1/31/2006

PHPAudit v2 Breaks Backwards Compatibility

I recently upgraded a client’s PHPAudit install from v1 to v2. First let me say, I have no problems with PHPAudit’s software itself and v2 is a huge improvement over v1. It is now a full software store bundled with a licensing server for web applications.

The problem is their new version broke backward compatibility with all v1 integration code. The integration code is a snippet of code you place in your application to validate the license with the licensing server. To allow existing applications to use the new licensing server, the integration code would need to be upgraded on each of the existing installs. How is this feasible with a few hundred installs, let alone for others who I’m sure had thousands? To make matters worse, this snippet is usually embedded in an encoded file so the end user cannot remove the license checks. A simple cut and paste won’t do it. Several files would need replacing depending on how the software author integrated the validation code.

PHPAudit’s tech support was not helpful and insisted on steering the support requests away from the specific questions asked to their ’solution’ of upgrading all of the software’s installs or maintaining both v1 and v2 versions of the licensing server to allow older installs to continue to validate. Maintaining both versions of the licensing server is further complicated because SolidPHP dropped all support for PHPAudit v1 shortly after the release of PHPAudit v2. If one of your official solutions is to maintain the older software, how can you drop support and end-of-life it?

At multiple points in the support transcript I requested links to documentation explaining that the validation code would need to be upgraded in all PHPAudit v1 applications. Full disclosure would have allowed developers to make an informed decision about whether an upgrade was viable for their particular use. No links were provided.

PHPAudit’s support stated it was too difficult to maintain backwards compatibility while moving forward with their new version. I questioned that statement as I was able to produce a server-side validation script that worked with both versions. If anyone else is finding similar problems with their PHPAudit upgrade contact me.

If a version-to-version upgrade breaks backward compatibility, the application ought to be renamed. At the very least, upgrading customers deserve a big bold caution about the potential problems. Upgrade, to me, implies a new version with fixes and more features, not starting over with more features. But hey, maybe I’m asking too much.

Undefined Symbol Error After Installing Zend Optimizer

I recently had a hard time installing Zend Optimizer on a CentOS 4 server. When starting Apache after the install, this was logged to the Apache error_log:

Failed loading /usr/local/lib/ZendExtensionManager.so: /usr/local/lib/ZendExtensionManager.so: undefined symbol: zend_extensions

Apache started up and ran, but no Zend Optimizer listed in the phpinfo page. Further weirdness had CLI PHP (command line PHP) showing the optimizer installed:

[root@www ~]# php -i | grep ptimizer
25: with Zend Optimizer v2.6.2, Copyright (c) 1998-2006, by Zend Technologies
355:Zend Optimizer

A little Googling found this post over at the Zend forums.

Recompiling PHP without versioning corrected the problem and allowed the Zend Optimizer to load up in Apache/PHP.

1/30/2006

Arachibutyrophobia

n.
The fear of peanut butter sticking to the roof of the mouth

The Life - An Independent Software Developer’s Dream

John Gruber over at DaringFireball.net had an interesting take on an independent software developer’s aspirations and pitfalls.

I have traversed the full life cycle: startup, grow, build company, grow more, leave company. Now that I’m moving back to the independent thing I feel renewed. For me the fun is in the birthing and maturation phase. Once it’s running on its own, the challenge is gone.

If anyone has an idea for a new killer app or project, I’m all ears.

1/26/2006

Five Tips for Securing SSH

These snippets are all options in the sshd_config file, located at /etc/ssh/sshd_config on most Linux distros.

In order of increasing security:

  1. Disallow SSHv1 and force SSHv2 connections
    Protocol 2

    SSHv1 is now considered insecure.

  2. Limit the number of SSH connection attempts at one time
    MaxStartups 2

    or

    MaxStartups start:rate:full

    From the sshd_config manpage

    Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).

    This one is good for slowing down automated brute-force password bots.

  3. Disallow direct root login
    Permit no root login attempts

    PermitRootLogin no

    or
    Permit root login attempts only via keys in authorized_keys file

    PermitRootLogin without-password

    This is the method I usually go for. It prevents brute-force root attempts but still allows for easy enough access. If someone has your private key, you have more problems anyway. (Newer OpenSSH releases, from 7.0 on, spell this value prohibit-password; without-password is still accepted as an alias.)

  4. Change the port SSH listens on. If a hacker cannot find what port SSH is listening on, he cannot very easily try to brute force the password. This is obscurity rather than security, since a port scan will still find the listener, but it cuts the noise from bots that only try port 22. Change the default port 22 to a random unused port number, for example:
    Port 2222

    (2222 is only an example value; pick any port not in use on the host.)

    All valid users will need to adjust their SSH connections to use the new SSH port.

  5. Disable all password authentication and rely solely on public key authentication
    PasswordAuthentication no

    All valid users must have a public/private key pair installed on the remote host and their local workstation or any other client that they will access the remote host with.
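As an added example (not from the original post), here is a small POSIX shell audit that reads an sshd_config and reports which of the five settings above are set to their hardened values. It also catches a trap worth knowing: sshd uses the first occurrence of a keyword, so a hardened line appended to the end of the file is ignored when an earlier line already set it. It assumes the plain "Keyword value" syntax and ignores Match blocks; the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Audit an sshd_config against the five settings above (added example, not the post's code).
# sshd honours the FIRST occurrence of a keyword; later duplicates are silently ignored.
# Assumes "Keyword value" syntax and ignores Match blocks.

# effective_value FILE KEYWORD: first non-comment value for KEYWORD, lowercased
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# check LABEL VALUE PATTERN...: ok when VALUE matches one shell pattern, else WEAK (returns 1)
check() {
    label="$1"; value="$2"; shift 2
    for pat in "$@"; do
        case "$value" in $pat) echo "ok   $label = $value"; return 0;; esac
    done
    echo "WEAK $label = ${value:-<unset, sshd default applies>}"
    return 1
}

# audit_sshd_config FILE: prints one line per setting; return code = number of weak settings
audit_sshd_config() {
    f="$1"; weak=0
    check Protocol "$(effective_value "$f" Protocol)" 2 || weak=$((weak + 1))
    check MaxStartups "$(effective_value "$f" MaxStartups)" '?*' || weak=$((weak + 1))
    check PermitRootLogin "$(effective_value "$f" PermitRootLogin)" \
        no without-password prohibit-password || weak=$((weak + 1))
    # any non-empty port other than 22 (patterns: not starting with 2 / 2x / 22x...)
    check Port "$(effective_value "$f" Port)" '[!2]*' '2[!2]*' '22?*' || weak=$((weak + 1))
    check PasswordAuthentication "$(effective_value "$f" PasswordAuthentication)" no || weak=$((weak + 1))
    return $weak
}

# Constructed sample config for the demonstration (not a real host's file)
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin yes
MaxStartups 10:30:60
PasswordAuthentication yes
# added later to "fix" root login, but sshd keeps the earlier "yes"
PermitRootLogin no
EOF

audit_sshd_config "$SAMPLE_CONFIG" && echo "all five settings hardened" || echo "weak settings: $?"
```

Run it against /etc/ssh/sshd_config before and after editing; the exit status tells you how many of the five are still at a weak or unset value.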

Make sure you load these changes by restarting the SSH server. On most Linux systems this can be accomplished with:

/etc/init.d/sshd restart

or

/sbin/service sshd restart

More information on each of these settings can be found in the sshd_config manpage.

1/24/2006

Google Tracks Users Web Searches

I hate the fact that while I am logged in to my Adwords/Adsense account and I do a Google search from the same browser (different tab or window), my searches show that I am logged in to Google too. What about all of the times I forget to explicitly log out of a Google property? We know they log as much about each search as possible; if they have your login profile too, the searches can be linked to you, your address, email, SSN.

If the Feds succeed with their subpoena of Google’s search logs, it will make it easy to put together a full search profile for users tracked by their various accounts with Google: Gmail, Adsense, Adwords, Analytics.

Another thing: why does my login to Adwords or Adsense eventually expire ("You must login again to view this page") but it never seems to with searches?

damonparker.org is proudly powered by WordPress
copyright © 2002-2008 damonparker.org. all rights reserved.