TCP/IP

Do you know that feeling?

Do you know that feeling when you have more expertise than the helpdesk employees you're trying to explain your problem to? But you need them to put your call through to someone who does know shit? And they are trying their best to help you but have absolutely no idea what you're talking about or what to do with it?

That feeling, I wonder if there's a name for it...

Now excuse me while I go and kill someone
throw my phone against the wall
punch someone in the face
shout
cry.

Half Duplex ADSL Modem

Since my girlfriend and I are expecting another baby, due around 20 November, Brecht will move from her current baby room to the room I was using. So all my computers had to move as well. Last weekend we redid the wooden floor again (oiling); this weekend I moved my computers to the second floor. I rewired the PSTN/ADSL, moved my computers (and closed up the case of Willt, the machine hosting this website, since it had one hard disk hanging outside), did the switches, the wireless, etc. Then I booted, and sure enough Linux came up fine. Even the ADSL worked, like a charm. Or so it seemed.

The connection was very, very slow. I normally open some 20 sites in Firefox on my laptop, and they loaded like back when I had PSTN, or even worse, Casema cable in the late 90s. Showing Pat & Mat videos (Buurman en Buurman for the Dutch) from YouTube to my daughter, I found that loading took longer than the display time, not normal for the quality connection I have to XS4ALL. Doing some speed tests, I saw that my download speed had dropped from the normal 4Mb to 200Kb while my upstream capacity stayed at 600Mb (no torrents in the background).

And even worse, when I was doing a huge test download, the ADSL connection dropped 10 seconds after I had a link, so I had to bounce the interface on my Linux box or my ADSL modem just to get 10 seconds of slow internet. Try troubleshooting your connection without having one!

Since I did some netmastering back in the 90s, I knew I was going to solve this one. The first thing I saw was that it wasn't the ADSL connection that was dropping but the ethernet link from my Linux box to my ADSL router. So it was local and should be easy to solve. Somehow, the link on my eth1 going to the modem was 10Mb full duplex, auto-negotiated. Now autonegotiate is bad, and if you know the wire speed on both sides, never use it!

So once I did a

ethtool -s eth1 speed 10 duplex half autoneg off

the line was stable and fast again! I don't know how the wrong speed got set. But I am sure glad to be online again. And I might have solved some other problems my website has as well. I'll keep you posted.

Drupal coding: How to handle text in a secure fashion

When I did my first Unix system administration back in 1996 or so, I immediately had a lot of respect for the beauty of Unix and for the system administrators who know, eat, sleep and dream Unix. Shortly after I got my first root prompt, there was this buzz: you could bring down almost any Unix system (and any other system with a BSD-derived TCP/IP stack) with just one simple "ping" command.

This was later known as the Ping of Death: an oversized, fragmented ICMP echo request that overflowed the receiver's reassembly buffer. It was an attack against the network layer of the OSI stack. It was soon followed by even easier Denial of Service attacks like SYN floods, smurf and the like.

A couple of years later, attacks moved up a level; the lower layers had become less easy to "hack". So we saw a lot of buffer overflow attacks in the late 90s. This kind of attack still happens, but most attention has since moved up once again, to the application level, where we saw a lot of attacks a couple of years back.

For web applications, Cross Site Scripting (XSS) was the most common one. Most CMSes, including better ones like Drupal, have had these vulnerabilities, and there are still some Drupal modules that carry this kind of potential for abuse. When you write code, it is not so hard to make it do what it should: match the functional requirements that you or your customer defined. It is hard to make code that won't do what you don't want it to do. Most customers are very good at describing what they want, at coming up with a functional design. But nearly all of them fail to define what shouldn't be possible.

If you think you or your customer didn't define what shouldn't be possible, make sure you read the "How to handle text in a secure fashion" page on Drupal.org:

When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done. Otherwise there might be bugs when users try to use angle brackets or ampersands, or worse you could open up XSS exploits.
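As an added illustration of the escape-versus-filter choice the quoted page is about (Python rather than PHP, and not code from the original post or from Drupal itself): check_plain below mirrors the idea of Drupal's check_plain(), escape everything so it is shown as text, while filter_xss mirrors the idea of Drupal's filter_xss(), keep only an allow-list of tags and attributes for fields that may carry markup, as its own small implementation on top of Python's html.parser. The attacker input, the allow-list and the render_* helpers are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Allow-list for rich-text fields: tag -> attributes that may stay.
# Constructed for this example; a real site tunes it per text format.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(),
}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}   # tag AND its body are removed


def check_plain(text):
    """Plain-text output: turn every HTML-significant character into an
    entity so the browser displays the text instead of parsing it.
    Same idea as Drupal's check_plain()."""
    return html.escape(text, quote=True)


class AllowlistFilter(HTMLParser):
    """Rich-text output: re-emit only allow-listed tags and attributes.
    Unknown tags are dropped but their text is kept, text is re-escaped,
    and <script>/<style> bodies disappear together with their tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # allowed tags still open, so output stays balanced
        self.skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return       # e.g. <img onerror=...>: tag gone, text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # onmouseover=, style=, ... are not on the list
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:
            while self.open:          # also close tags left open in between
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:              # balance whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def filter_xss(text):
    f = AllowlistFilter()
    f.feed(text)
    return f.result()


# Constructed attacker input, as it might arrive in a node title or comment.
USER_INPUT = ('<script>alert(document.cookie)</script> "Hello" & '
              '<b onmouseover="steal()">bold</b> <a href="javascript:alert(1)">x</a>')


def render_unsafe(title):
    """The bug: raw concatenation, so the browser runs the script."""
    return "<h2>" + title + "</h2>"


def render_plain(title):
    """A title is plain text: escape it."""
    return "<h2>" + check_plain(title) + "</h2>"


def render_rich(body):
    """A body may carry limited markup: filter it."""
    return "<div>" + filter_xss(body) + "</div>"


if __name__ == "__main__":
    print(render_unsafe(USER_INPUT))
    print(render_plain(USER_INPUT))
    print(render_rich(USER_INPUT))
```

The point of the split is that the two functions answer different questions. check_plain is the right call almost everywhere (titles, names, anything shown as text); filter_xss is only for fields that are allowed to contain markup, and even then the allow-list has to cover attributes and URL schemes, not just tag names, or an allowed `<a>` still carries a `javascript:` link.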

In a year or two we will be done with these XSS exploits and label them as yesterday's news. But will we still suffer from "even higher" attacks like SQL injection, with the automated test tools that are now available, for good or evil?

XS4ALL now temporarily has free VoIP dial-out

After the best provider in the Netherlands, perhaps in the world, offered free VoIP phone numbers, there is now free dial-out for the summer.

From 7 July through 31 August, all XS4ALL subscribers can call popular holiday destinations and all fixed-line numbers within the Netherlands free of charge via their XS4ALL VoIP Out account. There is no additional subscription fee for VoIP Out; it is simply included in your current subscription. You only pay for the calls you make. And now that many calls are free, you can save substantially on your telephone costs.

Thank you, XS!

Tuning Apache and PHP

In this thread on drupal.org there are some very good links to articles on tuning PHP and Apache (and IIS).

For example, an article on how to optimize your PHP code and configuration. Here you can find some more thoughts on how gzipping web server pages (on both IIS and Apache) works. And this last, excellent PDF is very lengthy but has some good points on why /not/ to use mod_gzip, or zipping of pages in general. If you ever wanted to know anything about why and how to optimize, please read the articles behind these links.
