Skip to content

Evil Blog

Evildesk 0.9.0 released

I uploaded release 0.9.0 of EvilDesk tonight. I realized that I hadn't made a release in over a year, so I tidied up a few bits and pieces and uploaded it. Feel free to review the changelog if you're curious.

Highlights include an improved dock style toolbar, a launcher plugin (type the name of a program or document to find it and run it, instead of poking around the start menu), simpler configuration of the toolbar positioning, translations for German and French, less bugs and support for 64-bit Windows.


Authentication services

When I designed the back-end for this blog, I built in the capability for understanding multiple authentication sources. It currently supports three different sources: one of which is local and the other two are CVS servers. By supporting remote authentication sources, I spare myself from having to implement a lot of the user management gumph that is needed to support it (email address verification, password management and so on). While this is good for me, if the authentication is perceived as happening on my site, people don't feel quite so comfortable entering their off-site credentials, because they don't really know what I do with their data.

I'm currently going through one of those phases where I'm thinking about what I'd put into "netevil 2.0", and one of those things is adopting support for authenticating against well-known external sites. Ideally, I'd like people to be able to login to Yahoo or Google and then have some way for my blog to determine a subset of their profile data when they post a comment.

This single-sign-on (SSO) concept is nothing new; Microsoft's passport has been around for quite some time now, and there are newer open specifications being designed by SXIP and the Libery Alliance. Both of these projects are working on IETF draft standards for identity management and federation protocols to facilitate SSO. SXIP is very open and has an implementation in PHP that you can download and use. Liberty feels somewhat closed, and has no reference implementation in any scripting language, which immediately creates quite a high barrier to entry for a large portion of the web developer population.

So, we have one established SSO provider (MS passport) and two entities developing SSO technology. Why haven't I seen any sites, aside from passport enabled sites, using anything like this stuff? I think part of the problem is that SXIP and Liberty are providing the technology but not providing the actual authentication services. Taking SXIP as an example, if I want to SXIP enable my site I need to direct users to a SXIP homesite where they can create an identity, and which can then authenticate them with my blog. The problem is that there aren't really any SXIP homesites out there, so I'd need to implement one myself, and we're back at square one.

I think it would be a huge thing if the big guys (yahoo, google) could implement something like SXIP and allow third-party applications to authenticate users against them. Yahoo is almost there already--if you look at the Flickr API you'll see that you can have flickr authenticate users and provide your application with an authentication token (subject to approval from the user). From that token you can obtain the name of the user, and use that to render the name of the person submitting comments to your site.

It'll be interesting to see what, if any, developments are made in this area.

Trying out feedburner

I've redirected my feeds via FeedBurner so that I can get some idea of how many people are reading this stuff. If this causes some burps and "re-runs" of my earlier posting in the various aggregators out there, I apologize.

I've also added a limit on the number of items that wind up in my feed, so you won't have to fetch my entire blog history when polling for new articles.

The feedburner migration should be transparent; no action should be required by subscribers; the URL is the same.

blog spam - a solution

Today, this blog got its first ever spam, via the trackback interface. How annoying. Here's how I've stopped it (yes, the regexes could be better, and the parse_url() call eliminated, but its late and this is a quick hack):

function ne_rbl_check($ip) {
   static $lists = array('');
   $ip = gethostbyname($ip);
   foreach ($lists as $bl) {
      $octets = explode('.', $ip);
      $octets = array_reverse($octets);
      $h = implode('.', $octets) . $bl;
      $x = gethostbyname($h);
      if ($h != $x) {
         return false;
   return true;
function ne_surbl_checks()
   $things = func_get_args();
   foreach ($things as $thing) {
      if (preg_match('/^\\d+\\.\\d+\\.\\d+\\.\\d+$/', $thing)) {
         if (!ne_rbl_check($thing)) return false;
      if (preg_match_all('~(http|https|ftp|news|gopher)://([^ ]+)~si',
            $thing, $m = array(), PREG_SET_ORDER)) {
         foreach ($m as $match) {
            $url = parse_url($match[0]);
            if (!ne_rbl_check($url['host'])) return false;
   return true;

These two functions implement RBL and SURBL checks. RBLs, as you probably already know, are real-time block lists; you can look up an IP address in a block list using DNS, and if you get a record back, that address is in the block list. The first of the two functions implements this, in a bit of a lame hackish way.

The second function implements content-based checks, commonly known as SURBL; the text is scanned for things that look like IP addresses or URLs; those IP addresses or host names are extracted from the content and then looked up in the RBL using the first function.

Why is this good? A comment spammer will typically want to inject a link to their site onto your blog, and you can be fairly sure that their site is listed in a good RBL. The RBL used in my sample above is an aggregation of the SBL and XBL lists which contain known spammers and known zombie/exploited machines, so it should do the job perfectly.

Now to hook it up to the blog; this snippet is taken from my trackback interface:

if (!ne_surbl_checks(get_ip(), $_REQUEST['excerpt'], $_REQUEST['url'], $_REQUEST['blog_name'])) {
   respond('you appear to be on SBL/XBL, or referring to content that is', 1);

get_ip() is a function to determine the IP address of the person submitting the page; I haven't included it here for the sake of brevity; it's fairly simple to code one, but keep in mind that it needs to be aware of http proxies. respond() returns an appropriate error message to the person making the trackback and exits the script.

And that's all there is to it; you can do similar things with your comments submission and pingback interfaces.


Blog API and blogging tools

After reading George's solicitation, I decided to take a look around for win32 offline blogging apps. The two I looked at this morning (w.bloggar and SharpMT) didn't work with my old 'zlog, which is a bit annoying. From what I could see, w.bloggar uses methods not supported by s9y and SharpMT is broken (the correct responses were being sent, it just kept thinking that there was an HTTP violation).

Is there good, bloat-free (or at least, not over bloated) app for win32? Is there one for linux ?

Evil Genius

Looks like I need invest in a copy of Evil Genius by Vivendi Universal Games.

By a quirk of timing, this coincides with me adding the evil photograph taken of me by my evil assistant during my evil vacation on my evil moonbase (see evil box-out to the right on my evil blog).

An Evil Blog??

Dr EvilFor a long time now, I've wanted to do this; build up a fairly simple (yet powerful) Blog/Wiki/CVS/Bugs/Shopping-list/whatever manager. I was going to try to use Serendipity as the base for this system, but when I sat down to do so, I discovered that s9y has gotten a bit too large for my purposes.

So, here we have a totally new system, hand coded by yours-truly and running from an sqlite database. So far it's a Blog/Wiki, but support for other more useful tools will be forthcoming.

Err, but why is it an Evil Blog?

I was fishing around for a new domain name, in anticipation of a change in employment sometime this year, and I found this one and thought it sounded cool. So, in the spirit of thinking up a cool name and then trying to justify it, my gimmick is this:

I'm motivated by power, so I'm always seeking to make things better, more functional, or even just getting them so that they work. If I had as much uninterrupted time as I needed to finish everything, I could take over the 'Net/world.

Sadly, I don't have that time, so my attempts are on a par with a certain Dr. Evil--both in terms of execution and effect. Yes, it's a pretty lame link, but I like it.