Blog

  • Passwords in PHP


    Generally speaking, it is a really bad idea to hold passwords in cleartext. I am actually amazed people still do this! The standard way of holding passwords, which has been around for years, is to encrypt or hash the password and store the result (the ciphertext, or hash). There have been many ways of hashing the password, starting with plain old crypt with no salt (a salt being a random pair of characters), then crypt with salt, through to MD5 and SHA.

    The thing is, each one of these hashing techniques results in a ciphertext of a different length. With most languages this doesn’t matter, because you know which hash you are using; it’s simply the name of the function or some flag you set.

    PHP is different, because all of these methods use the one function, crypt(), which is a little confusing because it does far more than plain old crypt. Around PHP version 5.3 the developers started adding the more complex hash algorithms, which is good, but the ciphertext has been growing.

    A lot of applications store this hashed password in a database, and a decision needs to be made: how big should this field be? For a long while 50 characters was enough, and this is what programs like JFFNMS use. Unfortunately the SHA-512 algorithm needs 98 characters, so what you get is half a hash stored. When the user enters their password, the program compares the full hash of that password with the half hash in the database, and it always fails.

    I’ve adjusted JFFNMS to use 200-character fields, which is fine for now. The problem is, who knows what the future will bring?
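
    As an added example (not code from the post or from JFFNMS), the following Python check parses the modular-crypt prefix of a stored hash and reports whether its hash field is still full length, which is how the half-a-hash problem above can be spotted in an existing user table. The sample hashes are constructed, and the helper names are my own.

```python
# Added example: detect crypt()-style password hashes that were truncated by
# a too-narrow database column. The sample hashes below are constructed.
import re

# Length of the final (hash) field, fixed by each algorithm's output size:
# $1$ MD5-crypt, $5$ SHA-256-crypt, $6$ SHA-512-crypt.
HASH_FIELD_LEN = {"1": 22, "5": 43, "6": 86}
MAX_SALT_LEN = {"1": 8, "5": 16, "6": 16}
BCRYPT_LEN = 60  # $2a$/$2b$/$2y$ strings are always exactly 60 characters

_CRYPT_RE = re.compile(
    r"\$([156])\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]*)")


def hash_is_complete(stored: str) -> bool:
    """True if `stored` carries a full-length hash field for its scheme."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return len(stored) == BCRYPT_LEN
    m = _CRYPT_RE.fullmatch(stored)
    if m is None:
        return False  # unknown scheme, or cut off before the hash field began
    scheme, _salt, digest = m.groups()
    return len(digest) == HASH_FIELD_LEN[scheme]


def max_column_width(scheme: str, rounds: int = 0) -> int:
    """Smallest column width that holds every string the scheme can emit."""
    if scheme in ("2a", "2b", "2y"):
        return BCRYPT_LEN
    width = len(f"${scheme}$") + MAX_SALT_LEN[scheme] + 1 + HASH_FIELD_LEN[scheme]
    if rounds:
        width += len(f"rounds={rounds}$")
    return width


def find_truncated(rows):
    """Return the usernames whose stored hash is not complete."""
    return [user for user, stored in rows if not hash_is_complete(stored)]


# Constructed samples: an 8-character salt gives the 98-character SHA-512 string
# from the post; cutting it at 50 characters reproduces the half-a-hash bug.
FULL_SHA512 = "$6$saltsalt$" + "A" * 86
SAMPLE_ROWS = [
    ("alice", FULL_SHA512),
    ("bob", FULL_SHA512[:50]),
    ("carol", "$1$abcdefgh$" + "B" * 22),
    ("dave", "$2y$10$" + "C" * 53),
]
```

    Running find_truncated over the real password column (or max_column_width before choosing the column size) is the check that would have caught the 50-character field.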

  • Lottery from ancient rockers

    Apparently I’ve won the lottery. What is even more amazing is that it is based not in Australia but in the UK, at the ELO (England Lottery Organisation), and I didn’t even buy a ticket. Even more amazing is that even though this organisation is based in England, they don’t write English very well; perhaps it’s declining school standards. They’re so concerned about giving you the maximum return on the dollar (or pound) that they don’t even use a proper co.uk email address but a free webmail from umail.

    It is, of course, a scam, popularly known as Nigerian 419 or advance-fee fraud. You can win the money but... well, it seems there is some hold-up and you need to pay some “release fee” or some bribe to get your dollars. What makes me a little sad is that it was for only 250,000 UK pounds. I feel ripped off, as a few Google searches showed people being offered over 500,000 pounds in the same scam. Don’t these crooks know I have a high Aussie dollar exchange rate to overcome?

    About the only interesting thing about it was that my dspam filters missed it but they’ve now been retrained with that miss. I think sending it as a pdf was why it made it through.

    And I now cannot get ELO (Electric Light Orchestra) songs out of my head, thanks a lot scammers! (It’s a livin’ thing, ya know)

  • Gjay 0.3.2 released

    After getting past a series of silly errors, gjay version 0.3.2 is now available. The source code has been uploaded to SourceForge and the Debian package has been uploaded to the FTP master site.

    This version fixes the linking bug that has been extensively reported in a lot of Debian packages. This is where you use symbols of one library from another without explicitly linking to it. It means some versions of GCC will fail to link.

    gjay will now create playlists for Music Player Daemon (mpd) and get mpd to run them too. It does need mpd and gjay to be on the same computer, or at least to see the same directory structure, so both programs agree on where each file is. While gjay has a full view of the filesystem, mpd uses a relative one based on its own concept of a root directory.

    As a result of supporting the two music players, the audacious and mpd client libraries are not linked to gjay at build time but are resolved at runtime using dlsym(). It means you don’t need the audacious libraries if you like mpd, or vice versa. I’m not that experienced in using dlsym, so hopefully I’ve not stuffed it up; it works for me!

    In theory, gjay could pass its playlists on to other music players. The problem is knowing how to get the list into the player. After it does its sorting and randomising, gjay ends up with a linked list of file-names. For audacious or (with some caveats) mpd it is pretty simple, because they use file-names, but others don’t. If you know how it is done with your favourite player then let me know.

  • Getting around the WordPress "add image" bug

    WordPress currently has an annoying bug where you cannot easily add images using the built-in editor. Instead of a pop-up being shown with the image setting details, you are sent to another page. Once you choose the image size etc., you go to a blank page. Until that’s fixed, there is a work-around. It’s not exactly pretty, but it does work. I have assumed you have uploaded your images to the media library first.

    First, type up what you want your blog entry to say. Then save it as a draft, which is the button in the blue circle in the screenshot. Then click the “add image” icon, which will bring up the warning to go to the image selection page. This page should be a pop-up on the same screen but is not (and that is the bug).

    On the image selection page choose “Image library” (the blue circle) and edit the meta-data such as the name, caption etc. Once you are happy with your decisions, click the “Insert into Post” button (red circle), which goes to a blank screen.

    The blank screen actually does have data in it. You will need to view source which will show something like:

    
    

    The stuff in win.send_to_editor is what you want. You will also need to change the backslash-quotes to plain quotes, so the code I would use is:

    
    

    You then enter this information back into your post (click back a few times in your browser). Also, make sure you have your editor set to HTML and not Visual for it to work. With that small bit of HTML, I have a nice set of home-grown tomatoes, or whatever else you want.

  • Silly C errors in gjay

    Gjay GUI

    I have been working on Gjay to add support for http://mpd.wikia.com/wiki/Music_Player_Daemon_Wiki where I had what initially looked like a strange problem. When WITH_MPDCLIENT was defined, the program would crash in all sorts of weird places when the main program structure had this:

    #ifdef WITH_MPDCLIENT
    struct mpd_connection *mpdclient_connection;
    #endif

    But would work fine when it was:

    struct mpd_connection *mpdclient_connection;
    #ifdef WITH_MPDCLIENT
    #endif /* WITH_MPDCLIENT */
    

    I tried changing the structure to just void *blah to see if it made a difference and it didn’t. The program would crash every time.

    The answer was pretty simple in the end. WITH_MPDCLIENT is defined in the file config.h, and not every C source file was including it. Needless to say, they should! So half the program was using one version of the structure and the other half was using another; no wonder the whole program was a mess, because anything beyond this entry in the structure would be a few bytes out.

    With that little insanity out of the way, I can get back to making gjay work with MPD.

  • JFFNMS at RC2, ncurses at 5.8

    After some reports back about [JFFNMS](http://www.jffnms.org/) 0.9.0rc1 I have now updated it to rc2. Thanks to all who gave me information about how it worked in YOUR setup. I cannot be sure, but I’d say the second RC will be the last until the release itself.

    Sven has also given me the nod and ncurses 5.8 has migrated into unstable. We’ve had one report that the new version of ncurses might not play well with stfl (see #616711), but generally speaking it should work ok.

    Finally, congratulations to the Debian project on [winning two categories at the Linux New Media Awards](http://www.debian.org/News/2011/20110304). It was especially good to hear the presentation by Karsten Gerloff who is president of the Free Software Foundation Europe.

    ## ncurses bug update
    It seems that the ncurses bug is more serious and is to do with the newwin() function in the library. If you get crashes when a program starts and it’s linked to ncurses 5.8 (even if it is not a Debian system) you may have this problem.

    It doesn’t happen to all ncurses programs, as the stfl example code and mutt work ok.


  • Apache and incomplete redirection messages

    As part of moving my site around, I needed a bunch of redirects so that http://enc.com.au/docs/linuxload.html now becomes because it’s now controlled by [Wordpress][]. So I used the [RedirectPermanent][] feature of [mod_alias][2.2 mod_alias] to do it, with lines like:

    RedirectPermanent /docs/linuxload.html /2010/07/manually_calculating_process_times/
    

    So you come in on /docs/linuxload.html and are redirected to the blog entry; simple really! It actually works, kinda, but the log files fill with things like:

    [Fri Mar 04 14:40:17 2011] [warn] [client 172.16.242.1] incomplete redirection target of '/2010/07/manually_calculating_process_times/' for URI '/docs/linuxload.html' modified to 'http://enc.com.au/2010/07/manually_calculating_process_times/
    

    What is going on? Why won’t Apache just be quiet and be happy? The reason is in the Redirect directive documentation on the [2.0 mod_alias][] page:

    > Also, URL-path must be a fully qualified URL, not a relative path, even when used with .htaccess files or inside of sections.

    But I’m running Apache 2.2 and the [2.2 mod_alias][] page says:
    > The new URL should be an absolute URL beginning with a scheme and hostname, but a URL-path beginning with a slash may also be used, in which case the scheme and hostname of the current server will be added.

    That’s it, you have two choices:

    * Use relative URLs and have Apache complain
    * Use absolute URLs and have a happy Apache

    Changing the above config snippet to use an absolute URL fixed it.

    RedirectPermanent /docs/linuxload.html http://enc.com.au/2010/07/manually_calculating_process_times/
    

    [2.2 mod_alias]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html
    [2.0 mod_alias]: http://httpd.apache.org/docs/2.0/mod/mod_alias.html
    [RedirectPermanent]: http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirectpermanent
    [Wordpress]: http://www.wordpress.org/

  • JFFNMS 0.9.0 release candidate 1 out

    The next version of [JFFNMS](http://www.jffnms.org/) is nearing completion and is now at Release Candidate 1. Version 0.9.0 has a major amount of work in cleaning up and securing the code.

    The majority of the work has been in the complete re-write of the engines that do the polling, autodiscovery and consolidation. The parent/child communication has changed as has the way the processes are forked.

    On the front-end, the requirement for register_globals has finally been removed, with the code explicitly specifying and sanitising the variables it requires. This will make it easier to debug problems and make the application web servers more secure.

    Finally there is better support for High Capacity interface counters and some support for IPv6, meaning you can see how slow ipv6.google.com is from your place.

    JFFNMS 0.9.0rc1 is available from SourceForge at

  • Updating the website

    I’ve finally got the new website up and running after testing for a while. It has combined the blog and static pages into a single site that hopefully actually works and means I don’t have to worry about compiling a site every time I change something.

    The blog software has been changed from [movabletype](http://movabletype.org) to [wordpress](http://wordpress.org) and while the actual migration was straightforward, there was some apache mod_rewrite evilness to update the links.

    There are probably broken links somewhere. The site is so old now that I’m not sure of all the links and paths myself. I think I also succeeded in changing the blog without spamming [Planet Debian](http://planet.debian.org/) with all my old posts, which is a bonus.

  • Syntax Highlighting with Mid-Century themes

    As a site that discusses a variety of programming languages, I thought it would be good to have syntax highlighting for the code snippets. This blog previously ran [Movable Type][], so it had to fit in with the setup I already had.

    So I found the [Syntax Highlighter][] module OK, and the initial installation went fine; it was simply:

    1. Download the .zip archive
    2. Unzip the archive into a temporary directory
    3. Copy the plugins/SyntaxHighlighter directory to my plugins directory
    4. Copy the mt-static/plugins/SyntaxHighlighter directory to static/plugins

    You then need to edit the “HTML Head” template and add to the bottom of it the following line:

    
    

    Next, I like to use [Markdown][] as my “markup” language. But you can only have one text filter. Another plugin called [FormatStack][] solves this: create a new stack and put [Syntax Highlighter][] before [Markdown][]. You can then create documents with both sorts of tags and it works quite nicely, well... almost.

    Mid-Century Problems
    --------------------
    This is probably not a Mid-Century specific problem, but the modern templates or styles may cause a problem. You’ll find you switch styles and suddenly there is no more syntax highlighting. The problem is that the onload functions get overridden. Some styles have an onload property on their body. You’ll see lines similar to:

    
    

    This onload event stops other onload events, which means Syntax Highlighter cannot do its thing. The fix is rather simple: you just adjust the templates so they look like the following:

    
    
    mtAttachEvent("load", mtEntryOnLoad);
    
    

    After doing this and publishing, it all worked! You may also see this sort of problem with other plugins that use the mtAttachEvent() JavaScript call.

    Reducing Includes
    -----------------
    By default, the script includes all the syntaxes it knows. If you want to include only some, you do this by specifying which brushes you want. For example, if you will only highlight Perl and Python scripts then you can change the line to:

    
    

    Syntax Themes
    -------------
    The other attribute the Include line will take is theme. There are several themes; the default is alternating white on grey, with the rest being variations on light text on a dark background.

    [Syntax Highlighter]: http://plugins.movabletype.org/syntaxhighlighter-for-movable/
    [Movable Type]: http://www.movabletype.org/
    [Markdown]: http://daringfireball.net/projects/markdown/
    [FormatStack]: http://plugins.movabletype.org/formatstack/