...composed of an indefinite, perhaps infinite number of hexagonal galleries...

© 1994-2017. David Sklar. All rights reserved.

PHP one-liner of the day

Rahmin Pavlovic asked:<blockquote>I’m trying to take a string like: ‘abcd’ and add a fwd slash every other char, like: ‘a/b/c/d/’ Any suggestions?</blockquote>My reply was:

$str = implode('/', preg_split('/\b|\B/', $str, -1, PREG_SPLIT_NO_EMPTY)) . '/';

But Jon Baer had a better idea:

chunk_split($string, 1, '/');

Security is not an end state, part MDCXVI

As part of a recent thread on nyphp-talk about password strength enforcement, Allen Shaw wrote:<blockquote>You know it seems like all this must have surely been discussed hundreds of times by other people, maybe even by us, before. Wouldn’t this all be somewhat generally understood by now, and maybe even written down in some reliable source? I’ve found lots of “advice” on good password policy, but nothing that claimed or seemed to be vaguely authoritative. Are there just too many variables to generalize about, or maybe people aren’t interested in really understanding the issue?

</blockquote>To which I replied:<blockquote><blockquote>> You know it seems like all this must have surely been discussed
> hundreds of times by other people, maybe even by us,
> before. Wouldn’t this all be somewhat generally understood
> by now, and maybe even written down in some reliable source?
> I’ve found lots of “advice” on good password policy, but
> nothing that claimed or seemed to be vaguely authoritative.</blockquote>One of my favorite resources for this sort of thing is the book Practical Unix Security by Simson Garfinkel and Gene Spafford [*]

> Are there just too many variables to generalize about,
> or maybe people aren't interested in really understanding the
> issue?

I think both are true (most of the time).

It’s a waste of your time to spend many hours coming up with lots of rules that filter out bad passwords (can’t begin or end with a number, must have at least 3 uppercase and 3 lowercase chars, etc.) if what results is that acceptable passwords are so complicated that people can’t remember them and end up writing them down on the dreaded “sticky note attached to the monitor.” Same with overly stringent policies on how frequently passwords must be changed, how many passwords the change cycle must go through before you can re-use a password, etc.

Security is a process, not an end state. You must constantly make decisions that balance robustness with convenience and risk of attack with severity of attack.

So, sure, there are some guidelines that just about always make sense (“your password can’t be your username or a dictionary word”) but much beyond that is all situational.

Stopping brute force attacks on a web application’s login page (say, more than 50 requests per second for the login page from the same IP or same cookie or whatever) is a much easier, legitimate-user friendly, and effective mechanism than making users who wish you no harm cycle through the account signup page six times because they can’t think of a sufficiently obfuscated password.

Some applications don’t need passwords at all. Witness the zillion wikis around the web that mostly let anyone do anything and (perhaps) have a squad of janitors who clean up the mess if someone does something bad. (Another nice thing about this model is that it promotes the use of version control.)

This essay has some interesting points about designing software for specific, small, linked-offline communities:


Many of the points in there apply to how you make security decisions, too.


[*] Although I have an older edition, so I left out one of the new authors: Alan Schwartz.
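A login-page throttle of the kind the reply above describes, as an added example in PHP that is not part of the original post or of the nyphp-talk thread. It assumes PHP 8 and a hypothetical LoginThrottle class whose in-memory array stands in for a counter store shared across web servers.

```php
<?php
// Added example, not code from the original post or the nyphp-talk thread: a
// sliding-window throttle for a login endpoint, keyed on client IP and on the
// session cookie, using the "more than 50 requests per second" figure from the
// reply above. The in-memory array is for illustration; a real deployment keeps
// these counters in a store shared by every web server. Assumes PHP 8.0+.
final class LoginThrottle
{
    /** @var array<string, list<float>> request timestamps per key */
    private array $hits = [];
    public function __construct(private int $maxRequests = 50, private float $windowSeconds = 1.0) {}
    /** Returns true when the request may proceed to the password check. */
    public function allow(string $ip, ?string $sessionCookie, ?float $now = null): bool
    {
        $now ??= microtime(true);
        $allowed = true;
        // Count against both keys, so a fresh cookie alone does not reset the budget.
        foreach ($this->keysFor($ip, $sessionCookie) as $key) {
            // Forget timestamps that have fallen out of the window.
            $this->hits[$key] = array_values(array_filter(
                $this->hits[$key] ?? [],
                fn(float $t): bool => $now - $t < $this->windowSeconds
            ));
            if (count($this->hits[$key]) >= $this->maxRequests) {
                $allowed = false; // over the limit: refuse, but still record the hit
            }
            $this->hits[$key][] = $now;
        }
        return $allowed;
    }
    /** @return list<string> */
    private function keysFor(string $ip, ?string $cookie): array
    {
        $keys = ['ip:' . $ip];
        if ($cookie !== null && $cookie !== '') {
            $keys[] = 'cookie:' . hash('sha256', $cookie); // never keep raw session ids
        }
        return $keys;
    }
}
// Constructed demo: 50 hits inside one second pass, the 51st is refused, and
// the budget comes back once the window has moved past the burst.
$throttle = new LoginThrottle();
$t0 = 1_000_000.0;
for ($i = 0; $i < 50; $i++) {
    $throttle->allow('198.51.100.7', 'sess-example', $t0 + $i * 0.01);
}
var_dump($throttle->allow('198.51.100.7', 'sess-example', $t0 + 0.6));
var_dump($throttle->allow('198.51.100.7', 'sess-example', $t0 + 1.5));
```

A refused request is still recorded, so a client that keeps hammering does not earn a fresh budget simply by being refused.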

Collaborative Distributed Data Entry

Many piles of information on the Internet have been compiled by loosely affiliated interested amateurs.

There are great advantages to this method, in particular harnessing the complementary knowledge, motivation, and energy of lots of different people.

But there are drawbacks, too: concerns about the accuracy and completeness of the information and the timeliness with which it is gathered.

What kind of research (formally or informally) has been done to analyze different approaches in this area? Are there “best practices” for how people are admitted to the editor community, oversight and approval of contributed data, etc.?

Recording Phonecalls

Apparently, customer service is shoddy or nonexistent nowadays. When I make calls to straighten out a bill or other problem, I try to keep notes about when I called, to whom I talked, and what we talked about.

It would be even handier if I could have an automatic library of recorded phone calls. And automating the creation of that library could be even easier on a mobile phone than on a regular land line, since “mobile phone” is just shorthand for “tiny computer that has many features, one of which is to let you talk to other people with it.”

Here’s how my ideal setup would work:

- when you make a call on your mobile phone that you want to record, you press some button on the phone to activate recording. This can happen as you’re starting the call or during the call

- the phone records by streaming the digitized audio of the call to a (web) server set up somewhere running some software to accept the digitized audio

- the outgoing stream from the phone is timestamped and annotated with the phone number (and other info, if available) of the other end of the call

- the phone automatically handles any legal or regulatory requirements (on a state-by-state or country-by-country basis) such as announcing that the call is being recorded or generating a periodic beep.

- the server that stores the streamed recordings lets you browse, sort, and annotate them. That way, on a future phone call with whatever soulless corporation refuses to refund the $2.96 they owe you, you can easily make reference to previous calls

- the server that stores the streamed recordings (and your phone) also work together to let you play back previous calls (or sections of previous calls) into a new call. So when the rep from the aforementioned soulless corp. says that surely there was no way that Charlie told you on your last call that you are not allowed to speak to a supervisor because it is their policy that anyone can talk to a supervisor whenever they want, you can play back the bit about Charlie telling you to stuff it.

Does this exist already for any mobile phones? If not, can it be built? If not, why not?

Media convergence, Jon Udell style

Jon Udell writes about his cooperative use of TiVo, Amazon, and online library catalogs.

Nicely done. Makes (TV and TiVo-less) me want to rig up something similar with the downloadable videos from the BookNotes web site.

OSCON 2004 Talks

I’ll be giving three talks at OSCON this year:

  • "Learning PHP" - An applied introduction to PHP: instead of a 3 hour tutorial that chugs through all the vocabulary and punctuation you need to memorize to be a PHP wizard, we'll build a community calendar and learn PHP by doing.

  • "PHP Forms Made Easy with HTML_QuickForm" - HTML_QuickForm is one of my favorite PEAR modules. It makes robust forms easy with excellent default value handling, automatic user input encoding, flexible validation, and a configurable layout engine. This talk tells you what you need to know to use HTML_QuickForm in your apps.

  • "Cleaning up SOAP" - SOAP is supposed to be simple, but usually it's pretty complicated and not always so interoperable. This talk tackles common SOAP-related tasks with PHP like: generating WSDL, creating custom datatypes, using SOAP headers and attachments, debugging, and adding authentication to a SOAP server or client.

PEAR DB 1.6.0 at NYPHP

Dan Convissor gave a talk last night at NYPHP about the newly released PEAR DB 1.6.0.

The big changes/improvements seem to be mostly focused on portability: testing is standardized across the different backends and there are a number of DB_PORTABILITY_* options that smooth the differences between various databases.

In almost every conversation about database abstraction layers (including last night) this question comes up: “So what if it makes it easy to switch the database my app runs on? That happens so infrequently!” Dan made the interesting point that a system like PEAR DB is useful for folks (like him) who are distributing apps they’ve written and they want those apps to be useable on as many databases as possible. Individual users aren’t switching databases, but the application (sort of) is.

2004 Emerging Technology Conference

I’m at the Emerging Technology Conference this week and am writing about it on the O’Reilly Network. I’ve posted entries about the Digital Democracy Teach-In on Monday and about general conference whatnot on Tuesday.

LinuxworldExpo in NYC

Adam, Chris, Geoff and I had lunch at noon and then headed over to the convention center. On the way, I found a keyboard-less Apple II (II+? IIe?) on the street. No one in the .org section of the expo floor wanted to add it to their raffle prizes, so I pulled out the CPU and the 64K memory card as nostalgic souvenirs and tossed it in a trash bin at the show. I’d like to feel special, but somehow I don’t think that half of an old Apple computer is the weirdest thing that ends up in the garbage at a Linux trade show.

Aside from some general wandering around, I spent most of the day at the NYPHP booth and the O’Reilly booth. Adam gave an XML and PHP 5 talk which was pretty well attended. XML handling is totally overhauled in PHP 5, so it’s a prime reason to upgrade when PHP 5 goes final. We signed a few books and talked to some nice customer folks. Often the people I talk to at trade shows who are thinking of buying PHP Cookbook are complete PHP beginners, and I have to let commerce give way to honesty and tell them that PHP Cookbook is not the best book for them to start out with. However, everyone I talked to yesterday had a small-to-medium amount of PHP experience, which made them perfect for PHP Cookbook.

After the expo floor closed, Adam and I wandered downstairs to go to a BOF about eBay’s Developer Program. Getting to the BOF room required passing through an area that Oracle had commandeered for some kind of install fest. This was fine, since they were serving food and drinks.

eBay has some neat web service APIs for listing items and searching listings, although their license terms currently make it impossible to distribute an open source application based on their APIs without first buying a “commercial” license from them for a few hundred dollars. Perhaps this will change in the future.

Book Signing at LinuxworldExpo

Come say hi at LinuxworldExpo. Adam and I will be hanging around LinuxworldExpo next Wednesday. He’s doing a short talk on XML and PHP 5 at the O’Reilly booth at 2pm and then we’ll be signing books. I’ll probably also spend some time at the NYPHP booth.