The main difference between Perl and PHP, is writing maintainable, intelligent Perl is only slightly more work at first than writing horrible Matt’s Scripts style Perl. With PHP, writing decent PHP is possible, but it’s incredibly difficult. The majority of the PHP I’ve come across is code written by a web developer with no programming experience and the language design and direction accommodate that demographic. PHP’s language design gets in the way of writing sane, maintainable code. It’s not impossible, but you have to really, really want it.

When you write good Perl, the programming experience becomes easier, and more fun.

I’m trying to get back to my programming projects, and thus back to writing more on Perl. For now, understand that if you think Perl and PHP are the same beast, you’re wrong. I’ve been paid to develop both for periods of years. Perl is much more eloquent, evolutionary, and intelligent.

This needs to happen. Justice must be swift and unrelenting. Back when the RIAA conned Metallica to lead the charge against Napster, they killed a significant portion of the internet. I’d go as far as to blame them for being the catalyst of the dotCom Bust.

Both the RIAA and MPAA need to shut the hell up and embrace new technologies.

(I promise I’ll post the Proxy Evasion Article as soon as I can get my Virtual Machine running!)

You see, the graph approaches positive infinity as you approach zero from the left, and negative infinity as you approach zero from the right. A group of us in the back of the classroom started playing with the justifications that division by zero was possible and yielded a result. Our teacher made the mistake of using this graph as a foray into the Fundamental Theorem of Calculus. If division by zero is possible, it collapses the Fundamental Theorem of Calculus.

Well, today a guy made a number and assigned it to be the value of dividing by zero. Hold there bud, me and four of my friends did that in AP Calculus at a private high school in Bel Air, MD in 1997. Had our results been taken seriously, we should have been excused from our AP Calculus course.

I can get more into the theory, but as you can see from the Way Back Machine, we documented our theory online as early as 2001.

This annoys me almost as much as Imaginary Numbers.

There’s also a new movie coming out called “Catch a Fire” that deals with what happens when you torture the wrong people. Turns out, you pissed them off and they tend to seek retribution.

Hard to imagine anything could go wrong with this Administration allowed to define “curel and unusual.”

America is all but lost. I hope this pisses you off. Careful with your disgust and anger, misguided and it will seal our fate.

Also, the House of Representatives passed the warrantless wire tapping bill. Granted, this isn’t quite as wild wild west as previously pitched, but the concept is disturbing. Besides, even if all the objectives aren’t met, we’ve significantly lowered the barrier to entry for more ridiculous legislation in the near future. I’d be surprised if more tyrannical legislation is not imposed in the coming 2 years.

Both of these bills embody the forces and ideals that drove our forefathers to forcefully over throw their tyrannical rulers. Yet, today we’re sitting by on the side lines, blogging about how this might suck. I’m just as guilty as you are. Consider this introspection, and try to learn something. I know I am.

The Bush Administration is incredibly good at manipulating the American populace. The fact is, collectively, we’re apathetic morons. You think it’s a huge coincidence that gas prices started plummetting so close to Midterm Elections? People, look at what it’s done to the approval rating of the Administration. It’s in every newspaper and on every TV station. They’re waiving it in your face and you’re still sitting there and saying “well, the news guy told me it was because it’s winter.”

What do we do about this? This cannot stand in this country. Aren’t we the land of the free and home of the brave? Why don’t we pull our heads out of our asses and stand up to this dictatorship?

There are two interpretations of this memo.

• Encrypt the ENTIRE disk.
• Encrypt just the files containing the data.

So, what’s a lowly security administrator to do?! Choices are bad! Obviously you encrypt the entire disk! Right?! no? Why not?

Well, recently concerned has been growing in the media over “Personally Identifiable Information” being recovered from stolen laptops. Sadly, they’ve missed the point. You see, most of the identity theft perpitrated results from malware, with a smaller number coming from physical security breaches, involving mostly server hardware like backup tapes, hard drives, and entire computers. OMB and the Presidential mandate don’t deal with any of these issues, so their mandates can be viewed as little more than knee-jerk reactions to news coverage on the stolen VA Laptop.

Essentially, the media is now responsible for dictating Federal IT Security Policy. This is what happens when you have governing bodies like OMB that don’t rationally evaluate threats or understand the technical aspect of IT Security. It takes maybe another 10 minutes of searching through the archives at Emergent Chaos to realize that most breaches are the result of software breakins. However, that’s not gonna stop the Federal Government from shelling out millions, possibly billions, to address the threat of data being stolen from a laptop that’s shutdown.

I don’t know about you, but the last time my laptop was shutdown was, well.. that one time it ran out of battery and I was miles away from a power adapter. Otherwise my PowerBook just gets folded up and goes to sleep. Full Disk Encryption decrypts the disk at BOOT. So, since I’ve already booted, my entire drive is already booted, I gain nothing unless the battery dies.

“Full Disk Encryption” is also a pretty intimidating mouthful for most computer users. Uninitiated, and some who think they’re initiated, sporting CISSP’s, would be lulled into thinking “HEY! My WHOLE disk is encrypted! I’m secure!!!!!!!!!” Unfortunately, this does nothing to protect your data from the software threats that are much more common. You see, the disk is decrypted at boot, and then any programs just use the disk without even knowing that it’s encrypted. So all the viruses and malware you’ve accumulated surfing the net for discount shopping and myspace.com updates on IE, is able to read ALL the data on your drive.

You haven’t really secured things from the most common threat, however, you have added another layer of complexity to the user’s experience.

So what is the solution? Well first, it’s time to start investigating new methods for virus detection. The Big 3 Vendors (Symantec, McAfee, and Trend Micro) have miss rates of 80% because Virus authors are testing their virus against them. Closing this hole in the organizational structure will eliminate 80% of the threat to Identity Theft.

Horrible programming practices are usually to blame for the majority of personalized attacks that have leaked information in the past. Managers should be encouraged to hire talented programmers and work with the programmers to create an atmosphere of cooperation. The programmers should be involved in the design process. They should also be given the right to veto or question their managers decisions. Source control systems should be in place and encouraged. Peer reviews should be factored into the development process. The more eyes on the code, the more likely something will be caught. The organization should adapt Best Practices based on recommendations by the development team. These best practices require the same peer review that the code base gets.

This sounds like a lot of work, and it is. Additionally, it’ll only fix like 1% of the Identity Theft problems. However, it will raise the quality of the code, thus the product. It might initially introduce some overhead, but that overhead will pay for itself and prove more cost effective as the products developed more accurately reflect customer desires.

If you have people with sensitive data on laptops or other portable media, you’re gonna need to deploy some form of encrypted mechanism for storage. Personally, the encryption schemes that come builtin to Mac OS X and Windows XP should suffice for most intents and purposes. Even OMB could’ve saved some money by leveraging this had they paid attention to their own rules. Apple and Microsoft are both in process for attaining the coveted FIPS-140-2 compliance that is required for productions imploring encryption of federal data. The Apple and Microsoft solutions have no cost overhead as they’re already installed on all the Apple and Microsoft laptops in production.

Folders with sensitive data should be encrypted in such a manner that there’s a an inactivity timeout, and the files must be decrypted when required. Apple’s Disk Utility allows a user to construct an encrypted disk image that can be mounted like a regular DMG. I’ve been told that Windows XP has a similar utility. There are also free products out there like TrueCrypt that allow you to hide the encrypted image in a JPG or other benign file. For most people, the built-in encryption tools should be sufficient.

Users need to be trained to use the built-in features. That’s where the money could go. A simple PowerPoint presentation would satisfy most users. I’d recommend that people routinely working with sensitive data be instructed on proper ways to store that data on their local machines. You can pretend it won’t happen by making it a violation of Policy, but policy is a horrible place to hinge your IT Security Infrastructure on.

Don’t be sucked into the hype. Think about things rationally and don’t make mandates that affect all government organizations without figuring out if there’s a potential threat there. Realize, in my organization, we have over 300 users with laptops and in two years, we’ve had 0 lost or stolen laptops.

It’s really that simple. Stop being terrorized. Stop being scared to live. Stop taking life so seriously, you’re never gonna make it out alive. We don’t need billions of dollars of security screening software/hardware. Anyone with a week of spare time will be able to circumvent it anyways. This security is just a show, and I’m not entertained in the slightest.

I’m not flying again until these ridiculous regulations stop. We know we’re accepting a risk getting onto a plane. We’re 30,000 feet in the air, and if something mechanical fails, that’s a LONG way down. You’re accepting even more of a risk when you get in your car to go to work. You’re a billion times more likely to die in a car accident than a terror attack. So why aren’t we campaigning against ridiculous bullshit by insurance companies and state legislations that waste your tax dollars to make them money instead of fixing problems with automobile safety?

It doesn’t sell papers.

Update: It now appears that some people with some experience in Chemistry have questioned the plausability of the terrorist plot.
Update 2: More information about the acquisition of the information that led to the arrests and wide spread media terrorism.

To frame this, I just got back from YAPC::NA. I learned all kinds of new techniques and tricks from MJD, chromatic, brian d. foy, Randal Schwartz, Damian Conway, and countless other acquaintances. What’s not to love about Mason, DBIx::Class, and the brain bending functional tricks you can learn from MJD and chromatic? I never knew that @INC could contain a subroutine reference, did you? I also never thought of something so clever as recursively calling an anonymous sub ref contained in a scalar by using another anonymous subroutine that dereferences that ref at runtime.

So now, after refactoring a TON of my code to Perl Best Practices, I’m back into the land of PHP temporarily. Our administration group at work is looking for a project tracking system. After favorable experiences with dotProject a year ago, I suggested that. I hadn’t touched dotProject or PHP since dotProject’s 1.x branch. They’re now at 2.0.4 and it seems there just might be a few more hands in the pot. The code is not as coherent and refreshing as I remember it.

I’ve been spending time building a module for additional “fund” tracking. PHP seriously gets in my way. Granted, I have a very heavy bias against anything but Perl, but my god, there’s a reason why this Google Search exists. They’re not lying. I’m dealing with PHP4, so perhaps PHP5 has gotten better, but I harbor serious doubt that even by getting “better” that PHP5 would approach anything a serious computer scientist / programmer would consider usable.

The language is a patchwork of functions. There’s no real defining factor or consistency. As a matter of fact, the only thing consistent is the fact that regardless of what library in PHP you’re using, chances are the function names and argument orders lack consistency in that module and in the whole picture.

Don’t get me wrong, PHP is great for web designers and novices. There’s a very low barrier to entry. However, we now have a landscape littered with horrible PHP applications that expose servers to vicious attacks from outsiders. PHP is not by any means a language that should be taken seriously by any serious developer. Please invest your time elsewhere. I’d even recommend Python over PHP. Ruby would be a more worthwhile excursion.

PHP makes simple things simple and hard and obscure. Hard things are impossible. The biggest hole in the language from the perspective of a Perl or Lisp programmer is the complete lack of lexical scope. I know, inside of a function there’s a lexical scope, but it’s not really a lexical scope, it’s a hack. You have your choice between global scoped variables, or variables scoped inside of a function. No other closure provides an effective measure to force destruction and garbage clean up. More importantly, certain techniques become ridiculous without proper lexical scope.

Early version of PHP3, maybe even “late” versions, had no scoping even for functions. This became a problem to anyone used to using recursion to solve recursive problems. Recursion relies on the fact that each call to the function can resolve independantly of the rest of the call stack. Modifying variables that are still in wait on the stack can cause some “unexpected” behavior.

There also seems to be a problem with ternary operators. Unexplainably, if the false condition of a ternary construct is in itself another ternary, the false is evaluated. In order to “nest” ternary operators, you need to enclose each INDIVIDUAL ternary in its own set of parentheses. Find precident for that illogical BS. Why in the hell are we evaluating the false condition if the current ternary operator has returned “true” ?

It’s been a painful process, but in order to program in PHP, I’ve learned that you absolutely need a function reference. It is impossible for a human being to formulate a logical function naming convention (is it “noun then verb? verb than noun? do I separate with underscores, or just smash it together”?) let alone the argument order even inside the same “module”. Just peruse the function reference on the php.net site to see what I’m talking about. Zero consistency. Please, pick an interface and stick with it.

Bottom line, PHP is a good place to start, but don’t stop there. Pick up another language. I recommend Perl. I’ll even teach you. I’m gonna be teaching at NIH in the near future and I’ll be sharing my course material here.