XSRF and session.referer_check

I was giving Zend’s on-line “security for developers” course to some customers last week, and as usual Cross-Site Request Forgeries (XSRF) was one of the hardest topics for me to explain and for other people to understand. This made me spend some time thinking about XSRF again, coming up with code demos and such to make it more clear.

Incidentally, I came across a php.ini directive today which I’d never noticed before: “session.referer_check”. According to the docs, you set this directive to a substring of the domain name you’re using. PHP then checks every HTTP_REFERER, if set, for that substring. If the referring address exists but does not contain the value of session.referer_check, the embedded session ID is marked as invalid.

I didn’t test this - but if it works as it’s supposed to, it might be a good quick-and-dirty defense against XSRF - because it will not allow you to continue your session if the requested URL was referred from another domain (through an IMG tag, link, form submission and such).

There are several reasons why I think it’s quick-and-dirty, to name a few:

  • It will not help you if the XSRF was launched from your own domain - for example by exploiting an XSS vulnerability in your site
  • Not all requests referred to your site from other domains are malicious - for example, I might want to have a “Digg This” or “Add to Facebook Profile” button on my site - if you click those, you’ll be referred to Digg / Facebook from my site. In most cases you’d want your sessions to stay active on those sites, handling the request properly, and not treating it as XSRF
  • As the experience of magic_quotes_gpc taught us, trying to solve code-level problems at the engine level will probably end up in a half-baked solution, providing mostly a false sense of security

On the other hand, it’s nice to know PHP has that option (and that it’s turned off by default) - if you’ve just found out your site is full of XSRF vulnerabilities, and you know it will take you a while to fix them, you might just want to turn it on as a temporary solution.

Be careful though - it might break some of your functionality. Also, there’s a popular Hebrew saying that “nothing is more permanent than temporary solutions” (my own translation here...) - so FIX YOUR CODE if you can.
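To make the two halves of this concrete, here is an added PHP example (not code from the original post, and not PHP’s own implementation): a small function modelling the referer rule exactly as the docs describe it (no Referer passes, a Referer without the configured substring invalidates the session), placed beside the per-session synchronizer token that is the real fix the post asks for. The session is a plain array rather than $_SESSION so the script runs from the CLI; “example.com” and the request values are constructed for the demo.

```php
<?php
// Added example, not part of the original post. Models the documented
// session.referer_check rule and shows the proper per-session token check.
declare(strict_types=1);

// Equivalent of the php.ini line `session.referer_check = example.com`
// (an assumed domain): a substring of your own host name.
const REFERER_CHECK = 'example.com';

/**
 * Mirrors the documented rule: an absent Referer is not checked at all;
 * a present Referer must contain the configured substring, otherwise the
 * embedded session ID is treated as invalid (here: returns false).
 */
function referer_allows_session(?string $referer, string $needle = REFERER_CHECK): bool
{
    if ($referer === null || $referer === '') {
        return true;                       // "if set": nothing to compare against
    }
    return strpos($referer, $needle) !== false;
}

/** Issue (or reuse) a per-session token; embed it in every state-changing form. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrf_token_valid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// --- constructed requests, standing in for $_SERVER['HTTP_REFERER'] ---
$cases = [
    ['referer' => 'https://www.example.com/account',  'expect' => true],  // same site
    ['referer' => null,                               'expect' => true],  // no Referer: unchecked
    ['referer' => 'https://other-site.test/page.html', 'expect' => false], // cross-domain IMG/form
];
foreach ($cases as $c) {
    $ok = referer_allows_session($c['referer']);
    printf("referer=%-36s session kept: %s\n", var_export($c['referer'], true), $ok ? 'yes' : 'no');
    assert($ok === $c['expect']);
}

// --- the code-level fix: a token the cross-site page cannot know ---
$session = [];                              // stands in for $_SESSION
$token   = csrf_token($session);
echo '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . "\">\n";

assert(csrf_token_valid($session, $token) === true);       // genuine form submission
assert(csrf_token_valid($session, null) === false);        // request without the field
assert(csrf_token_valid($session, 'deadbeef') === false);  // wrong value
echo "token check: ok\n";
```

Run it with `php example.php`. The token check is independent of the Referer header, which is why it keeps working for the “Digg This” case above and for requests that strip the header, and why it still protects a form when the referer check has been turned off again.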

PHP Israel: First meeting

Yesterday we had the first meeting of the newly founded Israeli group of PHP users, or “Kvutzat Mishtamshey PHP Beysra’el” as one might say.

The meeting was held at Zend offices, and there was a pretty good turnout - ~20 non-Zenders showed up with ~10 more Zenders joining in. I gave a presentation (slides are in Hebrew but you can get them here if you read that funny language) about the past, present and future of PHP. There was also a trivia quiz (yes, I stole some ideas from a PHP Norge meeting I attended some months back) and we gave a book and a couple of T-Shirts (and a PHP stress ball) to the winners.

Boaz took some pretty good pictures as well.

It was lots of fun and good socializing which was exactly what I hoped for. The general idea is to have a meeting once a month or so - hopefully, next time I will be sitting and asking questions and not presenting.

Thanks everyone for coming, and if you happen to be in Israel, and do PHP - you should come as well!

That’s why I got so many business cards printed!

A few days ago my work Thinkpad T43’s screen started flickering (not flickring, actually flickering). I immediately dismissed it as some kind of broke-my-Gentoo thing I always do, but after rebooting to Windows (yeah, it’s still there - IT demanded I keep a Windows partition), I realized it’s a hardware problem - something is fucked up with the backlighting or something. It got worse until a couple of days ago it started going blank for hours, and only coming back randomly for 5 minutes every time.

Now, this would all be fine if I weren’t in the middle of a training engagement in India - and a week from returning home. Projecting still worked - so I could go on training, but I couldn’t do anything except for that - plus it doesn’t really feel nice that during breaks all your students can still watch your desktop ;)

Anyway, while not giving up to the hardware, I found out that if I apply pressure at certain points on my screen, it goes on - that made me spend hours massaging my screen trying to get it working, but whenever I took my fingers off it, it went dark again.

I almost thought of giving up and started thinking about finding an IBM service center or something (or is it Lenovo?), but that soon proved impractical. Since doing customer engagements for Zend away from home always feels a bit like a military operation (that’s an Israeli thing: Israeli men tend to compare hard / exciting / surreal situations in their lives to military related experiences - even if they don’t admit it out loud…), I suddenly remembered something one of my officers used to say whenever we complained our equipment or supplies were crappy: “This is all we have, and that’s what we’re going to win with!”. All motivated, I started MacGyvering, trying to get my screen working again with a toothpick and some chicken curry (that’s mostly what I have here).

Finally, I came up with this solution:
How I fixed my T43's screen

In case you’re wondering, that’s one of my Zend business cards I always carry and hardly use :)

Off topic: yes, I’m in some kind of photo-taking craze. Perhaps I was bit by a Japanese vampire or something.

Canon EOS Rebel / 400D, libgphoto2 and Gentoo

I had some troubles yesterday importing images from my new Canon EOS Rebel XTi to my Gentoo - I installed UFRaw and gtKam and was trying to import RAW images into GIMP. For some reason gphoto2 wasn’t seeing my camera (although it was listed with lsusb) and so I couldn’t import photos from it using any application.

After several attempts (and very little information on Google), I gave up and went to sleep. Today I tried again and a solution came surprisingly fast: The problem was probably that I didn’t compile libgphoto with ptp2 support. What I did was:

- Add CAMERA="canon ptp2" to /etc/make.conf
- Emerge libgphoto2, gphoto2 and hal again (I’m quite sure libgphoto2 was enough).

Now everything works and I’m off to play with some RAW images with GIMP.

Hyderabad, India

It’s been a week since I got to Hyderabad, India - but today was the first day I actually got to hang around a little bit and not only work. So first of all, I’ve posted some pictures to my flickr page - check them out! They’re not incredible - it turns out I was overexposing most of my pictures today until I noticed I had a crazy shutter set… Still getting used to the new camera.

Anyway my colleague and friend Massi and I are here for some work (I’ll stay a week and a half more, and Massi leaves in a few days). Everything here is amazing - the culture is nothing like anywhere else I have been of course. I’ll probably be posting some more photos and write some more about it in the next days. The food, the clothes, the people - it’s all incredible.

Dirty, polluted - that’s true, but also incredible. It’s all very much a contrast in many ways.

Zend Conference Post-Mortem

Zend/PHP Conference 2007 is over - it was lots of fun and lots of work, and I enjoyed it even more than last year’s ZendCon. San Francisco was as beautiful as always, meeting colleagues from all over the world (some of whom I get to see only once a year) was fun, and of course, you get to learn from the smartest people of the PHP world, and also get drunk with them!

Scalable Development Environments Slides

ZendCon07 is going very well so far. I’m done with both of my talks, and it’s all very fun. Great people, great atmosphere… Also, I just got my new camera - my very own Canon Rebel XTi - I’ve been playing around with it all day and will probably post some pictures soon.

Anyway I just uploaded the slides of my “Building Scalable Development Environments” talk to SlideShare:

The talk is basically a set of tips and best practices I picked up over time for building a healthy, scalable development environment. It covers several topics such as coding style standardization, SCM / branching models, bug tracking, peer training etc.

I hope you’ll find it useful, and if you have any comments, I’ll be happy to hear them.

In California for ZendCon07

My colleague Massi and I landed here in San Francisco yesterday after an exhausting 15 or so hours in the air (Tel-Aviv -> Frankfurt -> San Francisco). Trying to minimize the effects of jet lag (is that actually possible?) we did our best not to go to sleep and spent another 8 hours or so doing some sightseeing and just hanging around with some friends from the team (Zenders from Israel, Germany, France and the US). We also watched the Blue Angels air show that was on yesterday - it was nice, but not too exciting (after all, growing up in northern Israel I got to see enough real fighter jet action…).

Today we’ll do some more sightseeing (it’s my second time in SF, I have some family here and I really love the city). I’m staying at the conference hotel - so if you’re around, come and say hi.

Happy New Year, PHP Israel Users Group!

As some of you might know, the beginning of year 5768 of the Hebrew calendar is being celebrated in Israel these days - and for the new year, some friends and I decided to try and organize PHP-Israel - a local PHP users group in our land of milk and honey (or was it blood, sweat and tears?).

So now we have php-israel.org (sorry folks, it’s all in Hebrew). It’s been around for less than 2 weeks and we already have ~40 or so subscribers to the mailing list - quite a lot are Zenders but the majority are not, which is good. We also have some traffic - people are designing a logo and talking about a first meeting.

I’ve always thought there’s no PHP community in Israel - now I know there isn’t one because nobody tried to organize the quite numerous individual PHPers into a community. Hopefully, by next year, we will have a thriving local community of PHP users, spreading the word of the free web in Israel.

Shana Tova, PHP Israel!

Solve a CAPTCHA, help the world

I’ve just stumbled upon a great idea named “reCAPTCHA”. The idea is that you use their CAPTCHA challenges to protect your site from spammers and bots, or to hide people’s email addresses - but the cherry on top is that when people solve CAPTCHAs on your site, they also help digitize books by filling in words that OCR could not process.

According to the creators (from the site: “reCAPTCHA is a project of the School of Computer Science at Carnegie Mellon University”):

About 60 million CAPTCHAs are solved by humans around the world every day. In each case, roughly ten seconds of human time are being spent. Individually, that’s not a lot of time, but in aggregate these little puzzles consume more than 150,000 hours of work each day. What if we could make positive use of this human effort? reCAPTCHA does exactly that by channeling the effort spent solving CAPTCHAs online into “reading” books.

So they take the words OCR programs fail on (meaning: those are hard CAPTCHAs for bots to solve in the first place) and ask humans to solve them - and when they do, they use the words to fill in the OCR blanks. Now how cool is that? I’m definitely going to look deeper into this when I have a few free moments.

They even have API libraries in several languages, including PHP.