Introducing Scisr, a PHP Refactorer

I'd like you all to meet my latest hobby project. It's a standalone refactoring tool for PHP. I call it Scisr.

I looked around for refactoring solutions a while back when I had some tedious renaming to do at work, and was surprised by how poor the options were. This question has a fairly complete list of everything I found, which is to say, not much. And what options existed were not very powerful or, more often than not, simply didn't work at all (I never did get Zend Studio to successfully refactor anything, even in the short periods between crashes).

So like any good nerd, I decided I could do better. I had been using PHP_CodeSniffer a lot, and thought that it would make a perfect platform to start work on - while my needs were slightly different than the typical "sniffs," the tokenizer architecture would suit me very well. Thus was Scisr born.

The design goals were influenced by aspects of the other tools that I disliked. I hated the idea of installing an entire IDE and twiddling with a whole bunch of project settings just to rename something. Despite what some Java programmers would have you think, refactoring is not an end in and of itself. Refactoring is something to do, test, and move on with as little fuss as possible. You're not using Scisr for the thrill of using Scisr - you're using it because it can help you get a job done. So Scisr is a standalone tool with incredibly simple installation, and I provide incredibly simple usage instructions on the project page. It should be possible to start using it on your work in under 5 minutes.

Here's something about refactoring PHP: it's impossible to do a perfect job of it. If you are renaming the class method Foo::bar(), how would you handle the following code?
$classname = $_POST['c'];
$item = new $classname();
$item->bar();
?>
There's no right way to handle this because PHP is weakly typed. I should also mention that you would have to be a madman to use the above code in anything, ever.

There are definitely some advantages to weak typing, but it means that we will never be able to write completely precise refactoring tools. So why fight it? Instead, Scisr accepts these limitations and just does the best it can. When renaming methods, it looks for typing information in a number of places - instantiations, PHPDoc tags, parameter type hints, the comment type hints that Komodo IDE and Zend Studio recognize. And when it comes across a potential match that it just can't be sure about, it will notify the user without making a change (unless you have it set to "aggressive" mode, in which case it will go ahead and hope for the best).

I'm also not going to bother supporting actions that require individual attention. I'm focusing on the tedious refactoring tasks that can be effectively automated, and will provide significant saved effort. Currently, Scisr can rename classes, class methods, and files. In the future I may also support renaming functions and class properties. These are things that would otherwise require a lot of repetitive find and replace, or a clever scripted solution, and even then you'll be in trouble if you're acting on something with a generic name (ever tried renaming a method named 'validate'?).

So, now that you've read about it, why don't you try it out? There are installation and usage instructions over at the project page. Scisr is currently at version 0.2.0, which means it's a little rough around the edges, but it is usable. I would very much love to hear from you if you use it and find bugs, or have suggestions, or if you just enjoy using it. I'm pretty pleased with it so far, and I hope other people will find it useful too.

Enjoy, and please, let me know how it goes!

Avatar and Fetishizing The Other

Fair warning: This post may contain spoilers. However, I also feel I must point out that the foreshadowing in Avatar is so clumsy that the first half of the movie contains spoilers for the second half. So really, how much damage am I going to do?

So, James Cameron spends a decade working on his opus, and here it is. Truth and beauty in dazzling 3D, right? Wrong. I think this film is rubbish. Worse, I think this film is insidious rubbish that is a pro-establishment screed dressed in sheep's clothing of weak Iraq war metaphor. I think that continued success of rubbish like this adversely affects any hope of achieving a truly tolerant and egalitarian society.

It has already been pointed out that Avatar is another take on the classic white guilt fantasy. But the sci-fi setting gives it a weird undercurrent that I find more even more unsettling. By setting his non-whites as aliens, Cameron accidentally distills all the assumptions Hollywood makes about race, and then forces them into the cold light of day by pursuing an interspecies romance.

The Na'vi are a mish-mash of characteristics from just about every well-known "primitive" culture - feathers like Native Americans, Maori skin markings, African accessorizing (all African people are one big homogeneous tribe, if you didn't know), the hunting habits of Amazon tribes, and so on. This provides the framework for a bland allegory about evil white people - it's like indigenous peoples Malt-O-Meal. In the creation of this hunter-gatherer everyman, Cameron has provided a glimpse into the machinations of ignorant white men's minds.

Neytiri's introduction is as a howling dervish who shoots arrows mid-leap. She embodies the exotic, the mysterious, the untamed. When perturbed, she hisses like a feline (displaying her sharp, animal-like teeth). She views animals as kindred spirits. And see, what makes this a problem is that us white people have this really obnoxious habit of dressing dark-skinned models in animal prints and posing them with animals. We like to portray them as exotic, mysterious, and untamed. When we control the image, they are the Other.




Let's talk about Otherness. The idea started with Hegel, who said that consciousness cannot become self-conscious until it meets another consciousness and learns to define itself as separate from that other. Since then this idea has cropped up time and time again, because it seems to accurately describe a component of our psychology; humans have a tendency to define ourselves in opposition to other humans. Nationalism, racism, sports fans; we love to forge our identities by labeling Them and Us. It's not enough to have just an Us - if we find ourselves in a situation where there is no Them, we will quickly manufacture one.

Now, usually we take the straightforward route and just vilify the Other. Simply bicker over the prophet's cousin, or riot over those immigrants daring to live in "your" country, and get to fighting. But there's another method of oppression at which Americans in particular are becoming very adept. You declare your tolerance for the Other and talk about how much you like Others and how you have all sorts of Other friends. Meanwhile, you continue to marginalize the Other, but you make it subtle. You appropriate bits of their culture, but be sure place them in a one-dimensional box that leaves no room for growth. You pay lip service to equality but don't make any sacrifices of your own. In this way the Other can find no adversary to combat, and you can convince yourself that their failure to better themselves is due to some innate cultural deficiency. This is how we end up with black models dressed in leopard print.

What Cameron has created is the authoritative example of being ignorant and white. Not only is the appearance of the Na'vi built out of superficial elements of human ethnicities, but their entire culture is a slurry of half-baked ideas, the kind an ignorant white guy gets from paging through a National Geographic without bothering to read the articles (they are kinda long, after all). He's actually come up with some ludicrous explanation about neurons in plant matter to take the idea that "native peoples are really in touch with nature" to an extreme that has them literally talking to their ancestors through the trees or something.

There's neotribalism, and then there's this. This is not just yearning for simpler times or showing appreciation for low-impact lifestyles. This is fetishizing the Other. The Na'vi as a people are presented as strange, unknowable, yet utterly desirable. And creepily, Jake Sully plays out in concrete terms the fantasy that Cameron is playing out in the abstract. Sully is so enchanted by the Na'vi that he seeks to know, to possess, to dominate, and he consummates this quest by exerting his mastery over the natural world, hijacking control of the tribe, and having alien sex with Neytiri. And he is the protagonist because this is how ignorant white men understand desire.

We've been analyzing the movie in terms of the racial Other, but in fact the most famous application of Hegel was by Simone de Beauvoir, who applied the concept of the Other in The Second Sex, her book on the status of women:

Thus humanity is male and man defines woman not in herself but as relative to him; she is not regarded as an autonomous being... She is defined and differentiated with reference to man and not he with reference to her; she is the incidental, the inessential as opposed to the essential. He is the Subject, he is the Absolute – she is the Other.

-- Simone de Beauvoir, The Second Sex

I'd like to argue that the Na'vi are not only racial Others, but collectively they represent the sexual Other, Beauvoir's female.

It's no accident that Neytiri is the only prominent Na'vi in the film. Sure, Tsu'tey is the chief warrior, but he is practically eating out of Sully's hand by the end of the film, despite having spent the entire movie being cuckolded by Sully. He is the weak, ineffectual man next to Sully's raging pillar of testosterone. Neytiri is the only character to display any depth at all, and she is the only one who sees a considerable amount of screentime.

The support of life became for man an activity and a project through the invention of the tool; but in maternity woman remained closely bound to her body, like an animal.

-- Simone de Beauvoir, The Second Sex

Neytiri is fierce and capable, yet she displays no volition of her own. There are some weak attempts at connecting her to her land and her people, but she seems to have no personal desires, no ambition or selfishness. She spends the film at the mercy of events around her, captive to her emotions. Her involvement with Sully only further strips her of will - by the climax, she is a Harley babe riding bitch on the gigantic symbol of virility, Toruk, clutched between Sully's manly thighs (but it's okay, she's helping the war effort by cheering).

Sully definitely has the largest... dragon.

Oh sure, she turns Colonel Quaritch into a pincushion at the end. But to what end is his death? The battle is already over; the Na'vi have clearly won. So even the vague desires that Neytiri has expressed for herself - preserving her land and people - are not at stake. The only threat Quaritch poses is to Sully, who he is happily trying to murder. Her sole motivation for killing Quaritch is to save her man, and in fact, this display of devotion is the only real thing Neytiri accomplishes all film. She has cemented her own subjugation.

Now, I'm not saying Cameron tried to make a movie that was obliquely racist and anti-feminist. But he did, and he is as guilty as anyone. His crime is intellectual indolence; using superficial fairy tales instead of seeking any true understanding. Our crime is that we keep throwing money at bullshit like this instead of exploring anything that we might find difficult or uncomfortable. A movie that grosses $77 million in the first weekend is part of our culture, whether we like it or not. And if we can't even stop producing this shit, how are we ever going to flush it out of our system? Why ask ourselves tough questions about equality in this country when we can indulge our white male guilt with useless tripe? It's useless tripe, but in 3D!





Bonus: Now that I've spoiled this movie, allow me to spoil the plot of Avatar 2 as well. The humans come back. This time they just drop the bombs from space. All the Na'vi die. The humans congratulate each other and wonder why they didn't think of that sooner. The End.

Avoiding disaster when using svn switch

So I was going to be my usual negative self again this month, but I created something, so I'll share that instead. Your regularly scheduled cynicism will return next month.

The problem

So you're working away on a branch of your project in SVN, and you need to switch to a different branch. svn switch does exactly that, but there's a catch. Say your repository has a top level with a README and CLI scripts and whatnot. But you've been hacking away in the src/ folder because that's where all the real code is. And you carelessly type svn switch svn://myrepo/branches/other_branch while your working directory is src/. What you should have typed was svn switch svn://myrepo/branches/other_branch/src - notice the subtle but important difference there.

As soon as you hit Enter, you've screwed the pooch. Remember, SVN doesn't know about branches - it just thinks they're all folders. So what you've done is tell it to switch the working directory, src/, to the top level directory of some other branch. It's going to delete everything in your folder and start checking out the whole root directory into your working directory. It's going to make a mess, then yell at you about conflicts and slotting and mismatches and you're probably going to end up getting frustrated and running rm -r on the whole folder. If there's a graceful way to recover from this mistake, I have yet to find it. I've done this enough times that I usually realize my mistake as soon as the first message pops up, and I often mash Ctrl-C in hopes of preventing further damage, but honestly I think that makes it worse.

After making this mistake for about the fiftieth time yesterday, I finally decided it would be in my best interest to protect me from myself, and so I wrote a bash script. It checks the directory (relative to the root of the branch) that you're asking to switch to against your current directory and won't let you continue if it thinks you're about to screw something up.

This script assumes that your repository follows the standard SVN repo format - your code should be in trunk or branches/branchname. And it assumes you're going to run svn switch on your current working directory - I didn't write any support for more than one argument.

Installing

Because of the nature of SVN commands, we have to wrap svn and just pass arguments for the other commands through untouched. Shawn Parker gets credit for the original inspiration. You'll need to put the below code in a file and make it executable. Then edit your .bashrc to add the following line:
alias svn='/path/to/script.sh'

Worse than Nothing

Want to get phished? Don't worry, it won't hurt.

If you have an account with Vanguard, the investment firm, you can experience it for yourself right here (works on IE7, IE8, or FF3). If not, you can watch a quick screencast of me phishing myself. Note that this is clearly not the Vanguard site, and yet after I enter my username, I'm shown my personal image (mine's a canoe! what's yours?). I didn't answer any security questions, and yet that's my personal image that only my bank and I are supposed to know. And here it is on some scammer's site. That's the unique part of my attack, and the most dangerous.

By the way, that screen at the end is where the scammer has just obtained your password and is happily emptying your bank account (since I'm nice, I just display a hash and don't save it).

I don't mean to pick on Vanguard, I just happened to have an account with them. A similar attack should be quite possible on Bank of America, HSA Bank, or anyone else who uses the SiteKey system. SiteKey is a scheme banks came up with in response to the large and largely-intractable problem posed by phishing. It's sometimes labeled as a "multi-factor authentication" system, but I think that's incorrect - it's more of a "mutual authentication" system. The site proves that they are legitimate by showing you a picture that you selected when you sign up. Since no one else could know what picture you have set, this proves that the site is who you think it is. At least, that's the theory.

My attack is simple. The first page is just a static page that looks exactly like Vanguard's home page - standard phishing fare. When you submit the form with your username, I build a page with an iframe pointing to the Vanguard site, passing it the username. As long as you've logged in from this computer before, the Vanguard site happily shows your personal image. Then I create a form outside of the iframe with a password field and a submit button, and float those elements over the iframe. So while you're seeing the Vanguard site in the background, you're entering your password into a form I control, and the submit button you click submits to my page. And just like that, I have your password.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned. This attack has been possible as long as SiteKey has been in existence, and I see no reason why I would be the only person to think this up. In all likelihood, some smart phisher out there is already doing this.

I learned retroactively that this technique is called UI Redressing, more commonly referred to as Clickjacking. It's behind a number of attacks, of which perhaps the most publicly visible (although not the most dangerous) was the Twitter "Don't Click" infection. Even worse, since my attack requires no clicking on the actual hidden elements, even NoScript's vaunted ClearClick technology doesn't detect it (NoScript does offer an opt-in to disable iframe content, which sounds like it should stop the attack, but it didn't work for me).

SiteKey was weak to begin with. It's bad enough that a vast majority of site users don't notice if the image is missing. And a weaker man-in-the-middle attack that involved asking security questions was demonstrated 3 years ago[pdf]. But this is worse. A malicious site that shows you your own handpicked image will lull you into a false sense of security. Who would think twice about providing personal information when that mountain stream or étouffée or whatever you picked is staring you right in the face? The banks have worked hard to train users to look for that image, and that very training can be turned against them to make phishing attacks even more successful than before. SiteKey is not just useless - it's worse than nothing at all.

I have been in contact with RSA Security, the vendors of SiteKey, about this attack. To their credit, they were very professional about the whole thing. They treated the matter seriously (I was surprised to get a response at all), and did not try to bullshit or bully me. So they get points for understanding how to make the vulnerability reporting process a productive one. They told me they have notified their clients about the problem and suggested corrective action. I imagine this action will consist of frame-busting Javascript and a proprietary IE8 header. I can only speculate because as of this posting, neither Vanguard nor HSA Bank have done anything to prevent the attack, even though it has been two months since I reported it. These changes will help, but the headers are opt-in and only work on newer browsers, and the Javascript isn't necessarily immune to circumvention. Besides, recall what I said about my qualifications as a security researcher. If I came up with this in a few hours of spare time, don't try to tell me there aren't similar attacks that could be discovered by a motivated person - say, someone who makes a living managing a phishing operation.

There's another reason I think SiteKey is worse than nothing. It's not just users who get a false sense of security from it - banks are biting on these supposed panaceas instead of facing up to the very difficult problem of performing real security. It's all too easy for companies to set arcane password rules and shell out money for "solutions" like SiteKey, and convince themselves that they've tried hard enough. Wrong. SiteKey is like a Mickey Mouse band aid on the wrong knee. Maybe it gets the three year old to stop crying, but it's not actually doing any good.

Epilogue

I know, I know, I'm such a negative person. Always bringing other people down. Complaining about what exists without offering any suggestions of my own. What would I propose to guard against phishing? Huh, tough guy?

I have to be honest - I don't see a silver bullet. Phishing is a serious threat, and one that preys on our inescapably human failings - inattention, belief that our perceptions are accurate, and willingness to adapt our actions to what we are presented with. I don't see it going anywhere any time soon. However, I think the Firefox address bar is a great start:

If we have to train users to look for something, it should be this. Benefits:

• It's client-side. No man-in-the-middle. No UI redressing. Short of a serious Firefox exploit or SSL vulnerability, there's no faking this part of the address bar.
• It comes (I assume) from the SSL certificate, which is a pretty okay security measure, and one that any respectable site dealing with sensitive information already uses.
• It's friendly and distinctive - it's big and green and it tells you the name of the company.
• It's right next to the address bar, which encourages one to also check the URL. This is the original best security measure, and one that eBay and others have been advocating for years. I should point out that the pretty little Locationbar² plugin is helping here as well by highlighting the domain name so it stands out against the rest of the URL.

Still, this only works if you think to look. The danger of phishing is that you get caught at the end of a long day, or when you're in a hurry, or when fucking PayPal actually has deactivated your account three times in the past and you're so annoyed by the prospect of a fourth that you get careless and don't check.

I've got another suggestion, but this one is a lot further from reality. This is what I think could be, if we would spend less time on fake security and more time on real security.

Imagine, if you will, a world where PGP is commonplace. That's right, I'm evangelizing again. Imagine every email you receive is signed, and you have an extensive trust network. When you open an account at a new bank, the rep hands you a piece of paper with instructions on downloading the bank's public key and a fingerprint to verify it. Because PGP is so common, your email client actually throws up a big red warning saying "Hey! This signature is untrusted!" whenever you get email from someone whose key you haven't imported. Suddenly you have a proactive warning on every phishing email that comes through. Nobody is going to click through a message from their bank that is labeled as "untrusted." You could teach your grandparents that.

Is this a pipe dream? For now, yeah. But it's a good one - it's a world where email phishing is essentially solved.

Until then, keep checking your address bar.

Update (12/03/09): Looks like at some point in the past few months, Vanguard updated their site with some frame-busting Javascript, and now hides the pages if Javascript is disabled (bad news for accessibility, but arguably more secure). However, let me reiterate: the fact that they have stuck their finger in this leak doesn't mean there aren't other holes in the dike.

Another update: I sent this article to Jim Youll, the author of the original paper on SiteKey vulnerabilities. He emailed me back, and in his response was a remark that stuck with me: "they always say that the undisclosed back-end systems are the fail-safe for the front-end attacks. I don't think they're lying." At some point, it hit me: what if SiteKey is nothing more than security theater? Maybe they do know that it's useless. Maybe they don't expect it to stop anything. Maybe whatever fee they're shelling out isn't coming from the security budget, but from the marketing budget. If this is the case, I just hope the marketing spiel isn't working on the people who need to be doing the real security.