Monthly Archives: November 2009

mod_security handbook

I’ve just downloaded a preview of Ivan Ristic’s latest work: a handbook for mod_security.  Readers will recollect that Ivan is both the original developer of mod_security, and author of the most comprehensive existing book on Apache security (reviewed here), so his handbook should be worth a look.  He was also tech reviewer for my apache modules book, so I guess I owe him any feedback I can find time for!

As befits a handbook, it’s a lot shorter than his previous book: currently about 100 pages, though that’s with gaps that’ll grow the page count quite a lot when filled.  It comes with the promise that it will be continually updated, which clearly favours electronic distribution, though paper will also be available.

The first question I usually ask about a techie book is: what does it add to the documentation available online?  A glance at this book suggests, quite a lot.  My impression of mod_security hitherto has been that it’s interesting (especially after seeing Ivan’s talk at ApacheCon 2008) but under-documented compared to httpd itself: this book fills a gap.  It could become the One True reference work on the subject for anyone deploying the module.

For my part, I’ll be looking with particular interest at how he deals with rulesets.  They’re the aspect of mod_security that’s outside my core competence as developer and in the realm of the sysop.  I don’t believe I have a use for mod_security myself, but a new insight into how he maps use cases to rulesets might provoke me to re-evaluate that.

I have one reservation about reading this: I have several ideas for the apache core that very probably duplicate things mod_security offers.  No, they wouldn’t be in competition with it, they’d just be offering comparatively minor features: for example, extending the “RequestHeader edit” feature of mod_headers (apply a regexp search-and-replace to incoming request headers) to a security feature.  Reading the book runs the risk of my ideas becoming ripoffs of mod_security.


Bank charges are what it says in the contract

Banks in the news again today.  This time, they’ve won a supreme court ruling that the OFT has no power to interfere with certain charges (although it might nevertheless have powers to review their overall packages).  So-called consumer groups outraged: lots of people won’t get refunds unless their banks acted unfairly in making charges.

I beg to differ.  I’m as pissed off as the next taxpayer about my money going to bail out banks[1], but on this matter I’m with them.  If a bank’s terms and conditions say that going beyond an overdraft limit will cost you £x, then they’re fully justified in charging £x when customers do that.  And variants on the theme.  The key points are:

  • You signed up to a deal that includes charging for some things you might do.
  • You have ample opportunity to complain and get refunded if you incur charges due to a bank error, or in cases of reasonable doubt as to whose fault it was.
  • You’re taking out money that isn’t yours.  That makes you a high-risk customer for the bank.  After all, if you were a responsible customer, you’d have arranged it, and avoided the charges.
  • Above all, banks offer different terms and conditions, and if you don’t like one bank’s charging regime, you can take your business elsewhere.

Yes, it’s possible to go into the red inadvertently.  I’ve done it myself (most recently in 2002).  I cursed at the charges, but I didn’t go whining to some collective-nanny “consumer” group with an agenda to abolish the value of money by encouraging everyone to spend what they don’t have.  Fortunately my own current account is with Nationwide, whose charges are a lot lower than those spoken of by the campaigners.  If you find £35 outrageous, stop whinging, and take advantage of Nationwide’s £20.  Or some other bank … I believe the Coop is usually competitive, for instance.

The meeja reaction is slightly satisfying: they’ve been campaigning along with the “consumer” groups and had assumed it was everyone-vs-the-banks, and that the banks would lose, so they’ve been caught on the back foot.  It’s encouraging to hear them now acknowledging a huge volume of correspondence from the hitherto-silent majority, siding with the banks and today’s ruling on this issue.

Savers and taxpayers – especially future taxpayers – are being robbed blind to bail out borrowers, above all mortgage holders.  But today we’ve at least been spared bailing out one bunch of chancers.

[1] … and I was about a year ahead of the chattering classes in saying so, on this very blog … see for example September 2007 (here, here), or more explicitly here.

Confidence trick

Today’s news about the government supplying an additional £60 billion to the Scottish banks last autumn is shocking, but not surprising.  The explanation is that it was done on the quiet so as not to damage confidence.  Or in other words, it was a con trick.  We hear they repaid the money a few months later: it’s not yet specified, but I guess they drew on the funds that are now taxpayer shareholdings.

Now I’m no lawyer, but I understand that obtaining money by deception is fraud, and is a serious crime.  That’s why public companies are required to publish accounts and to have them audited: so that people dealing with them can assess the financial risks in doing so.  That includes shareholders.  Was anyone who bought RBS or HBOS shares while the loans existed defrauded?  Seems like they should have a case.

But the time that was happening was also the time when safe-and-solid Lloyds bank, with an excellent dividend but without the spectacular gamblers’ returns of the Scottish banks, was taking over the zombie HBOS – the biggest basket case of all.  Lloyds went from being the healthy bank that hadn’t needed a rights issue to being itself a basket case needing a government bailout.  Contrast Barclays: they were in worse shape than Lloyds pre-crash, but came out on top by buying Lehman’s assets from the receiver, as Lloyds should’ve done with HBOS.

We know Lloyds shareholders were seriously shafted by some combination of Lloyds’ own board and government pressure.  But Lloyds shareholders also had a vote.  Not a very useful vote, given that the big institutional shareholders were also HBOS shareholders who stood to see those holdings wiped out.  But nevertheless a vote, and that was taken in the absence of financial information that was clearly as relevant as it was huge.

The inescapable conclusion seems to be, Lloyds shareholders were defrauded.  Massively!

I was a Lloyds shareholder myself when all this started, and indeed, these shenanigans turned me from a long-term buy-and-keep shareholder to a trader, as I took advantage of the wildly-fluctuating market.  Since I’ve made a net profit trading Lloyds shares during and since the crash, I’d be hard-pressed to demonstrate a loss, so I don’t see mileage in my joining a class action, or anything else that might be about to happen.  But I can still be pissed off by this dishonesty.

Cottage

I’ve just been to view a cottage I feel quite positive about.  Blogging here in the hope it’ll help reach a decision on it.  It’s a living room and a kitchen/diner downstairs, with bathroom and three bedrooms upstairs.  The overall size is just about enough to be comfortable, with the pleasant dining area and better second-bedroom size being clear advantages compared to the current place.  Above all, it’s going to be quieter than here.

Advantages:

  • Solid cottage build with thick walls, modernised to a decent standard and in good decorative order.
  • Meets all my basic needs without serious shortcomings.
  • Village location presumed quiet (except for the church which is right next door, and tolled the hour while I was there).
  • Easy cycling into the city, and walkable to Tesco.  Also edge of Dartmoor.
  • Adequate ‘phone signal (though no 3G) and ADSL.

Drawbacks:

  • No outdoor storage, so the bike has to occupy indoor space.  The current tenants have one bedroom as a storage room with bikes, surfboards, etc; I’d have to do similar.  So no spare room, just one bedroom + one office.
  • No gas: electric heating for hot water, and night storage heating.  Can’t see myself using that and having it hot all day (unless I were to go down with a lurgy sufficiently bad to need warmth) which loses the convenience of being able to turn the heating on if I have visitors who expect it.  As against that, there’s a working fireplace in the sitting room that could serve, in principle at least.
  • There’s a horrible built-in oven and hob.  The latter (which is what I mostly use) is solid electric.  This is what I’ll find a daily pain 😦
  • The garden is going to be hard work, with an expanse of very uneven lawn to manage.
  • Lacking a few nonessential nice-to-haves, like real views, or space for a dishwasher, or a w.c. separate from the bathroom.

So do I take it, or go on looking?

Text spam

Dear Lazyweb, is there any way of fighting text-message spam?

I’ve already tried ‘phoning O2 and asking them, but they tell me they can’t (or won’t) do anything. Do any of the other UK providers offer a service that’ll block a sender, or block on a keyword in the message (like, everything that starts with FREEMSG)?

Or if I can’t block it, how about as a poor second-best, programming my ‘phone to drop them without bothering me?  The ‘phone is a Nokia E71 (Symbian s60), so any hints for that would be ideal.  Kind-of, procmail-for-text-messages or similar.  Or if I could do it on Maemo, that might help incentivise me to go out and buy a tablet ‘puter, though I’d still want to use the E71 for day-to-day use as it’s more comfortable in the hand and the pocket than something bigger.

Oh, and if any legislators are reading, how about legislating for us to be given a rejection button for junk phone calls and texts, that’ll cause the sender to be charged real money (e.g. £5 per call should mount up, though £50 would be better).  Money to be collected by the telco and donated to charity – less a small administrative fee to be determined by ofcom.

p.s. if any reader has power to do anything with it, the number that just spammed me to induce me to write this is 07833 992283 (UK) or +44 7833 992283 internationally.  If publishing the number here attracts any kind of inconvenience to that shit, then good.

Forthcoming Concert

Britten and Goodall, next Sunday (Nov. 22nd) at the Guildhall, Plymouth.

For our next concert, we’re rehearsing Britten’s St.Nicholas and Goodall’s Eternal Light, and much enjoying both of these lovely works.  Should be well worthwhile for music lovers within evening-out distance of Plymouth.

The Goodall is a new work first performed in 2008, when the Rambert Dance Company used it as the score for a new ballet.  They toured with their own small orchestra, but invited local choirs to join them in each tour venue.  A subset of the Plymouth Philharmonic, including me, sang with them in Plymouth and hugely enjoyed it.  This is a modern work that is neither the challenging avant-garde of much of the 20th century, nor the vacuous junk commonly pushed by the so-called “music business” under a “classical” label just because it involves traditional instruments.

It can perhaps best be described as a non-traditional requiem.  Like the Brahms, it is a consolation for the living more than a rite for the dead.  Like the Britten, it blends the Latin requiem with English poems, though the similarity ends there.  It’s a rather lighter work than either of those, but it’s also new and genuinely different.  And if it hasn’t gone stale with me after a full week of performances and a year, it must be good[1]!

Britten needs no introduction, but St.Nicholas may be less familiar: it was new to me when we started rehearsing.  It’s a cantata (for want of a better description) that puts together a bit of history and a bunch of legends – some dramatised, some just sung – into a life of St Nicholas.  The title role – the only Principal – was written for Peter Pears, and both adult and youth choruses take different semi-dramatic roles.  Quite strikingly in terms of story (given that he is the saint and the hero) Nicholas himself comes across as a rather obnoxious prig.  But that doesn’t detract from the music, which is vintage Britten: glorious, exciting, always fresh.

[1] Another modern English comparison is Rutter, who I respect as a composer of light music that is real music and not trivia.  I’ve enjoyed singing his requiem and magnificat (the latter more than once), but I think the Goodall has more power than those to sustain my interest.

Filesharing is the new porn

We all know that the old-meeja go on at length about filesharing, copyright theft, internet piracy, call it what you will.  So it was no surprise to hear it rehashed on the beeb yesterday evening.  Usual format: an interviewer, and two people with opposing views to debate it.

I only caught bits of it: I was cooking my supper and not really listening.  But one thing struck me: one of the debaters said that everyone fileshares.  This was quite an emphatic everyone, and he clearly intended to distinguish the sense from a typical apologist’s appropriation of everyone to a manifest falsehood like “everyone supports the olympics”.  Nor was it an Orwellian with-menaces everyone, as in you’re misogynist racist pedophile terrorist scum and beneath contempt if you dare to question us.

Since it clearly is an apologist’s everyone, that must be a bit of willy-waving (“my everyone is bigger than your everyone”).  But more striking is that neither the interviewer nor the opposing debater made any attempt to challenge it: indeed, they seemed to agree with it.  Perhaps it really is true in meeja-luvvie circles?

Then it struck me: this is exactly like the meeja discussion of online porn was ten years ago.  We’ve got used to the Beeb being our (UK’s) self-proclaimed leading website.  But for a few years after they first noticed the ‘net, you’d never hear it discussed without someone blathering about online porn.  If you didn’t know better, you’d have thought that the ‘net revolved around porn and everyone was into it.

As someone with an altogether different vision of the ‘net, I found the association rather distasteful, and some aspects downright offensive[1].   Like, ratings for websites having an implicit assumption that every site might need them, without even a default category for “no sex or violence not because we’ve toned it down and pitched it at children, but because this website is all about coffee, computers, or astronomy”.  Should I declare my websites as having mild/inoffensive sex and violence (the lowest PICS category) just to avoid the risk of being blocked by family-safe services that block unrated sites to protect children?  Absurd and offensive!

Worse, the association with porn put barriers in the way of those of us who wanted to promote the ‘net for altogether good, constructive purposes.

So if filesharing is the new porn, what lessons can we draw?  The optimistic view is ignore the hot-air and it’ll go away, just as the meeja’s porn-fixation went away when the BBC decided it was going to be top-website itself.

But maybe it’s not the same: the porn message was rooted in the ‘net being a “new frontier” for the meeja and their mass audience, while the filesharing one is driven by powerful commercial interests, some of whom are the world’s biggest unauthorised profiteers from other people’s efforts (“thieves” or “pirates”, in their own language).  And I don’t just mean things like Disney famously copyrighting everything from common cultural heritage (fairytales) to African music in The Lion King: people better-informed than I describe altogether more sinister practices like identity theft.

On the other hand, Big Pirates never succeeded in getting the photocopier or the cassette tape banned.  I expect those who persist in fighting technology will continue to fight a losing battle, and the meeja attention will indeed blow over.  Just as it did with porn on the ‘net.

[1] Nothing against pornographers.  Just so long as I’m free to steer clear of their work, it’s live-and-let-live.  Same principle as when I was doing research in a department right in the red light district: we (geeks) didn’t bother the ladies of the night, and they didn’t bother us.  But I’d have been mildly pissed off if the world assumed that the reason I worked there was because of them, and seriously so if my work was belittled or dismissed on that basis.

Revisiting Apache 2.0 proxy

I have today revisited the reverse proxy on Apache 2.0 (for which mod_proxy_html was originally written).

The good news: the current versions of mod_proxy_html (3.1.2) and mod_xml2enc (1.0.3) build and work nicely with Apache 2.0.  I have hitherto recommended Apache 2.0 users mod_proxy_html 2.5 as the ‘safe’ solution.

The bad news: working with Apache 2.0’s proxy just seems incredibly limiting, and calls for a whole bunch of hacks/workarounds.  I’d forgotten that …

(not that 2.2 is free of them – looking forward to 2.4 and the expression engine).