All Posts in the ‘Development’ Category

Cryptographic Key Rotation Solutions?

October 7th, 2008 | By Ian in Development, Misc | 1 Comment »


I’m working on PCI DSS (Payment Card Industry Data Security Standard) compliance for my company, and one of the bigger hurdles we’re looking at is cryptographic key rotation. Our biggest concern is rotating keys for data stored in a database. It seems we have two practical solutions and one theoretical option available:

1) 3rd party vendor
There are several companies offering appliances that are essentially crypto proxies: they sit between the application logic and the stored data and perform the encryption and decryption (and so hold the keys) on the application’s behalf.

2) Home brew
We’ve considered storing a key version number next to the encrypted column in the database. When a key is to be retired, a new one is generated and every value stored under the old key version is decrypted and re-encrypted with the new key. Meanwhile, all of the data remains accessible, because the old key is not invalidated until every row referencing its version has been updated.

3) Theoretical crypto magic
I’m no cryptography expert, but it seems that there should be some means of generating several symmetric keys that result in the same encrypted data. Those keys could then be split into a shared/private pair where the system requesting the data only knows the shared portion; the private portion is a secret known only to the machine performing the encryption. The private key can be invalidated on demand and a new pair generated. No machine need ever store the complete key.

I don’t know if this last scenario is possible. If it’s not out there yet, there may be an interesting market for such a scheme; if a workable one exists, it may be the ideal solution.

Are there other solutions I’ve overlooked? If you’ve implemented key rotation on DB data, what method did you use?
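Option 2 as an added, runnable sketch (not the author’s code): each row carries the key version beside the ciphertext, a rotation sweeps every row still on the old version and re-encrypts it under the new key, and the old key is only dropped once no row references it. The cipher is a stdlib-only encrypt-then-MAC stand-in so the example runs without third-party packages; the column and function names and the sample rows are constructed for illustration.

```python
"""Added example of the key-versioning approach, not the author's code.  The
rotation logic is the point; the cipher is a stdlib-only stand-in (HMAC-SHA256
in counter mode plus an HMAC tag, encrypt-then-MAC) so the file runs without
third-party packages.  In production use AES-GCM or another AEAD from a vetted
library, and keep the keys in an HSM or key-management service.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one versioned key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyRing:
    """Every key version that still has rows encrypted under it, plus the
    version used for new writes."""

    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}
        self.current = 0
        self.add_version()

    def add_version(self) -> int:
        """Generate a fresh key and make it the version used for new writes."""
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        return self.current

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Return (key_version, nonce || ciphertext || tag) under the current key."""
        version = self.current
        enc_key, mac_key = _subkeys(self.keys[version])
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        # The version number is covered by the tag, so a blob cannot be
        # replayed against a different key id.
        tag = hmac.new(mac_key, struct.pack(">I", version) + nonce + ct, hashlib.sha256).digest()
        return version, nonce + ct + tag

    def decrypt(self, version: int, blob: bytes) -> bytes:
        if version not in self.keys:
            raise KeyError(f"key version {version} has been retired")
        enc_key, mac_key = _subkeys(self.keys[version])
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, struct.pack(">I", version) + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def retire(self, version: int, rows: list[dict]) -> None:
        """Drop an old key only once no row still references it."""
        if any(r["key_version"] == version for r in rows):
            raise RuntimeError(f"rows still encrypted under version {version}")
        del self.keys[version]


def rotate(ring: KeyRing, rows: list[dict]) -> int:
    """Introduce a new key, re-encrypt every row still on the old one, then
    retire the old key.  Reads keep working throughout because the old key
    stays in the ring until the sweep completes."""
    old = ring.current
    new = ring.add_version()
    for row in rows:
        if row["key_version"] == old:
            plaintext = ring.decrypt(row["key_version"], row["pan_enc"])
            row["key_version"], row["pan_enc"] = ring.encrypt(plaintext)
    ring.retire(old, rows)
    return new


def demo() -> tuple[list[dict], KeyRing]:
    """Constructed sample table: the PAN values are standard test card numbers,
    not real card data; each row carries the key version next to the ciphertext."""
    ring = KeyRing()
    pans = [b"4111111111111111", b"5500000000000004", b"340000000000009"]
    rows = [dict(zip(("key_version", "pan_enc"), ring.encrypt(p))) for p in pans]
    return rows, ring
```

In a real deployment the sweep in `rotate` would run in batches inside transactions, and `retire` would be a separate step taken only after a query confirms that no row still carries the old version; the ordering shown here (add the new key, re-encrypt, then retire) is what keeps reads working during the rotation.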

iPhone Developer Program: The Gift of the iMagi

March 24th, 2008 | By Ian in Apple, Development, iPhone | 3 Comments »

This morning, I completed the final step to activate my iPhone Developer Program membership. The last news I heard about this program indicated that it was (I assume it continues to be) a fairly exclusive program and they are only allowing small numbers of people to join at this time.

I didn’t apply for it until late last week, and I didn’t download the SDK until late in the day it was released, so I’m not sure how I got in so easily. Perhaps they’ve opened the gates to everyone or maybe I just got lucky. I did write a couple of mac apps in the past: MacSaber and WiiSaber. Perhaps they saw those uploads in the Apple Software site and took an interest.

No matter the reason, it’s a bit of a mixed blessing for me. For one, I’ll have to drop my fantastic T-Mobile cellular plan and go legit with my iPhone to run the dev software. I’m currently paying $45/mo for 1500 minutes, unlimited data, and no contract. I’m looking at $79.99/mo for a comparable AT&T plan.

What’s worse, as much as I’d like to, I just don’t have the time to write iPhone apps right now. Heck, I haven’t been able to find enough time to update this blog in months!

Boo hoo, right?

Well, I’ll just have to make the time to write some apps. I have several promising ideas, and I’ll need to sell at least one of them to help justify the increased monthly cost of the new service.

MacSaber Goes Open Source

September 15th, 2007 | By Ian in Development, MacSaber, Made by isnoop | 5 Comments »

Check out the Google Code Project.

Available soon: WiiSaber source as well as several of my most popular PHP utilities.

On Omitting Protocols From HTTP/HTTPS URLs

September 14th, 2007 | By Ian in Development | 1 Comment »

Many websites offer the flexibility to serve the same page over both HTTPS and plain HTTP. The major problem with doing so is that embedded content may not be fetched over the same protocol as the page: browsers treat an HTTPS page that embeds HTTP images or scripts as mixed content, and many will show a warning or refuse to load the resource.

However, there is a simple and W3C valid solution to this problem. Simply omit the protocol and colon from the URL, leaving a scheme-relative reference (a “network-path reference” in RFC 3986 terms) that inherits the scheme of the page it appears in:
<img src="http://isnoop.net/sa/av.jpg">
becomes
<img src="//isnoop.net/sa/av.jpg">

This works for images, links, script includes, stylesheets, and any other attribute that takes a URL.

The drawback to doing this everywhere is that you must be sure the resource you are linking to is available over both HTTP and HTTPS, and that the host presents a valid certificate for its name on the HTTPS side; otherwise the HTTPS version of your page breaks in exactly the way you were trying to avoid. Embedded scripts from services like Google Analytics are well served by this technique. If your enterprise uses a dedicated image hosting server, this is also a highly appropriate solution.
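As an added example (not from the original post), here is what the scheme-relative form does when it is resolved the way a browser resolves it, a rewriter that produces that form only for hosts known to serve both schemes, and a check for the mixed-content case the post opens with. The allow-listed host names and the sample HTML are constructed for illustration.

```python
"""Added example, not from the original post: resolution of a scheme-less
("network-path") reference, a rewriter that emits that form only for
allow-listed hosts, and a mixed-content check.  Host list is an assumption.
"""
from __future__ import annotations

import re
from urllib.parse import urljoin, urlsplit

# Hosts the site operator has verified answer on both :80 and :443 with a
# valid certificate.  Constructed list; substitute your own.
DUAL_SCHEME_HOSTS = {"isnoop.net", "www.google-analytics.com"}

# src="http://host/path" or href='https://host/path'; group 2 is the quote.
_ABS_ATTR = re.compile(r"""\b(src|href)=(["'])https?://([^/"'\s]+)(/[^"']*)?\2""")
_SRC_ATTR = re.compile(r"""\bsrc=["']([^"']+)["']""")


def resolve(reference: str, page_url: str) -> str:
    """Resolve as a browser does: '//isnoop.net/x' takes the scheme of the page."""
    return urljoin(page_url, reference)


def to_protocol_relative(html: str) -> str:
    """Rewrite http:// and https:// src/href values to //host/path, but only for
    allow-listed hosts; every other reference is returned unchanged."""
    def swap(m):
        attr, quote, host, path = m.group(1), m.group(2), m.group(3), m.group(4) or "/"
        if host.split(":")[0].lower() not in DUAL_SCHEME_HOSTS:  # ignore an explicit port
            return m.group(0)
        return f"{attr}={quote}//{host}{path}{quote}"
    return _ABS_ATTR.sub(swap, html)


def mixed_content(html: str, page_url: str) -> list[str]:
    """Embedded (src=) resources that would load over plain HTTP when the page
    itself is served over HTTPS, i.e. what browsers flag as mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    found = []
    for m in _SRC_ATTR.finditer(html):
        target = resolve(m.group(1), page_url)
        if urlsplit(target).scheme == "http":
            found.append(target)
    return found
```

Note that a scheme-relative reference inherits the page’s weakness as well as its strength: on the plain-HTTP version of the page the script is fetched over HTTP, where a network attacker can replace it. When the resource host supports HTTPS, writing `https://` explicitly is safe on both versions of the page, since an HTTPS resource on an HTTP page is not mixed content.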

iPhoneSaber?

September 10th, 2007 | By Ian in Development, Made by isnoop | 20 Comments »

Due to the popularity of MacSaber and WiiSaber, I have received several requests to write iPhoneSaber. Now that the accelerometer has been unlocked, this has become a distinct possibility.

There’s just one problem. I don’t have an iPhone.

To be honest, I just bought a house and my finance manager (wife) won’t allow the purchase. Therefore, I turn to you. I’m not one for begging, but I have been convinced this is for the greater good.

If you’re interested in a MacSaber port for the iPhone, please consider sending your spare change my way.

Thank you for your consideration.

Update
Thanks to everyone who helped! See next post for more information.


A Letter to an Aspiring PHP Programmer

August 6th, 2007 | By Ian in Opinion, PHP, Rants | 5 Comments »

Below is an email I got through Zend’s certified engineer website. The questions posed by the writer below are not uncommon, so I have posted his letter and my response for general consumption.

Hi,

I am an aspiring PHP programmer. I need some advice from the right people like you before taking a plunge into PHP. I want to know what the future holds for PHP in the web development sector. Why is there more demand for ASP.NET or Java than PHP when PHP is the best option available for web development? I have heard that PHP professionals are some of the least paid people in the industry; is this true? Why should I not go for ASP.NET or Java as compared to PHP? I know it all comes down to one’s interest, but knowing a stable path for a career is also essential. Please help me and my many other colleagues who want to join the PHP community. Your kind help would be highly appreciated. Please be frank in giving your advice.

–Vibhor S.

Vibhor,

Thanks for your email. From my point of view, I am inclined to believe that PHP is actually in higher demand than ASP or Java. However, the latter two are likely to be more common for large companies. I believe this is mostly the result of corporate decision making and the antiquated belief that PHP is not enterprise class. Companies like Facebook, Flickr, and Digg are rapidly dispelling that myth.

The roots of the enterprise class myth also help to explain the question of compensation. PHP started off as a hobbyist’s language. From there, it became the de facto scripting language for low-cost web hosts. As a result, a lot of personal and small business websites sprung up with PHP as a back end. Lacking the project and budget size of medium and large companies, most jobs available to PHP developers were (and perhaps continue to be) for less pay. This is not to say that there are not good paying PHP jobs available. I live in Seattle and am one of a group of 6 PHP developers for a medium sized company. I believe we are competitively compensated compared to the industry at large.

The other part of the compensation problem might have to do with the experience curve of PHP programmers. I have seen many developer resumes and the large majority of people who claim to be PHP experts are in fact novices or even beginners. PHP is a very simple language to learn and become comfortable with, but that comfort is not the same as knowing (and using) best practices, OOP, or even PHP5. Many PHP developers haven’t had any experience working in a collaborative environment and, frankly, may not be suitable for full-time work in a group of developers.

On the question of why one should choose PHP over ASP.NET or Java, I cannot answer. I chose PHP as my language of choice for personal and perhaps arbitrary reasons. I like that it is open source, works best on *NIX systems, is in active development, offers a tool for just about any job, and has a wide and varied user base. It also helps that the language happens to have a sustainable number of companies offering full-time work for PHP developers.

One might just as well choose Java, ASP.NET, Ruby, Python, Perl, C++, or any other popular web language for their own set of reasons. You’ll find ample work with any of these under your belt. Some might have a brighter future than others, but you’ll still find COBOL programmers out there making pretty good money despite the dwindling need for their chosen skills.

I hope this helps. Good luck with your programming.

–Ian

Hello Again, Zend Certified Engineer!

June 12th, 2007 | By Ian in Development, Misc, PHP | No Comments »

Last year, I tested and passed the Zend PHP 4 certification. Once again, I have overcome great adversity and climbed the highest figurative mountains in order to qualify and quantify my bountiful PHP skills.

Ladies and gentlemen, I would like to announce my acceptance of Zend Certified Engineer: PHP 5.

Tune in this time next year for my PHP 6 hat trick.


Joost Invite Spooler

May 13th, 2007 | By Ian in Development, Made by isnoop, Sites of Interest | 11 Comments »

There was once a time when having a Gmail account made you part of an exclusive, trendy club among some subcultures. Having Gmail invites at that time made you even more popular. During those days, I ran a Gmail invite spooler that distributed over 1.2 million invites, making it the most popular Gmail invite service. Two years after pulling the plug, it is still the 4th most popular non-Google Inc. search result for the word Gmail.

Over the past few months, I’ve been asked several times to set up a similar service for Joost. After much procrastination, I’m now dusting off the invite spooler service, giving it a new face, and adapting it for Joost and other invite services.

This is where I need your help. I’ll need at least one invite in order to test the updated tool. If you have a joost account and have invites to share, please send an email to joostinvite@isnoop.net.

Superdouche Your CSS

January 18th, 2007 | By Ian in Development, Made by isnoop, Site Features | 4 Comments »

After just one or two revisions, your site’s CSS can get pretty cluttered with redundant content and inconsistent formatting. I’ve written a simple tool called the CSS Superdouche that programmatically rewrites your CSS, removing the superfluous parts and reformatting it in an attractive, consistent style.

The CSS Superdouche can also streamline CSS that has already been heavily optimized. It attempts to detect whitespace-stripped input and, where that is what keeps the file small, emits whitespace-stripped output itself.

Check out the CSS Superdouche
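An added example of the kind of rewriting the post describes, not the CSS Superdouche’s own code: a small parser that drops comments, redundant whitespace, repeated declarations and empty rules, then emits either a readable or a whitespace-stripped form. The “already stripped” heuristic and the sample stylesheet are constructed for illustration.

```python
"""Added example, not the CSS Superdouche itself.  Drops superfluous content
(comments, redundant whitespace, repeated declarations, trailing semicolons,
empty rules) and emits either a readable or a whitespace-stripped form.  Scope:
plain rule sets only; @media blocks, nested braces, strings containing braces
and !important precedence are not handled.  The "already stripped" heuristic
is an assumption.
"""
from __future__ import annotations

import re

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def parse(css: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(selector, {property: value}), ...] in source order.  Within a
    block a repeated property keeps only its last value, which is what the
    cascade would have used anyway; blocks with no declarations are dropped."""
    rules = []
    for selector, body in _RULE.findall(_COMMENT.sub("", css)):
        selector = re.sub(r"\s*([,>+~])\s*", r"\1", " ".join(selector.split()))
        decls: dict[str, str] = {}
        for decl in body.split(";"):
            if ":" not in decl:
                continue  # empty fragment left by a trailing semicolon
            prop, value = decl.split(":", 1)
            prop, value = prop.strip().lower(), " ".join(value.split())
            if prop and value:
                decls.pop(prop, None)  # re-insert so the property sits where its last occurrence was
                decls[prop] = value
        if decls:
            rules.append((selector, decls))
    return rules


def pretty(css: str) -> str:
    """One declaration per line, four-space indent."""
    return "\n".join(
        f"{sel} {{\n" + "".join(f"    {p}: {v};\n" for p, v in decls.items()) + "}"
        for sel, decls in parse(css)
    )


def minify(css: str) -> str:
    """No whitespace and no trailing semicolon inside a block."""
    return "".join(
        sel + "{" + ";".join(f"{p}:{v}" for p, v in decls.items()) + "}"
        for sel, decls in parse(css)
    )


def superdouche(css: str) -> str:
    """Pretty-print by default; input that arrives with no line breaks was
    evidently minified on purpose, so keep it small (assumed heuristic)."""
    return minify(css) if "\n" not in css.strip() else pretty(css)
```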


WiiSaber: A Wii, Mac, and Lightsaber Sandwich

December 7th, 2006 | By Ian in Apple, Development, Made by isnoop, Misc, WiiSaber | 196 Comments »

You might recall an application I wrote earlier this year called MacSaber. If so, my new Cocoa application should be quite familiar.

Hiroaky just released a handy bit of code that adapts the Nintendo Wii’s “WiiMote” wireless controllers for use on the Mac. I have taken his idea and merged it with the magic that made MacSaber to bring you a new breed of audio Lightsaber simulator.

This application looks and works just like MacSaber, but the input device is the WiiMote instead of your Apple laptop. I plan on adding more features including more visual response and multi-controller capabilities soon, so check back again later.

Download WiiSaber 1.0 Beta 1 Here