* Posts by Marcus Bointon

32 posts • joined 27 Apr 2007

Hate 'contact us' forms? This PHPmailer zero day will drop shell in sender

Marcus Bointon

Re: Not sure the article is accurate...

Just a little late follow-up - I'm the maintainer of PHPMailer. Actually it would. PHPMailer validates all address it uses automatically - The problem was that the attack string can be a fully valid email address - that's why it got through and why it affected other email libs too. What's safe and valid in an email address isn't necessarily safe in a shell command *even if you escape it*. The exploit example is contrived, but if you don't set a Sender address explicitly it uses the from address, which is normal MUA behaviour (e.g. both Outlook and Apple Mail do it).

In order to fall victim to this you had to be using the mail() function for sending (PHPMailer's default behaviour, rather than its SMTP client, which is both faster and more flexible), using the form submitter's email address as the from address (which all the PHPMailer docs and examples tell you not to do, because it's forgery and will cause SPF failures), and not set an explicit envelope sender address.

While I'm sure the PHP critics will say their usual, the same problems were also found in ruby, python, and nodejs mail libraries.

OH DEAR, WHSmith: Sensitive customer data spaffed to world+dog

Marcus Bointon

At least I don't think WHSmith is the ICO...

"...had turned itself into the ICO"

That would have been quite a feat - did you mean "...had turned itself in to the ICO"?

How the FLAC do I tell MP3s from lossless audio?

Marcus Bointon

How about using some software intended for the job?

"But how the hell can that be arranged and demonstrated?"

Strangely enough you're not the first to wonder what the data compression is doing to your audio. There is a great audio plugin by Sonnox that allows you to listen to an audio source via up to 5 streams simultaneously compressed through different codecs, bit-rates and depths, and switch between them. It's important to listen to bad encodings so that you can get a feel for the type of distortion you're looking for - once you can easily identify what mp3 artefacts generally sound like, it's much easier to spot them at higher bit rates.

I'm surprised that there's been little mention of AAC, since it's the default format on iTunes. I find MP3 artefacts are really noticeable and unmusical (when they are audible), whereas I generally find AAC just gets gradually softer and slightly muffled, which is far less apparent and invasive. A killer test for mp3 encoders is quiet hi-hats with reverb; It all turns into horrible swirly mush.

In terms of demo sources, it's possible to eliminate recording distortion effects altogether by using source material from pure synthetic instruments, like Pianoteq's Play, or most modeling synthesiser plugins, and you can then get audio source material that's never been though an ADC or DAC.

'Abel, you're fired!' Hear AOL supremo axe exec during conference call

Marcus Bointon

I think I'd be pretty grumpy if I'd spent hundreds of millions and ended up with something like patch.com.

Global warming: It's GOOD for the environment

Marcus Bointon

Re: You know what's even better for the environment?

Curiously I've heard that human waste can't be used for fertiliser in the EU because it's to high in heavy metals, so maybe not so good.

Marcus Bointon

I quite agree - the original article doesn't say anything like what the reg's headline does. In other news, rising sea levels good for environment because fish will have more space to swim.

Happy birthday, Apple QuickTime

Marcus Bointon

Right. I'm sure that they should have left it to you as you obviously know so much better, then it wouldn't have been so "poorly writed", and we could all be basking in glorious NumptyVision™

Marcus Bointon

QT 1.0 was really a product of a project that Apple took on in 1987 called 'Pencil Test'. The mission was simple: produce a broadcast-quality 3D animated movie entirely on Macs. There were a few obstacles: personal computers had never done it before. http://www.youtube.com/watch?v=fXPHlQuXWR0

There's little point in comparing QT with other container formats because they simply didn't exist at the time and almost none of them make any attempt to do anything other than playback. Pretty much every decent (i.e. not AVI) container format since has followed QT's basic design (MPEG-4, Matroska).

QuickTime Player (up to 7.x) on Mac OS was one of the most underrated apps ever - it had comprehensive multitrack editing with as many simultaneous video/audio/text/arbitrary data tracks as you like, codec/frame-rate/colour-depth/sample-rate conversions, variable frame rates, timecode support, live arbitrary scaling, skewing and rotation, real-time audio mixing and eq, colour correction, video and audio effects, simple non-destructive copy/paste editing and compositing of video (without recompression). All this from an app that many thought was an equivalent of dumb playback-only apps like WinAmp and Windows Media Player.

QT completely dominated the world of digital editing for a long time, mainly because it was (is?) the only viable interchange format, and because of the massive array of applications and codecs that supported it. There have probably been very few movies made in the last 20 years that have not involved QT at some stage of production.

QT for Windows was always the runt of the litter - I know, I was Apple UK's QT for Windows support guy in 93/94. Much of this was down to the fact that QT depended heavily on the rest of Mac OS, so QT for Windows incorporated ports of large chunks of Mac OS, which made it very big and didn't really fit on top of Windows APIs very nicely. All the nice things like the Mac Sound Manager were severely hampered by Windows' dismal media support at the time (such as lack of sample-rate conversion and inter-app sound mixing). On top of that, there were of course almost no video apps for Windows save for playback; There was simply no market for professional video software on Windows back then.

While QuickTime's open file format was the basis for the MPEG-4 file format, much of the promise of QT was lost in translation - we're still waiting for all those MPEG-4 part 10 authoring apps. HyperCard was supposed to become QT's interaction layer, but that never got off the ground, and we all ended up with Flash instead (which QT could play to some extent too).

Apple pretty much gave up on promoting professional use of QT after 7.0. QT X has been relegated to being an iTunes appendage and headed off into playback-only land, and is no longer interesting. QT was so unbelievably good at what it did that it's almost criminal that Apple starved it of attention; it would have been great to see it spun out. Many of the things that made QT such a great authoring container have been lost, and the world of video is sadly retreating back to proprietary formats.

Apple shouldn't bother with TV...

Marcus Bointon


I think you must live in some parallel universe where TV-related gadgets are not universally shit. I am completely sick of 'separate devices' when NONE of them work well ("of course I'd love yes another remote with another 80 miniscule buttons just so I can hear this movie"). It's got to the point where I just don't watch TV any more, and since it's the advertisers that are paying for most of it, there is money to be had in helping people actually watch stuff instead of fighting with (almost entirely without exception) unusably crap devices. Pursuing this luddite status-quo you suggest is not the answer.

As the article says, the world of TV is where the phone industry used to be - drowning in an endless drizzle of mediocrity. Somebody, Apple or not, needs to give it a really big shake-up, and they will reap plenty by doing so. Assuming they don't fuck it up, which Apple has a reasonably good track record of not doing.

Ex-Amazon 'Master of Disaster' animates server Chef

Marcus Bointon
Thumb Up

similar, but still adds new value

Chef is mostly an evolution of cfengine, and it's a completely different approach to puppet.

The key approach of chef's config management is convergence - instead of having scripts that say 'do this', you have recipes that say 'make it like this', which mean it's much less sensitive to varying starting config - for example a script that tries to install apache and add options to a config file is likely to cause problems if it's already been done (e.g. enabling the same PHP extension more than once causes errors). Chef takes care of that. It also deals with higher-level constructs spanning multiple devices such as 'attach all servers that are configured as web servers as back-ends to this load balancer'; configuring a new server as a web server would automatically add it to the balancer (if you want that of course). It can also work backwards - simply remove apache from your config, and it will get uninstalled cleanly.

All that said, chef is still pretty new and changing fast, which makes it a little hard to keep up with, not a welcome characteristic of a config management system.

Crucial CT256M225 256GB SSD

Marcus Bointon


While sequential throughput is a nice number to talk about, what makes more of a difference is the number of ios/sec the drives can sustain, particularly writes. Intel's controllers on the 2G X25 SSDs are particularly good for this, offering up to about 8500 random writes / sec, whereas some competitors are often <200 (yes, that big a difference). How do the Crucial drives compare?

Microsoft's Photosynth falls out of cloud

Marcus Bointon

It does run in VMWare

On the installation page it says that it will not work in VMWare Fusion or Parallels on a Mac. I'm amazed they even spared the pixels to say that at all, but it's not true anyway. If you enable DirectX 9 support in VMWare 2 beta, it works just fine. I was also surprised to find that it worked just fine in Firefox too.

Seagate ships first 1TB HDD of the SAS persuasion

Marcus Bointon
Thumb Up

RPM is not all

High RPM gets you low latency, but it doesn't guarantee high transfer rates. Take a look at the Samsung Spinpoint F1 HDs - at 7200RPM they beat WD raptors at 10k without a problem, all while delivering higher capacity, consuming far less power and making less noise at less cost. They do it by increasing data density on the platter (334Gb/platter), so while the disks are spinning slower, more data is passing the head per second.

@Dr Mouse: "Wouldn't surprise me if they were, or at least will be soon, making controllers chips that do both SATA and SAS"

This is already true. Pretty much all SAS controllers can also accept SATA drives. The reverse is not true. It's nice because you can mix fast SAS drives with big SATA drives. Along with the advent of 15krpm 2.5" SAS drives (cute but expensive), you can now get 1U rack cases (See supermicro) that host 8 hot swap 2.5" drives.

Dump IE 6 campaign runs afoul of dump IE 6 campaign

Marcus Bointon

WebKit gets 100% on Acid3 as of yesterday

If you want compliance, you got it: http://webkit.org/blog/ Opera is nearly there too. Beyond compliance, either of those are way faster and better looking than IE and FF anyway. FF2 is almost unusably slow, but FF3 is much better.

With a bit of luck, since MS thankfully changed their minds about standards mode, IE8 might possibly pass acid2 at launch, and thus we might finally see the end of having to put all that extra work (which our clients pay for) into downgrading for IE compatibility.

BBC mulls dropping Flash as iPlayer meets iPhone

Marcus Bointon
Jobs Halo

H.264 is not Apple's technology

Yet again we're seeing this peculiar mindset that thinks that H.264 is some kind of weird Apple proprietary thing.

H.264 is just MPEG-4, same open spec as everyone has access to.

The main reason it's associated with Apple is that they were the only ones who noticed how much better it is than anything else several years ago. The other reason is that Apple is about the only manufacturer that makes non-crap H.264 players. I mean UMD on PSP? What a joke!

Nokia unveils the N96 and N78

Marcus Bointon
Thumb Down

Phones for small fingers

So yet again, Nokia produce big fat phones with microscopic buttons you need a biro to press. Click, bzzzzzzzzzzzzz.

Man buys MacBook Air, pulls it apart, takes pics

Marcus Bointon
Thumb Up

For all those doubters

So where can I buy this mythical PC with the same screen size, decent keyboard, faster CPU, internal optical drive, longer battery life and less weight for £1000 less than the MBA? Apparently it's stocked in every corner shop in the world, but I've not seen one yet.

As for the lack of ethernet - if you're using ethernet much, you're probably carrying a cable anyway, so the addition of 15 grams or so for the Ethernet USB adaptor is probably not something you'd notice. As it happens the Ethernet port in my MacBook died, but I've not exactly missed it.

Microsoft's smiley browser face turns sour

Marcus Bointon

Flip the meta's meaning

It would make more sense to flip the meaning of the meta tag - run in IE7 mode if it's there, otherwise run in standards mode. This way non-compliant sites have a simple fix, but sites that are doing it right work properly. It should be sites that are broken that get fixed, not the other way around.

Apple MacBook Air

Marcus Bointon

Comparing with Eee PC

Roger said: "Name one thing that the Apple Air has that the Asus Eee PC doesn't."

Um, how about:


Better screen

Better keyboard

Two faster CPUs

Better WiFi



More memory

More disk space


Much longer battery life

It doesn't look like you borrowed it from your kids

Apparently none of these features are worth anything and so should all be free anyway.

My MacBook does all this too, and more but costs less and weighs more. The trade-off works for me.

It was the MacBook Air sub-notebook

Marcus Bointon

Can't anyone read?

The battery is replaceable, just not by you, and it will cost you $129, which is not too unreasonable. Since I bought my MacBook, I've removed the battery precisely once to install RAM and HD upgrades. In a year and a half I've never burned a DVD, though I've read a couple - I mostly pull stuff across the network anyway as it's faster than the local drive.

My MacBook ethernet port died after a fall from a desk (magsafe lets go, RJ-45 doesn't, lesson learned) and I've survived on WiFi ever since, though I'm glad to see an Apple branded USB Ethernet dongle as nobody else makes drivers (because there hasn't been a Mac without internal ethernet for years). I have 2 USB ports, but most of the time I don't use either (and I can see the new trackpad being better than the majority of mice), though I do use the DVI port on a 24" LCD.

Greg said "wireless-N. Nice. So it's non-standard wireless". Wireless N is neither non-standard nor proprietary. It may not be carved in stone like 11g (not that that's worth much given its interoperability problems), but it does generally work pretty well, and is definitely worth having, especially since it's faster than 100-T ethernet most of the time. Micro-DVI is not non-standard either - it's just not as common as fat and crappy VGA. You'll probably be complaining it doesn't have parallel and game ports next.

All the price comparisons also fail to notice (as usual) that the US prices do not include sales tax, which varies between 0 and about 16% depending on where you are (which is why they don't quote it inclusive).

And yes you can run Windows XP and Vista on it (or linux), either with BootCamp or Parallels/Fusion.

So, missed facts aside, I don't see any great advantage of this laptop for me. If I was some executive travelling a lot with hand baggage only, I'd be grateful for the weight saving and battery life, and getting that at the same time as having a really nice screen makes it actually usable, unlike most 10" screens, especially if your eyesight isn't great.

Steve Jobs' Macworld Expo spiel spied on web?

Marcus Bointon
Thumb Down

Mac Pro specs are wrong

The Mac Pro specs are those for the previous update. Neither 7300GT nor Quadro 4500 are available as an option. I'm surprised about the Mac Mini stuff, but the 320Gb drive option can't be real. Very suspicious, but interesting otherwise. I doubt that a consumer keynote would spend so much time on the iPhone SDK.

Amazon SimpleDB: a database server for the internet

Marcus Bointon

Not the only one

Out of the box, MySQL does little in the way of ensuring consistency either, and its default tables do not support foreign key constraints or transactions, yet many web apps built on it survive well enough. InnoDB tables solve many of these problems, but even its replication features are not transactional - if you write to a master then immediately read from a slave, there's no guarantee you will get what you just wrote.

Microsoft loses battle of the piggybacking passwords

Marcus Bointon

Adobe was doing this ages ago

Both Adobe and Macromedia did this well before 1998. When you got an upgrade to something like Director or Photoshop, it was standard practice to have to enter a previous version's serial number (i.e. activation code) before entering the new one. I believe it was also normal to have to have supplied that serial number prior to ordering the upgrade, and thus entirely feasible that the new serial could be dependent on the old one.

With one bound, Apple is free of 54 security bugs

Marcus Bointon
Dead Vulture

Pay attention

>>These are patches for 10.4 aka Tiger. How long has that been around now? These should have been taken care of before now don't you think?

Um, the article is about patches in 10.4.11 and 10.5.1. How long 10.4 has been out is nothing to do with the patches - the next time MS releases a patch for XP are you going to complain that it should have been fixed in 2001?

The patches also contain some major upgrades - in 10.4.11 Safari 3 came out of beta, and it's heading for becoming the best browser available anywhere.

Reality distortion for Java on Leopard?

Marcus Bointon

At least it has it at all

Just a minor point: out of the box, neither Windows nor Linux include Java at all, so this is a pretty dumb complaint. To install Java on Linux typically requires you to enable "non-free" repos in your package manager, which many people don't like to do (and the GPL Java hasn't trickled all the way through yet). It's true that OS X Java releases trail Sun's releases by a bit, but count your blessings - it used to be a good 18 months behind in OS 9, and at least it includes something reasonably modern out of the box, unlike anything else (except possibly Solaris?).

iSales prop up Apple results

Marcus Bointon

Wish you had Apple shares?

"Prop-up" does indeed have negative connotations, only a breath away from the old Apple journo mainstay of "beleaguered". Apple does indeed seem to be doing something right. Take a look at this:


Wish you had shares?

> "Apple products have an extremely poor build quality"

Compared to? They're not perfect, but they are extremely good. My MacBook shows no signs of discolouring, and my PSU has outlasted three Dells. The Dell laptop I had literally fell apart (at least parts are cheap, though unfortunately in every sense), My HP PC is a mire of incompatible drivers and defective graphics hardware, but at least Ubuntu works on it better than Windows ever did.

No-humping 20mph limit for London

Marcus Bointon
Dead Vulture

Re: Gee Whizz

A friend of mine was done for doing 40 in a 30 limit, on his bike. Admittedly, down a steep hill...

Yahoo! Teams! With! eBay! And! PayPal! To! End! Phishing!

Marcus Bointon
Gates Halo

Plain text doesn't fix it

Because plain text does unicode, and is thus susceptible to unicode phishing attacks: http://www2006.org/programme/files/xhtml/p63/pp063-fu-xhtml.html

SPF still rules.

Microsoft vs European Commission: the verdict

Marcus Bointon

Apple's stuff is replaceable

Sure Apple bundles stuff, but it's all done using open APIs and pretty much every piece of it is completely replaceable. Hell, most of the OS is open source anyway. No anticompetitiveness lurking in there.

You can run different browsers on Windows, but now try replacing the internet explorer control (as used in things like Outlook 2003 to render HTML) with firefox. Well, I'll save you the bother - you can't. Apple's webkit is way more flexible, and again, it's all open source (it's probably running on your Nokia phone by now). There's nothing preventing anyone from rolling their own renderer and installing it in place of webkit (though they'd be dumb to do so as WebKit is such a great bit of software!). Most of the OS works that way, with a few exceptions for things like Quartz which remain closed.

ISPs turn blind eye to million-machine malware monster

Marcus Bointon

Blocking port 25 not a good idea

By blocking port 25, ISPs effectively nullify one of the few decent tools that is available for combating spam - SPF. If SPF records have to be extended to include the very ISPs that are spam sources, then they are rendered useless. Anyone with any sense is using SPF with -all set and fetching their email over POP or IMAP with SSL and authentication only from their permitted servers anyway.

There's also the possibility of password exposure - because ISPs may transparently redirect SMTP connections to their own servers rather than blocking them, they will get failed logins to what users think are their own servers (if they don't use properly signed SSL certs), which exposes their passwords - it's effectively a man-in-the-middle attack by the ISP.

Strong laptop demand drives Apple US retail share to 13%

Marcus Bointon

Hackday spells it out

At hackday London, weekend before last, around 500 mostly invited hackers descended on Alexandra palace for a spot of spontaneous coding. Of those, I reckon easily half used Apple laptops, and pretty much all the ones I saw were running OS X, and if not, Ubuntu. Of the rest, Windows as primary OS probably accounted for less than half, i.e. <25% overall - of the 20 or so people I sat with, 3 ran Windows (and XP at that). That the supposed pick of the web development community is spontaneously endorsing Apple so heavily says to me that they're doing something right.

Dillon - What are you on about? Apple Laptops have had gigabit for years.

Mectron - You've clearly never used OS X. If it runs on Linux, it probably runs on OS X too. Linux on the desktop is still a distant dream. Ubuntu is cool and all, but it's not close. Parallels is a joy to the x-plat developer.

$1bn lawsuit takes novel approach in fighting spam

Marcus Bointon


Of course address harvesters are automated. Why do you think things like wpoison exist? http://www.monkeys.com/wpoison/

I've certainly had addresses harvested off web pages.


Biting the hand that feeds IT © 1998–2020