Posts Tagged ‘PF’

Comments were broken, reCAPTCHA issue with chroot Apache and PF

Wednesday, November 21st, 2007

I just realised that posting of comments was broken on my site for at least a while. I had been wondering why there was nothing in my moderation queue for some time.

The exact reason is interesting. First of all, this site is hosted under a chroot()-ed Apache, with mod_php5, running on OpenBSD. Because of the prevalence of PHP vulnerabilities - especially their use to send out spam and the like - we’ve locked down outgoing connections from the apache user at the packet filter (PF) level. The exact rule is: block out log proto { tcp, udp } all user www. However, the captcha service I use - reCAPTCHA - requires that the webserver connect to its hosts to verify input. I had therefore explicitly allowed Apache to connect to the specific reCAPTCHA host for this purpose.

It turns out that the DNS for the various reCAPTCHA services had changed, so I needed to update my PF rules. Sorry for the outage!
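As an added illustration (not this site’s actual pf.conf), here is the shape of such a ruleset: a blanket block on outbound TCP/UDP for the www user, followed by a narrow pass to the verification host, plus the checks that would have caught the stale addresses. The interface name em0 and the hostname RECAPTCHA_HOST are placeholders, since the post does not name them; the point is that PF resolves hostnames only when the ruleset or table is loaded, so a DNS change on the remote side silently leaves the pass rule pointing at old addresses.

```pf
# Added example of the policy described in the post; not the site's own ruleset.
# em0 and RECAPTCHA_HOST are placeholders for the real interface and reCAPTCHA host.
ext_if = "em0"

# Hostnames in a table are resolved once, at load time. If the remote DNS
# changes, the table keeps the old addresses until it is reloaded.
table <recaptcha> persist { RECAPTCHA_HOST }

# Default: the web server user may not originate any TCP or UDP traffic.
# "log" sends matches to pflog0, which is where the outage would show up.
block out log on $ext_if proto { tcp, udp } all user www

# Exception: only the reCAPTCHA verification host, only HTTP/HTTPS.
# Last matching rule wins, so this must come after the block.
pass out log on $ext_if proto tcp from ($ext_if) to <recaptcha> \
    port { 80, 443 } user www keep state

# Checks to run after a reload or when comments stop arriving:
#   pfctl -t recaptcha -T show               # what the table resolved to
#   host RECAPTCHA_HOST                      # what DNS says now
#   pfctl -t recaptcha -T replace RECAPTCHA_HOST   # refresh without a full reload
#   tcpdump -n -e -ttt -i pflog0 action block      # blocked www connections
```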

Blog is blog

Friday, June 15th, 2007

For a long time I’ve considered WordPress to be an awful pile of poo. Simply consider that it’s written in PHP, a bad, buggy language, and is further full of security holes of its own making. I was thinking about writing my own implementation in Python (maybe TurboGears or Django or my own thing) or C. If I was doing it in C, I could use the BSD-licensed undeadly.org code and plug in Clearsilver templates or somesuch. It would be incredibly fast and perhaps a bit of fun. The problem is not so much the software side of it - it’s trivial to throw a simple schema together to represent posts in SQLObject - but more the display and interface. Writing good forms and UI and so forth is highly time-consuming and I just couldn’t be bothered. HTML and CSS and JavaScript are hard. WordPress also has a ton of extra features which I probably wouldn’t have time to implement, yet could potentially be nice for my site. I decided I would leverage the scalable nature of the Internet WordPress community, all those hundreds of people working on little plugins and tweaks etc. Even if the average quality is pretty low, in the end it should work “well enough”. Much as I like polish and perfection, sometimes it’s nice to be lazy and accept the warm sludge vomited up by the PHP-abusing masses. So yeah, I went with WordPress.

Well, at least it’s running in a chroot()-jailed Apache, with some pretty strict PF rules blocking outbound connections by the Apache user in case yet-another-PHP hole comes out before we can patch our server.

I also decided to try out the reCAPTCHA WordPress plugin to protect my posts from spam comments. reCAPTCHA is a very clever idea - take a huge amount of old books, OCR them, and then use the words that the OCR software failed to recognise as a starting point. Next, make captcha solving help digitise these old books. I like that it encourages a kind of “arms race” between those cracking captchas (effectively the same thing as OCR) and those making better captchas, which in the end, no matter what, will benefit the effort of creating digital copies of old books.