Fixing “full path disclosure” issues

Whether you’re running a web service or a blog, you should always keep your software fully patched to prevent attacks and minimize your attack surface. Another smart step is to prevent full path disclosures. For example, if your blog or service throws an error like

“Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/horace/public_html/wp-settings.php on line 21”

then by noting the full pathname from that error, an attacker could reasonably infer that your username is “horace” and use that to try to guess your password. It’s not the end of the world if your attacker has that information, but why not make an attack as hard as possible?

For WordPress, here are a couple of ways to prevent full path disclosure vulnerabilities:
– In a php.ini file, you can add a line like “display_errors = off” (without the quotes).
– In an .htaccess file, you can add a line that says “php_flag display_errors off” (without the quotes).

It sounds like the php.ini approach might be slightly better, because some web hosts run PHP in CGI mode which might not allow php_flag or php_value directives in .htaccess files.

After you’ve made this change, PHP errors shouldn’t be shown to web clients. If you’re developing live code on a PHP installation, that makes debugging slightly harder. But if you’re running (say) a blog, it’s probably better to turn off display_errors for a little extra protection against attackers.
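As an added example (not from the original post), here is a runtime fallback for the top of wp-config.php: it is read before wp-settings.php, so it is already in force when an error like the one quoted above fires, and it works on hosts that ignore php_flag in .htaccess. The log path is a placeholder; php.ini stays the primary fix.

```php
<?php
// Added example, not part of the original post or of WordPress itself.
// Place near the top of wp-config.php, before the line that requires wp-settings.php.

// Never render PHP errors (and the server paths they contain) into the HTTP response.
// A parse error inside wp-config.php itself would still precede this line, so keep
// the php.ini setting as well.
@ini_set('display_errors', '0');

// Keep the errors rather than dropping them: write them to a file outside the
// web root. The path is a placeholder; it must be writable by the web server user
// and not fetchable by browsers.
@ini_set('log_errors', '1');
@ini_set('error_log', '/var/log/php/wordpress-errors.log');

// Report everything to that log so real bugs remain visible to you.
error_reporting(E_ALL);

// WordPress's own debug switches. Replace the existing WP_DEBUG line rather than
// adding a second define(), which would itself raise a warning.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```

To confirm the setting took effect for the web SAPI (the command-line php often reads a different php.ini), view a temporary phpinfo() page, check that display_errors shows Off in the Local Value column, and then delete that page.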

Hack your iPhone: install a toolchain

This “hairball” post is ancient and unfinished. Would anyone care about this now? Probably not. Maybe some future data archaeologist will care.

In my previous post I covered what a toolchain is and why you need one to cross-compile applications for the iPhone.

I’ve seen rumors that there will be a Windows toolchain soon, and in theory you can create an iPhone toolchain on older Apple computers with PowerPC chips, but most of the iPhone development these days seems to favor the newer Intel-based Apple computers.

One of the best resources for all iPhone related info is the iPhone dev wiki at (unlinked because the wiki maintainers aren’t sure that they can handle lots of visitors and request that people not link directly). The toolchain page at has a lot of details, and the talk page (look for the link labeled “discussion”) gives even more background. But those pages are really terse.

Here’s a little more background info, and I’ll include some additional links at the end.

Getting gcc

Did you know that recent Apple computers (and even the iPhone) ship with a solid UNIX-based kernel? You might have heard that. Something I didn’t know is that Apple computers don’t ship with a compiler such as gcc pre-installed. It should be on the DVD that came with your computer; Apple calls its developer tools Xcode, and Xcode includes gcc.

You can also download Xcode/gcc from the web. Visit and sign up for a (free) developer account. After you sign up, the “Downloads” link will become clickable. Click that, then click the “Developer Tools” link. I downloaded Xcode 2.4.1, although there is a beta of Xcode 2.5 available as of today. The download is a DMG file, which stands for “Disk Image.” Double-clicking on the .dmg file will mount the disk image and open a file folder that includes the file “XcodeTools.mpkg” and if you double-click on that package, you’ll get a window that guides you through the installation of Xcode Tools. When you’re done, you can type “which gcc” in a Terminal window and you’ll see that gcc is installed.

Downloading toolchain code

Are you tired yet? Then you might want to take a break, because things are just getting started. For example, the first thing you’ll read on the wiki toolchain page is:

To use the new toolchain, check out the latest branch (as of this writing, 0.20):

svn checkout svn://

And you might be thinking “What the heck is svn?” It’s a program called Subversion, and it lets you check out source code across the web. Here’s a page about how to install Subversion on a Mac. The short answer is that there are a couple of ways. First, you can install a program called Fink that in turn helps you install more UNIX-related programs such as Subversion. Or you can download a Disk Image file, click the .dmg file, and install svn directly.

Getting Libstreams

The next step on the iPhone dev wiki page says

Download libstreams from Apple’s web site, compile it, and install it.

And I’m thinking “Could they get any more terse?” Plus the dev wiki is locked down to prevent wiki vandalism, so only a few people can edit that wiki. Thanks a lot, wiki spammers, you jerks. Now everybody has to interpret terse instructions on their own and can’t update the wiki with more detailed instructions.

To get/install Libstreams, it looks like you can fetch the correct source (PowerPC/PPC or Intel/x86) from or

You’ll have to log in with an Apple ID. Once you log in, you see about 20 files. Download each one in turn into a single directory, and make sure that you save the files as raw files, not html. Do that by mousing over a file, doing a control-click on the filename, select “Save Link As…” and make sure to change the “Format:” drop-down selector from “HyperText” to “All Files.”

Once you have all the libstreams files in one directory, open a Terminal window, cd into that directory, and type “make” to make the libstreams.a library. Then type “sudo make install” to install the library into the right location on your Apple computer.

Are you still with me? Because we’re really just getting started. Next the wiki says

Get a copy of the iPhone system software, and set the environment variable HEAVENLY to its location (export HEAVENLY=/path/to/iphone/software).

Unless you’re a real geek, you’re probably thinking “What the @#$% does that even mean?” Well, review my toolchain and cross-compiling post. In order to build a proper toolchain, we need some of the software that is only found on the iPhone (header files? libraries? I’m not 100% sure). Since we’re cross-compiling on (say) an Apple computer, that means that we need iPhone software on our Apple desktop machine. That’s a little bit of a problem. In theory, you could copy your iPhone’s filesystem to your computer. There’s even a program called Toolchain Helper mentioned at that does that. But Toolchain Helper doesn’t run on a pristine iPhone; you need to “jailbreak” your iPhone first. You can also run AppTapp/ to let you install the Toolchain Helper.

There is another way to get the iPhone software onto your computer. Apple provides the disk image (DMG) file for iPhone software. Woohoo! Except that it’s encrypted. Bleah. But someone figured out how to decrypt the software! Woohoo! Except that some people worry that decrypting the software might be a violation of the Digital Millennium Copyright Act (DMCA). Bleah. But lots of people believe that reverse-engineering software for the purposes of interoperability is legal! Woohoo! And the DMCA contains an explicit exemption for unlocking cell phones in some circumstances. Woohoo! If you’re at all nervous about decrypting a DMG file, then don’t. Consult with your local lawyer to see what your comfort level is.

The best instructions I’ve seen to extract the iPhone DMG contents are Landon Fuller’s post. He has a link to some modified source code to a program called vfdecrypt, but for some reason when I compiled vfdecrypt it wouldn’t work for me on the DMG file. There’s a precompiled vfdecrypt file to be found at inside of the phonedmg12.tar.gz file on that page.

And that, sadly, is as far as I’ve gotten so far. I haven’t managed to compile a working toolchain myself yet. I’m using an older PowerPC Mac, and trying to compile things caused errors for me. I enjoyed playing around with toolchains for a day, but I don’t have much more time to invest in this. It’s clear that building a toolchain is still not for the weak of heart. On the bright side, once you have a working toolchain, it looks like there are a ton of cool applications you could write.

My blog needs to cough up a hairball

My blog is almost eight years old, and I’ve published just under a thousand blog posts in that time. Along the way, I wrote about 100 draft notes that I never published. Sometimes I just didn’t finish the posts. Sometimes I thought they were too boring. Sometimes I wrote a blog post to debunk a misconception, then decided it wasn’t worth tackling that specific topic. A few times, I wrote something snarky about another company and then thought better before hitting submit. And a lot of posts were more like notes I kept as I customized some piece of software.

All those draft blog posts were starting to bug me, so I decided to do some spring cleaning this weekend. A lot of the draft posts I just deleted. I transferred some stuff into personal Google Drive files. I was left with a dozen or so blog posts that mostly fit into the “very boring” and/or “half-finished” category. But I kept thinking that 1-2 people out of the two billion or so people online might actually run across a post and find it helpful.

So I’m going to just throw a few semi-boring, semi-finished posts onto my blog. Feel free to ignore these.


I was glad to see that the FTC unanimously approved new guidelines regarding endorsements and testimonials. The updated guidelines affirm the principle that material connections behind endorsements should be disclosed. This seems like a great time to offer my own disclosure information.

As of December 31, 2016, I am no longer an employee of Google. I no longer own any shares of Google stock.

I don’t accept any money or other gifts of value from any companies or individuals. I don’t accept speaking fees, consulting fees, honoraria, or trips. I don’t accept free, discounted, or loaned products. When I receive unsolicited gifts of value from companies or individuals in the scope of work, I give away those gifts.

When I speak at a conference or event, I generally do not pay a registration fee for that event. Some conferences also waive registration fees for that event for one or more of my colleagues or a traveling companion. Either my organization or I pay my own travel and hotel expenses when I speak at an event.

I do not run advertisements or otherwise receive any monetary compensation from the operation of my website.

A few years ago my now-late wife and I formed a non-profit foundation, which we later switched to a donor-advised fund. Neither of us were paid a salary from the foundation. Example groups that the foundation donated to included the Electronic Frontier Foundation, MAPLight, Change Congress, the Sunlight Foundation, Free Press, the Poynter Institute for Media Studies, Committee to Protect Journalists, Public.Resource.Org, Khan Academy, Code for America, charity: water, and Room to Read. The Employer Identification Number (EIN) of our foundation was 203865461.

Also, I have invested in Perfect Third (the company that makes the WakeMate), Zencoder, Cardpool, Tasty Labs, Drchrono, Grubwithus, PoundPay, Apportable, Mailgun, and Parse. I have also invested in CircuitHub, PlanGrid, Pixelapse, Gusto,, Zenefits, True Link Financial, Lumi, Bankjoy, Tynker, Jewelbots, Begin, Eligible, Nuzzel, Unima, X-Zell, TRAC, Boom, Taplytics, Meter Feeder, Airfordable, Elemeno Health, a property investment through OpenPath Investments, Start on Day One, RideAlong Labs, Outvote, Tall Poppy, BrainHi, OSH’s Affordable Pharmaceuticals, Inventables, Reach, and PlanetScale.

I have also invested in Lowercase Capital (Lowercase Ventures Fund I), Y Combinator (Y Combinator Fund II), Lowercase 140, Lowercase Spur, O’Reilly AlphaTech Ventures, and OpenPath Investments.

Funny spam email, June 2009

I enjoy posting some of the funny emails that I get. This one made me laugh:

You don’t need to %SI3_rnd10 rod’s %SI3_rnd11 and %SI3_rnd12 %SI3_rnd13’ jokes!
This is a %SI3_rnd14 for %SI3_rnd15 your %SI3_rnd16! It will %SI3_rnd17 in seconds after she %SI3_rnd18 and %SI3_rnd19 as good as if it was a %SI3_rnd20 rod!
No more jokes – you will always get %SI3_rnd21 and moans! The huge pack costs less than 30 %SI3_rnd22!
%SI3_rnd23 can be a %SI3_rnd24! No one will know about your %SI3_rnd25!
%SI3_rnd26 now and save more than $10 regardless of your order’s size!

I think it’s spam about embiggening a specific body part. But the spammer clearly didn’t set up their spam template correctly. 🙂 Anyone have guesses about which email spamming software package this is?