   I have to plug my friend Ryan Cullen's site called Reel Opinions.  Most every movie I've gone out to see lately has been a disappointment (given, I went to see movies like Doom, but what do you want?  I loved that game).  So when I wanted to know if the next video game movie was worth considering, I went to the guy more critical than I am.  He sees and reviews everything that comes to the big screen.  And when a movie is crap, Cullen will detail how bad it smells.  I find it's more useful than Yahoo movies' feedback like "it sucked really, really bad".
   Gina and Rosey
   Went from 21 gig free to 118 gig free on the Red-Dragon's terabyte RAID-5 array.  This was accomplished in large part by deleting unused software.  We have a habit of downloading the latest version of software and leaving the older version installs on the drive as well.  This can get big quickly when you have several Linux distro ISOs lying around.
   Kristy on the dock

April 28, 2006

PHP bug prevents logins

   For those who attempted to post comments the last few days, I apologise.  There is a bug in PHP 5.1.2 that did not exist in 5.1.1.  I installed the new version of PHP on the 19th.  It turns out there is a bug in the "unpack" function which appends a "0" to the end of the string—prior versions of PHP didn't do this.  The pack/unpack functions are used to generate password hashes, so the hashes no longer matched and nobody could log in.  This includes comments on the root of DrQue.net and the member's area.  I submitted a bug report as well as a quick fix to the PHP developers.
   The work to fight off SPAMers continues.  This time, an on-line casino was spamming the e-mail form for the King's Quest walkthrough site.  After a quick search, it appears most of the references to their casino are found in guest books, forums and comments they've spammed people with.  I'm fairly certain this spammer is unrelated to the other guestbook spammer I fought off.  Again, a captcha was implemented to protect the e-mail form and should prevent future attacks.
   The RSS feed from DrQue.net was broken—yet again I forgot to add "htmlspecialchars" filtering, this time on the title of articles.  My topic on "objects" invalidated the RSS XML data and most RSS feed programs simply ignored the feed.
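As an added illustration, not code from DrQue.net, here is a small PHP feed builder that runs htmlspecialchars over every text node (titles included) and then checks the result with PHP's own XML parser, the same way a feed reader would. The article titles and URLs are constructed sample values.

```php
<?php
// Added example, not the DrQue.net feed script: escape each text node before it
// goes into the RSS XML, then confirm the feed still parses.

// Escape text for use as XML element content. ENT_QUOTES | ENT_XML1 turns
// & < > " and ' into entities that are valid in XML.
function xmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function rssItem(string $title, string $link, string $description): string
{
    return "    <item>\n"
         . "      <title>" . xmlText($title) . "</title>\n"
         . "      <link>" . xmlText($link) . "</link>\n"
         . "      <description>" . xmlText($description) . "</description>\n"
         . "    </item>\n";
}

function rssFeed(string $channelTitle, string $siteUrl, array $items): string
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
         . "<rss version=\"2.0\">\n"
         . "  <channel>\n"
         . "    <title>" . xmlText($channelTitle) . "</title>\n"
         . "    <link>" . xmlText($siteUrl) . "</link>\n"
         . "    <description>" . xmlText($channelTitle) . "</description>\n";
    foreach ($items as $item) {
        $xml .= rssItem($item['title'], $item['link'], $item['description']);
    }
    return $xml . "  </channel>\n</rss>\n";
}

// Parse the feed the way a reader would; false means a reader would drop it.
function feedIsWellFormed(string $xml): bool
{
    libxml_use_internal_errors(true);
    $ok = simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

// Constructed sample data: a title containing a tag name and a description
// containing an ampersand, the two things most likely to slip through.
$items = [
    ['title'       => 'The <object> tag',
     'link'        => 'https://example.invalid/2006/04/22',
     'description' => 'Drag & drop positions differ between IE and Firefox'],
];

$escaped = rssFeed('DrQue.net', 'https://example.invalid/', $items);

// Undo the escaping on the title only, to reproduce the original breakage:
// the parser sees an unknown <object> element and a mismatched </title>.
$broken = str_replace('&lt;object&gt;', '<object>', $escaped);

var_dump(feedIsWellFormed($escaped));
var_dump(feedIsWellFormed($broken));
```

Running it, the escaped feed parses and the deliberately un-escaped copy does not. Note that htmlspecialchars only handles the five markup characters; control characters pasted into a title (anything below 0x20 other than tab, newline and carriage return) are also illegal in XML 1.0 and need stripping separately.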
   Picture today is from my shoot in Madison on Monday.

April 26, 2006

Security measures

Tyson and Azrael

   I had a request from a group I'm working with for a shell account on my server.  It would simplify testing during site development.  I don't really have a problem with this, but I don't really have much in the way of internal security.  I patched up the two biggest holes today.
   First, the entire directory for webpages was read/write for nobody/nogroup.  While I'm not too worried about any of the scripts on my site, someone with shell access could do whatever they felt like to any of the sites.  To fix this, I created a user and group "webpages".  Everything in the web directory is owned by "webpages", and normal users can't even get a directory listing now without having been granted permission.
   The second and larger problem is Windows networking.  The first part of the problem was to secure the Linux machine's Windows shares.  The second part involved setting permissions for the server's mounts of Windows networked machines.  The original setup was wide-open so each could do whatever they wanted.  I changed things so only specific users have access now.  That plugs most of the holes, but Windows is and has always been a vulnerability—so while I'm fairly comfortable the Linux server won't get exploited, I'm not so sure about the non-Linux machines.  Of course, I'm only giving access to a limited number of people, whose only interest is testing for a web site.  I don't have too much to worry about, but I like to be thorough anyway.

April 26, 2006

Mail scam

   So while everyone is used to getting e-mail SPAM, getting it via snail mail is a little more rare.  This (page 1, page 2) scam appears to be the work of a group in Madrid, Spain who have been doing this for quite some time.  Reports date back to June of 2004, although usually via e-mail.  This scam has obviously been making money, since this time it cost the sender almost a dollar (€0.78 or about $0.97 USD) to send out.  The letter is also hand-signed, judging by the indentation on the back side of the paper.  I find it interesting how much international cooperation there is for tracking down peer-to-peer networks.  When it comes to things like rip-off artists, however, they operate (case in point) for years.  Of course, in this case, the victims are individuals, not multi-million dollar corporations.

April 26, 2006

Seven operators and 35 minutes with Charter Communications

   I got a letter from Charter Communications (our ISP) saying they are unable to process my "recurring credit card payment this month". Alright, something must be wrong; I'll just call the number on the letter and see what the problem is. I'm not kidding: seven people and 35+ minutes later I'm finally speaking to someone who's willing to look at the reason I received this letter. The first number, the one on the letter, wasn't for business customers—pretty sad, but this is typical. Even the sales rep I talked to when signing up gave me a number to call that wasn't for business customers. She did this 3 times before I told her you couldn't reach her at the number she was giving people. The first operator gave me a new number and transferred me to those who deal with business accounts. Operator number 2 took my information and found I was in Wisconsin. This was a Minnesota call center. I was transferred back to the first number I called, since I received the same recording. I informed operator number 3 I had likely been transferred by mistake and was trying to reach billing for business accounts. They concurred I had been mis-transferred and gave me a number to call—the same number the 1st operator had told me to call. This operator said the transfer system wasn't working and I'd have to hang up and dial myself. When I hung up, the phone said this call had lasted 16 minutes.
   So I called the number. I asked operator number 4 if they could deal with business accounts. She took all my information: my name, the account name, account number, address, and transferred me. Operator number 5 told me I had again reached the Minnesota call center, and couldn't help me. He gave me a number, the number the first operator had given me and the number I called the second time. I explained this to him and I was transferred. Operator number 6 had been given information about my situation and said he would figure out where I needed to go. After a long holding period, I was transferred. At long last, operator number 7 pulled up my account information. Some automated system gave a cryptic error message. For whatever reason, they couldn't make the credit card transaction. Since I had a bill, I asked if I could pay over the phone. He took the same credit card information I used for the automated system (I only have one card) and it worked fine. After placing that information back in the system I was done.
   I've dealt with some bad call centers in the past, but this experience strikes me as particularly bad.  I have a "Business class" account.  I pay 2.5 times what a standard customer pays and get less bandwidth.  With more than 2 hours of logged downtime since I got service 2 months ago, I at least expected preferential treatment when trying to pay a bill.  Despite being a business customer, I was bombarded with mindless digital cable ads and pay-per-view commercials.  I hate advertisements to start with.  Being treated like this only solidifies my hatred of Charter Communications and cable companies in general.  Even as a residential customer, I was not treated like this with TDS.
The Evening's Sushi

   Took a trip down to Rockford to get a new inner tube for my rear bike tire and get it tuned up for the summer.  I decided to swing by Tyson's house and we went out for sushi.  Afterwards, we went over to a computer electronics store and I picked up some 250 gig parallel ATA hard drives.  The 100 gig RAID-1 backup drive for photos is full, and I haven't stopped shooting.  So, I'm going to replace the 80 gig RAID-1 array with the 250s.
   Space is becoming an issue on the Red-Dragon as well.  Out of 910 usable gigabytes, I have under 21 gigs free—about 2%.  While 20 gigs is a notable chunk of space, the fact is I can consume a gig a day with good photo shoots.

April 24, 2006

Using GnuPG with PHP

   In the continued efforts to bring the site up to XHTML 1.0 Strict compliance, we worked on the e-mail form.  When I first wrote the e-mail form script, I tried adding support for encrypting the message to my PGP key using GnuPG.  I never got it to work.  Today, I revisited that idea and got it functional.
   To encrypt the message, the PHP script needs to call 'gpg'.  This can be done using "shell_exec".  By default, GnuPG places all its data in ~/.gnupg.  This is fine for normal users.  But the web server runs as "nobody", and "nobody" doesn't have a home directory.  There isn't a command line parameter (at least, not one I can find) that allows you to specify a custom keyring.  The only other option was to override the home directory in the environment variables.  This worked.  So the command from PHP looks like this:
      // escapeshellarg() quotes $Message so an apostrophe in the text can't break out of the shell command
      $Message = shell_exec( "export HOME='/webpages/Certificate' ; echo " . escapeshellarg( $Message ) . " | gpg -ear www.DrQue.net" );
   The first part of the command changes the home directory environment variable to that location.  The Certificate directory is where the SSH certificates are placed.  There is really nothing else in there.  So, I copied the .gnupg directory from root's home directory into the Certificate directory.  Make sure to change ownership of these new files to "nobody:nogroup".  Now, the message is piped to gpg, which is told to encrypt it to www.DrQue.net's public key.  The encrypted text is returned in $Message.  The remainder of the script runs as normal, connecting to the e-mail server and sending the message.
   It is pretty pointless to have gpg encrypt the message if the post was done over an open channel.  The script only encrypts the message if the form was requested over an SSL connection.  This way, the message text is sent to the server encrypted, and the server in turn encrypts the message for e-mail.  This adds one weakness: there are now two channels of encryption, giving an attacker two places to target.  While I don't expect an attacker would ever bother, it's something to keep in mind.  In fact, my use of encryption in general isn't needed.  However, I use it out of principle: I believe we have the right to private correspondence.
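As an added example (not the DrQue.net script itself), this is how the same call can be written without going through a shell command line: GnuPG's --homedir option points at the keyring directory, so HOME need not be overridden; the message is written to gpg's stdin over a pipe; and encryption only happens when the request arrived over SSL. The directory /webpages/Certificate/.gnupg and the recipient www.DrQue.net come from the post above; the form field name $_POST['Message'] is an assumption.

```php
<?php
// Added example, not the DrQue.net e-mail form script.
// Assumptions: /webpages/Certificate/.gnupg holds the keyring (readable and
// writable by the web server user), 'www.DrQue.net' is the recipient key's
// user ID, and the form posts the text in a field named 'Message'.

function isHttpsRequest(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function gpgEncryptTo(string $message, string $recipient, string $homedir): string
{
    // --homedir replaces the HOME override; --batch and --no-tty stop gpg from
    // prompting; --trust-model always accepts a key the web server user never
    // signed, which gpg would otherwise refuse to use in batch mode.
    $cmd = 'gpg --homedir ' . escapeshellarg($homedir)
         . ' --batch --no-tty --trust-model always'
         . ' --armor --encrypt --recipient ' . escapeshellarg($recipient);

    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // The message travels over stdin, so quotes or shell metacharacters in it
    // never reach a shell (echo '$Message' breaks on the first apostrophe).
    fwrite($pipes[0], $message);
    fclose($pipes[0]);
    $cipher = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Fail closed: never fall back to mailing the plaintext when gpg fails.
    if ($status !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg failed: ' . trim($errors));
    }
    return $cipher;
}

// Only encrypt when the form itself arrived over SSL; text typed into a
// plain-HTTP form has already crossed the network in the clear.
$body = $_POST['Message'] ?? '';
if (isHttpsRequest()) {
    $body = gpgEncryptTo($body, 'www.DrQue.net', '/webpages/Certificate/.gnupg');
}
// ... hand $body to the existing code that connects to the mail server ...
```

Two things to check when this runs as the web server user: the homedir must be writable, because gpg creates lock files there and may rewrite trustdb.gpg; and the directory should be mode 700 and owned by that user, otherwise gpg warns about unsafe permissions on stderr, which is the first place to look when the call returns a non-zero status.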
   Tazz and I road-tripped to Madison, WI today.  We haven't gone out shooting in quite some time.  As the weather warms up we should be getting out more.  Our original plan was to find an industrial area to photograph.  However, we ended up just shooting downtown instead.  I proofed a lot, but really didn't capture anything I found extraordinary.
   Pictured is a chalk drawing on the side of a building in downtown Madison.

April 23, 2006

XHTML 1.0 strict

Kristy on the River

   So back when I made DrQue.net XHTML 1.0 compliant, I only made it Transitional and not Strict.  Having done all my drag-and-drop work in Strict, I decided I should bring the site up to this standard as well.
   Turns out there's a good deal of work getting pages from Transitional to Strict.  Two items required some research and clean-up.  The first is that the tag <table align="center" ...> is no longer valid.  I've found no better way around this than putting the table to be centered inside another table like this:
   <table width="100%" cellspacing="0" cellpadding="0">
     <tr>
       <td align="center">
         <table ...>
         ...
         </table>
       </td>
     </tr>
   </table>
   It's a lot of work just for centering a table, but I've found no other way around it.  The second item is links with 'target="_blank"'.  The 'target' attribute is no longer part of the "a" tag.  The quickest way around this is javascript.
     <a href="..." onclick="window.open(this.href,'_blank');return false;">
   It works, but now requires JavaScript to be enabled.  But so much of my site now requires JavaScript, I'm not too upset about this.
   Today, Kristy decided to take her boat to the river.  It's part of Garage tradition: boating on the river.  It started with the discovery of a large beached piece of polystyrene (most people know it by the brand name Styrofoam), likely once part of a dock.  We took it across the river using brooms for oars and it started a tradition of boating around the river on anything we could get to float.
   Kristy's boat turned out to be quite tinny, but seaworthy.  Pictured is Kristy ported just off the dock.

April 22, 2006

The <object> tag
The Garage Kitchen

   In working with the drag-and-drop system in AJAX, I ran across a problem: locations seem to come up different in IE and Firefox.  I'm not surprised, but it is a problem.  One issue is that the positions are absolute—that is, not relative to the division they are in.  To fix this, I thought about using a system where the DIV tags are initialized by JavaScript to be relative to the parent DIV tag.  That's not difficult, but I wanted a system that used some type of XML object to store this information.  I searched for embedding XML into an XHTML page, but didn't find anything.  It seems most people want to do the reverse: embed XHTML into XML.  I did, however, find a tag that is helpful: <object>
   Each <object> tag has a variable number of <param ...> elements, which have the attributes "name" and "value".  That's enough to pass all the information to the JavaScript for each draggable object.  I spent a bit of time on it and got everything working.  I'm still mulling over how the final system should work, but I know using <object> tags for information storage functions and is valid XHTML.
   Things still don't look the same between Firefox and IE—but that seems to be the story of my web design life.
   Pictured is the Garage kitchen.  Due to the limited space, layout is key.  I continue to refine the setup to make use of as much space as possible.  Something as simple as a drywall screw to hang a pan can free up useful counter real-estate.
   RRLUG meeting tonight, where I learned about VideoLan Client and a bit on attacking your own server to check for security.  I've attempted to play with VLC (VideoLan Client) once before, but I never got it to do what I wanted.  During the demo, I managed to get a stream going between my laptop and Pluvius's laptop.  I've wanted to get a system of video-on-demand going for some time.  There is a ton of video footage of the Garage days from 1999 through 2000.
   During the demo on security, I tried some of the software against DrQue.net.  One thing I found interesting is that xprobe2 reports back that DrQue.net is likely running some Microsoft operating system.  This isn't true—our server is a Debian Linux box.  My guess is the software is either getting confused by the NetGear router or by something our ISP is doing.
   Pictured is Echo giving us her gangster impersonation.