Malware Prophylaxis

Posted on 2012-07-30 by jcs

After last week’s malware outbreak at Irreal I’ve been thinking about ways to prevent another episode. For those who haven’t been following along, someone managed to add a line of obfuscated PHP to the index.php file that gets things going when someone visits the Irreal blog. For the technically inclined, the details are in my Anatomy of an Exploit post.

The number one thing I’ve resolved to do is keep WordPress up to date. Although I can’t be sure, I suspect that the attacker gained access to index.php through a WP vulnerability so it makes sense to keep up with the latest patches. I’d been lax about that because irrational paranoia requires me to back up the database whenever I do an upgrade and that’s a bit of a pain with my setup. It’s not, however, nearly as big a pain as trying to get the site clean and convincing Google that they should stop flagging it as a malware purveyor.

One of the difficulties I had when scrubbing the site was looking for infected files. As it turns out, only index.php had been affected but I couldn’t be sure of that until I’d done a thorough survey of the site looking for the injector signature. To make that easy if I have occasion to do it again, I have a backup of the entire irreal.org site. Most of the files will be static so it should suffice to look for changed files. Most of those will be log files so checking only changed files should simplify things considerably.

There used to be a Linux utility that went through the file system and took an MD5 signature of each file so that you could check for corruption on a regular basis. Following that idea, I can periodically pull a snapshot of the site back to my local network, generate MD5 signatures on it and the my original backup, and diff the results to find files that need examination.

I thought of writing some Elisp to do this but that’s really overkill. All I really need to do is

Ctrl+u Meta+!find -P . -type f -exec md5 {} \;

to get a list of all the files and their MD5 signatures into an Emacs buffer. Then I can compare this against the saved list using Ediff right from Emacs.

I’d be interested in any other idea that readers have to help me keep things secure. Irreal runs on a hosting service so I don’t have much control over site security other than using strong passwords and keeping WordPress up to date. If you’ve got any other ideas, please leave a comment.

Posted in General | Tagged , | 5 Comments

Does Anyone Really Think This Is A Problem?

Posted on 2012-07-29 by jcs

Oliver Reichenstein over at the iA has a strange post/article positing that nested directories are hard to understand. Reichenstein celebrates the iOS/Mountain Lion approach to file systems in which directories can be at most one level deep (and even that is too much, he believes). Leaving aside his misrepresentation of the actual situation in Mountain Lion, I’m really nonplussed by the idea that traditional file system architecture is somehow unnatural or hard to understand.

Reichenstein claims that multilevel directories are a geek invention that can only be understood by geeks and that even they don’t really understand them. I’m confused because I’ve never had the slightest problem understanding the idea and neither have any of the non-technical people I know. To me, it seems like a natural way to organize data and really isn’t any different, in principle, from an outline, something that we all learned to deal with in elementary school.

So my question, dear readers, is do you find nested directories hard to understand or unnatural? If you do, please leave a comment and let me know what the problem is.

Afterword: After writing this post I came across this post by Thom Holwerda over at OS News that expresses the same confusion over Reichenstein’s article. Like me, he finds the traditional directory architecture natural and useful.

Posted in General | 6 Comments

Syncing With Git Repositories

Posted on 2012-07-28 by jcs

Last month, I wrote about how I keep my two main machines in sync using git and how, after doing a git pull, I use a bit of Elisp to automate the reverting of my open buffers. After automating the reversion of buffers, I noticed that pulling all my repositories was also a pain. I had been just pulling the repository that I was going to use but that meant it was easy to forget which repositories were up to date and get things out of sync.

I decided to write a quick script to pull all repositories at once. That way I could just run the script when I began work on one of the computers and be sure that everything was up to date. Here’s the pull-repos script:

#! /bin/bash
# -*- mode: sh -*-
REPOS="/Users/jcs/org /Users/jcs/medical /Users/jcs/tax /Users/jcs/.emacs.d"
for r in $REPOS
do
    cd $r
    pwd
    echo "========================="
    git pull
    echo
done

There’s nothing exciting here, of course. Most of the script is involved with outputting information as to what repository is being pulled.

The pull-repos script is already a big time saver but to really automate things I made it callable from Emacs and folded in the revert-all-buffers functionality.

(defun sync-repos ()
  "Pull from git repos and then revert all buffers."
  (interactive)
  (switch-to-buffer "*SYNC*")
  (goto-char (point-min))
  (shell-command "/Users/jcs/bin/pull-repos" "*SYNC*")
  (revert-all-buffers)
  (end-of-buffer)
  (insert (format-time-string "%Y-%m-%d %T\n"))
  (insert "Buffers reverted"))

Now I just call sync-repos and all my repositories are updated and all my buffers are reverted. One step when I first start using a machine: perfect.

Posted in General | Tagged | 7 Comments

The Master Speaks

Posted on 2012-07-27 by jcs

The road to wisdom begins with a single step, grasshopper.

Posted in General | Tagged , | Leave a comment

Diceware in Lisp

Posted on 2012-07-26 by jcs

I recently downloaded the Ironclad Cryptography Library with quicklisp and wanted to give it a spin. I thought a nice little project would be to implement the Diceware password generation algorithm in Lisp. This turned out to be really easy. I was expecting to use Ironclad primitives to get some random data, expand it with hashing, and use the result as an index to choose a word from the dictionary as I did with the C version. Instead, Ironclad provides the strong-random function that can provide the indicies with a single function call.

To implement the Diceware algorithm, I first downloaded the diceware8k.txt file that contains 8,192 words. Having the number of words be a power of 2 avoids a bias from the modulo operation—see Diceware Implementation (Part 2)—although strong-random avoids that at the expense of some extra work. The code itself is very simple:

(in-package #:cl-diceware)

(require 'ironclad)
(defparameter *words* nil)
(defparameter *prng* (ironclad:make-prng :fortuna))

(defun load-words (&optional (wd-list #P "~/Desktop/diceware8k.txt"))
  "Load *words* with diceware8k.txt."
  (with-open-file (s wd-list)
    (do ((wd (read-line s nil) (read-line s nil))
         ( i 0 (1+ i)))
        ((not wd))
      (setf (aref *words* i) wd))))

(defun choose-one ()
  "Randomly choose a single word from *words*."
  (aref *words* (ironclad:strong-random (length *words*) *prng*)))

(defun choose-password (n)
  "Generate n random words for a pass phrase. Initialize *words* if needed"
  (unless *words*
    (setf *words* (make-array 8192))
    (load-words))
  (let (words)
    (dotimes (i n)
      (push (choose-one) words))
    (reverse words)))

The choose-one function gets a (strong) random number between 0 and 8191 and uses it as an index into the *words* array. The choose-password function loads the dictionary into the *words* array if it hasn’t already been loaded and then calls choose-one the requested number of times. The random words are accumulated in the words local variable and returned at the end.

Here’s a sample call

CL-USER> (cl-diceware:choose-password 6)
("hath" "otto" "fly" "urea" "becalm" "seed")

Choosing 6 words gives 78 bits of entropy, more than enough for today’s hardware and technology.

Update: 6 words gives 72 bits of entropy → 6 words gives 78 bits of entropy

Posted in Programming | Tagged | Leave a comment

Using Expand-Region

Posted on 2012-07-25 by jcs

Back in January I wrote about Magnar Sveen’s expand-region package that he described in Emacs Rocks #9. I recently loaded the code with ELPA and have been using it for my day-to-day work. I really like this package. It’s extraordinary how often selecting by semantic unit is the right thing. For a long time I selected text by typing 【Ctrl+Space】 and then manually moving the point with 【Ctrl+f】, 【Meta+f】 or something similar.

In almost every case expand-region will do the right thing with a call or two of 【Ctrl+=】. Take another look at Sveen’s video on expand-region and then download the code. You’ll need to set a keybinding for it in your .emacs or init.el. I use

(global-set-key (kbd "C-=") 'er/expand-region)

but you can, of course, set it to suit yourself. It’s also a good idea to checkout the package’s README on github, which explains how you can extend the package.

Posted in General | Tagged | Leave a comment

Password Reuse

Posted on 2012-07-24 by jcs

I’ve mentioned Troy Hunt’s writings here before. Hunt writes regularly on security and always has something interesting to say. Last year I wrote about Hunt’s analysis of passwords from the Sony compromise and—sorry but it’s true—the stupid choices people make about passwords. Others have already commented that those people have learned nothing because the same weak, well-known passwords keep showing up, this time on Yahoo!.

It turns out, though, that it’s much worse than we thought. Hunt was interested in password reuse so he compared the passwords used by people who had accounts on both Sony and Yahoo!. Unbelievably, he found that a year after the Sony exploit 59% of users who also had an account on Yahoo! were still using the exact same password on Yahoo!. This despite the fact that those passwords have been public knowledge for over a year.

Posted in General | Tagged | Leave a comment

Working With Rectangles

Posted on 2012-07-23 by jcs

Xah Lee has a nice updated post on working with rectangles and some other loosely related matters. Every time I see these commands I think how useful they are and then promptly forget about them. I’m going to make an effort to try to use them more often to set them in my mind.

I especially like the replace-rectangle and string-insert-rectangle commands that let you replace the rectangle or add text to the beginning of each line of the rectangle. A sometimes useful related command is kill-rectangle that just deletes the rectangle (and puts it in the kill ring).

Lee also presents a bit of Elisp that shows how to copy a rectangle into the system’s clipboard. I like this not because it’s something I want to do but because of the techniques he uses to copy the rectangle into the kill buffer. It’s something that looks like it could be useful in other contexts.

SUMMARY OF COMMANDS

 
COMMAND KEY BINDING
replace-rectange Ctrl+x r t
string-insert-rectangle Unbound
kill-rectangle Ctrl+x r k
Posted in General | Tagged | 1 Comment

Juan José García Ripoll: Lisp Hacker

Posted on 2012-07-22 by jcs

This is slightly old news but over at Lisp, The Universe and Everything there’s a nice interview with Juan José García Ripoll, the developer of Embeddable Common Lisp. The thing about Ripoll is that he’s not a programmer1; he’s a physicist who got into Lisp because he wanted a better way of handling the simulations that were his bread and butter.

It’s interesting that non-programmer scientists, like Ripoll, would turn to what almost everyone considers one of the hardest programming languages to master. Of course, those of us who have embraced Lisp have no difficulty understanding this. Lisp allows the researcher to quickly represent his physical models without worrying about programming minutia. As Ripoll recounts, he was able to leverage the Lisp bignum capabilities to solve a 3-SAT problem in an afternoon and to produce an executable that ran faster than the problem’s C++ prototypes.

I like Ripoll’s story because it demonstrates how powerful Lisp is. If you’re a physicist faced with solving problems like his and your first thought is Fortran, you’re going to get eaten alive both by Fortran and by guys like Ripoll who leverage the power of Lisp.

If you’re a scientist using computer modeling, it would be well worth your while to take a look at Ripoll’s interview. If you’re a Lisper, you’ll love Ripoll’s story of problem solving with Lisp.

Footnotes:

1 Of course, Ripoll is a programmer. What I mean is that his primary job is not programming.

Posted in General | Tagged | 2 Comments

Searching for Blog Posts by Title

Posted on 2012-07-21 by jcs

Last year I wrote about how I search for a blog post’s org file by the post’s title. That involved bringing up a dired buffer for the directory containing the source org files and doing a dired-do-search for a regular expression that looks like

TITLE:[ ]+Blog-Post-Title

That works well but it’s a little fussy because you have to mark all the org files in the dired buffer and the regular expression is tedious to enter. I finally decided it was time to truly automate this chore.

The following code prompts for the title (ignoring case) and then pops up the relevant file in a new buffer.

 1: (defun jcs-search-by-title (title)
 2:   "Search for a bog post source by title."
 3:   (interactive "sTitle: ")
 4:   (dolist (f (directory-files "~/org/blog" t ".*\\.org"))
 5:     (with-temp-buffer
 6:       (insert-file-contents f)
 7:       (let ((case-fold-search t))
 8:         (if (search-forward-regexp (concat "#\\+TITLE:\\s-*" title) nil t)
 9:           (progn
10:             (find-file f)
11:             (return t)))))))

The directory-files on line 4 returns at list of all the .org files in the directory that contains blog posts source files. Each of those files is placed in a temporary buffer on line 6 and a regular expression search is performed for the title line. If the search succeeds, the file is loaded into a new buffer ready for editing.

It doesn’t seem like much of an improvement over the old method but it makes it enough easier that I use it instead of just trying to guess the file’s name. I just love the way that Emacs’ extensibility allows me to optimize my work flow.

Posted in Programming | Tagged , | Leave a comment