I am Wez Furlong, Chief Software Architect at Message Systems. We're responsible for building an awesome Messaging Platform.

I'm also a PHP Core developer and OpenSource contributor, residing in Maryland, USA with Juliette, Xander and Lily.


Evildesk 0.9.0 released

26th January 2007 @ 06:46 EDT

I uploaded release 0.9.0 of EvilDesk tonight. I realized that I hadn't made a release in over a year, so I tidied up a few bits and pieces and uploaded it. Feel free to review the changelog if you're curious.

Highlights include an improved dock-style toolbar, a launcher plugin (type the name of a program or document to find it and run it, instead of poking around the start menu), simpler configuration of the toolbar positioning, translations for German and French, fewer bugs and support for 64-bit Windows.

Enjoy!

Authentication services

8th May 2006 @ 02:36 EDT

When I designed the back-end for this blog, I built in the capability for understanding multiple authentication sources. It currently supports three different sources: one of which is local and the other two are CVS servers. By supporting remote authentication sources, I spare myself from having to implement a lot of the user management gumph that is needed to support it (email address verification, password management and so on). While this is good for me, if the authentication is perceived as happening on my site, people don't feel quite so comfortable entering their off-site credentials, because they don't really know what I do with their data.

I'm currently going through one of those phases where I'm thinking about what I'd put into "netevil 2.0", and one of those things is adopting support for authenticating against well-known external sites. Ideally, I'd like people to be able to login to Yahoo or Google and then have some way for my blog to determine a subset of their profile data when they post a comment.

This single-sign-on (SSO) concept is nothing new; Microsoft's passport has been around for quite some time now, and there are newer open specifications being designed by SXIP and the Liberty Alliance. Both of these projects are working on IETF draft standards for identity management and federation protocols to facilitate SSO. SXIP is very open and has an implementation in PHP that you can download and use. Liberty feels somewhat closed, and has no reference implementation in any scripting language, which immediately creates quite a high barrier to entry for a large portion of the web developer population.

So, we have one established SSO provider (MS passport) and two entities developing SSO technology. Why haven't I seen any sites, aside from passport enabled sites, using anything like this stuff? I think part of the problem is that SXIP and Liberty are providing the technology but not providing the actual authentication services. Taking SXIP as an example, if I want to SXIP enable my site I need to direct users to a SXIP homesite where they can create an identity, and which can then authenticate them with my blog. The problem is that there aren't really any SXIP homesites out there, so I'd need to implement one myself, and we're back at square one.

continue reading …

Trying out feedburner

1st November 2005 @ 05:06 EDT

I've redirected my feeds via FeedBurner so that I can get some idea of how many people are reading this stuff. If this causes some burps and "re-runs" of my earlier posting in the various aggregators out there, I apologize.

I've also added a limit on the number of items that wind up in my feed, so you won't have to fetch my entire blog history when polling for new articles.

The feedburner migration should be transparent; no action should be required by subscribers; the URL is the same.

blog spam - a solution

2nd February 2005 @ 04:40 EDT

Today, this blog got its first ever spam, via the trackback interface. How annoying. Here's how I've stopped it (yes, the regexes could be better, and the parse_url() call eliminated, but it's late and this is a quick hack):

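<?php
// Returns true when $ip (an address or a host name) is NOT on any block list.
function ne_rbl_check($ip) {
   static $lists = array('.sbl-xbl.spamhaus.org');
   // Resolve host names to an address; dotted quads come back unchanged.
   $ip = gethostbyname($ip);
   foreach ($lists as $bl) {
      // Query name: the address with its octets reversed, plus the list zone.
      $octets = explode('.', $ip);
      $octets = array_reverse($octets);
      $h = implode('.', $octets) . $bl;
      // gethostbyname() returns its argument unchanged when the lookup fails,
      // so a different return value means a record exists: the address is listed.
      $x = gethostbyname($h);
      if ($h != $x) {
         return false;
      }
   }
   return true;
}
// Returns true when none of the arguments is, or links to, a listed address.
function ne_surbl_checks()
{
   $things = func_get_args();
   foreach ($things as $thing) {
      if (preg_match('/^\d+\.\d+\.\d+\.\d+$/', $thing)) {
         if (!ne_rbl_check($thing)) return false;
      }
      $m = array(); // preg_match_all() takes its matches argument by reference
      if (preg_match_all('~(http|https|ftp|news|gopher)://([^ ]+)~si',
            $thing, $m, PREG_SET_ORDER)) {
         foreach ($m as $match) {
            $url = parse_url($match[0]);
            // Skip URLs that parse_url() cannot extract a host from.
            if (empty($url['host'])) continue;
            if (!ne_rbl_check($url['host'])) return false;
         }
      }
   }
   return true;
}
?>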

These two functions implement RBL and SURBL checks. RBLs, as you probably already know, are real-time block lists; you can look up an IP address in a block list using DNS, and if you get a record back, that address is in the block list. The first of the two functions implements this, in a bit of a lame hackish way.

The second function implements content-based checks, commonly known as SURBL; the text is scanned for things that look like IP addresses or URLs; those IP addresses or host names are extracted from the content and then looked up in the RBL using the first function.

continue reading …
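The block-list lookup described above, as an added PHP example that is not the blog's own code: it validates the address before reversing it and counts only answers from 127.0.0.0/8 as listings, so a resolver that rewrites missing names does not flag every commenter. The function names, the `$resolve` hook and the sample answers are assumptions constructed for the demo; the zone name is the one used in the post.

```php
<?php
// Added example, not the blog's code; function names and sample data are constructed.
// 192.0.2.7 + zone -> 7.2.0.192.<zone>; null when $ip is not a dotted-quad IPv4 address.
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . ltrim($zone, '.');
}

// Live resolver for $resolve: a failed lookup counts as "no record" (fails open).
function dns_a_records(string $name): array
{
    $rr = @dns_get_record($name, DNS_A);
    return $rr ? array_column($rr, 'ip') : array();
}

// Returns 'listed', 'clean' or 'error'. $resolve (hypothetical hook) maps a name to A records.
function dnsbl_status(string $ip, string $zone, callable $resolve): string
{
    $name = dnsbl_query_name($ip, $zone);
    if ($name === null) {
        return 'error';   // never send a reversed host name to the list
    }
    $answers = $resolve($name);
    if (!$answers) {
        return 'clean';   // no record: the address is not on the list
    }
    foreach ($answers as $a) {
        // Listings are answered from 127.0.0.0/8; anything else is a rewritten
        // NXDOMAIN. Spamhaus reserves 127.255.255.x for query errors.
        if (strpos($a, '127.') !== 0 || strpos($a, '127.255.255.') === 0) {
            return 'error';
        }
    }
    return 'listed';
}

// Constructed answers standing in for DNS so the demo runs offline.
$fake = function (string $name): array {
    $zone = array(
        '7.2.0.192.sbl-xbl.spamhaus.org'  => array('127.0.0.4'),
        '9.2.0.192.sbl-xbl.spamhaus.org'  => array('127.255.255.254'),
        '10.2.0.192.sbl-xbl.spamhaus.org' => array('203.0.113.80'),
    );
    return $zone[$name] ?? array();
};
foreach (array('192.0.2.7', '192.0.2.8', '192.0.2.9', '192.0.2.10', 'not-an-ip') as $ip) {
    printf("%-12s %s\n", $ip, dnsbl_status($ip, 'sbl-xbl.spamhaus.org', $fake));
}
```

For live lookups, pass `'dns_a_records'` as `$resolve` and resolve host names to addresses before calling `dnsbl_status()`.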

Blog API and blogging tools

8th October 2004 @ 13:11 EDT

After reading George's solicitation, I decided to take a look around for win32 offline blogging apps. The two I looked at this morning (w.bloggar and SharpMT) didn't work with my old 'zlog, which is a bit annoying. From what I could see, w.bloggar uses methods not supported by s9y and SharpMT is broken (the correct responses were being sent, it just kept thinking that there was an HTTP violation).

Is there a good, bloat-free (or at least, not over-bloated) app for win32? Is there one for linux?

Evil Genius

14th September 2004 @ 01:12 EDT

Looks like I need to invest in a copy of Evil Genius by Vivendi Universal Games.

By a quirk of timing, this coincides with me adding the evil photograph taken of me by my evil assistant during my evil vacation on my evil moonbase (see evil box-out to the right on my evil blog).

An Evil Blog??

16th April 2004 @ 15:40 EDT

For a long time now, I've wanted to do this; build up a fairly simple (yet powerful) Blog/Wiki/CVS/Bugs/Shopping-list/whatever manager. I was going to try to use Serendipity as the base for this system, but when I sat down to do so, I discovered that s9y has gotten a bit too large for my purposes.

So, here we have a totally new system, hand coded by yours-truly and running from an sqlite database. So far it's a Blog/Wiki, but support for other more useful tools will be forthcoming.

Err, but why is it an Evil Blog?

I was fishing around for a new domain name, in anticipation of a change in employment sometime this year, and I found this one and thought it sounded cool. So, in the spirit of thinking up a cool name and then trying to justify it, my gimmick is this:

continue reading …
