Conor McDermottroe

I finally got around to doing some work on this site. It's been quite a long time in the making since it's been more of an interesting experiment than a serious project. The front page should update from Flickr and Instagram so it shouldn't be quite as stagnant as the old site.

The code behind this site is all available on GitHub so feel free to criticise and/or copy anything you find interesting or objectionable. There aren't any comments on this blog, so feel free to use Twitter or GitHub Issues as appropriate.

Today I wanted to automate the upload of some code to a new Amazon EC2 instance. I've been scripting the rest of the job using Boto but when I was lazily looking for an example of how to do SFTP with Boto there wasn't anything obvious in the first few pages of Google's results. So, here's the snippet for any other lazy coders out there:

import boto.manage.cmdshell
 
def upload_file(instance, key, username, local_filepath, remote_filepath):
    """
    Upload a file to a remote directory using SFTP. All parameters except
    for "instance" are strings. The instance parameter should be a
    boto.ec2.instance.Instance object.
 
    instance        An EC2 instance to upload the files to.
    key             The file path for a valid SSH key which can be used to
                    log in to the EC2 machine.
    username        The username to log in as.
    local_filepath  The path to the file to upload.
    remote_filepath The path where the file should be uploaded to.
    """
    ssh_client = boto.manage.cmdshell.sshclient_from_instance(
        instance,
        key,
        user_name=username
    )
    ssh_client.put_file(local_filepath, remote_filepath)

Boto depends on paramiko to handle the SSH parts, so you'll need that installed too.

If you find yourself writing any performance sensitive code in PHP, you probably want a profiler to tell you where the slowest parts of your code are. Sometimes you can get by with educated guessing and a few well-placed uses of echo and time, but there really is no substitute for hard data. Luckily, Facebook have written and released a profiler for PHP and it's pretty easy to use.

First off, download and install it. It's a PECL extension to PHP, so it should install like any other PECL extension you have. I'm developing on top of FreeBSD, so I made a port for it. It's not yet in the ports tree, but if you're running PHP on FreeBSD, you can extract the port out of the PR I filed. It's in the ports tree as devel/pecl-xhprof.

Once you have it installed, here's how you use it:

// Start the profiler
//
// XHPROF_FLAGS_MEMORY adds memory usage data, it's quite useful.
// See the docs for further flags.
xhprof_enable(XHPROF_FLAGS_MEMORY);
 
// Put the bulk of your code here
 
// Stop the profiler and get the profile data
$profile_data = xhprof_disable();

After you get the profile data you can either save it somewhere and use the XHProf UI provided to browse the data or you can just process the data directly. I'm working on vBulletin, so I integrated it into the vBulletin debug output. If you're doing the processing yourself, the following snippet is useful for converting the inclusive times returned by xhprof_disable() to exclusive times.

require_once('/path/to/xhprof/display/xhprof.php');
$profile_data_totals = array(); // Will contain data for the whole script
$profile_data_exclusive = xhprof_compute_flat_info($profile_data, $profile_data_totals);

That's pretty much it. For anything more than that, refer to the XHProf documentation or have a dig through the XHProf and XHProf UI sources.

Recently there has been a lot of criticism of Facebook for changing its privacy policy again. While I have no problem with criticising a company for muddling through a policy/terms of service change without talking to its users, I do have an issue with people giving them all the blame for revealing private information.

I'm in the middle of listening to This Week in Tech episode 250 and the show's host, Leo Laporte, said the following:

"Facebook made a promise to me we will keep it private unless you say otherwise. You tell us who you want to share with. That was the promise and I feel it's like a friend that I went and I told something secret to and then he blabbed it and they said, oh my bad. So I go back and said, okay, I understand you made a mistake. He blabs it again."

and later:

"To be honest, I feel like this is a bad girlfriend who three times now has revealed stuff that I said this is secret and I am not going to give her a fourth chance. I just don't think it's right."

Since when was Facebook your friend, girlfriend or confidant? Why are you telling it information you want to keep private? Sure, it promised to not reveal any of it, but why did you expect it to keep its promises? If you stopped a stranger on the street and showed them a picture of you drunk or told them that you hated your boss, would you expect them to keep it private? What if they promised you? Would that make any difference?

This is not something solely related to Facebook. Every site on the net is the same to a greater or lesser extent. If you put private information on the internet then it's not private any more, no matter how many "guarantees" you're given. For your information to remain private you have to assume that at least all the following are true:

  • The company that owns the website/social network/mail server/whatever is honest and wants to keep your information private.
  • The company will never be taken over by another company who will be less honest.
  • All of the employees of the company who have (now or in the future) access to your information will be honest (even if bribed or blackmailed).
  • The employees are so technically competent that they will never accidentally leak your information to anybody.
  • The technology used is so sophisticated that no-one can gain unauthorized access to your stuff.
  • The people running your ISP (or your employer) and the ISP of the company you're giving the information to all fulfill the same criteria as the company itself.

That's an awful lot of things to assume, and I don't think there's any person or company on the internet who could honestly make those guarantees, even if they really want to. No matter how small and trivial the online service, there are so many people involved in making it happen that some of them will be dishonest. Some of them will be incompetent. Some of them will be bribed or tricked into giving away your information. Some part of the system will have a security flaw that gets exploited. One way or another, the information you give to an online service will end up under the control of someone you don't trust sooner or later.

So how do we solve this problem? As far as I'm concerned, the only approach is to treat every internet service like you would a stranger. Sure, you might strike up a conversation with someone in a bar or at a conference or on a train, and sure, you might tell them personal information, but you're never going to tell them something you wouldn't tell absolutely any other person on the planet, right? Just don't put anything on the net that you're not willing to write on a piece of paper, sign and hand to a stranger. Yes, this restricts the usefulness of the web and, in particular social networks, but remember:

The internet is not your friend, so don't tell it anything you want to keep private.