Software Release: Homepage downtime kit for Apache v1

The bad boy in action.

When you’re managing a homepage for a while, there will be the times when you absolutely need to take your site down for maintenance – be it a hardware upgrade, code upgrade (When migrating to a new version of your/someone elses software.) or disk maintenance due to power loss or crash. But what do you show your users while the regular homepage is unavailable? Simply shutting down the server resulting in an error for the end-user is kind of boring, and gives a far less memorable expression than having a proper downtime page, all the big boys are doing it, so why shouldn’t you?

I spent a few minutes and hacked together a minimalistic “downtime kit”.

The easiest way is to temporarily redirect your page somewhere else (where you host the downtime kit) during the downtime, and there’s a multitude of ways to do so, all depending on the architecture of your hosting setup, so you’ll have to think of the best way for you to utilize this kit.

As for how it works, it simply uses the mod_rewrite functionality in Apache to redirect image requests to one central image, so that any hotlinked images you might have show a proper downtime dialogue on their respective pages. It also redirects users who want to download files and visit pages to a proper downtime dialogue.

Setting the kit up to work for your page takes less than a minute, here are what needs to be done (taken from the readme.txt file in the distribution.)

Prequisites:

• PHP5 (Should work with PHP4)
• Apache with mod_rewrite (XAMPP Lite distributions work great for this purpose.)

License:
This kit is released as beerware, a very permissive license, so do whatever you please with the code.

Download link:
zip file – (Mirror 1 / Mirror 2)

Tutorial:

1.) Upload all the files into the root of your web directory, if you want to restrict the script to a subfolder, read step 2, otherwise skip to 3.

2.) If you uploaded the distribution into a subfolder (like http://www.mypage.com/ahomepage) instead of the root (which in this case would be http://www.mypage.com) – open the .htaccess in a text editor and change the second line from:
ErrorDocument 404 /index.php
…to:
ErrorDocument 404 /<your subdirectoryhere>/index.php

In our previous example, this line would be:
ErrorDocument 404 /ahomepage/index.php

If you have vhosts that link a subfolder to a domain name (ie you can visit the page at ahomepage.mypage.com) this step is not necessary.

3.) Open config.php in a text editor and change the text
<b>Status:</b><br>This page is down!
…to whatever you wish for your downtime page to show.

4.) Optionally change the notfound.jpg image for another one that suits you or your homepage better.

5.) Enjoy!

In other news…

Cover art for “The Constants – The Foundation, The Machine, The Ascension”

In this episode of “In other news…” we’re going to talk about post-rock. It feels like such a huge topic, but I’ll just satisfy myself by saying it’s a fantastic genre of music, especially instrumental post-rock, so without further ado, here is a list of some of my favourite post-rock band, in unspecified order – click on the band names to visit their homepages/profiles.

• The Constants
• God Is An Astronaut
• The Evpatoria Report
• Beware Of Safety
• pg.lost
• s.ink

Most of these bands are relatively small, and you can find a lot of music on their respective Myspace profiles and homepages.

Experimenting with alternative CAPTCHA designs and a brief history of the modern day CAPTCHA

Examples of simple CAPTCHA designs

What is a CAPTCHA?
If you have ever registered yourself on any site (mail, social networking etc) there’s a good chance you’ve seen a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). It is a simple test to prove your humanity to the site you are visiting. In this post I will be discussing CAPTCHAs in general, and experimenting with some new designs that might further thwart spammers.

Why is it needed?
The problem stems from how HTML forms work – they’re very simple to fill out and submit. Using a specially coded software, a spammer could  create thousands of email account in a matter of seconds, these could be used for sending email spam. (Because the email sending page is essentially another HTML form.) Spamming guestbooks is also a popular SEO technique to drive up a particular sites PageRank with both Google and other search engines, which employ similar mechanisms. (As a side note, good practice is to use the nofollow attribute for all outbound links if you’re ever coding a guestbook.)

CAPTCHA systems were invented to stop spammers. A CAPTCHA is usually a generated image that shows some sort of distorted text, which the user can read and input properly. A lot of work go into crafting CAPTCHAs that are simple for the user to read and understand, but difficult for OCR software to comprehend properly. This is usually done by adding distortion of some sort. But as OCR software improves and some people actually write custom code that target specific CAPTCHA systems, more obfuscation is needed, and so unreadable examples as shown in the image below are not uncommon.

An excellent example of a horrible CAPTCHA

Therefore I applaud alternative designs. There has been a few ones including identification of cats and dogs, although these are also flawed because of their limited databases, which are subject to brute force attacks.
Here’s another one I found while researching this post that I quite enjoyed:

An excellent example of an excellent CAPTCHA

This simple substitution CAPTCHA is good because it is unbreakable by standard OCR and requires a special algorithm. This involves someone programming it, which involves manpower, which involves money, which is a rare commodity – therefore, unless this kind of CAPTCHA is run on a high-profile site it would be too much hassle breaking it, and so this kind of alternative implementations works well for smaller sites.

My experiments
I know that I’ll be needing to use a CAPTCHA for some of the projects I am currently working on, and so I sat down a few days ago and started brainstorming. Some of these CAPTCHA variations probably already exist, others are a bit more exotic. Feel free to implement and use any of these. If you do, I’d love an email on how you are using them and what improvements you have made.

– Counting upwards

This is a pretty simple idea that differs from the vast majority because the letters are jumbled – every letter has a corresponding number. You type the word by starting from one (1) and counting upward, in this case the word is SECRET, which we see if we move the groups by numerical order:

SECRET
———-
123456

This sort of CAPTCHA should work pretty well on even high-profile pages, especially if you apply some distortion to the background, because it provides two points of errors – not only do the letters have to be identified correctly, so do the numbers. This one probably requires a small explanation on how to solve it on the page where it is used.

– Follow the path

This is one of the more exotic ones, and it builds upon the idea of following the letters around the shape in the direction of the arrow, in this case we start from H and wrap around the shape to make out HELLO. There is some Lorem Ipsum text inside the shape to further fool OCR. A full implementation should also randomize where the arrow points and its location from all possible letters. Distortion could be put on the background to make letter identification harder. This almost certainly requires an explanation on how to solve it on the site where it is used.

– The hierarchy
Last one wasn’t exotic enough for you? Meet the hierarchy. The basic idea is that letters are stacked on the edges of an arbitrarily large pyramid. The example shows one with four letters on each side, but it can be of any size. Inside the pyramid is an arrow twisting upwards – now follow its path and pick up the letters on the way to spell out TEST. A full implementation should randomize the path of the arrow, and perhaps even use other shapes (squares, circles) although just switching out the letters should work well for low-profile site use. If you use this to authenticate your comment form and don’t feature some sort of explanation on how to use it you probably won’t get a lot of comments…

Questions?
If you have trouble understanding how any of the examples work (I know my explanations are usually clumsy at best) go ahead and throw me a comment or an e-mail. You can find my address on the Fair Use page.

But it’s still possible to beat them!
How you might ask? Indian slave labor. The article linked is a fascinating insight into the world of the professional CAPTCHA solvers, who make as little as 0.001 dollars per solved CAPTCHA. A truly fascinating read about how cheap manpower can be used to circulate more spam around the planet.

See you next time!
This article has talked about CAPTCHA in general and some experimental approaches to the problem, next time we’ll discuss various ways of implementing a CAPTCHA using PHP. Stay tuned!

Tinfoil Tom Series – Episode 1: Securing your web browser

“What’cha lookin’ at?!”
(Thanks to Sarah for this beautiful depiction of paranoia!)

Hi and welcome to the “Tinfoil Tom” series that I intend on running on this very blog. This series of post will be dedicated to end-user computer security – for the slightly paranoid. So it seemed appropriate to start with what you’re doing at this very moment – that is, surfing the web! (Whatever else you were doing is but your own business, in the spirit of tinfoil hats, paranoia and all.)

This guide is first and foremost directed at power-users, but it is written in a way so that (hopefully) anyone can follow it without problems.

The web browser
Try asking someone about their web browser preference and you’ll notice that many people would rather bite your head off than consider an alternative one. That being said, according to me – the power-user browser is Firefox. Opera is not far behind and may very well excel in some categories, but with the grand focus on security, the enormous community and the perpetually growing add-on library that all Firefox users can enjoy, it’s simply unbeatable, and so it will be a prerequisite for this tutorial.

With its out-of-the-box configuration Firefox is one of the most secure browsers, but we won’t stop there! To make your experience even safer – read on for some useful add-ons.

Added security
Here are some great add-ons that will help in tightening your browsers security.

Adblock Plus

Before and after shot. Unfortunately, some of that heavily
appealing “bling-bling” disappears together with the ads.

Whilst not technically a security add-on, Adblock plus make practically all ads on pages disappear, and in such way makes you less targetable to third-party exploits such as XSS attacks, not to mention those bastard animated smileys. *shivers*

Using Ad blocking software has come under heavy fire lately, with many ad-financed sites expressing heavy criticism towards the users, some sites have even started to reject users with ad-blocking software. Luckily, the number of these sites so far is very small, and let us hope it doesn’t spread. One could probably spend a whole series of posts just discussing the moral aspects of ad blocking (Which according to me has heavy parallels to downloading or TiVo‘ing TV shows, effectively skipping the commercials.) but I’ll leave it for another day.

Get Adblock for Firefox here.

NoScript

Evil script is evil.

Before you install this add-on, you should be aware of the fact that breaks almost all modern websites because it interferes (or rather completely shuts off) JavaScript support unless you specifically enable it on a per-site basis. But it also stops a lot of third-party homepages from running scripts and makes a lot of other security improvements under the hood. Although I don’t recommend this add-on for normal users, power users who often visit the same set of homepages may benefit greatly in terms of increased security – this add-on will truly make your browser an impenetrable fortress.

Get NoScript for Firefox here.

TorButton

Just watching that onion makes my eyes tear up… with laughter!

TorButton is actually a quick proxy gateway to Tor, an online darknet-like anonymization effort, but because the Tor software acts as a standard HTTP proxy, we can use any proxy server in its place, and because the TorButton add-on features many security tweaks, some similar to NoScript, even running it through a transparent server on your own computers adds security, and as far as I have noticed, TorButton breaks much fewer websites and barely requires any user attention. The only problem might be the cumbersome task of properly setting up a proxy server, but for Windows I can recommend CCProxy which I use myself. (Demo version with some non-timebased restrictions, although works fine for our intentions.)

Get TorButton for Firefox here.

Coming up!
In the next episode of the Tinfoil Tom series we will be discussing laptop security, secure file deletion through wiping and file recovery.

In other news…

Randomly speaking of video game soundtracks – the classical Unreal Tournament Score is really such a pearl. Fantastic and surprisingly mellow soundscapes with a hint of almost organic roughness. I’m pretty certain it isn’t being sold anymore (I think it was only included in the special editions to begin with.) but I found a mirror, let’s hope it stays up!