sysadmin - 31.5.2011 - 21.5.2012

Matasano Security - Matasano Web Security Assessments for Enterprises. Analysis of cryptography in JavaScript. Summary: Cryptography in JavaScript is usually a bad idea, as the JavaScript is loaded from an untrusted source or untrusted network (if you trusted it, cryptography would hardly be necessary) and therefore a chicken-and-egg problem exists. Regarding the previous 0bin project: cryptography was not implemented to secure the user, but to secure the 0bin operator - it is therefore relatively irrelevant to the operator whether users are secure or not, it is only about "plausible deniability" for the operator. The situation is different, however, when a JavaScript encryption is implemented instead of using SSL.

sametmax/0bin. Interesting approach to circumvent the problems of pastebin hosting. With pastebin-like sites, the problem is that users post all kinds of content and the server operator can quickly be held liable. 0bin tries to shift this problem so that the operator cannot know what is in the pastebins, as they are stored encrypted and the encryption is done by the client via JavaScript. This works, of course, only if the judges also accept that the server operator cannot know what is going on - and not, for example, argue that he should then just install different pastebin software where he can know and still hold him responsible. Certainly an interesting approach, especially the idea of putting the key for the encryption in the hash of the URL (i.e., the part after the # in the address) and thus having a functioning URL, but still not providing the server with the key (since the hash of a URL is only used by the client and not communicated to the server).

R17 - flexible, scalable, relational data mining language. Looks quite interesting, basically something like a cross between AWK and SQL. The result isn't really pretty, but it seems practical - especially because you can easily use multiple processors, or even multiple machines (implicit parallelization), and thus also quite easily evaluate large amounts of data with ad-hoc queries. Because there is a simple format for passing data to further steps, it can also be easily adapted to new data sources without first running a lengthy export step there.

Plumbum: Shell Combinators and More — Plumbum: Shell Combinators. Looks interesting and much better thought out than some alternatives I've looked at (and far more extensive than shutil+glob).

ownCloud.org | Your Cloud, Your Data, Your Way!. I will definitely keep an eye on this, because once the OSX desktop client and the iOS client are available, this will be a clear alternative to Google Drive, Dropbox, or SkyDrive for me. After all, I already have my own server (the classic "it's already there anyway" solution), and I would only use Dropbox for integrating various iOS applications, then pull their content into my own server and distribute it to my desktops. Because no matter how good a cloud provider is (and so far Dropbox is one of the clearly better ones), my own server gives me more trust in the end.

pycounters. I need to check this out, it allows you to easily integrate counters into a project that provide data on things like function calls or similar - basically something like the Windows Performance Counters, but for Python projects.

Virtualenv-clone 0.2.2 : Python Package Index. Not yet tried, but according to the description it copies virtualenv environments and fixes import paths, egg files, .pth contents and scripts. And it should work more completely than relocatable virtualenvs.

abique/tmfs. Poorly blogged, could be helpful someday - a user-space filesystem for Time Machine backups on Linux.

The unbearable finality of pixel space. I tried the linked archiving tool for Flickr once and it works really well. I can even forgive the PHP for that. I have also occasionally pushed Flickr images into this blog (the "Neulich auf Flickr" posts), but the advantage of this backup script is that the structure and even the Flickr access rights are preserved. Unfortunately, albums and sets are not yet backed up, only the photostream. And the layout is very spartan. But maybe this would be a candidate to play with Bootstrap 2.0 and spice up the whole thing a bit.

pyp - Python Power at the Prompt - Google Project Hosting. Since I prefer to play around with Python rather than awk or perl, this is quite an interesting tool. You can use it to edit text files with similar features as awk and perl. And all of it as a one-liner - pyp simply defines a few variables and operators that you can use. Looks quite good.

Gprowl is a nice little script that monitors a GMail account and sends messages when a new message appears in the inbox. With this, you can create push notifications if you use Sparrow (which does not yet support push notifications). Of course, it also works with forwarding and BoxCar, but I don't really want to forward my spam to other servers ... (and hey, the script is in Python!)

Heroku | Clojure on Heroku. And even more Lisp. With Clojure, you can now also work on Heroku, the cloud platform. This might be an alternative to, for example, Google App Engine (on whose Java incarnation Clojure also runs).

Chrome can be cracked in five minutes | Products | futurezone.at: Technology-News. Oy Gevalt! I think some people need to rethink things now. No, sandboxing is not a guaranteed solution for security, it is at best a single component of a complete solution. And yes, making programs more complex also increases the complexity of the security situation. And eventually, there will be a breakthrough like this. (and no, the other browsers are no better, Chrome was just considered "secure" for longer and after the last Pwn2Own it was considered "uncrackable" by some)

Vagrant - Virtualized development for the masses. Looks good: you can quickly set up a development environment based on BSD or Linux from the command line - and then work with it without having to install a bunch of things by hand. Basically appliance templates that can be installed via a command line tool. And a whole range of systems are supported as hosts (including OSX, for example). So this is also a very easy way to set up a LAMP stack or something similar under OSX.

Hyper-V, Virtual Machines, Drive Letters, Madness, Microsoft

Yupp, the above combination is really not great. Scenario: Hyper-V machine, several virtual machines, some with snapshots, various very long-running installations and a lot of work in these machines. New machines are created based on existing images, which are each generalized with sysprep and prepared for first use and then configured.

Enter the system administrator: a new virtual machine is created, sysprep is run - unfortunately not in the virtual machine, but on the Hyper-V server. After that, it was gone. First panic attack.

A colleague revived the (of course remote) Hyper-V server and put it back into the domain; I log on. All configurations still there, all virtual machines still there. Not a single one of them works. Second panic attack.

Trying to edit the virtual machines: no go - the configurations are not accessible, Hyper-V thinks they are all on drive C:. Checked, oh, the drives I: and J: (where the machines were before) are no longer there, they have different letters. Ok, letters changed back and Hyper-V restarted. None of the machines run, they still think they are on C:. Third panic attack, as I realize that no configuration changes can be made.

Well, even in the configurations and the registry there is nothing about this mysterious C: - where does it come from? After a long search, found it: for each virtual machine and for each snapshot, Hyper-V places NTFS symbolic links. These are located under %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V in the subdirectories "Virtual Machines" and "Snapshots" and point to the real target files. And in some magical way, all of these pointed to C: - apparently NTFS "corrected" defective symbolic links pointing to non-existent drives at startup. Great.

So the links were recreated (first only for an unimportant server, so I can see if it works). Of course it doesn't work, because Hyper-V ignores the nice new symbolic link. The permissions are wrong. Icacls can fix that - "NT VIRTUAL MACHINE\" is the syntax for the pseudo-user that needs to be granted access. But it doesn't work. Fourth panic attack.

Found, while swearing, that a Frenchman also had problems with this - Microsoft in its great wisdom has localized the names. Under the German version it is therefore "NT VIRTUELLER COMPUTER\". Great. Really great. That only cost me 2 hours of my life.

German Keyboard Layout under Parallels, VMWare, BootCamp and VirtualBox - Info - Schirmacher. Because I needed it just now - this moves the special characters that you do need occasionally when programming to keys that are more Mac-like. Not perfect, but much better than the standard PC layout, as the MacBook usually doesn't have any markings for these special characters, so you would otherwise search for them in vain.

CoRD: Remote Desktop for Mac OS X. Hmm, let's take a look, it should be good - better than Microsoft's client.

How to rebuild Debian packages. Since I had to do it again - the especially important part is the hint about dch --local blah, so that you get version numbers that differ from the official ones and are not automatically overwritten by the current version from the Debian repository.

Google Wallet PIN cracked on rooted Android devices | The Verge. Well, that was quick. I can't help but smirk. Google should really have better people implementing such things.

Technical Documentation of the Pistos Diaspora forks with a whole lot of interesting features that go beyond the normal Diaspora code. There are some things in there that really interest me, maybe I should think about moving to Amsterdam. Therefore, here's a blog reminder.

Linux L2TP/IPSec with iPhone and Mac OS/X clients | PEEN.NET. Helped me install an L2TP/IPSec gateway on my server that works with the iPhone. This is already a quite nice solution for not shouting all your data out loud at hotspots. However, because NAT traversal is disabled in the Ubuntu package (due to security concerns), it is a bit fiddly, as you really have to compile the strongswan package by hand. Additionally, it's a bit annoying that you always have to activate the VPN on the iPhone manually - it doesn't stay active at the top. What you actually want with VPNs is for them to be always on - because otherwise you end up accidentally sending data over unencrypted paths where it can be intercepted.

Phalanger 3.0 | PHP compiler for .NET. Hmm, completely passed me by - there is a PHP compiler for .NET, which makes PHP a fully integrated .NET language. And this also runs with Mono. And it's so complete that you can run a current Wordpress under mod-mono with it - and according to benchmarks, the performance goes up significantly. Maybe I'll take a look at it in a quiet hour.

EComStation - Wikipedia, the free encyclopedia. Wow. While we're on the topic of Rexx - OS/2 is still around. Even if it's no longer made by IBM - does the company have licenses from IBM? Or do they just have a huge warehouse full of OS/2 Warp installation media lying around?

BUSTED! Secret app on millions of phones logs key taps • The Register. Android phones infected with a rootkit/keylogger. And if I read that correctly, the software was apparently installed by network providers and/or device manufacturers. Oh, of course, it's just a "diagnostic tool" - just like the various trojans for PCs are only remote maintenance tools ...

Security flaw: Fire hazard with HP printers? - Golem.de. Finally able to remotely burn down offices. Surely every hacker dreams of that. Thanks HP for this extremely useful feature.

YaCy - Free search engine software and decentralized web search. I'm a fan of distributed systems, so I should definitely check out this distributed search engine (alongside the distributed overlay network Tor and the distributed social network Diaspora, certainly an important component in a potential "free" network).

CCC | Chaos Computer Club analyzes current version of the state trojan. Well, well, the current state trojan is just as bad as the alleged prototype. And of course, everyone claims not to use it. So what is the wonderful, legally compliant version of the state trojan that is allegedly used in the authorities? It would be interesting if the authorities would provide this trojan to the CCC for analysis. But that would be honest and transparent behavior. Apparently, we can no longer expect that from authorities in our banana republic.

Time zones: tz database shut down due to lawsuit. This is probably one of the extra-absurd cases of patent extortion. Time zones are hardly copyrighted by this silly company, and the banal compilation of facts that do not belong to you really does not have a level of creativity that needs to be greatly protected. Patent trolls are annoying.

oryx-editor - Web-based Graphical Business Process Editor. Just looked this up for a colleague and it looks quite interesting - I should take a closer look at what it actually does. This could be quite exciting for some work projects.

Straight Talk on Event Loops. After his beautiful rant "Node.js is Cancer", Ted Dziuba goes into more detail about what the problem is with purely async-event solutions like node.js. As the programmer of a rather old project in Python - the Toolserver for Python - I can certainly understand this. There are good reasons why I implemented threads integrated into the event loop for parallel processing where needed. This "async is faster and better than threads" is exactly the same kind of hype nonsense as "NoSQL is faster and better than SQL" and the other fads currently being paraded around.

StartSSL and Nginx. StartSSL is a very good way to obtain SSL certificates for a web server that are actually accepted by browsers. However, these are issued by intermediate certificates that are often missing in browsers - so you have to deliver these intermediates with the server. With Nginx, this is a bit more complicated because there is no separate setting for it - you have to concatenate the certificates into one file for it to work. This is all explained in the linked blog post.

SCO ultimately loses against Novell. Should this nonsense finally be over soon? It's not as if there aren't more absurd proceedings on the horizon (I just recall Lodsys), so it won't be boring. And the entertainment value of the longest-dying IT company has left much to be desired for quite some time ...

Setup services on your Pod - GitHub. Saved for later, I've already set up the link to Twitter on my own pod. I'll probably set up Tumblr soon too, since I still use it quite often. Diaspora is still quite buggy (it really is alpha), but already quite complete in terms of features. And it's fun to play around with. However, people on Diaspora pods should also post more there, otherwise the social aspect has its problems - it took self-experiments on two pods and several days of waiting before I knew that posts actually reach me - not because of technical problems, but simply because no one wrote anything ...

Schneier on Security: New, Undeletable, Web Cookie. On to the next round: ETags are evil! Since they can be assigned arbitrarily by the server, you can simply put a visitor's UUID there, and on the next visit the browser sends it back to check whether the file has changed (provided it supports conditional GET, but that's true for all browsers today). The user has no control over the use of ETags - and it actually doesn't make sense to give the user this control - so it's very difficult to defend against this method.

Time Machine - Frequently Asked Questions 30. What are Local Snapshots? Not a bad idea, what Apple came up with there. The first rumors about local snapshots sounded rather strange, but what has come of it - automatic snapshots for on the go, when you don't have your backup drive plugged in - is quite practical. Not for real recovery in the sense of a disk crash, but for the usual "oops, I'm stupid, I didn't want to delete that yet" situations. However, I would like it if there were a GUI in Time Machine for this, where you can turn local snapshots on and off - yes, I know, you can do it from the command line, but I'm not an Apple user for nothing, I want pretty graphical buttons to press!

Sankra Software: Disable OS X Lion Resume per application. Since Apple implemented this feature a bit "aggressively" (it is also activated for apps that do not explicitly say "turn this on, I can handle it"), it can sometimes be quite annoying - some apps then perform both their own "new program start" action and then the system's action afterwards - for example, some editors open two windows on the same file if both the editor and the OSX say "Restore Window". Therefore, it is not impractical to be able to disable this feature per application. Although, of course, this will be forgotten at the latest when the application is updated, and you wonder why the windows no longer open automatically because the application has switched from its own control to system control. But hey, software is the last remaining adventure ...

Trunk Notes | Apps On The Move. I've had this on my computer for a while, but only now have I taken a closer look at how to integrate it with other tools. And it's actually quite simple: Use VimWiki. I already use VimWiki for my desktop wiki, so it makes sense to integrate everything so that I can also use it with the TrunkNotes wiki. Of course, this means that various advanced features of TrunkNotes are not supported, but that's not primarily important to me; what's more important is being able to edit the normal content directly. And for that, this little hack is sufficient. At some point, I'll create a special TrunkNotes mode that also supports metadata. Just found: a clone of VimWiki that works with Markdown (which TrunkNotes uses internally) (the corresponding code is already in the developer version of VimWiki).

PostgreSQL Server Tuning. I just used it, and so I don't have to google it again and again, I made a blogmark. Additionally, you will probably also need to increase kernel parameters so that the shared memory can be allocated at all. Because PostgreSQL likes a lot of memory when you execute more complex queries and the default allocation of about 100 MB is definitely too low for serious use.

Data Protection and Social Network Buttons

Just read: Data Protection & Facebook Like Button for Website Operators. I just played around with the various social buttons (they might still appear on cached pages for a while), but then I thought they will probably report more connections between accounts and page visits - and turned them off for now.

The linked article takes a closer look at the Facebook Like Button, the Google +1 Button should be very similar. The Twitter Button is probably not unproblematic either, at least when the server is queried for the number of tweets - but an unproblematic variant of the Twitter button should be achievable, because that is the simplest case after all.

Well, for now I have turned off the toy again, I still have to think about it. Because on the one hand it is of course interesting to enable visitors with active social networks to easily share in their networks - but what is the price?

Google+. Now I also have one of those funny gadgets. However, I still don't really have an idea of what I need it for. What I like is the already quite good integration with other Google services, although I am surprised that I cannot automatically transfer my recommendations from Google Reader to Google+. Or that I cannot import a simple RSS feed into Google+ for automatic posts. Let's see how this develops. The setup for targeted sharing with different recipient groups, however, I already find much more thought out than the strange stuff on Facebook.

Auto Refresh Plus - Chrome Web Store. For good reason, my interest in such things has been piqued. On the Mac, I of course have more comfortable tools, but to simply refresh a webpage until it has a defined change, this one is more than enough.

WordPress 3.2 now available. Update executed (and for the first time also via automatic update and ssh access for the update, since my web server does not have write permissions on the WP code) and everything seems to have worked smoothly, even though I use a number of plugins. Nice. The admin has been really streamlined, much faster responses.

Prowl - iOS Push Notifications. Is a very practical tool for the iPhone or iPad as a supplement, because you get nice APIs with which you can, for example, send messages from servers to the iPhone. Or you use Send2Prowl from Firefox or Prowl from Chrome to send a link directly to your iPhone.

"We sometimes need your permission to do what you ask us to do with your stuff for example, hosting, making public, or sharing your files. By submitting your stuff to the Services, you grant us and those we work with to provide the Services worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works such as translations or format conversions of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission." - because piles of half-informed nonsense will surely be written again now that Dropbox has made its ToS more readable and more complete, here is the important point pulled out once more. Not that I'm under any illusion that this would prevent the half-informed nonsense posts, but at least I can then simply point to the relevant passage.

Ubuntu Cron error - Module is unknown - after libpam upgrade. Argh!!! That really caught me off guard - I didn't notice it for a whole month, so the Metaeule wasn't updated during that time, the cron was just gone. Damn it. I only realized today to look for the cause outside the Eule and then stumbled upon the log messages. Now everything should work properly again. I hope.

Installing gitorious on Ubuntu 10.04. Hmm - I already have an Apache2 with SSL running for my Wordpress administration. And I've also set up a DAV server for document synchronization (in case MobileMe is replaced by iCloud and loses the iDisk in the process). Besides, it's sensible anyway, because the iDisk is so slow. I could also install my own Gitorious there and put my own repositories on it. Just blogged about it, but I should really take a closer look at it.

SparkleShare - Sharing work made easy. Badly blogged, but this looks quite promising at first glance - a simple Git server is used. Unfortunately, it seems to be based only on SSH Git, not HTTPS, at least I don't see anything about it in the docs - HTTPS would be more universal (even if passwords would then have to be stored). What is still missing is an iOS or Android client (Android is apparently in the works), but OSX is already supported. It seems that the most activity in the open-source alternatives to Dropbox is happening here - but I'm still wondering how the server behaves with massive file additions and deletions - for example, I have the current raw photos of the last few months in my Dropbox. A "raw" Git repository grows very quickly to unimaginable sizes ... (and you probably also have to do regular packs so that changes to DNG files don't blow up the repository). One small detail on the side is still important: SparkleShare uses a public IRC server for synchronization messages - so even with self-hosting, all clients are on this server and exchange their triggers via it. Should be kept in mind, because this would be a classic attack vector (and if the IRC server fails, the self-hosted system also hangs). SparkleShare is open source, so you can certainly also plug in your own IRC server here and simply use your own packages.

The Postillon explains: What can the National Cyber Defense Center do?. Awesome. Simply awesome. Next, they'll buy a computer... (I doubt it, though, probably its purchase will be canceled for budget reasons)

Metaverse Ink Blog» Blog Archive » The 4,096 “bug”. Why OpenSim operators should set up their grids with region coordinates below (4096,4096) - the higher coordinates simply cause too many problems and it doesn't look like these problems can be easily and compatibly fixed. Since region coordinates are internal to the grid, it shouldn't be a problem if multiple grids lie in the same coordinate ranges.

Function Reference/site url. I need to go through this more carefully, because if a site is supposed to run in parallel under http and https, then there must no longer be any absolute references, everything must be routed via these functions. A few plugins (jQuery Lightbox and Infinite Scroll) also cause problems here, so bug reports will probably be necessary.