Skip to content


Back online

I was unfortunate enough to be running a vulnerable install of cvstrac about a month ago and this server was hacked. Thanks to my brother (who noticed some strange goings on), I was alerted to the problem and had booted the intruder off within 45 minutes of them starting to mess around.

Post mortem analysis of the cvstrac log showed that the initial intrusion and installation of zbind took place a week earlier. Ouch. Slap my wrists for not noticing it sooner. Curiously, the intruder did not appear to have managed to gain root. This is curious because for that 45 minute spell, everything on the box was reporting permission denied and no logins were possible. I verified the system with chkrootkit and the rpm checksum validation; no sign of problems. Weeeird.

I decided to rebuild the box from scratch, just in case, and I've been crafting this new installation for a couple of weeks in my spare time; everything is chrooted and locked down, so if a new vuln is announced, the impact should be minimal.... fingers crossed.

I'd like to thank my hosts John Companies for their excellent service; in no time they had a fresh install of a newer Red Hat for me to rebuild my system, and kept my existing server up and running for me to transfer across the data--at no extra charge. I'm pleased with their level of service; they're not quite as quick to respond to your inquiries as their testimonials suggest, but they are fast enough, and you're dealing directly with people that know what they're doing.

They also offer an OpenSource contributor discount, so if that's you and you're looking for root@your-own-box on fair hardware (dual PIII 860 Mhz on my server) but don't have oodles of cash to throw at it, go take a looksee at JC.

It's worth noting that these are Virtual Private Servers, so you are technically sharing the hardware with other customers, but not the filesystem or other services; you have control over everything except for the kernel. You hardly notice that it's a VPS if you're running efficient, long-lived, server applications; it is a tad slower if you're firing off new processes though (such as CGI or compiling stuff), as the scheduler is geared towards the former and not the latter.

thebrainroom is dead, long live thebrainroom!

This weekend I stripped out my office (affectionately entitled The Brain Room) ready to have it redecorated in such a way that it doesn't look like something the borg created, and that will have a positive effect on the sale of the house.

My nice (cheap and elderly) L-shaped desk fell apart during the move--luckily after I moved the 17" and 22" monitors that sat upon into a spare room--phew!, and I've powered down half the machines I was running in there.

I also had the "pleasure" of sorting through the last 2.5 years worth of the MSDN universal far east pack... on CD media. I dutifully scratched 9 boxes full of CD's (although, to be honest, finding someone around here that could actually make use of Japanese, Korean and Chinese MS developer software is probably a tall order) and took them to the recycling centre, where they were unable to recycle them--doh!

So, I'm now working in the new Brain Room, a 6'x8' ish little room we had spare on the other side of the house; it's cosy and isolated enough that I have been even more productive here than the old room.

Moronic 12 line .sigs are evil

Particularly on a mailing list. Indulge me in this analogy:

Picture someone coming into your home one day, armed with a megaphone. They walk up to you and start to read out their signature, speaking through the megaphone. Annoying huh? Now picture them leaving and heading to the house of one of your colleagues and repeating the process.

Hang on, isn't that the same thing as "direct mail" (aka: spam)?

Now, you might forgive someone for doing this once (maybe they are a newbie), but when they next have something to say, and do it again, it's really really annoying.

Nettiquette suggests that you should not use more than 4 lines for your signature. I agree, but (after a few years experience) I would even go further; you don't need a signature at all, except perhaps during an initial round of communication with a new client. Why? Once they know who you are, shouting your name and other junk at them isn't interesting.

If you really need to advertise which company you're working for on an open source mailing list, set the Organization: header in your MUA so that it includes that information in the meta data. There is no need for any other information. If someone wants to know more, they will email you and ask.

If you have a .sig, please please please get rid of it, at least when you post to mailing lists.


PHPScript is PHP's own ActiveScript interface. In practical terms, this means that you can use PHP from within any application that can host ActiveScript engines. The list of known hosts includes, and is not limited to:

  • Windows Scripting Host (WSH), cscript.exe/wscript.exe
  • "Classic" Active Server Pages
  • Microsoft Scripting Control, and by extension any application that loads that control
  • psvActiveScript Control for Delphi applications
  • Weaverslave an IDE
  • Kapsules a desktop widget engine


  • Download and install PHP 5
  • Download PHPScript and put it in your c:\\php5 directory
  • run regsvr32 c:\\php5\\php5activescript.dll


Windows Script Host

Create a .wsf file like this:

   <job id="test">
       <script language="PHPScript">

or invoke your .php script directly from cscript.exe or wscript.exe using the //E:PHPScript option.

ASP (untested)

    <%@language=PHPScript %>
    <%$Response->Write("Hello"); %>

Script Controls

Set the language property to PHPScript

Script Components / IE

note: it is very dangerous to deploy PHPScript inside IE

Simply use <script language="PHPScript"> for your script tags.

Developers Notes

If you are developing code to run under PHPScript, you need to keep in mind the following differences from regular PHP:

  • echo doesn't have any practical effect. You need to call methods of the host to output information. You may still use output buffering etc., it just won't go anywhere if you flush it.

  • global objects added by the host are created as super-globals, so you need not reference them using the "global" statement.

  • PHPScript will not search for a default php.ini file. It will look instead for php-activescript.ini inside the folder of the .exe process that launched it.

Electric Sheep

It's gotta be the coolest screensaver ever, electric sheep is a continually evolving flame fractal animated screen saver, where your idle cpu cycles are used as part of a distributed computing network to render frames towards the next phase in the evolution (known as sheep).

The name is a little strange, but if you consider idle cpu cycles as dreams, and consider the novel "Do Andriods Dream of Electric Sheep", you'll get the idea. (If you're more into movies than books, "Blade Runner" is for you).

It is a little slow to pick up the first "sheep", but that appears to be a bandwidth problem on their central server. Perhaps they should also distribute the sheep downloads among mirrors, or even peers (Bit Torrent style)?

Anyway, the coolest thing about this screen saver is that is subtly changing the whole time; I have it running on a spare computer next to me and its fascinating.

Bouncing around the USA (again)

A couple of years back, we attended the wedding of my sister-in-law (Aimee Macauley) in Hawaii. We decided to extend our stay and were treated to a big cock-up on behalf of United Airlines that involved flying from Hawaii->SFO->Boston->NY->NY->LHR, instead of the somewhat more sane Hawaii->SFO->LHR.

Well, I've just been visting George (for business, and as it turns out, pleasure too) and my "travel-luck" (those are Dr. Evil finger-quotation-marks) strikes again. The flight from BWI to Boston was delayed enough by some weather (presumably the same lightning storms that delayed my inbound flight a couple of days earlier) to mess up my connecting flight back to LHR (you know; the important one).

This time I'm flying American Airlines and I have to commend them for much nicer service than United. I'm currently sitting in Chicago O'Hare waiting for my alternate flight to LHR. My arrival time has been delayed approx 5 hours, but it turns out that this actually a better schedule for both myself and Juliette+Xander; I get more time to "sleep" on the plane (Dr. Evil finger-quotes again), and they don't have to get up at 4am to collect me from the airport.

Dead laptop disk == more linux hacking

Update2: moved code to

Update acpid now handles the brightness controls, displays the battery status in the ps list and emits power warnings once you're down to 15 minutes of power. I've also added a little non-root acpid client that will allow you to run your own stuff in response to hotkey events.

I suffered a dead (nearly; it's on its way out) laptop disk almost a week ago, and have been clawing my way back to normality.

As a side effect, I now own a Toshiba Satellite M30, which apparently has slightly more linux friendly hardware than my other Satellite (the one that's having issues).

One of the cool things is the toshiba_acpi module; it works in this model and allows access to the hotkeys so you can map them exactly as you like. Since running a standalone daemon for this sucks (you can choose either a python script or a slightly-overweight fnfxd), and since there was a feature request on the ToshibaAcpiDriver page for it, I've written this patch that adds toshiba key support to acpid (1.0.3).

Toshiba keys are exposed as button/toshiba events, followed by the 16-bit hex code for the key that was triggered, so stick some scripting magic into /etc/acpi/events and you're happily-a-mapping those keys.