General/Techie
Installation on Ubuntu 9.04
Filip Brcic is kindly providing Ubuntu packages for zfs-fuse.
To install zfs-fuse, add Filip Brcic’s launchpad repo to a sources list.
sudo nano /etc/apt/sources.list.d/zfs-fuse.list
Add…
At the time of writing, the karmic version of this doesn’t work so keep the word jaunty in repositories and it should be ok.
deb http://ppa.launchpad.net/brcha/ubuntu jaunty main
deb-src http://ppa.launchpad.net/brcha/ubuntu jaunty main
Then update apt.
sudo apt-get update
Now install zfs-fuse.
sudo apt-get install zfs-fuse
CAVEATS:
If you get this message then you need to run the command as root:
connect: Permission denied
internal error: failed to initialize ZFS library
zfs get compressratio
Further Reading:
https://wiki.ubuntu.com/ZFS
https://wiki.ubuntu.com/ZFS/ZPool
http://www.lildude.co.uk/zfs-cheatsheet/
http://blogs.sun.com/bonwick/entry/zfs_dedup
Cloud Computers – An easy way to lose all your data
by Craig Mayhew on Nov.01, 2009, under General/Techie
Regular backups, we all know the score. If you don’t make regular backups then you will lose data.
In recent years more and more of the big players are releasing bigger and cheaper cloud solutions, e.g. Amazon’s EC2 or Microsoft’s Azure. Clouds offer incredible scalability, allowing you to go from needing no processing power to thousands of CPUs, or from a few megabytes of storage to terabytes, without ever needing to upgrade your server. Unfortunately, sometimes proper backup solutions are not put in place. After all, it is no easy task to back up an entire data centre in a timely manner that doesn’t impact upon the cloud’s performance. Even more than that, the backup must be stored differently to the main cloud. For instance, it’s not a good idea to back up an Amazon EC2 cloud to another EC2 cloud. If someone found an exploitable flaw in the EC2 platform that meant they could wipe the cloud, or the cloud itself failed and erased all its data, then the exact same thing could happen to the backup copy. A simple solution is to mirror your data between two cloud platforms. The perfect solution is to maintain a tape backup (or at least some kind of offline storage) of your data and keep it in a geographically different place.
Cloud computers are not immune to failure; they are simply as good as the software running on them. Some good examples of massive irreversible data loss:
Up to 1 million T-Mobile Sidekick customers lose their mobile data