Category Archives: Metal (Technical)

South African Banks SSL Security (2)

After seeing someone’s Facebook security horror story about a local credit card (not one of the banks listed below), I was inspired to re-run the tests I previously ran on the South African banks, using SSL Lab’s SSL Server Test.

The results last time were awful, with Standard Bank and Absa falling way below the acceptable standard. This time, I was pleasantly surprised (previous results in brackets).

Ranking  Bank      Overall Grade  Protocol Support  Key Exchange  Cipher Strength
1        FNB       A+ (B)         95 (95)           90 (80)       90 (90)
2        Nedbank   A (B)          95 (70)           90 (90)       90 (80)
3        Capitec   A- (A-)        95 (95)           90 (80)       90 (90)
3        Absa      A- (F)         95 (0)            90 (90)       90 (90)
3        Standard  A- (F)         95 (0)            90 (0)        90 (60)

All of the banks have improved their scores. Capitec, which has dropped from first to third, still does not support Forward Secrecy, but has improved its key exchange ranking from 80% to 90%.

FNB, which jumped from second to first, has deployed HTTP Strict Transport Security (HSTS) with long duration. FNB gets the only A+ ranking.

Nedbank, which jumped from third to second, has improved from a B to an A, improving its protocol support and cipher strength rankings.

Absa and Standard Bank have both improved from F's to A-'s, and are joint third with Capitec. To put things in perspective, their rankings would have put them top during the previous test, so all banks are now doing better than the best bank did in May 2016. With no-one talking of a big four anymore (Capitec now outranks Nedbank in some metrics), perhaps a little bit of competition is helping after all.

Trust Us, We’re a Payment Gateway

A friend told me today about an experience of attempting to book a flight on kulula.com. His credit card wasn’t working, but there was an option for bank transfer (EFT), so he chose that.

The EFT option used SID, a payment option promising secure EFT transactions. All good so far, so he followed the link.

The SID window asked him to enter his bank account login details… You know, the kind you're constantly warned never to give to anyone and never to enter on any site other than your bank's.

I couldn’t believe that this is actually what happened (perhaps the friend had missed his morning coffee), so I checked it for myself. Looking into SID’s documentation, they claim to be externally verified, not to store the login details, and to use the bank’s own security system. But yes, you are asked to enter your bank account login details in their window.

I’ve got no reason to doubt that SID does what it says, but the methodology seems hopelessly flawed.

Let’s say I start a new payment system called SAD. At the same time I launch my casino website, relying on trusted SAD security. I state clearly that SAD uses the bank’s own security systems, and doesn’t store any of the login credentials. Totally secure!

The transaction succeeds, and the customer has a credit to spend on my casino site. They spend many happy hours on my casino website, winning up a storm, and dreaming of their new Tesla. For some reason the cashout option isn’t working today, but check back soon…

Some time later, they decide to check their bank balance, and find, to their horror, it’s all gone. They immediately phone their bank. Perhaps the conversation goes something like this:

HORRIFIED CUSTOMER: There’s a transaction clearing out my entire balance! It wasn’t me! The transaction needs to be reversed!

BANK: Hmm, our records indicate you logged in from internet banking, and transferred the money out. When was the last time you remember logging in?

HC: Er, I logged in to winbigbillionscasino.com and made a R50 transfer to their account from my bank account, using the safe and secure SAD system.

BANK: OK, no problem, we’re refunding the money now, apologies for the mistake.

Or perhaps not…

Perhaps the bank, in their charming and professional manner, laughs you off the phone and tells you you're an idiot for giving your login details to another site.

Merchants asking customers to trust them, assuring them that their bank details are secure, is a recipe for disaster. Just don’t do it.

Image from Wikimedia Commons

South African Banks SSL Security

After coming across an article testing the security of the SSL implementations of Australian banks, I decided to run the same tests on the South African banks, using SSL Labs' SSL Server Test. I have a little bit of inside info on some of the banks' systems, so I was not too surprised at how bad the results were.

Bank      Overall Grade  Protocol Support  Key Exchange  Cipher Strength
Capitec   A-             95                80            90
FNB       B              95                80            90
Nedbank   B              70                90            80
Absa      F              0                 90            90
Standard  F              0                 0             60

None of the banks score an A (they all fail on Forward Secrecy), but the pick of the bunch was Capitec, whose only other failing was using a relatively weak signature.

FNB is limited to a B by accepting the weak RC4 cipher, and Nedbank adds support for only older protocols to the list of failings.

You’d hope for better security from banks, but the failings of Capitec, FNB and Nedbank are not too serious. On to the others…

Absa has all of the above failings, does not support secure renegotiation, uses the obsolete SSL3, and most dismally of all, is vulnerable to the POODLE attack against TLS servers.

Although Standard Bank also gets an F, it stands alone in the number of criteria it failed. It uses the even older and less secure SSL 2, supports insecure Diffie-Hellman (DH) key exchange parameters, supports 512-bit export suites and might be vulnerable to the FREAK attack, as well as being vulnerable to POODLE.

It's quite astounding that Standard Bank may still be vulnerable to the FREAK attack, which has been known about for over two months, and which is extremely serious.

These results match the banks' scores in other areas as well, such as bank fees and customer satisfaction. So Standard Bank clients will be happy to know they're not only with the least secure bank, but also with the most expensive one and the one with the worst customer service.
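As an added example (my own code, not from the original posts or from SSL Labs), here is a small Python checker for the specific failings the two sets of results above call out: obsolete SSL 2/3 (POODLE), RC4, export-grade suites (FREAK), missing forward secrecy, weak DH parameters, missing secure renegotiation, and the long-duration HSTS header that earned FNB its A+. The inputs are things you can collect yourself from an openssl s_client session or an SSL Labs report; the 180-day HSTS threshold and the DH thresholds are SSL Labs' published ones, and the two sample profiles are constructed, not any bank's real configuration.

```python
"""Flag the TLS configuration failings discussed in the bank SSL posts."""
from typing import Dict, List, Optional, Set

# SSL Labs only awards A+ when HSTS max-age is "long": at least 180 days.
LONG_HSTS_SECONDS = 180 * 24 * 3600
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL-style suite names offering forward secrecy: (EC)DHE, and all TLS 1.3 suites.
_FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")
# Anonymous (unauthenticated) key exchange: never acceptable.
_ANON_PREFIXES = ("ADH-", "AECDH-")


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {} for a missing, empty or malformed header; max-age becomes an int,
    other directives (includeSubDomains, preload) become True.
    """
    result: Dict[str, object] = {}
    if not header:
        return result
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return {}  # a malformed max-age makes the whole header invalid
            result[name] = int(value)
        else:
            result[name] = True
    return result


def hsts_is_long_duration(header: Optional[str]) -> bool:
    """True if the header would satisfy SSL Labs' long-duration HSTS requirement."""
    max_age = parse_hsts(header).get("max-age", 0)
    return isinstance(max_age, int) and max_age >= LONG_HSTS_SECONDS


def classify_cipher_suite(name: str) -> List[str]:
    """Return findings for one OpenSSL cipher suite name (empty list = fine)."""
    findings: List[str] = []
    n = name.upper()
    if n.startswith("EXP"):  # EXP-RC4-MD5, EXP-DES-CBC-SHA, ...: 512-bit export suites
        findings.append("export-grade suite (FREAK exposure)")
    if "RC4" in n:
        findings.append("weak RC4 cipher")
    if n.startswith(_ANON_PREFIXES):
        findings.append("anonymous key exchange")
    elif not n.startswith(_FS_PREFIXES):
        findings.append("no forward secrecy")
    return findings


def audit_server(protocols: Set[str], suites: List[str], dh_bits: Optional[int],
                 hsts_header: Optional[str], secure_renegotiation: bool) -> List[str]:
    """Return a list of human-readable issues; an empty list means nothing flagged."""
    issues: List[str] = []
    for proto in sorted(protocols & OBSOLETE_PROTOCOLS):
        issues.append(f"supports obsolete {proto}")
    if "SSLv3" in protocols:
        issues.append("SSLv3 enabled: POODLE exposure")
    fs_offered = False
    for suite in suites:
        findings = classify_cipher_suite(suite)
        if "no forward secrecy" not in findings and "anonymous key exchange" not in findings:
            fs_offered = True
        # Forward secrecy is judged server-wide below, not per suite.
        issues.extend(f"{suite}: {f}" for f in findings if f != "no forward secrecy")
    if not fs_offered:
        issues.append("no forward secrecy suites offered")
    if dh_bits is not None and dh_bits < 1024:
        issues.append(f"insecure DH parameters ({dh_bits} bits)")
    elif dh_bits is not None and dh_bits < 2048:
        issues.append(f"weak DH parameters ({dh_bits} bits)")
    if not secure_renegotiation:
        issues.append("secure renegotiation not supported")
    if not hsts_is_long_duration(hsts_header):
        issues.append("no long-duration HSTS (required for A+)")
    return issues


# Constructed sample profiles (not real bank data): one resembling the worst
# result above, one resembling the A+ result.
WORST_CASE = dict(protocols={"SSLv2", "SSLv3", "TLSv1"},
                  suites=["EXP-RC4-MD5", "RC4-SHA", "AES128-SHA"],
                  dh_bits=512, hsts_header=None, secure_renegotiation=True)
BEST_CASE = dict(protocols={"TLSv1.2", "TLSv1.3"},
                 suites=["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
                 dh_bits=None, hsts_header="max-age=31536000; includeSubDomains",
                 secure_renegotiation=True)

if __name__ == "__main__":
    for label, profile in (("worst", WORST_CASE), ("best", BEST_CASE)):
        print(label, audit_server(**profile) or ["no issues"])
```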

A comparison of WhatsApp, Facebook Messenger and Telegram permissions on Android

Recently I've seen quite a few postings of the article The Insidiousness of Facebook Messenger's Mobile App Terms of Service, claiming you should remove Facebook Messenger because of the control the app has over your Android device. Many have suggested Telegram instead, which I've been using for a while. "Using", I should add, in the same sense I would use a carrier pigeon. It's nice to have, but there aren't many others to share the fun with.

So how bad is the Facebook app compared to others? Here’s a comparison between the permissions demanded by Facebook Messenger, Telegram and Whatsapp on Android:

Permission Facebook Messenger Telegram WhatsApp
Retrieve running apps No No Yes
Find accounts on the device Yes Yes Yes
Find accounts on the device No Yes Yes
Read your own contact card Yes Yes Yes
Read contacts Yes Yes Yes
Modify your contacts No Yes Yes
Approximate location (network-based) Yes Yes Yes
Precise location (GPS and network-based) Yes Yes Yes
Edit your text messages Yes No No
Receive text messages (SMS) Yes Yes Yes
Read your text messages Yes No No
Send SMS messages Yes No Yes
Receive text messages (MMS) Yes No No
Directly call phone numbers Yes No Yes
Read call log Yes No No
Test access to protected storage Yes Yes Yes
Modify or delete contents of your USB storage Yes Yes Yes
Take pictures and videos Yes Yes Yes
Record audio Yes Yes Yes
View wifi connections Yes Yes Yes
Read phone status and identity Yes Yes Yes
Read sync statistics No No Yes
Receive data from internet Yes Yes Yes
Download files without notification Yes No No
Run at startup Yes Yes Yes
Prevent device from sleeping Yes Yes Yes
View network connections Yes Yes Yes
Install shortcuts Yes No Yes
Change your audio settings Yes No Yes
Read Google service configuration Yes Yes Yes
Draw over other apps Yes Yes No
Full network access Yes Yes Yes
Read sync settings Yes Yes Yes
Control vibration Yes Yes Yes
Change network connectivity Yes No No
Toggle sync on and off No No Yes
Use accounts on the device No No Yes
Modify system settings No No Yes
Uninstall shortcuts No No Yes

The permissions that have got most people worried, with visions of their phone starting to video them and record their conversations, "Take pictures and videos" and "Record audio", are shared by all the apps. In Android's permission system, they're required for the apps to function. So if you want to use the chat functionality, you have to give the app these permissions. If the software is proprietary (Facebook and Whatsapp), you'll need to trust the company behind the app (Facebook owns Whatsapp as well). Telegram is open source, and therefore anyone can (and does) check the code. If you're worried about security, you should be as concerned about what happens to your messages and data in transit, and here the best option I know of right now is Telegram, which is designed with a focus on privacy.

Now if only more people would use it…

Autumnal spring cleaning

This weekend I did some unseasonal spring cleaning. I closed down my chess website, my rugby website, the Wikipedia template translation tool, the free and open source feeds list, and some now rather dated software that I hosted.

So, if you've been redirected here looking for any of those, sorry to disappoint you! It's time to simplify, and none of the projects were particularly active or interesting anymore, so it was time to do some tidying.

WordPress spam, Akismet and Cookies for Comments

This blog gets about 1 spam comment a second.

Not bad for an obscure blog with, as I write this, only one post open for comments.

Akismet, the spam plugin, does a great job of keeping the spam out, although recently a few more spam posts have been sneaking through for moderation, perhaps two a week. Still, considering I get about 600 000 spam comments in that week, a miss ratio of 1 in 300 000 is rather exceptional.

The volume of spam shot up markedly after this post, which in retrospect isn't so surprising, since it contains just about every spam phrase out there.

A feature I’d like to see in WordPress is the ability to automatically delete spam after a certain period. Apparently this is automatically set to one month, but since in that month I’d get about 2.5 million posts, and have to up the space on my backup server, I prefer to delete spam posts manually a little more often than that.

Deleting spam posts isn't entirely smooth. If the number is too large, the script times out and I have to re-run it a number of times. Since the spam arrives so quickly, I never have an empty spam folder: by the time the deletion has happened, but before the page reloads, there are normally a couple more posts.

After coming back from the weekend to 40 000 spam posts, I decided to look for a solution. It'd be easy enough to adjust the period in the code manually, but since I'd have to re-implement the change each time I upgraded, I preferred to look for an existing solution.

Enter Cookies for Comments. The solution is simple – the plugin sets a random cookie, which, if it doesn’t exist when a comment is posted, is almost a sure sign that the comment is being placed by a bot.

You can set the plugin to either automatically mark the comment as spam (effectively catching the two or so comments a week Akismet misses, but not solving my problem), or automatically delete the comment.

I set it to automatically delete comments. Boom! Blissful silence, with my recently-cleared spam folder now not moving from 247 comments.

You can go further and use an Apache rewrite rule to block the requests from even reaching WordPress, which I haven't implemented yet, but it looks promising for reducing unnecessary load further.

What’s that? You’re suspicious of cookies and have disabled them, and now you can’t comment on my blog? I doubt you can do much else on the internet either…

MySQL, MariaDB and relative asymptotics

In 2002 I wrote a book on MySQL. At the time, I was working crazy fulltime hours for IOL and I was exhausted by the end of the process. I’ve been approached quite a few times since to write an update, or to write other related books, but have never had the energy, time or interest. The most recent approach, by a publisher I won’t mention, was for a hilariously obscure topic. I’ve deleted the email, so can’t recall the exact topic, but it was along the lines of “Asymptotic Relative Efficiency in Python”. Not only have I hardly used Python, but I’m relatively inefficient in asymptotics. It did make me wonder about the quality of the rest of their books.

It’s obviously taken 10 and a half years for the memories to fade because although I’m as busy as ever, I’m considering an update to the book. I’ve been watching MySQL’s progress with interest, from the company’s purchase by Sun to the Oracle takeover.

With concerns about the direction of MySQL under Oracle, MariaDB is gaining widespread prominence, and it’s been good to see that Fedora and OpenSUSE are the first two Linux distributions to announce that they will move towards replacing MySQL with MariaDB.

MariaDB is a drop-in replacement for MySQL, but contains a number of enhancements and has been reported to perform better. Wikipedia were the first high-profile entity to begin switching, and their move has probably triggered similar moves elsewhere. MariaDB is administered by the non-profit MariaDB foundation in a much more open and transparent manner than MySQL currently, and employs some of the original MySQL developers.

Where Fedora goes, Red Hat follows, and it’s only a matter of time before MariaDB is widely available as a standard on most server setups.

Although I still use it myself regularly as a reference, the old book is quite dated now, so it’ll be interesting to get to grips with all the enhancements that MariaDB offers.

Speed Comparison of South African Media Websites

I’ve noticed that each time I’ve visited IOL recently my browser takes a noticeable performance knock. Trying to browse it by opening lots of tabs, as I do with most sites I visit, is out of the question, and it’s probably the worst-performing site I have visited recently.

I decided to run speed tests of the major South African news sites, and a few well-known international ones, to see how the performance shapes up.

I ran YSlow, which, along with Google's PageSpeed alternative, is one of the better-known speed tests. YSlow is an add-on to Firebug; both are add-ons for Mozilla Firefox.

Here are the results. Higher scores are better – I only visited the front pages of each.

Site Grade Score
IOL E 55
News24 E 57
New Age E 60
Business Day D 61
Times Live D 62
Guardian (UK) D 64
iafrica D 66
New York Times (USA) D 68
City Press D 69
BBC (UK) C 71
Mail & Guardian C 73
Cricinfo C 74
Daily Maverick C 75
Facebook C 80
Twitter B 89

It's no surprise that IOL comes in last, close behind the nearly-as-clunky News24, while at the other end of the scale the Daily Maverick comes top, closely followed by the Mail & Guardian. The South African news websites are generally slower than the most popular international alternatives, ironic in a country with relatively slow and expensive bandwidth. Although Facebook and Twitter aren't news sites, I've added them as two of the most popular sites for comparison. Twitter is unsurprisingly light, with its minimal interface, but Facebook comes out well, probably due to the hefty resources it devotes. It can by no means be called a light site, and the front page is filled with content, but it performs far better than any of the local sites.

You like my blog?

With my regularly updated blog jam-packed full of brilliant content, naturally it receives more compliments than Lady Gaga’s Twitter account.

Happy New Year by the way. And Christmas.

One fan went a bit overboard, submitting what seems to be every one of the compliments spammers regularly use to deceive bloggers. Here's the heartfelt comment:

Thanks for ones marvelous posting! I truly enjoyed reading it, you can be a great author.
I will be sure to bookmark your blog and definitely will come back in the future.

I want to encourage you to ultimately continue your great work, have
a nice afternoon!
I absolutely love your blog and find a lot
of your post’s to be what precisely I’m looking for.
can you offer guest writers to write content to suit
your needs? I wouldn’t mind creating a post or elaborating on most of the subjects you write about here. Again, awesome web site!
My spouse and I stumbled over here from a different web page and thought I should check things out. I like what I see so now i’m following
you. Look forward to looking at your web page for a
second time.
I really like what you guys are up too. Such clever work and coverage!
Keep up the great works guys I’ve added you guys to my personal blogroll.
Hello there I am so delighted I found your web site, I really found you by accident, while I was searching on Aol for something else, Anyways I am here now and would just like to say thank you for a fantastic post and a all round entertaining blog (I also love the theme/design), I don’t have time to browse it all at the moment but I have saved it and also added in your RSS feeds, so when I have time I will be back to read much more, Please do keep up the fantastic work.
Appreciating the time and energy you put into your site and in depth information you provide. It’s
great to come across a blog every once in
a while that isn’t the same out of date rehashed information. Excellent read! I’ve bookmarked your site and I’m adding your RSS feeds to my Google account.
Hola! I’ve been following your website for a while now and finally got
the bravery to go ahead and give you a shout out from Lubbock Texas!
Just wanted to mention keep up the fantastic job!
I am really loving the theme/design of your blog. Do you ever run into any browser compatibility
issues? A small number of my blog visitors have complained about my blog not operating correctly in
Explorer but looks great in Chrome. Do you have any recommendations to help fix this issue?

I am curious to find out what blog system you have been using?

I’m experiencing some minor security issues with my latest website and I would like to find something more risk-free. Do you have any suggestions?
Hmm it seems like your website ate my first comment (it was extremely long) so I guess I’ll just
sum it up what I submitted and say, I’m thoroughly enjoying your blog. I too am an aspiring blog writer but I’m still
new to the whole thing. Do you have any tips for first-time blog writers?
I’d certainly appreciate it.
Woah! I’m really enjoying the template/theme of this site.

It’s simple, yet effective. A lot of times it’s hard to get that “perfect balance” between usability and visual appeal.
I must say you’ve done a awesome job with this. In addition, the blog loads super fast for me on Chrome. Excellent Blog!
Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your website? My blog is in the exact same area of interest as yours and my visitors would genuinely benefit from a lot of the information you present here. Please let me know if this ok with you. Thanks a lot!
Hey there would you mind letting me know which webhost you’re working with?
I’ve loaded your blog in 3 different web browsers and I must say this blog loads a lot faster then most. Can you suggest a good hosting provider at a fair price? Thank you, I appreciate it!
Excellent blog you have here but I was wondering if you knew of any message boards that cover the same topics talked about here? I’d
really like to be a part of group where I can get feed-back from other knowledgeable individuals that share
the same interest. If you have any recommendations, please let me know.
Cheers!
Hi! This is my first comment here so I just wanted to give a quick shout out and say I truly enjoy
reading through your posts. Can you suggest any other
blogs/websites/forums that cover the same topics? Many
thanks!
Do you have a spam problem on this site; I also am
a blogger, and I was wanting to know your situation; we have developed some nice procedures and we are
looking to swap methods with other folks, why not shoot me an email if interested.

Please let me know if you’re looking for a article writer for your site. You have some really good posts and I think I would be a good asset. If you ever want to take some of the load off, I’d absolutely love to write some content for your
blog in exchange for a link back to mine. Please shoot
me an e-mail if interested. Kudos!
Have you ever thought about including a little bit more than just your articles?
I mean, what you say is valuable and everything. However think about if you added some great photos
or video clips to give your posts more, “pop”! Your content is excellent but with images and clips,
this site could undeniably be one of the greatest in its niche.
Great blog!
Neat blog! Is your theme custom made or did you download it from somewhere?
A theme like yours with a few simple adjustements would really make my blog stand out.
Please let me know where you got your design. Appreciate it
Hi would you mind stating which blog platform you’re working with? I’m planning to start my own blog soon
but I’m having a difficult time making a decision between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design seems different then most blogs and I’m looking
for something unique. P.S My apologies for getting off-topic but I had
to ask!
Hey just wanted to give you a quick heads up. The text in your content seem to be running off the screen in Firefox.
I’m not sure if this is a formatting issue or something to do with internet browser compatibility but I figured I’d post to let you know.
The layout look great though! Hope you get the problem fixed soon.
Many thanks
With havin so much content do you ever run into any issues of plagorism or
copyright violation? My blog has a lot of exclusive content I’ve either created myself or outsourced but it appears a lot of it is popping it up all over the internet without my authorization. Do you know any solutions to help prevent content from being ripped off? I’d really appreciate it.

Have you ever considered writing an e-book or guest authoring on other blogs?
I have a blog centered on the same information you discuss and would love to have you share some stories/information.

I know my readers would enjoy your work. If you
are even remotely interested, feel free to send me an email.

Hello! Someone in my Facebook group shared this website with us so I
came to give it a look. I’m definitely enjoying the information. I’m bookmarking
and will be tweeting this to my followers! Exceptional blog and wonderful design.

Very good blog! Do you have any hints for aspiring writers?

I’m planning to start my own blog soon but I’m a little lost on everything.
Would you recommend starting with a free platform like WordPress or go
for a paid option? There are so many options out there that I’m totally overwhelmed .. Any tips? Thank you!
My coder is trying to convince me to move to .net from PHP. I have always disliked the idea because of the expenses. But he’s tryiong none the less.
I’ve been using WordPress on a variety of websites for about a year and am anxious about switching to another platform. I have heard good things about blogengine.net. Is there a way I can transfer all my wordpress content into it? Any kind of help would be really appreciated!
Does your blog have a contact page? I’m having a
tough time locating it but, I’d like to shoot you an email. I’ve
got some ideas for your blog you might be interested in hearing.
Either way, great site and I look forward to seeing it grow over
time.
It’s a pity you don’t have a donate button! I’d definitely donate to this superb blog! I guess for now i’ll settle for
book-marking and adding your RSS feed to my Google account.
I look forward to brand new updates and will talk about this site with my Facebook group.
Chat soon!
Greetings from Florida! I’m bored to tears at work so I decided to check out your blog on my iphone during lunch break. I enjoy the knowledge you provide here and can’t wait to take
a look when I get home. I’m surprised at how fast your blog loaded on my cell phone .. I’m
not even using WIFI, just 3G .. Anyhow, wonderful blog!

Greetings! I know this is kinda off topic nevertheless I’d figured I’d ask.
Would you be interested in trading links or maybe guest
writing a blog post or vice-versa? My site addresses a lot of the same subjects as yours and I believe we could
greatly benefit from each other. If you are interested feel free to
shoot me an email. I look forward to hearing from you!
Great blog by the way!
At this time it appears like WordPress is the top blogging platform
available right now. (from what I’ve read) Is that what you’re using on your
blog?
Excellent post but I was wondering if you could write a litte more on this topic?
I’d be very thankful if you could elaborate a little bit further. Many thanks!
Hi there! I know this is kinda off topic but I was wondering if you knew where I could locate a captcha plugin for my comment form? I’m using the same blog
platform as yours and I’m having problems finding one? Thanks a lot!
When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three e-mails with the same comment. Is there any way you can remove people from that service? Thank you!
Hi there! This is my first visit to your blog! We are a group of volunteers and starting a new project in a community in the same niche. Your blog provided us useful information to work on. You have done a extraordinary job!
Hello! I know this is kind of off topic but I was wondering which blog platform are you using for this website? I’m getting fed up of WordPress because I’ve had issues with hackers and I’m
looking at options for another platform. I would be awesome if you could point
me in the direction of a good platform.
Good day! This post could not be written any better!
Reading this post reminds me of my previous room mate!
He always kept chatting about this. I will forward this post
to him. Fairly certain he will have a good read. Thank
you for sharing!
Write more, thats all I have to say. Literally, it seems as though you
relied on the video to make your point. You clearly know what youre talking
about, why waste your intelligence on just posting videos to your site
when you could be giving us something enlightening to
read?
Today, I went to the beachfront with my children. I found a sea
shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She placed the
shell to her ear and screamed. There was a hermit crab inside and it pinched her ear.
She never wants to go back! LoL I know this is completely off topic but I had to tell
someone!
The other day, while I was at work, my sister
stole my iPad and tested to see if it can survive a thirty foot drop, just so she can be
a youtube sensation. My apple ipad is now broken and she has 83 views.
I know this is completely off topic but I had to share it with someone!

I was wondering if you ever thought of changing the structure of your website?
Its very well written; I love what youve got to say.
But maybe you could a little more in the way of content so people could connect with
it better. Youve got an awful lot of text for only having 1 or 2 pictures.
Maybe you could space it out better?
Hi, i read your blog occasionally and i own a similar one and i was just wondering if you get a lot
of spam comments? If so how do you prevent it, any
plugin or anything you can advise? I get so much lately
it’s driving me mad so any assistance is very much appreciated.
This design is spectacular! You most certainly know how to keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Great job. I really loved what you had to say, and more than that, how you presented it. Too cool!
I’m really enjoying the design and layout of your website.
It’s a very easy on the eyes which makes it much more pleasant for me to come here and visit more often. Did you hire out a developer to create your theme? Fantastic work!
Hey! I could have sworn I’ve been to this blog before but after checking through some of the
post I realized it’s new to me. Anyhow, I’m definitely glad I found it and I’ll be book-marking and checking back often!
Hey there! Would you mind if I share your blog with my zynga group? There’s a lot of folks
that I think would really appreciate your content.

Please let me know. Many thanks
Hi, I think your blog might be having browser compatibility issues.
When I look at your blog site in Ie, it looks fine but when opening in Internet Explorer, it has some overlapping.

I just wanted to give you a quick heads up!
Other then that, wonderful blog!
Wonderful blog! I found it while surfing around on Yahoo News.
Do you have any suggestions on how to get listed in
Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks
Hey! This is kind of off topic but I need some help from an established blog. Is it very hard to set up your own blog? I’m not very techincal but I
can figure things out pretty quick. I’m thinking about creating my own but I’m not
sure where to start. Do you have any points or suggestions?
Appreciate it
Hello there! Quick question that’s completely off topic. Do you know how to make your site mobile friendly? My blog looks weird when viewing from my iphone 4. I’m trying to find a
theme or plugin that might be able to correct this issue.

If you have any recommendations, please share. Thanks!

Lessons from a server upgrade

Recently, the server hosting the Ethical Co-op website died, and needed to be replaced. It launched in 2005, running on a standard LAMP system.

Since it was written in the days of PHP4, and was working well, I’d never upgraded it to PHP5. Everything was running smoothly on PHP4, but this had reached end of life, and running PHP4 on the server was proving more and more of an obstacle when trying to install other, newer code.

So, when the server died late on Saturday night, and with the weekend usually being a very quiet time, I decided to use the opportunity to finally move to PHP5.

The server has needed to be replaced or reinstalled perhaps three times since 2005. I’m not a natural system administrator – I have a programming and database background, and have never done system administration professionally, so the first few times were a bit shaky. However, I’ve improved as I’ve gone along, and the installation went very smoothly this time.

I have everything carefully documented. There are a lot of tweaks to the vanilla system, various extra PEAR libraries installed, and all are carefully documented, so setting up from scratch is a breeze.

I upgraded the code from PHP4 to PHP5 which (considering my coding style carefully honed from its roots in ZX-81 BASIC) was trivial. Everything was back in good time by the end of the weekend, my tests reported no problems, and I went to bed.

Monday the problem reports started.

It didn’t take long to identify the problem. POST variables were being chopped off. Consistently, nothing beyond roughly product 200 was being returned. I’d never encountered a problem like this before, but after Googling I identified a culprit. Suhosin, the Hardened PHP project, has a post.max_vars setting which defaults to 200. A quick look at my config and I see “This server is protected with the Suhosin Patch”.

A perfect fit. This must be the cause of the problem!

Cursing the paranoid security, I spent much of the day investigating Suhosin. A Twitter search returned “Fuck Suhosin!” as the first result, making me more sure I’d identified the culprit.

None of the Suhosin settings were appearing in my phpinfo() output, which apparently is normal behaviour for the defaults, and explicitly setting them in php.ini, which seemed to solve the problem for most people out there, had no effect.

The server by default had the Suhosin patch installed, and in my attempts to get some control over the configuration I installed the extension, which finally gave me control.

At this point I realised my first mistake. There may have been 200 products, but each product has five variables, so the cutoff was actually happening at 1000, not at 200.

And so I made my second mistake. If suhosin.post.max_vars is by default set to 200, it couldn’t be the cause of the problem. Still, there was no way to know that the setting was 200 on my system, and in the default configuration file that appeared after I installed the extension, this line appeared:

;suhosin.post.max_vars = 1000

Commented out, but indicative that the default was 1000, not 200 as the documentation indicated. By now I really was convinced that Suhosin was the spawn of all evil.

However, no matter what changes I made to these and other possible Suhosin settings, nothing made a difference.

Eventually I had to accept it wasn’t Suhosin, and I had wasted most of the day. It had been unclear to me from Suhosin’s documentation exactly what the difference between the patch and the extension was, and I had also been misled by some posts claiming that the patch was responsible for the POST variable limit, when it appears after all it isn’t, and this is only implemented if the extension is installed.

By that stage there was such a mess from the day’s errors and the downtime that I was ready to cancel the week’s deliveries (the Ethical Co-op delivers once a week, with most of the orders arriving on Monday and Tuesday).

Bernhard of Meglakor had been helping me, and was much quicker than me to realise Suhosin was not the cause. I was convinced it was the cause; after all, it had seemed a perfect match, and it was the only thing I could find that limited POST variables.

But it wasn’t.

Earlier this year, PHP 5.3.9 was released. One of the minor changes made during that release was the following:

Added max_input_vars directive to prevent attacks based on hash collisions.

There it was! PHP now limits the number of input variables to 1000 by default! After all my worrying about upgrading the code, it was a minor configuration change in a minor version that caused all the problems.
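The arithmetic that gave the diagnosis away (200 products × 5 fields = 1000 variables, exactly the new PHP default) is easy to check on a captured form body before blaming a security extension. The following Python script is an added example, not code from the post or from the Ethical Co-op site: it builds a constructed order form body with PHP-style array field names (the field names and the `product[<n>][<field>]` layout are assumptions), counts the variables and reports whether a given max_input_vars limit would truncate it and which field is the first to be dropped. It assumes, as the post’s arithmetic does, that PHP counts every submitted name=value pair as one input variable, nested array elements included.

```python
from urllib.parse import parse_qsl, urlencode

# Default value of the max_input_vars directive introduced in PHP 5.3.9.
PHP_DEFAULT_MAX_INPUT_VARS = 1000


def build_order_body(n_products, fields=("id", "qty", "price", "unit", "note")):
    """Construct a form body shaped like an order form: one group of fields
    per product, submitted as PHP-style arrays (product[<n>][<field>]).

    This is constructed sample input; the field names are assumptions.
    """
    pairs = []
    for i in range(1, n_products + 1):
        for field in fields:
            pairs.append((f"product[{i}][{field}]", f"{field}{i}"))
    return urlencode(pairs)


def count_input_vars(body):
    """Count variables in an application/x-www-form-urlencoded body.

    Assumption: PHP counts each name=value pair once, so nested array
    elements such as product[3][qty] each count as one variable.
    """
    return len(parse_qsl(body, keep_blank_values=True))


def check_input_vars(body, limit=PHP_DEFAULT_MAX_INPUT_VARS):
    """Report whether `limit` would truncate this body and where the cut falls.

    Returns a dict with the total variable count, the limit, whether any
    variable would be dropped, how many, and the name of the first dropped
    variable (None when nothing is dropped).
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    total = len(pairs)
    truncated = total > limit
    return {
        "total": total,
        "limit": limit,
        "truncated": truncated,
        "dropped": max(0, total - limit),
        "first_dropped": pairs[limit][0] if truncated else None,
    }


if __name__ == "__main__":
    # 201 products x 5 fields = 1005 variables: five over the PHP default,
    # so the last product silently disappears from $_POST.
    report = check_input_vars(build_order_body(201))
    print(report)
    # The same body against Suhosin's documented 200-variable default would
    # cut off at product 41, which is not what the post observed.
    print(check_input_vars(build_order_body(201), limit=200))
```

Running the script against a captured request body (instead of the constructed one) tells you immediately whether the limit, rather than application code, explains missing fields; the fix in PHP is then to raise max_input_vars in php.ini above the reported total, with headroom for larger orders.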

A classic case of being led astray by mis-identifying the problem, and then being less open to alternatives because of the investment in the identification!

A simple change, and everything was working again.

Thanks Bernhard for clearing Suhosin’s name, and then identifying max_input_vars.