Some quick PHP performance stats: suPHP vs prefork+mod_php vs itk+mod_php

I have been doing lots of research on how to properly secure PHP on a shared server, especially with regards to finding the best way to sandbox users. On stock apache installations, the apache user must have access to web content in order to serve it which has the unfortunate side effect that every user on the shared hosting server can read the files of every other user.

The solution to them is "sandboxing" them, or in other words having Apache serve each user's web files as that user. I will post a tutorial relatively soon detailing how to do so (along with configuring many other services) but in the mean time here are some benchmarks:

prefork: 2.720166 seconds
suphp: 13.621006 seconds
itk: 4.263002 seconds

These benchmarks were generated using the "ab" benchmark included with the httpd server. They represent the time it took to load the front page of my blog 200 times:
ab -c 1 -n 200
prefork is the standard apache MPM working with mod_php. It's the fastest, but for the reasons outlined above also the most insecure. suPHP tackles the problem by using a SUID executable and running PHP under CGI, but it is extremely slow - even for this modest drupal site, it is just over 5x slower than stock. I compiled the ITK MPM for Apache which also offers the feature of running files under different users but it is based on Prefork and uses mod_php. The performance is still worse (2x slower) than stock, but much better than suPHP.


The sequel to my Ubercart i18n adventures

It has been a while since I last wrote about Ubercart, but I'm still working on some multi-lingual stores for clients. I have opted for disabling the stock Catalog module and using Views instead since Views is so much more flexible and easier to theme. I have a very simple setup; some terms in a vocabulary that is localized per-term, and then a custom View that takes a term name as an argument and returns nodes belonging to that term and displays them in a nicely themed grid.

Recently, I ran into an irritating issue where the View would return results from the wrong language if two languages had the same term name. After hours of investigating (and learning all about how to implement View handlers and plugins), it seems that the stock taxonomy term argument validator for Views cannot differentiate between terms of the same name in different languages. So if multiple languages contain the term "Stewart Adam" for example, the view will just returns nodes for whichever term (and therefore language) comes first in the database query. To be fair, the i18n module adds the "language" column to the term_data table so it's not really View's fault... Nonetheless, I was surprised that the i18n module had not already corrected this issue.

I've just reported Drupal issue #832100, Taxonomy term argument validator should not validate terms defined in other languages that includes a fix to the problem by limiting query for term names to terms within the active language. It's not the greatest way to go about solving it since it essentially just copies the original validator and makes two tiny modifications in the SQL query, but it's better then modifying the View module directly.


XMLmind's XML Editor

DocBook is a great tool for any documentation writer, but it can be a real pain to get adjusted to. I had decided to use it for the fwbackups 1.43.2 user guide the end result was great (less a few spelling mistakes), but coding it by hand took a long time and isn't something I would want to do again

I have been using XMLmind's XML Editor to rewrite the documentation for fwbackups 1.43.3 in DocBook 5 and it's been great. It has a WYSIWYG interface and although the program has a small learning curve, once I got used to the hotkeys my productivity went way up. Version 4.6.0 (released about two weeks ago) also includes a new Link tool can be enabled in the Preferences (under General > Features) that is excellent for creating cross-section links in your documents. After giving a section an xml:id name in the Attributes section, highlight a piece of text and select Edit > Add or Change Link... from the menu. All of the document's xml:ids for will be listed and selecting one will create the link automatically.

The license for the personal edition license allows XMLmind's XML editor to be used to write documents for any open source software (as defined by the OSI) - if you need a quick way to write great looking documentation, consider paying XMLmind's website a visit.


Random thought

In any of my future classes related to operating systems, I want to try saying "sudo" instead of "please" and see how many people get it :P

I'll keep you updated.


Some hidden gems in the iTunes 9 visualizer

It's more or less well known that the stunning visualizer in iTunes 9 is actually a modified version of The Barbarian Group's Magnetosphere. I recently downloaded a copy of the original magnetosphere visualizer, and one thing I enjoyed was the ability to control the amount and intensity of the particles (the glowing, moving dots). The following is displayed in the visualizer's help screen:

+/- Increase or decrease the intensity
A/S Add or Subtract particles (100 at a time)

While these commands are not listed in the help screen of the official iTunes version of the visualizer, to my surprise I found that they still work! They've proved useful for when the iTunes visualizer seems to get stuck for a bit with one of the big black stars blocking the view.


My thoughts on Java after having used it for 2 months

One thing that has always annoyed me during my CEGEP studies is that although my CEGEP actually offers a computer programming profile, I can't take it. It is much easier for me to study pure & applied sciences in CEGEP and then apply to software engineering or computer science at university afterwards than it is to take the computer programming route at CEGEP because then I would be stuck catching up on a bunch of the requirements like calculus and physics after CEGEP.

You might ask, "Pure & applied sciences aren't so bad... So why is it annoying?" It's annoying because I cannot take more than one computer science-related course throughout my two years of studies at CEGEP in pure and applied science. Anyways, that ranting just to say that I've been saving that one computer-related class for my last semester, so this term I've been attending Introduction to Computer Programming in Engineering.

To my disappointment, I found out that we were going to be using Java throughout the entire class in class (I was hoping for a more modern programming language like Python, which I think would have been better suited for programming beginners). I've also always hated Java. Up until now I didn't really have a solid foundation for the hate - I just didn't like anything about it.

Now that two months of the course have gone by, I can say that I still dislike Java. I'll keep my reasons quick and to the point, but keep in mind that I'm saying this from the perspective of designing user applications to be run on a desktop machine:

  • For the longest time, Java was closed-soure and remained under the sole control of Sun Microsystems (now Oracle). Although most of Java has now been open sourced, the OpenJDK implementations are still incomplete.
  • Have you ever seen a GUI Java project? Even with a good deal of theming, they tend to look terrible next to some of the C++ GUI projects using Qt or WxWidgets for example. I'm a big fan of ease of use and good user interfaces, and Java does this very poorly with very little integration with the OS running the JVM. This point alone is enough to make me never touch Java again.
  • Java has much of the complexity of C or C++... So why not just program in C or C++? Doing the bit of extra work to handle garbage collection and getting it to work on multiple platforms will just make you a more experienced and better programmer in the long run. In addition, if you decide to use a toolkit like Qt or WxWidgets then much of the multi-platform work is done for you already.
  • Java has many annoying quirks:
    • Only one public class per file allowed
    • The filename must be the same as the name of that one public class
    • For all functional purposes it doesn't matter, you cannot make a simple, global "subroutine" in Java; everything must be a method and belong to a class.
  • It's clunky. If you start to add in GUI, networking and a few other components to your program it starts to get pretty large and resource-intensive. A C++ equivalent of the same program would be more efficient.

And there you have it: why I don't like using Java for real world application programming. Java certainly has its place - I think that it takes care of the mobile market/niche wonderfully - but for desktop applications Java is the wrong tool for the job.


Securing your online identity

Within the past month or so, I find it odd that the occurrence of friends who have had their Hotmail, Gmail, Facebook or other online accounts hijacked has roughly tripled... Probably some new social engineering technique or malware is behind it, but I took the time to write this up since preventing account hijacking from happening to you is easy and probably won't take more than 5 minutes to make the changes to your online accounts.

Choose secure passwords

Part of basic online security is choosing a good password. Remember that many password crackers are loaded with dictionary words and common variations thereof (replacing a letter with a number, adding numbers after a word) - choosing a simple password makes your account is an easy target. Any secure password should be at least 8 characters in length, include letters (upper and lower case), numbers and even punctuation when possible. Below is a quick 5-step process for choosing a secure and memorable password:

  • Choose any word
  • Add two numbers to the end of the word at random
  • After the two numbers, add a punctuation mark or symbol such as: ! @ # $ % & * ( ) _ + - = [ ] \ { } | ; ' : " , . / ?
  • After the punctation mark, add another word related to the first
  • Choose one or more letters in your password and make them uppercase

For example, I like chocolate ice cream. I choose the number 38 at random, used an exclamation mark and made any letter "c" my password uppercase. The end result is ChoColate38!iCeCeam. It isn't very difficult to remember, but that would be extremely tricky to guess!

Do not answer any "secret question" with the correct answer.

Many websites (and even some banks) employ the "secret question" technique to verify your identity. Often, you can also reset your password by giving the answer to one of your secret questions. If you have a secret question that's easy to guess, having a secure password is moot; the secret question bypasses it completely. Even worse, the attacker could change your password once they break into your account locking you out!

The answer to this problem is to choose something unrelated to the question and use that for the answer. Make it obscure enough so that you can use the same answer all the time so you don't have to remember which nonsensical answer you choose for which question... For example:
What is your best friend's name? Spoon43.
What is your favourite food? Spoon43.
What was the name of the first street you lived on? Spoon43.
What is your mother's maiden name? Spoon43.

Be conscious of what you post publicly

Be careful of what you post online. Nobody thinks identity theft could ever happen to them, but happens much more often than you would expect. As well, with the rise in popularity of social networks it has become easier and easier to track people down and lift information from profiles.

  • Tighten down your privacy settings. Is there really a need to let everyone know about your personal life? Hide information that you don't want the world to see - your cell phone and home address are good examples. In Facebook's case, you also want to set all privacy settings to "Friends only".
  • Think about what you publish before you hit the button. As a general rule, don't publish to social networking sites or your blog what you wouldn't want everybody to know about you.

Do not store sensitive information without encryption

Encryption is a technique that turns information unreadable to anyone without a the key or passphrase. You should only store your sensitive data if it is encrypted as it will make it much more difficult for hackers to get at:

  • Mac OS X: All the tools you need are preinstalled. Open Disk Utility (in Applications > Utilities) and then select File > New > Blank disk image... from the menu. In the dialog that appears, select either the 128-bit (faster, less secure) or 256-bit (slower, more secure) AES methods.
  • Windows: Not all version of Windows support file encryption (Windows XP Home Edition doesn't, for example). However, you can download TrueCrypt for free. As of writing this, it supports Windows XP to Windows 7, both x32 and x64.

Additional information: How do the hackers get in?

There are many ways for them to break into your account. I've explained some of the common methods below:


Keyloggers are a type of computer malware that people often call "a virus," but it is very different from your ordinary virus. Keyloggers infect your computer and show no symptoms; they will not make your computer slower, delete your document or crash programs. Instead, they record what you type on the keyboard and send it to the hacker who wrote the keylogger. For hackers, this is a very appealing method since it has the potential to not only catch your passwords, but also your credit card numbers, online banking PINs and more.

Malwarebytes Anti-Malware is a free tool that is extremely effective at removing malicious software from your computer. The scan only takes 10 or 15 minutes, so I recommend running a scan at least once a week. Remember to update (click the "Update" tab) before running a scan!

Social engineering

To quote Wikipedia, social engineering is "the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques." The spam messages you get from a fake "PayPal" or "Your online bank" asking you to visit some random site and enter your credit card and password to confirm your account are a good example of very basic social engineering. Since social engineering is based on sneaky and dirty tricks, it is also the hardest to prevent since there is no real solution other than keeping a watchful eye.

Brute force attacks

Brute force attacks break passwords by trying different combinations over and over again until it finds the right one. This is why having simple passwords based on dictionary words are bad, since it would be a trivial task to find by brute force.


v1 blog offline

My "v1" Joomla 1.0.15 blog is almost a year old now and support for 1.x has been phased out, so for security reasons I think it's a good idea to finally take it offline. I've been able to import the old content here and I've also setup URL remaps, so you shouldn't notice a thing. Although if you are having trouble with a specific URL, please leave a comment and I'll fix the hole in the regex remapping rules.


Some new features

My trial enabling node comments went pretty well, I did have to handle the inevitable comment spam but there was nothing outrageous - only about one bogus comment a day. With comments being published only after approval they're extremely easy to spot as well, since typically the spammer will post the same comment twice or more once they realize "hey, it hasn't appeared on the page yet!"

So because of comments are functioning well I've just enabled some new features for my blog - namely, you can now leave your name & homepage when you leave a comment, although due to homepage spamming I've disabled all homepage links in the site theme until I find a better solution. As well, you'll notice the new rating widget (thanks to VotingAPI and Fivestar) on every node - feel free to leave any feedback or ratings on any of the blog or tutorial posts. Thanks!