Steve Jobs

December 2nd, 2008

The first time I saw an “iMac” was in a computer magazine while I was still studying. All I could do was stare with greedy eyes, wishing I could lay my hands on one. Steve Jobs meant nothing to me at that point. I had read a few articles about him, but nothing interesting enough to make him an icon to be worshipped.

Then, enlightenment! I saw “The Pirates of Silicon Valley”, a movie showing the struggling phases of two corporate giants, Apple and Microsoft. The story is narrated by two individuals: Steve Wozniak, who explains parts of the Apple story, and Steve Ballmer, who comically appears every now and then whenever “history was being created” on the Microsoft front.

If that was not enough, the book “iCon: Steve Jobs” made me realise the ultimate truth: Steve Jobs was human. He had flaws. Many people disliked him; he would lie to his own colleagues for monetary gain; he was a fruitarian; he used to stink at his job from not having a bath for days (in his belief that, being a fruitarian, a bath was not necessary). But in the end he learnt from his mistakes. He was stubborn at first, perhaps normal for a kid who grew up not knowing his real parents and getting used to the word “adopted”. The fact remains that he came back with a bigger bang. He grew from all the difficult scenarios he faced. Basically, he was a fighter! In this big bad world that’s exactly the kind of attitude one must have.

A few things did surprise me though, e.g. the phase where he refuses to acknowledge his daughter. That was a disgusting piece of information to swallow, especially keeping in mind how eager Jobs himself was to find his real parents. How could he impart to his daughter the same pain he went through, pain that literally haunted his life?
I won’t write much more about him, but I recommend everyone read “iCon: Steve Jobs” and watch “The Pirates of Silicon Valley”.


security issues in sessions

November 30th, 2008

Websites which hold sensitive information need to be patched to ensure they are not exploited through session issues.

In earlier versions of Apache, cookie reliability was not assumed and hence the default method was always URL rewriting, which meant every URL link, every form submission etc. would have PHPSESSID=<sessionid> passed along to tell the server about the active session. New versions have turned this off using

session.use_trans_sid = 0

in the /etc/php5/apache2/php.ini file.

Reasons?
Well, one might save the offline page as a bookmark or pass the link across to others, not realising that the session id is also sent. So someone who quickly accesses these pages could possibly get logged on. This was also true with respect to search engines, and I guess in some cases it was seen as duplicate content, as the same page would have a different session id every time the robots scanned the website.

But having this set does not mean you are protected. Let me explain.
What prevents me from presetting the session id? Assume there is a banking site www.example.com which has a login screen at www.example.com/login.php
I can send you an email with a link to the bank site such as http://www.example.com/login.php?PHPSESSID=12345
When you click on the link it presents the session id as 12345 rather than asking the server to generate a new one. This is called session fixation. Keep in mind that even with session.use_trans_sid = 0 this will work, as that setting only stops URL rewriting. To prevent this altogether set session.use_only_cookies = 1, which ensures that only cookies will be used, but this could cause problems when dealing with transactions which involve switching sites, i.e. site A forwards to site B for payment, which forwards back to site A for the thank-you page, in which case a PHPSESSID in the URL might be used to revive the old session.

A good approach is always to force a new, randomly generated session id at the login screen and immediately after login. The id has to be set before the session is started:

// Generate a random id and set it before the session is started
$newsessid = bin2hex(random_bytes(16)); // PHP 7+; any cryptographically random string will do
session_id($newsessid);
session_start();

You can also use the session_regenerate_id() function to generate a new id for an already started session:

session_start();
session_regenerate_id(); // replaces the current id with a freshly generated one

Also, it is always good to check every valid session against an IP. One good method is to store the session id and remote IP in a table once the user logs in, and check them on the remaining pages for security. This of course won’t work when users are on the same office or shared network, as the IP seen by the outside world is the same.

HTTPS is always a good idea for sensitive sites, but keeping it persistent for all pages which use the session is important if you really want a foolproof system; otherwise anyone can sniff your packets.

So, to quickly go through the bits:

  • Set session.use_trans_sid = 0 in the /etc/php5/apache2/php.ini file.
  • Ensure you always use a new, self-generated session id on a successful login attempt.
  • Try setting session.use_only_cookies = 1 and check that everything still works.
  • Use HTTPS throughout to ensure no one can sniff your session id.
  • Store the session id and remote IP, and compare them on successive pages.
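As an added example (not code from the original post), here is a PHP login handler that applies the steps above: cookie-only session ids, a regenerated id on successful login, and the remote-IP check on later pages. The check_credentials() function is a hypothetical placeholder for your own authentication lookup.

```php
<?php
declare(strict_types=1);

// Added example, not the post's own code. Refuse session ids that arrive in
// the URL (the ?PHPSESSID=12345 fixation link from the post) and keep the
// cookie out of reach of scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

// Hypothetical placeholder: look the user up in your own users table and
// return the user id on success, or null on failure.
function check_credentials(string $user, string $pass): ?int
{
    return null;
}

// Called from login.php after the form is posted.
function login(string $user, string $pass): bool
{
    $uid = check_credentials($user, $pass);
    if ($uid === null) {
        return false;
    }
    // Throw away whatever id the client turned up with and issue a fresh one;
    // true also deletes the old session file, so a pre-chosen id is never
    // promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    // Remember the address seen at login so later pages can compare it
    // (see the post's caveat about shared office networks).
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

// Put at the top of every page that needs a logged-in user.
function require_login(): int
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['uid']) || ($_SESSION['ip'] ?? null) !== $ip) {
        // Unknown or moved session: drop it and send the user back to login.
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['uid'];
}
```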


ubuntu 8.10

November 14th, 2008

Windows vs Linux is such a heated debate, and I have friends who are total “die hard” fans of each and literally hate the other group. I take a much more diplomatic route and feel that both have their role to play, and I normally switch sides depending on the opponent: with a Linux friend I become a Windows defender, and with a Windows pal I become a Linux lover.

Basically everyone must accept the fact… that Windows got PCs to be user friendly. Today personal computers are a household item and in fact have become a necessity rather than a luxury thanks to Windows, because of the ease of use etc… etc… Many people argue that it’s a design stolen from Mac, Xerox… well I don’t care.. the point is that finally it was Windows that became popular… and I owe my bread and butter (Nike, iPod, …) to it.

Linux on the other hand.. hats off to its stability, reliability, strong forum support, and now… its beautiful interfaces and ease of use. I just installed Ubuntu 8.10 and it was an experience. I had installed Linux as late as 1999 (not late for you guys, but for me yes) and it was a pain to install. Configuring X Windows to work was a pain, drivers were not available for much hardware etc… etc… basically a total nightmare. Over the years I have seen it transform itself, but I always felt it could never beat Windows. Now, I must say it beats Windows for sure. Why.. well it started when…
- I downloaded Ubuntu 8.10 from the internet from www.ubuntu.com (64 bit edition, which would work well with my “Intel 6600 quad core” processor with 4GB RAM and 256 nvidia graphics card).. (not exactly boasting.. it’s one year old now).
- Burnt the image and tested the live CD (basically, without installing anything on the disk it would load Ubuntu.. this would give me an idea of whether it works well).
- After the live success, I decided to install it. The questions were very basic and simple, and it detected almost all the hardware connected. Once installed, it gave me the option to install the nvidia (3D) drivers, which are not open source, which I installed, and also the option to upgrade software, which I did. See, the beauty of Linux is that unlike Windows, where if you need any software you have to buy it on a CD or go to its specific website and download it etc…, in Linux we have something called repositories. They are basically a collection of all trusted and compatible applications for a version of Linux, and using package managers you can select from these and decide what you want to install.. it’s a very, very exhaustive list, it just goes on endlessly. I went through and selected a few popular ones.

See, I always had 2 misconceptions.
One was that Linux is never meant to be a desktop OS. I used to always argue that it’s amazing as a server and will always have an upper hand as far as servers are concerned because of its stability, but as a desktop I always thought.. no-one has the time to sit and try to make things work in Linux.. but now, it works so awesomely: it detected my HP printer, installed drivers and applications, and voilà, I can print in Linux! My external hard disks were auto detected (yes, it’s plug and play!), my joypad configured.. what else could I ask for? I do admit that it took me some googling to understand how to install the correct codecs for mp3 and divx, but basically I had to select the correct package for it, that’s all. So as a desktop it rules now. You get everything: you can burn your disks, chat on Yahoo, AOL, Skype, MSN. Firefox is your default browser. OpenOffice for Word/Excel/PowerPoint-like features.. and it’s compatible with Microsoft Office files, so .doc and .xls etc… files open here. And for those odd Windows programs, I installed Wine, which basically allowed me to install them. Yes, install an exe file!

The 2nd misconception was that Linux is not a graphics system: if you want to work on graphics related stuff, high-end graphics games etc… then Linux is not the right OS. Well, I was wrong again. At one point I decided to install some games. (Love games.. played those real old Atari console games and the latest Crysis etc…. ones, but am not exactly a “die hard fan” .. yeah, I admit I would chicken out and apply cheats if required.) I was impressed with some of the games: OpenArena resembles Quake, and Warzone 2100 is a good strategy game. Alright, I do agree that it’s not comparable to the latest games available on Windows, but then it’s getting there… almost!

One specific bit you will love (I did), and which made me laugh at Windows, was.. well, Vista boasts of something called Aero. It’s like these tiled windows you get when you want to select between multiple windows on your screen. They think it’s such an extraordinary thing that they have it available only on the higher Vista editions (my Home Basic, which I got with my laptop, does not have it). I finally saw it at a friend’s place, and it looked nice, different from the usual style. But Ubuntu has got “Compiz Fusion”, and it beats Aero … I mean there is no comparison. I have a snapshot for you to see.

Cool na?

One of the reasons for me to write this blog was that a close friend of mine argued with me when I told him how beautiful Ubuntu is and that Aero sucks! He said that if it’s so good, how come he has not heard about it… and he is right.. these guys absolutely have no idea that Linux can be so beautiful.

So cheers ubuntu/Linux! keep up the good work!


12 Angry Men - 1957

August 23rd, 2008

The story is simple: 12 jury members have to decide the fate of a boy who is charged with the murder of his father.

The sets are simple. Almost 100% of the movie, except for the small beginning and the end, is in a room with a table.

But what sets this apart is the intensity. The way the 12 main characters play their roles is outstanding. Some are polite, some harsh, some just don’t care what the outcome is, some are ready to have a battle to force everyone to agree with them. Henry Fonda does an amazing act as a guy who wants to reason things out, not necessarily force anyone to believe in him, but I loved the intense acting of Lee J. Cobb more. Definitely one of my best movies. I think the name is perfect; it could have been “Justice”, “The Jury” etc., but someone decided this is what it’s going to be.

Too bad it did not win any Academy Awards, the reason being that “The Bridge on the River Kwai” took them all away that year (another great movie). The other reason could also be that this was a B&W movie as compared to the others, which were in colour and hence stole all the limelight away from it.


mysql cardinality

August 20th, 2008

If you index your fields, you will notice that MySQL shows the cardinality for each index. This is basically a measure of how unique the entries in that field are. It is helpful when a query has to decide between indexes on 2 fields, e.g. we have a query which says,

Select * from users where city_id=2 and country_id=5

If both city_id and country_id are indexed, which one should it use?
Now assume there are 2 countries in the database, so the maximum cardinality at any point for country_id is 2; similarly, if each country has 100 cities, the maximum cardinality for city_id could be 200. Hence for this query it would select the higher cardinality index, i.e. city_id, as it is more unique and the resulting subset after the index has been applied will be smaller.
A field showing a cardinality of one means that all entries in that field are the same for all records, and hence its index won’t be of much use, as it would return all the rows after the index has been applied anyway.
The cardinality of a primary key will always be equal to the number of records in the table, as the values are unique.

I also realised that cardinality values go stale after too many inserts, deletes etc., and hence one should use ANALYZE TABLE.. but it could be a pain to run this on each table.
Hence we use a cron job running mysqlcheck -Aa -uroot -p<mysqlpassword> to analyse all tables in one go.


simple security tips

August 14th, 2008

I’m not an expert at all in security, but I do know of a few simple steps. I will extend this as and when I remember.

  • Logs/SQL available via web? Why?
    Log paths and SQL dumps should never be web accessible and hence should sit alongside (not inside) the public_html or htdocs folder. SQL dumps should ideally be deleted after use. The concern is that search engines at times do manage to spider these, making them accessible to everyone.
  • Test accounts?
    Do not use test accounts like test:test123 on any system.
  • Default paths for admin and 3rd party software are a no-no.
    Scripts available on paths like /admin, /administration, /phpmyadmin, /phpinfo.php, info.php, /phpbb etc. are prone to attacks and hence should never be set up that way, e.g. the phpmyadmin folder can be renamed to myAdmin34223.
  • Don’t put sensitive folder names in the robots.txt file. Some of us (I too in the start) add sensitive folder names which we don’t want others to see to the robots.txt file so that they cannot be indexed, but anyone can access your robots.txt file, thus exposing your directory paths.
  • Passwords in the database always encrypted. Some argue.. hey, our site is simple.. we don’t have sensitive information and if someone breaks the password it’s not a big deal. The problem is that people tend to keep the same password for virtually everything: for email, for Orkut, and for net banking. So if you allow passwords to be stored as plain text they can be misused. Best to encrypt them using SHA1 or MD5.


Guess Who’s Coming To Dinner - 1967

July 29th, 2008

This love story, made in 1967, centres around one evening.

A white lady meets a negro gentleman during holidays in Hawaii, and the scene starts with them heading to the girl’s home to tell her parents they are getting married.

Amidst humorous backgrounds, it shows how the parents react to their decision, with initially everyone unhappy with it. But the perfect-man character of Sidney Poitier seems to convince them later.

Spencer Tracy died a few days after the shooting ended.


HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)

June 20th, 2008

Improving site security involves many steps, and an HTTPS implementation is one important step towards this goal. It helps secure the transport layer by ensuring the data exchange between the server and the client is encrypted, and hence prevents eavesdropping. You can see it implemented wherever sensitive information is exchanged, like credit card transactions, authentication systems etc.

The setup process is simple. All you need is a unique IP, as the certificate binds to a specific IP; you cannot use 2 certificates for different domains on the same IP. Something we learned the hard way! The process is as follows.

Step 1: Information Gathering

For creating the key you need to collect the following information:

Country: eg GB
State: eg Goa
Location/City: eg IT Park, Verna
Organisation: eg My Company Ltd
Common name: (it needs to be the same as the domain name for which you want the https implementation) eg www.mydomain.com
emailAddress: eg xyz@mydomain.com

For the SSL certificate signing request to VeriSign/Thawte you need the following info:

Domain name: (it needs to be the same as the domain name for which you want the https implementation) eg www.mydomain.com
Firm Address: eg My Company Ltd, IT Park, Verna, Goa, India.
Name, surname, email address, telephone number and position of the concerned person in this firm,
and a webmaster@…., admin@….., ssladmin@……. address, since the certificate is sent to this email address.

For the virtual host entry you need:

Unique IP: eg 1.2.3.4
Domain name: (it needs to be the same as the domain name for which you want the https implementation) eg www.mydomain.com
Port: eg 443 (which is the default)

Step 2: Create the key on a Linux system

mkdir /etc/apache2/ssl/www.mydomain.com
cd /etc/apache2/ssl/www.mydomain.com

# Create the private key
openssl genrsa -out www.mydomain.com.key 1024

# Create the certificate signing request (CSR) to send to the Certification Authority.
# It will prompt you for various inputs, e.g. email etc.
# Most important is the Common Name: it must match the domain name you are applying for,
# in this case www.mydomain.com
openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

# To verify the certificate signing request
openssl req -in www.mydomain.com.csr -noout -text

By default one uses port 443, but of course you can force it to use any port.

Step 3: Send the request to VeriSign/Thawte

Contact VeriSign/Thawte and pass them the following in an email:

  • Domain name
  • Firm name and address
  • Name, surname, email address, telephone number and position of the concerned person in this firm
  • Indicate it’s an Apache mod_ssl implementation
  • Indicate the email account created, eg webmaster@…., admin@….., ssladmin@……
  • Attach the CSR file which you just created

Step 4: Certificate file creation

Create the www.mydomain.com.crt certificate file by pasting in the certificate text given by VeriSign/Thawte.

Step 5: Virtual host changes

Copy the VirtualHost block used for port 80 into a new <VirtualHost 1.2.3.4:443> … </VirtualHost> block

and add the following entries:

EncodingEngine on
NormalizeUsername on

# SSL Setup
SSLEngine on

# Get the SSL details from here:
SSLCertificateFile /etc/apache2/ssl/www.mydomain.com/www.mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com/www.mydomain.com.key

Restart the Apache server and you are done!


DATABASE: Normalization

April 7th, 2008

Many people just don’t understand the concept of normalization, and I guess the textbook definitions really don’t help. But normalization is really simple. A series of logical steps will ensure you don’t go wrong.

In a relational database, tables can be related to one another in one of the following ways.

  • One to one
  • One to many
  • Many to one
  • Many to many

Many to one can be converted to one to many by just interchanging the objects.

Let’s start with a simple case of 2 objects, customers and accounts.

Initially let’s say every customer can have at most one account, which cannot be shared. This would be a one to one relationship, and one can have a table like:

CustomerAccounts

Id custname accounttype amount
1 David SB 10000  

Keep in mind the id field, which is a primary key (it’s important that all your tables have a primary key, except probably for tables which show many to many relationships).

Now ideally a customer should be able to hold many accounts at one time. Since this is one customer related to many accounts, but one account used by at most one customer, we have a one to many relationship, which is shown by 2 tables with the foreign key in the table representing the “many” end.

Customer

Id name    
1 David      

Account

id type amount cust_id ..
1 SB 10000 1  
2 FD 500 1  

Here the ids are the primary keys in their respective tables and cust_id is the foreign key in the Account table pointing to the related row in the Customer table.

Next we decide we need to also allow a single account to be shared by multiple customers (joint accounts).
This becomes many to many, because it is both one customer having many accounts and many customers owning a single account. A many to many relationship is always shown using 3 tables: 2 representing each of the objects (customer, account) and one showing the relationship.

Customer

id name    
1 David      
2 John      

Accounts

id type amount .. ..
1 SB 10000    
2 FD 500    

Customer_Account

cust_id account_id
1 1
2 1
1 2

This shows that David and John have a joint account (account number 1) and David also has another FD account (account number 2).

So, key bits to remember:

  • Every table needs a primary key.
  • Try to understand the relationship between the different entities/objects in your system.
  • For a one to one relationship they can be in the same table.
  • For one to many there will be 2 tables, one for each object, and a foreign key in the table representing the “many” end which points to the other table’s primary key.
  • For a many to many relationship there will be 3 tables, one for each object and one for the relationship between both these objects, which will have 2 foreign keys, each one representing the primary key of a table.


Web sessions

April 3rd, 2008

The Internet is stateless. When a server receives a request from a client A it just serves it and forgets about the client. When the next request comes from client A, the server has no idea it’s the same client that made a request a few seconds back. So how do we solve this problem? Via web sessions.

Every client which makes a request is given a unique id called the session id, which is generated by the server. Along with every request that the client makes, the session id also gets passed to the server, except of course for the first request, as it is only after the first client request that the server generates a session id for it to pass next time.

How does the client pass this session id each time? Well, there are 2 ways: URL rewriting and cookies. Cookies are much safer to use from a security point of view.

In the case of URL rewriting, when the server gets the first request from the client and generates the session id, it simply rewrites all the URLs in the requested page to carry the session id. E.g. links like http://www.somesite.com/contactus.php will change to http://www.somesite.com/contactus.php?PHPSESSID=12345, where 12345 is the session id. Even form posts are changed this way. Hence whenever anyone clicks on the URLs rewritten by the server, the session id gets passed automatically.

But this is very costly, as it consumes server resources. Hence the server also tries to see if it can write a cookie on the client. So along with URL rewriting, the server sends header information to the client to start a cookie with the name PHPSESSID and value e.g. 12345. If this was a success then the next request which the server gets from the client will also carry the cookie, and the server will know it need not do URL rewriting anymore. If it’s a failure, it continues with URL rewriting.

Currently, e.g. the Apache 2 server configuration turns URL rewriting off by default and relies only on cookies as a safer, more secure option.

Session variables are stored on the server against a session id.

The server assigns these values, and then refers to them each time using the session id to fetch the correct record/file with the variables/values.
