Wednesday, October 24, 2012

Catch-all post about solving setup issues with PhpStorm, Composer, and Symfony2

I had to do some preliminary work over the last week or so to create a workable PHP development environment before diving into some moderate-to-heavy work making a small e-commerce site.  I've had a VirtualBox install of Linux Mint 12 on my laptop for a while, but it was never setup quite the way it should've been.  So, I took the time to do it right.  Unfortunately, open source software tends to have shitty documentation, so in order to prevent others from making the same mistakes I did, I'm going to list my problems and my eventual solutions.


PhpStorm is an awesome PHP IDE from JetBrains.  .NET programmers will recognize JetBrains from Re-sharper (R#).  It's not quite as all-inclusive as, say, Visual Studio.  Unit Testing and debugging don't come installed as part of the software.  Instead, it's designed to integrate with PHPUnit and one of Xdebug or Zend Debugger.

Setting up PHPUnit is fairly straightforward, but the debugger is another matter.  The (somewhat confusingly written) documentation would lead you to believe that you need to play with IDE tokens and ports and server names and other things.  Not really, at least, not in my case.

PhpStorm's debugger listener is pretty smart.  In a lot of cases it can automatically detect a debugging session.  The steps are ridiculously simple:

1. Install a debugger on your system.  I opted for Xdebug, so it was simply a matter of:

$ sudo apt-get install php5-xdebug

2. Edit your php.ini files (both the web server's and the CLI's) so xdebug.remote_enable is on, and restart your server.

3. Follow the other instructions here: Zero-configuration debugging with Xdebug and PhpStorm 2.0.  Even though PhpStorm is now up to version 5.0.2 as of this writing, the instructions here worked like a charm for me.


Composer is a dependency manager for PHP written by Nils Adermann and Jordi Boggiano (with contributions from others).  It's nice and lightweight.  A JSON config file lists the packages you want/need for a project, and it looks at both its package repository (Packagist) and Github for them, installing them in a /current/path/vendors/ directory.

My problem with Composer was that I kept running into connection timeouts.  It wasn't a network error on my end - I have ~12 mbps downstream, so that's not a problem.  After a lot of searching, I found that the issue was caused by Composer being inefficient in its searches/downloads.  Something about it looking at both the distribution version and source version of a package.  To get better performance, a --prefer-dist option was added to the command line.  Unfortunately, that switch is not mentioned anywhere in documentation, nor in the CLI's --help option.

So, to use the option, simply (assuming a global install of Composer):

$ composer update --prefer-dist

Composer now works perfectly for me.


Symfony is a modular MVC framework from Sensio.  The Standard Edition comes with a demo app, which should be removed before doing your own work.  The Standard Edition's Github describes the process of removing the demo.  Unfortunately, the instructions regarding security.yml are wrong.  Simply removing those listings results in a runtime exception.  No, instead you need to provide default values.  Nice to know now.

So, there you have it, solutions to issues not mentioned in official documentation.  Hopefully I can stop others from getting frustrated.

EDIT: Thanks to Tony Quilkey, a.k.a. trq, a.k.a. thorpe for setting me straight on Composer's lineage.

Thursday, October 4, 2012

Basic PC security Part Deux

Part 1

How can I look at things safely?

It's somewhat difficult to concisely talk about the browser and browsing habits because some of the issues are technical, and some are human in nature.  I'll focus on the technical first, because they're easier to address.

The web gets its interactivity through technologies like Flash and JavaScript.  Unfortunately, those very same technologies can prove to be harmful.  Flash, in particular, is known for its related exploits, both because its creator, Adobe, is slow when it comes to patching them, and because of Flash being the platform online advertisements are generally built on, which gives would-be attackers an incredibly wide target audience.  While it's less common now, attacker-compromised ad servers are a popular way to spread malware.

While not dangerous directly, JavaScript can be used to dynamically load other data, or bring the user to another destination that contains something dangerous.  While JavaScript can be turned off in the browser, many websites (like just about everything Google owns) require it, so removing it from the equation entirely is essentially impossible.

The solution for both problems come in the form of browser plugins and/or settings, depending on the browser itself.  For Firefox and Chrome, the plugin Ad Block Plus stops any and all adds (after tweaking some settings) from appearing.  In some cases, that can lead to some site functionality to break, but you can tell it to not stop ads on a particular site.  Similarly, for JavaScript, the No Script plugin stops all scripts except for those you explicitly allow.  That kind of granular control will allow you to customize your internet experience.

Bad browsing habits are a bit harder to curb.  Generally speaking, sites that offer free merchandise (like, say, an iPad), sites that offer free porn, sites that offer crass, edgy videos and images tend to be a breeding ground for malware and assholes.  I'm not sure if it's the same today, but back in the day sites like Ebaum's World crawled with bugs.  If it sounds too good to be true, or if the site would attract people who would have no qualms with screwing with other people, try to stay away.

Be aware of any downloads.  If you're downloading a document, it should end in .pdf, or .doc, or .docx.  Don't open anything from a source you're not familiar with.  That means email, images, files, etc.  If you don't know the source, you can't trust the source.

One final thing: be cognizant of what you share on social media.  Do you really want the entire internet connected world to know your address, number, work address, husband's/wife's/children's info, or pictures?  Information is power.  Don't let those you don't know have power over you.

I'm sensing a common theme... the human factor is key, huh?

In any system, the weakest point is where ever humans enter the picture.  We're fickle, impatient, moody, and ambitious - the perfect combination for exploitation.  Social engineering (or, in non-nerdy terms, conning/scamming) is still one of the most effective ways to compromise a system.  Attackers disguise themselves and their requests as legitimate, hoping that they're in contact with a computer illiterate mark who will be lead to give away their own secrets.  And it happens all the time.  This year's rash of Xbox Live account thefts were largely due to people duping the Microsoft employees on the customer service line.  Someone posing as Windows tech support tried scamming Ars Technica.

There are so many ways that attackers can disguise themselves, it's impossible to talk about them all in this space.  But, I can give some general tips:
  1. If something seems suspicious, it probably is.
  2. No reputable company will ever ask you to email them your login credentials.  They already have them, and don't need them to refer to your account.
  3. Be wary of any email asking you to login to fix some error.  Call the company (and be sure to use their real number, NOT what's in the email) to verify.
  4. Tech support will never call you out of the blue.  It doesn't work that way.
  5. Where available, use two factor authentication.
  6. When in doubt, ask your nerdy friend/relative.
Above all else, remember that there are people out there who would like nothing more than to get their hands on your money, your identity, and your very being.  Be cautious, be smart.

What about viruses and stuff?

Amazingly, it's fairly simple to protect yourself.  Windows' firewall is turned on by default.  The question then becomes, "What anti-virus and anti-malware software should I use?"

New computers come with a heap of useless crapware.  That McAfee or Symantec/Norton anti-virus that came with it?  Also crap.  They're bloated pieces of code that have low detection rates and cost money.  Horrible.  There's no need to pay for a quality anti-virus program.  While there are many free alternatives (AVG, Avast!, etc.), I prefer Microsoft Security Essentials.  It's absolutely free; no fee for initial download or any kind of subscription nonsense.  It doesn't take a lot of resources.  It's unobtrusive.  It has a high and accurate detection rate.  For my needs, and likely the needs of most end users, it's just about perfect.

For my anti-malware supplement, I use Malwarebytes' Anti-Malware.  It's also free, and is a no-nonsense malware detector/remover that can sniff out just about anything.

Do these programs make a computer bulletproof?  No.  But when combined with other preventative measures, like good browsing habits, they're very effective.

As an aside: those Finally ads, and any other service built around "Clean up your PC!" are selling snake oil.  There's no reason for anyone to pay for that kind of service.  With the links provided above, you already have most of the tools needed to clean up your PC yourself.  Why pay someone $60-$80/hr to do it when you can do it yourself in a weekend?

So, is that it?

Well, not really.  Security is a broad topic, so broad it's impossible to completely tackle in a blog format.  My main goal is to raise awareness and curiosity.  There's no reason to not be aware of the incredibly basic steps needed to help secure yourself.  Given our ever increasing online presence, protecting ourselves on the internet is at least as important as physically protecting ourselves, our families, and our homes.  Since the only real costs involved are time and employing common sense, there's no reason not to take preventative action.

Unoriginal title for a post about general PC security (Part 1)

First, let me preface this by stating that I am not an expert in online security.  I'm not a hacker, I'm not a cryptologist.  I'm a web programmer who tends to view security from the POV of an end user.

Okay, with that said, here we go....

I've bought this $500+ piece of machinery, but you're asking me to understand how it works?

The sad fact of the matter is that many people who own computers are still largely computer illiterate.  Some are afraid to break/screw things up with their new appliance, and others are simply not interested in learning more than how to send email, visit YouTube, and do some basic office work.  The problem is that seemingly innocuous online activity can lead to a host of problems.  Addressing them isn't difficult, but it requires a bit of effort.  Just like a car needs regular maintenance to keep it on the road, a computer needs regular maintenance to keep it running and your information safe.

It's important to note, at this juncture, that there's no such thing as 100% secure.  Cyber security is always a game of catch up.  The various hackers, malware authors, and other black hat individuals and organizations out there will always have an advantage because, in a lot of cases, threats can't be addressed until an exploit has been abused.  The best we can do is engage in behavior to mitigate risk, and be prepared if an attack does happen.

What do you mean 'P@ssW0rd' isn't a good password?

Let's start with passwords.  If you do anything online, you're all but certain to have one.  A good password is long (the longer the better), contains a bunch of different characters (letters, numbers, punctuation), and isn't based on a dictionary word, or common phrases.  They should also be unique for each account (more on this in a minute).

The problem is that long passwords not based on a memorable pattern and filled with a variety of characters are hard to remember.  They're also a pain to type.  So, what people generally do is create a short, easy to remember password and then use that for just about everything.  If an online account is compromised, who cares?  It's just an account to Fluffy Birds or something unimportant, right?

Wrong.  If login info is compromised (and many times they're compromised without one knowing about it at all), then every account that uses that info is compromised.  That could mean your bank.  Your social media accounts with all the personal information about you and your family.  Your life could be laid bare for those who wish to do you harm.

So, what can be done?  I'm a huge fan of password manager software.  This software is essentially a database of all your passwords.  Even better, most come with a password generator, giving you a high entropy password at the click of a button that you can use for any account.  The password manager itself can be protected with a password, and some even allow you to use a separate key file as a second form of authentication.

The general workflow is:

Sign up for a new online account
Open the password manager
Generate a new password with the password manager
See if the site/system will take it*
If yes, you're registered, if not, keep generating new passwords until one sticks

To log into a site that requires a password, simply open the manager, and copy/paste the password into the password field.

*The unfortunate reality is that many sites put ridiculous limits on what they accept for passwords.  Microsoft, for example, limits passwords to just 16 characters, while EA prohibits certain special characters from being used.  These restrictions are completely artificial, and really only serve to negatively affect how secure your login information actually is.

I use and recommend KeePass.  It's free, it's easy to use, and it's available on just about every operating system one would want.  I use it on my iPad, laptop, and desktop, and with it, I can hit all the important attributes of a good password:

Not based on a dictionary word
Character variety
Unique to each account

Okay, cool, now what?

I'll talk about browsing, but in a new post to keep things readable.