PHP Software Engineering

Blocking Tor Exit Nodes by .htaccess with PHP

What is Tor?

Tor is a multi-layered anonymizing proxy, used by a lot of parties interested in privacy or avoiding government overreach (great firewall of China, for example).

It is also used by annoying spammers who don’t know how to configure a traditional VPN, so they rely on pre-configured browsers.

Candidates for this Method

If you run a forum, for example, where you’re not looking for Tor users to visit your site, you can simply deny them with .htaccess. This isn’t the most elegant solution, as a firewall would be ideal. But it is a quick win. This assumes you’re using Apache 2.4, PHP 7, and Ubuntu 16.04. It also requires root access or a user that can edit .htaccess of the site required and run PHP. You should also not have anything already in htaccess, as this will overwrite it. If you require htaccess later, this can be modified as needed.

Configure your VirtualHost

You will need to modify your virtual host (probably located in /etc/apache2/sites-available/——). Adding the code below will instruct Apache to process the htaccess files, make sure to modify the path as needed.

<Directory /path/to/site>
   Options Indexes FollowSymLinks
   AllowOverride All
   Require all granted

After completing the change, run this:

sudo apache2ctl configtest

If you see “Syntax OK” at the end, you did a good job. Restart Apache:

sudo service apache2 restart

Set up the PHP script by entering your path where it is bold below:

$nodeList = file_get_contents("");
$nodeList = str_replace("\r\n","\n",$nodeList);
$lines = explode("\n",$nodeList);

foreach ($lines as $v) {
 if (substr($v,0,11)=="ExitAddress") {
 $exitNode = explode(" ",$v);
 $exitNodes[] = $exitNode[1];

$file = fopen("/path/to/site/.htaccess","w");
fwrite($file,"# Any changes here will be overwritten. File managed by /automation/getTorNodes.php".PHP_EOL);
foreach($exitNodes as $v) {
 fwrite ($file,"Deny from $v".PHP_EOL);

I like to have this file in an automations folder. You can trigger it as often as you like, though I recommend not more than once a day. You can either manually trigger the php script, or add a cron job.

Bonus: If your firewall is a Ubiquiti Security Gateway:

You can SSH into it and modify /config/config.json and add this in. I haven’t tested persistence across re-provisioning. I’d suggest adding the group through the web UI first, finding the IP(s) you added in the JSON, and then adding them there.

 group {
 address-group 5a61631fe4b0d5a0bfa53416 {
 description customized-TorNodes




Cybersecurity Phishing Security Virus (Well, Phishing Scam)

First off, I want to be very clear that this is not actually a virus. This is a phishing scam.

I also want to make it clear that just seeing the domain does not mean it is a scam, likewise not seeing that domain does not imply it is safe.

Sadly, the local community college would rather tell people about art than about data security and privacy, and the term “ virus” is a term people often use for these things.

What is this Site?

It is a URL shortener, similar to,, and others. In lieu of telling a friend to visit “” you can create a short link, and tell them that instead.

That’s where the utility ends, and the scam starts. Link shorteners allow masking the actual destination of the URL, and thus, makes it harder to determine if the destination is legitimate. This site: CheckShortURL allows you to paste in the short URL and see where it is going. Always do this.

How does this scam look?

It could be anything from a friend to a post in a garage sale site. Below is an example of one I seen on a garage sale site just today:

Facebook Phishing Campaign

If you see something that sensational, it’s probably going to be fake. It has no place in a garage sale group. Another good indicator is that commenting is turned off. Why would you share news and expect no reactions? Simply put — it’s because they didn’t want the scam unveiled.

Sadly, this user probably fell for this trick, and lost her account which is now posting this in all of the groups she’s in. It may even be requesting money from friends and so on.

Facebook does not provide a good avenue for reporting this sort of issue, and garage sale group admins aren’t always online. I went after the hosting company itself “Wix” to see if they can approach it, but at the time of writing no action was performed.

So, I clicked the link to see where it goes…

… I did it safely though, using a Liveboot of a Linux distro inside of a virtual machine. This sandboxes the attack from any valid sessions I may have open. At this point I didn’t understand the attack, so I was extra cautious.

At first, the link takes you to this page:

Broken Video
Pretend broken video

Looking here, you can see the image is warning you of gruesome content — you probably expected this consider it would show people hurled off of a roller coaster. (Alright, so it’s kind of sick you’d click this, but whatever). Simply hovering over the pretend video player reveals it takes you to another site entirely… but it isn’t what you think:


Here, I left the URL bar partially visible. You can see obviously that you’re not on Facebook, but it is looking for your login. This is where people fall victim, they enter their e-mail and password to see the video. At this point, the attacker gets a copy of this.

I did a “whois” inquiry, which may allow me to see who owns this hacking domain, but the owner was hidden. The registrar was (this is where they bought the domain). All of them have style e-mail addresses to report the phishing scams, though the turn around for these sites is often low.

How do I know if it is Facebook asking for my login?

When in doubt, don’t log in. In this case, it is obvious that the site is not Facebook. In some circumstances you can specify a fake email and password. If you don’t get a “bad username or password” message, it’s probably a bad site. (This is a guide, not a rule).

So I’ve been scammed, they have my FB login, but do I get to see the video?

Imgur wtf
Imgur wtf

Nope, rather hilariously, they dump you on imgur — at a “page broken” image. There is no video, there’s only you and your vacated account.


I worked with’s abuse contacts (who is the registrar of the domain) and they acted promptly and cleared all of the DNS records for the domain, effectively taking it down.

Unfortunately, I had also reached out to Wix about the initial hosting domain, and as of this update the page is still live, and they offered to “report it” even though it is one of their own customers. Obviously, clicking the link below exposes you to part of the phishing site:




MOS 6507 Software Engineering

New Atari 2600 Game — Speedway

Download Speedway v0.1

The Atari 2600 was released back in September of 1977, 40 years and a few months ago. I wrote a rather simple driving game for the Atari back in September of 2014, and finally I’m getting around to putting it online.

Lerner Manufacturer Title Card

Don’t expect a whole lot, I’m not a graphic designer, or a game dev. I’m also younger than the system I built for. I built it for fun as a learning lesson, as the 2600 is notoriously hard to program for (racing the beam, etc).

Speedway Title Card
Speedway Title Card

Well, if I’m going to make something to “race the beam”, what better than a racing game. Be prepared, GTA5 lovers, these graphics are “SIK” and “4K” if 4K means 4Kolors:

Speedway Screen Shot
Speedway Screen Shot

You’re the car on the right (solid black), the opponents are your drunk neighbors (the car on the left). They’ll drive on the wrong side, the middle, anywhere! Your job is to avoid a collision by using a joystick to move left and right. You can accelerate by going up, or crash into the wall to slow down.


Speedway Game Label
Speedway Game Label

The archive you downloaded (top and bottom of post for the link) includes some game art (the top and front labels, if you are going to flash this to a cartridge), as well as a nice, full-color manual! The picture is one I took ca. 2003 at the NHRA drag races at Route 66.

Speedway Manual
Speedway Manual

The game is playable, it’s enjoyable, if you go fast enough, it’s hard. It may even run on an old school 2600, though I recommend a nice RetroPi or, for even more immediate results, Stella.

Please leave feedback in the comments! I always enjoy it! (Good or absolutely terrible!)

Download Speedway v0.1

Smart Home

My Not-So-Smart Home

My Smart Home

Smart homes are fantastic, have an old fan with a light kit, but want it to dim? You’re either pulling an extra conductor and expanding the switch box, or you’re going to burn up the motor by throwing the fan on a dimmer. There does exist a third option — smart bulbs. You can throw these in a standard E27/A19 socket and dim them from your smart home!

Anything from detecting break-ins, playing music, to controlling your HVAC equipment can be done with this technology.

Without open standards, APIs, and people to integrate these technologies, the smart home will continue to exist as a heavily segmented (and thus broken) paradigm for the luxury segment.

My experience is with the Wink Hub (original one), a Emerson Sensi Thermostat, and an old Vivint panel.

Emerson Sensi Thermostat

Emerson Sensi
The Emerson Sensi Thermostat

Overall, the thermostat is great. Installation was a breeze, the power consumption is low enough where a C-wire isn’t required, and setting it up with the app was easy. It also integrates with my Wink app. Downside is that the protocol is closed and secured, and there’s no option for local network control. The Wink app allows control apparently by scraping the Sensi website and sending commands to that. As is standard on a lot of these major manufacturer ‘stats, a disclaimer reads something to the effect of “there is no charge for the online service … this can be changed at any time with or without notice to you.”

A coworker, and also a friend of mine (due to my recommendation) have both bought the Ecobee 4, which seems to not only provide a robust API, but has a very attractive web interface and logging capabilities. As a matter of fact, it was this thermostat that had me forego my ThermoPi project (a Raspberry Pi-based smart thermostat). It had everything I wanted to build!

Another downside of the Sensi thermostat is that the app does have issues logging in occasionally, and changing the setpoint seems laggy. Setting up schedules is really easy though, and for a cost, you can whitelabel the thermostat for integrators, installers, and HVAC technicians.


CREE Connected Bulbs

Cree Connected Bulb
Cree Connected Bulb

I have over ten of these CREE bulbs, mostly the warm white color. I’ve had no issues with them once they’re paired (the pairing process is a pain as the Wink App seems as if it stopped responding). The only downside is that they are not outdoor rated, so I cannot use them in my sconces and dim them later at night, or turn up brightness on command. The open design would seem to invite moisture and insects. I’d purchase an outdoor variant if they’d make it. The quality of the light they give off and the brightness range is fantastic.

Kiddie Smart Smoke & C02 Detectors

Kiddie Smart Detector
Kiddie Smart Smoke & C02 Detector

These units seem great and work very well as networked smoke/C02 detectors. Setting off one will cause any of the other units with the same ID to alarm as well. Unfortunately, you cannot uniquely enumerate what device is going off, so any notifications sent to your phone will have the same name despite the individual device alarming. These do integrate with Wink and seem to work quite well (the networking radio portion seems independent of Wink — which is fantastic as it should work in times when your internet is down, Wink is down, or your power is out.) I have my system to automatically switch on all fixtures, and shut off all HVAC equipment (fan, AC, furnace) to stop blowing oxygen to a fire or stop C02 from being circulated.

TCP Connected Bulbs (5-6″ retrofit Can Lights)

These are both color temperature and brightness variable, which are fantastic. I had envisioned my home theater system — turn on the movie, these smart Wink shades automatically drop down… my lights in the room fade to a 2700K warm glow before fading into darkness just as the movie starts. I could make this happen, I know I can. I used their original API and I know I can send the commands. The problem exists that there is sometimes a few MS delay… up to 10 or more minute delay before commanding a bulb to go off, and the wink hub executing it. I can only imagine this is due to the routing delays of sending these commands out of my network, to theirs, and back again. Even though they have released local control a while ago, it seems flaky at best. Perhaps a Z-Wave dongle would do the trick better.

Samsung 7-Series 55-inch UHD Smart TV

I had a Note 7, I loved it. Best device I ever touched, even now. The thing made my love of technology flourish. It was the “bomb.”

Sadly, I evangelized Samsung products before the recall, had bought a new refrigerator that makes small gunshot sounds. I’ve reported the issue to Samsung who confirmed I was within the warranty period, but insisted that I video the fridge making the sound. They refused to reimburse my costs to tape the intermittent sound.

Anyway — the TV, the reason you’re here. It has a “Smart Hub”, which basically means they made a really shitty Roku clone and glued it to one of the  HDMI ports. The thing freezes, and if Netflix’s terrible “original” content wasn’t bad enough, I can’t watch half of it as it refuses to load. What inflames me the most is when it says it cannot connect to the internet, but my extremely sexy Ubiquiti radios tell me exactly when it connected last. Below, you’ll see I bought a Leviton outlet to powercycle this piece of crap each night to see if it helps. So far, only “kinda.”

Yahama RX-V479 Receiver

Yahama RX-V479
Yahama RX-V479

This thing seems to work pretty well, it has a decent mobile app to control it, and a nice local web interface for doing just about anything else you’d want to.

Wink’s Awful App Layout

I’ve never been an iPhone user, however the Wink App may follow their “we only have one little circle button” paradigm, but it doesn’t work for everybody on Android. If I hit back, I don’t want the application to disappear, I want to go back.

Wink’s App – No Confirmation of Signals

If you turn on a light in the app, the icon will turn orange/blue (depending on the color temperature of the bulb). If it is off, then it is gray. The status on the app will change and does not necessarily reflect the status of the bulb.

Completely Awful API / Integrator Support

I had a Wink API key a few years back, I used it, it was a pain, but I was able to use it. It took days after requesting it to do anything with it, and at that, the disclaimer was pretty much “if you do anything cool with this, we can take your idea and give you nothing.” Well, that API key disappeared. No announcement of EOL for developers consuming their API. They did make a new one, and it still took days for them to manually e-mail out a key to me. I’ve done nothing with it, I can’t justify spending time building for a platform like this.

Leviton Smart Outlet

Leviton Smart Outlet
Leviton Smart Outlet

I’ve installed one of the 15-amp smart outlets to enable remote power-cycling of my terrible Samsung television I bought. The outlet seems to work great, turning on and off. Wink, on the other hand, sees this as a “light” item, and therefore when you toggle the “All Lights” group, it includes this outlet. It’s a bit loud too, the contacts sound pretty hefty. I guess they’d have to if you were saturating the 15A limit. The issue comes down to IFTTT, or the Wink term “Robots.”

I have a Robot shut off my “All Lights” group at 12AM and 8AM, which trips the TV. I do this for electricity savings, however the TV was never supposed to be a part of this. The Samsung TV turns on, as does my PS3 when the power gets restored, so my 12:01AM robot turning just the outlet back on ends up costing me money as I turn off a bunch of lights, but effectively turn on a 55″ LED panel with a computer strapped to the back.

I’ve asked @WinkSupport for a resolution date, but they replied that they have logged it as a “feature request.” Any developer can tell you that means the issue was interpreted as a “lowest possible priority bugfix”, e.g. never.

In Closing…

Most of my smart home technologies are fantastic independently, and the folks over at Quirky/Wink have the hard job of integrating all of these technologies. That said, they haven’t integrated any of them well since they are trying to perpetuate a closed ecosystem and are disinterested in improving their product or enabling developers to do so themselves.



Payment Card Security Security

How to Scam Garage Sale Sites with Gift Cards

PLEASE TAKE NOTE: The title is correct, this is how to scam users of garage sale groups. The intended audience, however, is victims and group administrators. The goal here is to convey how easy it is to defraud people into purchasing gift cards, and why they should not be allowed for sale in these groups.

You should never purchase used gift cards from anybody without the authorization of the selling store, and their support transferring your balance to a new gift card.

Short Version of the Scam

When you purchase a gift card from somebody on the Internet, you may find that paying $50 for $100 of merchandise credit is a fantastic tradeoff. The fact is, you will pay $50 and they will keep the $100. Leaving you out money.

How this scam works

This is nothing new, it is very similar to how credit card fraud has worked for years, however there are many site admins and potential consumers unaware of this tactic.

How Payment Cards Work

Your older credit cards, and the majority of gift cards in the world use a magnetic stripe (the black line on the back of your card). This mag stripe, from a fundamental level, operates exactly like old cassette tapes. When you swipe your card, the equipment reads the card and a special number comes up. This number does not include your balance, but does generally contain the card number, expiration, the name of the card holder, and a few other pieces of information.

This information does not ever change. This is the problem with credit cards, and why EMV “chip” cards were introduced, they reduce the attack surface and greatly increase the complexity of this issue.

The scammer’s shopping list…

The scammer will buy a valid gift card (let’s say it’s $100 worth), and a card reader / encoder. The latter device is roughly $30 from Amazon, and there are plenty of legitimate reasons to sell and own these devices. At this point, an attacker has all of the tools they need.

The scammer reads the card’s data into a computer, and encodes it (sort of like saving a file) onto an extra card that they picked up.

Selling the Gift Card

The card will be listed for sale in multiple areas, usually for some money off the face value, and with the caption “Got this for (insert holiday), don’t shop there” or similar. Sometimes this will be backed up with a picture of the register receipt.

A buyer is found through one of these garage-sale groups, and you meet up. You first call the store to verify the $100 balance, and sure enough — the card is loaded legitimately. You gladly pay your $50 for the card, and you both leave happy. You may head straight to the store, you may wait a few days, or you may be extra hilarious and gift this card to somebody.

Hook, Line and Sinker

As soon as you leave, the attacker has a duplicated gift card of yours and can call a friend at the store to purchase another gift card, food, clothes, or anything else with that card. By the time you get to the store, that card will have a $0 balance, and the Facebook / Craigslist / etc account will be long gone.

Buying Gift Cards Legitimately

The majority of stores expressly prohibit transferring cards between people, and for this reason. The best way to do this safely is that both you and the seller meet at the store in question, and you purchase a new gift card with the card they’re selling, you can then dispose of the depleted card, and your new card will not be vulnerable to this scam, as the seller will not posses a duplicate of your gift card.

There are also websites that may have additional mechanisms for exchanging gift cards, though you should always keep in mind how this works. Companies will often state directly on the cards “TREAT THIS CARD LIKE CASH”, claiming that losing the card or other conditions will prevent them from issuing a balance. Furthermore, as far as the store is concerned, you spent the balance, and store clerks will almost never check a gift card for validity. Even if they do, there’s embossers for that.