Planet
InterMapper & RT: You two play nice now…
This is going to be one of my rambling sysadmin-y entries talking about stuff that's probably of little general interest. Fair warning given.
There are two components that I would consider essential to proper system administration: GOOD Monitoring and Issue/Incident Tracking. It is imperative that you know when a problem arises (preferably before anyone else notices) and that you keep track of the problems you have encountered in order to spot troublesome systems and redesign them to stop bugging you.
Those of you who have worked with me know I have my prejudices in both of these areas, and that for the last few years I've settled on two pieces of software to fill these roles: InterMapper for monitoring and RT for issue tracking.
The major caveat of this pairing is that the two have no formal integration: InterMapper will happily send emails, and RT will happily accept emails and turn them into tickets, but RT doesn't know when InterMapper is telling it about the same problem twice, or that a previous issue has been cleared. The end result of this lack of integration is that you have a bunch of RT tickets for the same issue which need to be manually merged and resolved, and this manual bit bugged me enough that I actually took the time to fix it!
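The missing glue described above is a correlation step between the alerts and the ticket queue. As an added illustration (my own sketch, not the author's fix and not InterMapper or RT code), the following Python keeps one open ticket per (device, probe) pair, merges repeat alarms into it and resolves it when the clear arrives. The subject-line format and the sample subjects are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample notification subjects, in a format assumed for
# illustration (not real InterMapper or RT output).
SAMPLE_SUBJECTS = [
    "DOWN: www1 (HTTP) - no response",
    "DOWN: www1 (HTTP) - no response",       # same problem reported again
    "DOWN: db2 (Ping) - no response",
    "OK: www1 (HTTP) - responding again",    # the first problem cleared
    "DOWN: www1 (HTTP) - no response",       # a fresh outage later on
    "Weekly report attached",                # not an alert at all
]

# state, device and probe name, e.g. "DOWN: www1 (HTTP) - ..."
SUBJECT_RE = re.compile(r"^(?P<state>DOWN|OK|WARN):\s+(?P<device>\S+)\s+\((?P<probe>[^)]+)\)")


@dataclass
class Ticket:
    id: int
    key: tuple
    status: str = "open"
    history: list = field(default_factory=list)


class Correlator:
    """Maps each (device, probe) pair to at most one open ticket, so repeat
    alarms are merged and clear messages resolve instead of opening new tickets."""

    def __init__(self):
        self.tickets = {}       # ticket id -> Ticket
        self.open_by_key = {}   # (device, probe) -> id of its open ticket
        self._next_id = 1

    def handle(self, subject):
        m = SUBJECT_RE.match(subject)
        if m is None:
            return ("ignored", None)        # leave non-alert mail to normal RT handling
        key = (m["device"], m["probe"])
        tid = self.open_by_key.get(key)
        if m["state"] == "OK":
            if tid is None:
                return ("ignored", None)    # a clear for something never opened
            self.tickets[tid].status = "resolved"
            self.tickets[tid].history.append(subject)
            del self.open_by_key[key]
            return ("resolved", tid)
        if tid is not None:
            self.tickets[tid].history.append(subject)   # duplicate: merge, don't reopen
            return ("updated", tid)
        ticket = Ticket(self._next_id, key, history=[subject])
        self._next_id += 1
        self.tickets[ticket.id] = ticket
        self.open_by_key[key] = ticket.id
        return ("opened", ticket.id)


def process(subjects):
    """Run a batch of subjects through one correlator and return the actions taken."""
    c = Correlator()
    return [c.handle(s) for s in subjects]


if __name__ == "__main__":
    for subject, action in zip(SAMPLE_SUBJECTS, process(SAMPLE_SUBJECTS)):
        print(f"{action[0]:>8} {str(action[1]):>4}  {subject}")
```

The point of keying on (device, probe) rather than on the whole subject is that the wording of the alarm text can vary between the first report and later repeats while still being the same incident; the clear message only resolves a ticket that the correlator itself opened, so unrelated mail still lands in the queue as ordinary tickets.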
F the CC - Joe Biden's F-Bomb
So the Vice President of the United States of America said "Fuck". On the air. Twice.
Big fucking deal.
I've been prodded by a few people about this, so here's my 90 second commentary:
Joey-B dropped the F-Bomb twice during daytime programming hours (well outside the 10pm - 6am "Safe Harbor" for cussing up a storm on the air).
The last time I checked the FCC was to levy a fine of $7000 for each violation (i.e. every time a word slips out over the air), scalable up to $32500 based on other factors, like a history of prior infringements (and we clearly have at least two violations here).
So I have a few questions.
- Is the FCC going to fine all the broadcasters who carried this speech live-live (no delay) and/or those who carried it with a net & failed to hit the bleep button fast enough?
- Is the FCC going to fine either Joe Biden (personally) or the US Government (as an entity) for producing/distributing profane material?
- Will we ever get rid of our nation's irrational fear of the word FUCK and the sight of breasts?
Is our house of representatives too big?
I say it is too big because of a concept called Dunbar's number. Basically humans can only have social connections with about 148 people. When the first congress met there were 59 members. When the current sitting one hundred and eleventh congress first met, there were 434 members.
I'm not sure how to solve this problem. Perhaps we can draw up congressional districts without regard for state lines, and have the state legislatures appoint senators. The lower house can be reduced to about 125 members, which leaves room for the local office staff and the non-elected people in the Capitol building whom the congressmen will have to interact with regularly.
I don't pretend to have a clear answer to this problem, I just know that 400+ is too many people.
Low-Tech Application Security
At the February LIPHP meeting, Blake Cornell presented a very informative talk about penetration testing. For those of us who have been creating applications for a while — especially web applications, which was the focus of Blake’s talk — there were a few “oh yeah” moments and a couple of “oh crap, I better fix that” moments. But anybody who has never really done serious application programming may have felt intimidated. Also, while parts of Blake’s talk were web-app specific, there were some ideas that are useful for any application developer, even the novices.
This post, then, is an attempt to rephrase Blake’s most important points, in a way that hopefully any programmer will be able to understand, and in a way that should be useful to all application developers. I will be leaving out the really super-technical, database-specific stuff, and help programmers set a couple of important, attainable goals.
What is Penetration Testing?
Why was Blake’s talk so important and informative? What was he trying to get us to do? In short, any application programmer needs to be sure that the application only exposes the right data to the right user. I shouldn’t be able to update your Facebook status from my computer any more than I should be able to see your account balance by using the ATM. The way we determine whether an unauthorized user can see data he or she shouldn’t see is through penetration testing — the act of trying to break into your own application, or trying to get at sensitive data through means other than what the application developers intended.
Think Like The Attacker
As I thought about Blake’s talk on the drive home, I realized that none of us will write a secure application by accident. Application security happens by design. Programmers who create secure applications, then, must always be mindful that careless coding — especially in the absence of good testing — can and usually does result in unprivileged access. I realized that even I needed to adopt a new philosophy while designing, coding, testing, and maintaining. I realized that I need to think like the bad guy, and anticipate what attacks might occur, so that I can defend against them. If you can think like your application’s attackers, then you’re probably already one step ahead of the game.
Don’t Give Away Free Data
Blake brought a large arsenal of technological weaponry to the LIPHP meeting. He had all manner of JavaScript pausers, and POST data manglers, and all kinds of other stuff, meant to confuse web servers into doing what Blake wants, instead of what the web application programmers wanted. But the most important tool Blake brought was his common sense. Attackers will try to glean any information they can from your application, so don’t give them any.
Blake provided a few examples of how a careless application developer can give away data without even realizing he or she did so. Imagine attempting to log into your Twitter account. You type your username and password into the fields provided, and you see a message that says something like “Wrong password. Please try again.” You might appreciate how helpful this message is, since now you know what to fix, and you can successfully log in.
However, if this were the case with Twitter (it’s not, thankfully), then the application developer seriously needs to learn how to think like the attacker instead of like the client’s friend. Sure, it’s nice to give the user that hint. But what if the user typing your username and password into the site wasn’t you? That attacker has now verified that your username exists in the system. (“OK, but everyone knows my Twitter username already.” Fine. Let’s say this is your bank’s web site.) From there, the attacker only needs an educated guess (“He was married on September 9th…”) or a little social engineering (“Hi, this is Chris from Citibank calling. I noticed some unusual activity on your Mastercard over the past couple of weeks, that I’d like to verify. Could you give me your username and password, so we can fix this up?”) — or maybe a keylogger, or a shoulder surfer — to gain unauthorized access to your data.
The Solution
Here’s why I entitled this post “Low-Tech Application Security.” The fix to this problem is very easy, and it doesn’t require any more purely technical programming knowledge than what got you in this mess in the first place. Just change the error message. Instead of saying “Wrong password”, use the same error message for right username/wrong password as you do for wrong username; something like “Invalid Username/Password Combination” will do. This message has the intended effect on a real user; he’s going to type his username more carefully the second time, and if the password is really wrong, he’s going to take a minute and figure out what’s happening. (“Oh, I used the other password on this account.”) Plus, this message has the intended effect on the attacker, who has now learned absolutely nothing about your system.
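To make the before-and-after concrete, here is an added Python example (my own, not code from the post or from Blake's talk) with the careless login check next to the fixed one. It goes one step beyond the post: besides returning one message for every failure, the fixed version does the same password-hashing work for unknown usernames, so the response time does not reveal what the message no longer does. The user table, salts and passwords are constructed sample data.

```python
import hashlib
import hmac


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256; the slow hash is what makes the timing point matter."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user table: username -> (salt, password hash).  Sample data only.
_SALT_ALICE = b"constructed-salt-1"
USERS = {"alice": (_SALT_ALICE, hash_password("correct horse", _SALT_ALICE))}

# Dummy record used when the username is unknown, so that path does the same work.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = hash_password("unused", _DUMMY_SALT)

GENERIC_ERROR = "Invalid Username/Password Combination"


def login_verbose(username, password):
    """The careless version: each failure explains itself, which confirms
    to whoever is typing whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "No such user.")
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Wrong password. Please try again.")
    return (True, "Welcome.")


def login_uniform(username, password):
    """The fix from the post: one message for every failure.  Unknown
    usernames are hashed against a dummy record so they cost the same time."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # The explicit membership test stops a guess of the dummy password from
    # "logging in" as a user who does not exist.
    if not matched or username not in USERS:
        return (False, GENERIC_ERROR)
    return (True, "Welcome.")


if __name__ == "__main__":
    for user, pw in [("alice", "wrong"), ("bob", "wrong"), ("alice", "correct horse")]:
        print(f"{user:6} verbose={login_verbose(user, pw)[1]!r:38} uniform={login_uniform(user, pw)[1]!r}")
```

Run it and the verbose version prints two different failure strings for "alice" and "bob", while the uniform version prints the same string for both; only the real credentials get a different response.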
What Next?
I’m hoping this discussion will help a couple of you shore up your applications, and make them more secure. I also hope to write more in this space about how to design applications — especially web applications — the right way. But there are certainly a ton of other resources out there you can take advantage of to keep learning about security and application design (and please add more in the comments). Also, find a local user’s group, and join the e-mail list or show up at a meeting, where you are sure to learn a thing or two about programming. For instance, I will be presenting my application PHProf at LIPHP’s March meeting.
Interesting (impractical) OpenSSL attack
While I usually read El Reg for teh lulz occasionally they come up with an interesting nugget, like their article on a "severe" OpenSSL vulnerability (quotes theirs). This vulnerability comes to us courtesy of the University of Michigan, and is tied to a simple oversight in the OpenSSL code: It doesn't perform a verification pass on signatures before sending them to a client.
So all you crypto-nerds, how many of you do a verify on your signatures before you send them? Hands please? Nobody? Not even me? -- Yeah, we all tend to trust that our math Just Works. I mean it's a computer, you put in fixed input through a deterministic algorithm and you get the same output every time. Right? Nope.
Computers, as we all hopefully know, aren't perfect. Trillions of minor errors happen every day, and they're usually compensated for: ECC RAM, cross-checks of math, etc. But because OpenSSL doesn't do a cross-check it's possible for those minor errors to creep into a transmitted signature. As the good folks from UMichigan explain in their paper, if you can induce some minor errors in the OpenSSL signature math and collect a good signature and a large enough set of flawed signatures you can eventually derive the private key used for the signing.
That is all well and good, except it relies on errors in the system generating the signatures. These errors are rare (and pretty random) in the real world, so no problem, right? Wrong again Sparky! These clever folks came up with something I wouldn't ever have thought of.
Those of you who have worked on old Commodore computers probably know one of the first symptoms of a power supply going wonky is that the system starts acting up: Lots of random crashes, video corruption, etc. Why does that happen? Because the voltage being supplied to the system is fluctuating. Fluctuating voltages (specifically down-swings) cause all the magical voltage regulation hardware to go out of regulation, which feeds out-of-spec voltages to the chips, which in turn start making mistakes in their math.
The bottom line for this attack is an extension of that well-known Commodore problem: By putting controlled voltage fluctuations into the power supply of real computers (SPARC boxen running Linux) the UMichigan folks were able to induce errors in the math used by the real-world OpenSSL code and recover an actual key.
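The cross-check the post says OpenSSL skipped is simply "verify your own signature with the public key before you release it". As an added example (mine, not the OpenSSL code or the UMichigan paper's), the Python below signs with a toy RSA key and refuses to hand out any signature that fails that self-check; a `fault` hook stands in for the glitch a bad power rail would cause. The primes and the hash-then-reduce encoding are constructed for illustration and are nothing like a usable key or real padding.

```python
import hashlib

# Constructed toy RSA key with tiny primes.  Illustration only: nothing this small
# (or this unpadded) is usable as a real key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


class SignatureError(Exception):
    pass


def _digest(message):
    # Hash the message and reduce it below N.  Toy encoding; real code uses PKCS#1 padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(message, fault=None):
    """Raw RSA signature.  `fault`, when given, corrupts the result and stands in
    for a hardware error during the private-key exponentiation."""
    s = pow(_digest(message), D, N)
    return s if fault is None else fault(s)


def rsa_verify(message, signature):
    """Public-key check: signature^e mod N must equal the message digest."""
    return pow(signature, E, N) == _digest(message)


def sign_checked(message, fault=None):
    """The countermeasure: never release a signature the public key cannot verify."""
    s = rsa_sign(message, fault)
    if not rsa_verify(message, s):
        raise SignatureError("signature failed self-check; refusing to send it")
    return s


def flip_low_bit(s):
    """Simulated single-bit error in the computed signature."""
    return s ^ 1


def release_or_refuse(message, fault=None):
    """Returns (released, signature_or_None) so callers can log a refusal."""
    try:
        return True, sign_checked(message, fault)
    except SignatureError:
        return False, None


if __name__ == "__main__":
    print("good path:   ", release_or_refuse(b"hello"))
    print("faulted path:", release_or_refuse(b"hello", flip_low_bit))
```

The verify step costs one public-key exponentiation, which is cheap next to the private-key one, so the check is affordable on every signature; the important property is that a corrupted signature never leaves the box, which is exactly the material the attack needs to collect.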
Born Trilogy (@rob_t_firefly takes the blame for this)
So the point of this whole thing is trivial enough that I went ahead and did it: Go to Wikipedia and type in your birthday (month and day). Then you write down 3 events, 3 births, 3 deaths and 3 holidays.
December 29
Events
- 1778 – American Revolutionary War: 3,500 British soldiers under the command of Lieutenant Colonel Archibald Campbell capture Savannah, Georgia without firing a shot.
  Way to go Georgia, just roll over and take it. Bitches.
- 1890 – United States soldiers kill more than 200 Oglala Lakota people with four Hotchkiss guns in the Wounded Knee Massacre.
  120 years later we're still treating the natives like shit & using the treaties to wipe our national ass -- Progress, we no can has
- 2003 – The last known speaker of Akkala Sami dies, rendering the language extinct.
  Interesting tidbit in honor of all those linguistics courses I took.
Births
- 1800 – Charles Goodyear, American inventor (d. 1860)
  A subtle reminder from the universe to check your tire inflation and wear pattern
- 1921 – Robert C. Baker, Inventor of the chicken nugget (d. 2006)
  Cue ironic chorus of "Nugget Man"
- 1967 – Andy Wachowski, American director
  I still won't forgive him for the Matrix sequels. Filthy humans ruined a good thing.
Deaths (Excluding the "event" death)
- 1731 – Brook Taylor, English mathematician (b. 1685)
- 1737 – Joseph Saurin, French mathematician (b. 1659)
- 1891 – Leopold Kronecker, German mathematician (b. 1823)
Holidays
Only 2 and nothing relevant: The 5th day of Christmas (but nobody cares aside from the song) and apparently St. Becket's day (patron saint of secular clergy, so I suppose that's appropriate with me being an ordained minister and all)
The Wheel: Let me reinvent it for you! (update-notifier redux)
OK, for the record: I DESPISE Linux. I Hate, Loathe, Abhor and Revile it. I am a BSD-Bigot and proud of it, and if all the BSDs suddenly evaporated I would eschew Linux in favor of a commercial Unix (probably AIX).
Why do I hate Linux so much? Simply put, it's shoddy code written by shoddy coders. In my experience shit mysteriously breaks for no reason, standards and conventions are arbitrarily ignored, critical components of the system are perpetually at version zero-dot-something, regression testing seems to be a myth, and the average Linux developer seems to make no effort to ensure their code will work on anything except their particular favorite distribution (to say nothing about porting it to <GASP> a BSD system, or <HORRORS> Commercial Unix).
This particular tirade was kicked off by the Ubuntu update-notifier program suddenly and mysteriously no longer popping up update notification balloons. As some of you know my company ships a Linux-based appliance (built around a very stripped-down Ubuntu plus our commercial packages), and one of the things that made me go with Ubuntu was that they had gotten the update-notifier thing working beautifully and it had been stable for several versions.
Lo and Behold about a month ago our support guys came to visit me and asked "Hey, is the update notifier bubble broken?" I looked upon it and saw that it indeed appeared to be non-functional, but as all good (lazy) admins are wont to do I demanded they test and verify the breakage.
The breakage came back to me verified earlier this week, and as I really couldn't be assed to figure out why the update-notifier is happy to display the "you must reboot!" dialog box but refuses to display the "Yo, bitch! You have updates!" notifier icon & bubble I took the easy way out and re-implemented update-notifier in Python.
Been doing some heavy ExtJS development
The backend of the application I am working on is PHP, and I have come up with a pseudo-framework for the application itself. It relies on PHP's __autoload() function and on passing a couple of standardized arguments with every AJAX call, whether that call is submitting a form or loading a data store for an Ext grid/combo component. Through Ext's lovely use of the xtype property I am able to build arrays in my PHP objects, json_encode() them and pass them back to the front end, where they become full-fledged Ext objects. This is not standard practice for the interface, but it is used in one specific element of the application that is very dynamic and very custom. Now I am sure that if I found some Ext developers in my area and could sit down with them and show them the application, they could do away with PHP generating the code and come up with a couple of extensions to do exactly what I want, but for now PHP is filling in the gaps and doing exactly what I want.
I originally started looking at ExtJS when version 1 was released, then version 2 came out and I started on a project at my former location, but never really was given the time to actually fully develop an application using Ext...then a couple of months ago I started on the current project I am working on and presented the idea of using Ext to my boss, he said I could proceed and I think overall everyone has been very happy with it.
Some things I have seen improve with each release of Ext. I am going to start with the items where I have seen the biggest change and work down to those that have changed, but maybe not that much. Of course these are just my opinions.
* Documentation
* Speed
* Overall Community Support
* UI Reliability
Documentation- The documentation has GREATLY improved, and since the release of 3.0 I have started to see more and more code examples in the documentation itself. One thing that is still lacking just a little is an overall explanation of the properties/config options/methods/etc. for an object: some of these have a great amount of explanation and others not so much. Of course you can likely find someone to give a little more information on #extjs on irc.freenode.net, but I think such details should be in the documentation. One thing I would love to see in the documentation, along with the current code example, is an actual working element produced from that code example. I know there are examples, but having everything in one place is a great thing to have, and not all classes that have code in the documentation have samples, although most of them do.
Speed- The speed of Ext overall has increased SIGNIFICANTLY, and I don't think there is anyone out there using Ext who could ask for more speed improvements, although I am sure the team is working on them.
Overall Community Support- I have seen the community grow in leaps and bounds for Ext. This past year was the first Ext Conference, and although I moved to Florida just in time for it, unfortunately I was getting married later that month, and with starting the new job and having to take time off for the wedding/honeymoon I was unable to attend. I believe this year's conference, if there is going to be one, will be in California, as that is where the new Ext office is located (figures I come to town and everyone leaves!). Going along with the community, two books have come out recently: the "Ext JS 3.0 Cookbook" and, not yet released in paperback form but available through Manning Publishing's MEAP program, "Ext JS in Action". These have both been great reads so far, and I would highly suggest that anyone involved in Ext development purchase them.
UI Reliability- This one really isn't an improvement but something negative that I am starting to see: I have noticed a couple of UI bugs creeping in and out of the 3.x releases, such as tabs not having the site images, and a form having trouble placing buttons correctly and having them cut off on the left-hand side. Now the tabs issue was corrected with the release of 3.2, but the 3.2 release introduced the buttons issue, which I believe is my fault in that I have not set the proper config options for my objects; still, it was working correctly in 3.1 and is now showing up in 3.2.
But overall Ext is great and the changes they have been/are making to the release cycle are going to help the overall package shine like no other.