Who Is...

Ooops. I’ve been muddying up a more serious thread elsewhere again. Sorry.

I posted a link to a picture of my desk, showing how to cope with a big monitor without straining your neck. This one: http://clive.semmens.org.uk/RISCOS/index.php?Desk2017

And was fascinated by the immediate response, as reported by my website logging for that page:

04:54:30/09/10/2017 066.249.070.023 0

06:22:49/11/10/2017 192.228.204.232 0
06:25:33/11/10/2017 095.145.012.045 0
06:36:23/11/10/2017 123.002.098.242 0
06:44:51/11/10/2017 195.074.148.001 0
06:47:21/11/10/2017 085.220.111.165 9291
07:15:46/11/10/2017 209.093.243.066 0
07:32:26/11/10/2017 088.173.001.206 10422
07:33:09/11/10/2017 088.173.001.206 10422
07:37:49/11/10/2017 046.018.177.138 0
07:41:46/11/10/2017 049.185.251.201 0

The first two columns are time/date and source IP addresses, the last is a user number – a cookie placed on your machine so I (sometimes) know if someone’s coming back, even if it’s from a different URL, and I (sometimes) know it’s a different user from the same URL. A lot of folks don’t seem to let me set a cookie; doesn’t matter, just gives me less idea about how my site’s being used.

One of the most fascinating things to me is where these have come from.
The first one, ages back, is from Google.
The rest, all today, are from the UK, Australia, Malaysia, France, California, and Iceland (not in that order). Interestingly, the one from Iceland (User 9291) previously accessed Opinions, from somewhere in the UK.

I’m not Big Brother, but you can get some kind of insight into how easy Big Brother’s job is becoming. User 9291 may be able to identify themselves (I can’t…perhaps I could but I can’t be bothered to find out how) and may want to delete my cookie…or not bother. They might even like to out themselves for a laugh. (And THEN delete the cookie?)

The first two columns are time/date and source URL

That’s an IP address, not a URL.

A lot of folks don’t seem to let me set a cookie; doesn’t matter, just gives me less idea about how my site’s being used.

Bear in mind that the first time they visit they won’t have a cookie yet. You’ll be able to send them a cookie, but (depending on the framework you’re using) the cookie you’ve just sent might only become visible to your code once that client makes another request.

User 9291 may be able to identify themselves (I can’t…perhaps I could but I can’t be bothered to find out how) and may want to delete my cookie…or not bother. They might even like to out themselves for a laugh. (And THEN delete the cookie?)

Or they could randomise the number you’ve stored in the cookie, confusing your tracking :-)

Also, if you’re not asking for the user’s consent before storing your tracking cookie, you’re breaking the law.

https://www.out-law.com/page-5486

The only cookies that do not need users’ consent are those that are strictly necessary to fulfill the user’s request for services. That will cover, for example, the use of cookies to remember the contents of a user’s shopping cart as the user moves through several pages on a website. Other cookies, including those used to count visitors to a website and those used to serve advertising, will require consent.

So now you have to decide between adding an annoying consent message to your site, disabling the cookie code, or risking a random nutjob reporting you to the ICO.

That’s an IP address, not a URL.

D’uh. Brainslip!

Bear in mind that the first time they visit they won’t have a cookie yet.

Yes, I’m well aware of that. The Zero user numbers may be refuseniks, or they may be first timers. I haven’t bothered to write the software to look back for recent accesses from the same IP address. I wrote the tracking software myself, in PHP – it’s not very sophisticated! Often a user will follow links within the site, and it seems that sometimes the second page they access already sees the cookie, even after less than a second; sometimes it takes several seconds and possibly several pages before the cookie gets returned.

Or they could randomise the number you’ve stored in the cookie, confusing your tracking :-)

Yes, that’s another possibility I was aware of.

Also, if you’re not asking for the user’s consent before storing your tracking cookie, you’re breaking the law.

Aaaarrrrghhh! Thank you very much for the heads-up. Will remove the cookie setting – fortunately easy to do, logging and cookies are dealt with in a single file that’s called by all the others. Annoying though, because one certainly can’t assume that multiple accesses from the same IP address are the same user, or that a user will always come from the same IP address.

fortunately easy to do.

Indeed it’s now done. Logging continues with no cookies and no user numbers.

I may reintroduce them later with an explicit consent, but on a page about such issues that people would have to specifically visit – I’m not going to ask every user regardless, so those other users won’t have cookies or user numbers and I won’t get so much information 8~(

Vague interest level: the Iceland address doesn’t seem to be currently active otherwise the responding IP’s from that /24 block would probably be a grand total of 10 rather than 9.

I wonder how many IP’s ever get used in the frozen north.

There have now been 32 accesses to that page today – one since I removed the User Number facility. One IP accessed it twice, all the rest unique.

The one listed as 06:25:33/11/10/2017 095.145.012.045 0
would be mine.
However I can assure you I was still in bed at 06:25 and 07:25 would be more likely.

+1 Like the display.

Ron

+1 Like the display.

Thanks 8~) One like that for each page on my site – and one for each block of IP addresses, showing the pages accessed.

There was one for each user, and will be again when I’ve set up a consent system – but that will be No Cookies by default, and you’ll have to deliberately turn them on if you want to. I hope some users will.

The times are according to the clock on the server. My site is hosted in Germany…

Also, if you’re not asking for the user’s consent before storing your tracking cookie, you’re breaking the law.

Aaaarrrrghhh! Thank you very much for the heads-up.

Don’t worry too much about it. It’s an idiotic knee-jerk law written by people that don’t understand what cookies actually are and hence has no hope of ever being enforced.

How to (almost) do it correctly and annoy the hell out of your users:

• https://slashdot.org
  Which will, upon first entry, clear the screen to blue with an explanatory message saying that permission is needed to store cookies (“Les lois françaises exigent que nous obtenions votre permission avant d’envoyer des cookies à votre navigateur Web.” etc) before you can access the site.
  Unfortunately it is a FAIL because the pretty little French flag logo is served up from a.fsdn.com which is managed by CloudFlare which sends this in the header:
  Set-Cookie: __cfduid=def04314998ab3faf3d24765b925686681507741095; expires=Thu, 11-Oct-18 16:58:15 GMT; path=/; domain=.fsdn.com; HttpOnly

How most European-based companies do it:

• http://www.bbc.com/ (and far too many to count)
  Set the cookies regardless, and then paste a message at the top of the screen (but not if scripting is disabled by default!) saying some gibberish like “If you continue without changing your settings, we’ll assume that you are happy to receive all cookies on the BBC website.” after having been given the cookie: Set-Cookie: BBC-UID=85d9bdfed49f7777[ridiculously long ID string]…

How the rest of the world does it:

• https://en.wikipedia.org/
  Sets cookies, doesn’t mention anything at all. Includes setting a cookie that is pretty much designed to locate a user – it’s a “GeoIP” cookie and mine says “FR:BRE:La_Fresnais:48.59:-1.84:v4” (which is the right region, at least, but I’m nowhere near St. Malo!).

• I should point out that this very site sets five session IDs and one shared ID. These are only set when logging in, as they are for tracking the current user session, and this is described halfway down this page; describing that it happens and why is not the same as specifically requesting consent.

or risking a random nutjob reporting you to the ICO.

Hahaha! The ICO? You’re kidding right? The ICO… actually I’d like to say they are pointless, worthless, toothless, and useless; but since Brexit that pretty much describes the entire government.

If I was to set a cookie on my site (I don’t, I don’t see any need), I absolutely wouldn’t be concerned about the ICO.

Another wrinkle – Clive’s site is hosted by Servage Gmbh, Hamburg. While that will still be subject to the cookie law (it’s an EU thing), it quite likely falls under German jurisdiction (assuming America didn’t try to claim that “because internet”). It’s a UK domain with UK content for a UK citizen, but it is physically located in Germany…

I wonder how many IP’s ever get used in the frozen north.

I have just visited your site and hit refresh a few times from the IP address 107.167.108.172. This is in Finland, China, or Germany depending on who you ask (I’d say Germany is the most likely), and it is the Opera (Mini) browser when running in data-saving mode – Opera’s server will perform the request, compress the data, then push the compressed (and potentially partially parsed?) content to the browser.

The Zero user numbers may be refuseniks, or they may be first timers.

I’m always a first timer on this machine. My policy is set to allow cookies but deny third party cookies; known tracking cookies are faked; and all the rest self-destruct the moment I close the tab.

The times are according to the clock on the server.

Three ways to fix this:

• Modify the settings in the php.ini file. This will have global effect, so you probably don’t have access to this.

• Alter the settings in the .htaccess file in your site’s root. This is most likely what you will be doing and it will apply to any php hosted on your site. You may have this file already for setting up redirects, or for treating html files as PHP (so you can in-line php in them).
  Add something like the following (this is for me, to use European time, you’ll probably want something like “Europe/London”):

# Set the timezone to European time
SetEnv TZ Europe/Paris
php_value date.timezone 'Europe/Paris'

• The last-ditch solution is a per-file modification. Take a look at: http://php.net/manual/en/function.date-default-timezone-set.php

As I said above, my site gives the correct time and date for my location because the timezone is set to “Europe/Paris”, but the server is in the UK. It’s the twenty first century. This stuff … isn’t hard… ☺

It’s not a hard thing to change.

It’s also not a hard thing to not care about. I know Germany’s times are an hour ahead of ours, and since my users are all over the world it’s entirely arbitrary anyway. I’d slightly prefer it to be monotonic, that is, not subject to clocks changing twice a year, but it really doesn’t bug me a lot.

or for treating html files as PHP

Now that sounds interesting. Might look into that…for various reasons/purposes…

I have just visited your site and hit refresh a few times from the IP address 107.167.108.172.

According to Who Is, it’s Opera Software Americas LLC, San Mateo, CA. I don’t attempt to follow back down chains of proxies – the logging system provided by my hosts does, and seems to be even wilder in its analyses than my simpler version. I take anything from the very big allocations, especially USA ones, with a very large pinch of salt. Some of the others are probably fairly accurate – if Who Is says, “Virgin, Cambridge” or “Virgin, Stevenage” it’s probably true (a couple of known fiends, or myself).

Clive’s site is hosted by Servage Gmbh, Hamburg.

Correct.

I absolutely wouldn’t be concerned about the ICO.

Fair enough. I’ve removed the facility for the moment, and it’s coming back shortly all legal and proper but hassling users not at all – and sadly thereby not catching as many of them, only the ones who are positively co-operative.

Hmmm… Ever since posting the DeskLib link here, Google crawls that stuff on my personal server… a lot. I ought to modify WebJames to send an “Expires” header based upon the age of the file, or something.
Or just add DeskLib to a robots.txt file. That’d be quicker. :-)

Of more interest are the Romanian hackers bragging about their activities and then trotting out the same tired script-kiddie rubbish that I’ve seen plenty of times before.
Seriously, this is in my log:

218.2.22.147 - - [08/Oct/2017:19:24:30 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 213 "" "ZmEu"
218.2.22.147 - - [08/Oct/2017:19:24:31 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 345 "" "ZmEu"
218.2.22.147 - - [08/Oct/2017:19:24:31 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 345 "" "ZmEu"
218.2.22.147 - - [08/Oct/2017:19:24:32 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 338 "" "ZmEu"
218.2.22.147 - - [08/Oct/2017:19:24:32 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 342 "" "ZmEu"
218.2.22.147 - - [08/Oct/2017:19:24:33 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 342 "" "ZmEu"

Yawn.

I’m not impressed.

This stands out for it’s weirdness:

164.52.0.141 - - [04/Oct/2017:15:07:04 +0000] "USER test +iw test :Test Wuz Here" 501 234 "" ""

This is all from my Pi server running WebJames. I don’t look at heyrick logs – life is too short…

Now that sounds interesting. Might look into that…for various reasons/purposes…

Let me rummage in my site’s .htaccess to see if there’s anything that might be of use to you.

# Set up support for PHP in HTML
AddType application/x-httpd-php .html .htm

If you want to look for “index.php” as the index page in preference to the usual index.html, but falling back gracefully:

# Specify directory index page as index.php, then index.html
DirectoryIndex index.php index.html

Set the timezone:

# Set the timezone to European time
SetEnv TZ Europe/Paris
php_value date.timezone 'Europe/Paris'

Because some really old content tries to link back to an “index.php3” page, fix that:

# My ages-old (turn of the millennium) site had index.php3 as the
# main index page, fix any equally old pages that link back to it
Redirect 301 /index.php3 <a href="http://www.heyrick.co.uk/index.html">http://www.heyrick.co.uk/index.html</a>

(redirect should be a full URL; I probably ought to make it https these days)

The cute-girl 404:

# Jiggle a custom 404 to be the cute-girl one
ErrorDocument 404 /errdoc/notfound.html

Yeah. Google and Microsoft both crawl my site. They’re welcome, as long as it doesn’t upset Servage. Or someone else is coming via them, I wouldn’t know.

Because I don’t host my own site and don’t pay Servage for a detailed log, I don’t get one from them – just some fairly general stats. And I don’t know how to get more information than I’m getting with my PHP, or even whether it’s possible to get much more. Apart from more accurate information about where accesses are coming from, I don’t think I’m terribly interested.

Sadly, I don’t really understand your log.

And if you want to set up an easy directory view, like https://www.heyrick.co.uk/random/ then you will want a .htaccess file within that directory that says this:

Options +Indexes

<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
</Files>

IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=* SuppressHTMLPreamble
IndexOrderDefault Ascending Name

So I can just drop stuff in /random and the server will build a pretty list automatically. The <Files ... </Files> part is very important, it hides the .htaccess file.

Because I don’t host my own site and don’t pay Servage for a detailed log, I don’t get one from them – just some fairly general stats. And I don’t know how to get more information than I’m getting with my PHP, or even whether it’s possible to get much more.

Every server generates a log that looks like the ones I posted snippets of above. It’s a standardised format. I can’t believe Servage would expect to be paid extra for something the server does routinely!

Apart from more accurate information about where accesses are coming from,

The problem with that is that the server just records IP addresses, not locations. There is a piece of software (“analog”) that can break this down, but you may need to pay extra for that.
Really, the only thing likely to be of interest is “what is popular”. Some simple PHP can write a list of user agents (to allow you to discount bots – Google, Yandex, etc) and paths requested to a file. This file can hide on your site, be fetched with wget and thrown at a bit of BASIC to just count up how many hits a particular page had.
If you can be bothered.
I used to.
Now I’m not.

Sadly, I don’t really understand your log.

The first line is bragging.
The rest are generic attempts to access “phpMyAdmin” that has not been secured.
They are trying various common paths to locate the “setup” script (which, if found, will let them hijack the server). You can see WebJames just throws a 404 back at each attempt, and “ZmEu” is the user agent, it’s a five year old vulnerability scanner that searches for phpMyAdmin weaknesses, named after a Romanian dragon.
Yes, that’s right, these w00t w00t hackers ran a program. FAIL. PMSL.

I can’t believe Servage would expect to be paid extra for something the server does routinely!

No, they don’t. I can get a log like that. My own logging picks out the bits I want, by IP address, User Number (formerly and futurely), and by page of my site.

The problem with that is that the server just records IP addresses, not locations.

Yup. I can get at those. Servage appear to track back locations somehow, but it doesn’t seem to be any more accurate than Who Is, possibly less.

be fetched with wget and thrown at a bit of BASIC to just count up how many hits a particular page had.

My php does that for me – a bit more than just counting hits. It gives me some clues about what route through my site users take, how they get to particular pages, things like that.

Yes, that’s right, these w00t w00t hackers ran a program. FAIL. PMSL.

Not unusual, even if you’re paying for the “service”
A few years back our then “associate director” hired some people to do “penetration testing” and they ran a set of scripts. A cli terminal session onto any of the switches declared the manufacturer info as Nortel so it was something of a surprise to see attempts to log on using common Cisco default details. It was actually doubly a surprise because their remit was to test the servers and for that round of testing the network was declared off-limits since I already knew the SNMP setup was insecure.¹ They then lied about having made the attempt(s) until presented with the logs as evidence.
These people take chunky money for running scripts and freeware.
If anyone is interested the firm have a name which is a homonym for a type of energy.

¹ Being a confirmed pain in the nether, for their next visit when networks were on the menu, I changed the access on the switches to only respond to my IP and took the day off.
>:)

Penetration testing is one thing. I am just amused that some outfit that wants to be thought of as hackers (in the pejorative sense; re “blackhat”) is still using a ~5 year old scanner looking for the same flaws as others have done numerous times in the past (and I have the logs to prove it).
They aren’t [cr|h]ackers, they’re script kiddies at best.

The “USER” line? That was new. Not seen that before in the logs.

They then lied about having made the attempt(s) until presented with the logs as evidence.

Shame you couldn’t swing the PHB to refuse payment on… oh, let’s see:

• failure to follow instructions
• failure to realise that logs would be maintained
• lying to cover up their misdeeds

These people take chunky money for running scripts and freeware.

Sadly, the hack scripts are likely to uncover a fair few flaws in the setup, due to what comes down to a mixture of cluelessness and stupidity.

There’s a note on the video camera recorder at work telling me what the password it. It’s a numerical phrase known to many British people as meaning “this programme is subtitled”, twice. So I go Google on my break for the make and model of digital video recorder and… yup… it’s the default password.
But what can you expect for a company whose IT guys think WEP is secure. :-/

I’d really love to scan open ports on the network at work. I bet there is all kinds of stuff offering telnet (the DVR? the printer?) not to mention open shares and the like. And each machine has open internet access, and the people in charge spend forever and a day yacking to each other on Skype (which now displays some pretty pervy adverts for “singles near you” as you can imagine the French might do it (hint: clothing optional)).

I can’t even say “Things would be soooo different if I was their BOFH”, because I know I’m dealing with people that Google the company name in order to get to the company website (as if leaving out the spaces and sticking .fr at the end is SO hard!).

Now have 45 accesses to the picture of my desk today, including 4 from Rick, and two others twice each, one pair in rapid succession and the other pair hours apart. And the first one from an IPv6 address!

Sadly, the hack scripts are likely to uncover a fair few flaws in the setup

I like to shut the doors before the unwelcome visitors arrive and nick the valuables.
Scanning for vulnerabilities myself is a spare time activity.

Now have 45 accesses to the picture of my desk today, including 4 from Rick, and two others twice each, one pair in rapid succession

The pair in rapid succession were probably me – my mouse button can be a bit jittery and sometimes double-clicks so opened the link in two new windows! It pushed me to finally replace the mouse, which I’ve been going to do for weeks!

I posted a link to a picture of my desk, showing how to cope with a big monitor without straining your neck.

What I have failed to grasp is: Why cut out the desk rather than remove the foot from the TV?

I had a not-unrelated problem with my daughter’s giant TV – I had to move my head from side-to-side constantly to actually follow the action as she had it on the narrow axis of the room. Perhaps it’s because I wear glasses.

Mark you, she also had the aspect ratio wrong, and had just got used to people being generally fat!

I remember that the reason I couldn’t get on with varifocals was that the depth of field went off towards the edges, making me have to move my head to scan a line of text on a conventional-sized monitor! Bifocals were good enough for my father, and they work fine for me! I returned the varifocals!

Set the cookies regardless, and then paste a message at the top of the screen (but not if scripting is disabled by default!) saying some gibberish like “If you continue without changing your settings, we’ll assume that you are happy to receive all cookies on the BBC website.” after having been given the cookie: Set-Cookie: BBC-UID=85d9bdfed49f7777[ridiculously long ID string]…

And a number of those companies plaster the banner on the screen regardless of whether the customer is in the EU or not. Fortunately I’ve never seen a full blue screen (!) like Slashdot apparently does over there…

Oh I see me, apparently.

This reminds me of something I heard that my ISP told someone. They said that multiple premises share an IP address. All I could say is that has to be rubbish. I mean I know they are terrible, but that would be disastrous.

The ony reasons I’m with them is I have a wonderful, deprecated plan which has unlimited data. Also if I were try to change I’d lose my ADSL2+ connection at the exchange and be left in limbo halfsaw between providers because the slot would be taken by someone else before changeover occurs. It’s been full for years, so I’m sticking with it.

Big Brother’s job is even easier because they can collect the metadata of all internet activity. Then there’s how police vehicles automatically check the records of the owner of every car they see. The recent plans to add all drivers license photos to facial recognition for public places etc.

Then there’s the thing that surprised me most. My council sent me a letter about a water leak. Apparently there has been a low level of 24 hour usage of water for months. So the water meter is smart enough to track and record hourly water usage apparently. This kind of bothers me.