When SSL Is Not SSL

Troy Hunt has a nice post on SSL and how many sites misuse it. As Hunt says, SSL is not about encryption. The problem that Hunt is writing about is sites that deliver a login page, say, in http and then post the login credentials over https. The idea is that the credentials are sent encrypted so everything is nice and secure. Often these sites will even display a padlock icon suggesting that the login is secure.

The problem, as Hunt explains in detail, is that the user has no way of knowing to whom those encrypted credentials are being sent. With SSL, the user is assured1 that the login screen is from the site it’s purported to be representing. If the login screen is not sent by SSL (indicated by an https connection) then the user has no way of knowing where it came from or where the login credentials will be sent once the user enters them.

Hunt gives real examples of governments exploiting this vulnerability so we’re not talking about a theoretical threat. Sadly, many sites continue to get this wrong putting their users at risk. That authoritarian governments are exploiting it means that it can literally be a matter of life and death. Remarkably, when Google moved Gmail to SSL the increase in load was within 1% of existing load so there really is no excuse for not using SSL at least for logins.

This is a great post and very informative. If you are developing Web sites, you definitely need to know this material. Hunt’s post is a great way to get started.

Footnotes:

1 For various values of “assured.”

Posted in General | Tagged | 1 Comment

Emacs Compilation Errors

Over at the Definitely a plug blog there’s a very nice mini-tutorial on using the Emacs compilation facility. When you use 【Meta+xcompile to run a compilation process, Emacs will parse the error output and allow you to step through the errors, jumping to the source of each error as you go. You can go to the next error in the current buffer with 【Ctrl+x `】 and move to the next or previous file with 【Meta+}】 and 【Meta+{】. More conveniently, you can move to the *compilation* buffer and use the buffer-specific navigation keys listed in the post to deal with each error.

Most of this is known to developers who use Emacs regularly but the really interesting part of the post is how to define rules for parsing the results of new (or previously unsupported) compilers. That this is possible should be obvious to any Emacs user but I must admit I didn’t know about it.

The really nice thing about defining new rules is that it’s pretty easy. There’s a simple example in the post that serves as a go-by. This is really interesting and useful material. If you compile things from within Emacs then I really recommend this post—it’s full of good information.

Posted in Programming | Tagged | 1 Comment

Forensics with DRAKMA

I ran across the Open States Website, which provides information on legislative activity for many (and eventually all) of the U.S. states. They have an API that allows you to query information via http and get answers formatted as JSON. I thought it would be fun to play with this in Lisp but I didn’t have a Web client so I asked Google about Lisp Web clients and got pointed to DRAKMA, Edi Weitz’s Common Lisp Web client. DRAKMA provides a simple and easy to use library that allows you to make HTTP requests in Common Lisp.

I loaded it with Quicklisp and was quickly retrieving data for my state. The Open States site is a nice resource if you live in the United States and want to keep an eye on what your state legislators are up to.

While I was playing with DRAKMA it occurred to me that it would have been perfect for investigating the malware problem that I had a while ago. If you followed that sorry tale, you’ll recall that one of my site’s WordPress PHP functions was modified to serve some malicious JavaScript for Windows users. As part of cleaning up the site I needed to verify that the JavaScript was no longer being served. I originally did that with curl but that was a little limited. Using DRAKMA I am able to send a request, pretending I’m a Windows/MSIE user, and check all the JavaScript scripts that come back. Here’s a sample run on the now clean site.

DRAKMA-USER> (ppcre:all-matches-as-strings "<script.*?</script>" (http-request "http://irreal.org/blog/" :user-agent :explorer))
GET /blog/ HTTP/1.1
Host: irreal.org
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Accept: */*
Connection: close

HTTP/1.1 200 OK
Date: Sat, 28 Jul 2012 16:00:21 GMT
Server: Apache
X-Pingback: http://irreal.org/blog/xmlrpc.php
X-Powered-By: PHP/5.2.17
Vary: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

("<script type='text/javascript' src='http://irreal.org/blog/wp-includes/js/jquery/jquery.js?ver=1.7.2'></script>"
 "<script type='text/javascript' src='http://irreal.org/blog/wp-content/plugins/nucaptcha/res/js/wp-nucaptcha-form.js?ver=3.4.1'></script>")

As you can see, only two scripts are served and they are both legitimate WordPress scripts. I set DRAKMA to print the HTTP headers so that I could verify that the correct USER_AGENT was being sent. This is very nice and since you have the power of Lisp at your disposal, it’s easy to ask any appropriate question about the data that comes back. In the above example, for instance, I used Weitz’s Portable Perl Compatible Regular Expressions (PPCRE) library to pick out any scripts in the output.

Posted in General | Tagged | Leave a comment

Now Let’s All Enjoy A Moment of Schadenfreude

ZDNet is reporting that SCO is in Chapter 7 and thus effectively dead. They’ve been in Chapter 11 since 2007 and really had no hope of getting out so this news is not surprising.

Those of us with memories of the computer industry that extend as far back as 5 years will remember the uproar and disruption that SCO caused with their suit against IBM for supporting Linux, which they claimed had stolen its copyrighted IP. It turned out, of course, that Linux had done no such thing and that in any event SCO didn’t own the copyrights to Unix that they were using to press their claims. These guys were the worst sort of IP trolls and almost all of geekdom will feel a bit of satisfaction at their belated demise.

By far, the best thing to come out of the debacle was Groklaw, which even today continues to defend free software and comment on the antics of those who prefer lawsuits to innovation. For those of you who were there and remember the excitement of pulling up Groklaw everyday to see the latest news on the SCO spectacle, here’s Groklaw’s report on SCO’s demise written by PJ herself. The other great thing to come out of the SCO saga was the utter humiliation of those in the tech press who shamelessly spread SCO’s FUD and predicted their ultimate victory. We won’t sully the sacred Irreal franchise by mentioning their names but they know who they are.

Posted in General | Leave a comment

Reusability and NIH

Peter Donis has a nice post discussing a programming challenge given to Knuth and critiqued by McIlroy. Don Knuth, certainly one the premier computer scientists (period) was asked to demonstrate literate programming by solving a simple problem involving finding the n most frequent words in a given text. Doug McIlroy, who’s also well known but not nearly as much as he should be1, was asked to critique Knuth’s solution. McIlroy’s critique consisted of a 6-line shell script that solved the exact same problem as Knuth’s 10-page Pascal program.

McIlroy’s larger point was about reusability (follow the link to Donis’s post for the details) but what struck me about the story—and made me vaguely uncomfortable because I’m often guilty of this—was how often those of us with the hacker disposition are inclined to jump in and implement a solution to a problem in our $FAVORITE_LANGUAGE rather than use existing functionality as McIlroy did.

It’s amazing how often a simple shell script can solve a problem simply and elegantly. It’s just crazy that we would rather write pages of code rather than simply use a pipeline of a few of the robust and tested Unix utilities. The problem, I think, is that we really love programming and it seems like cheating to solve a problem using a line or two of shell script.

It’s worth remembering that the goal is—most often—solving the problem in the fastest and easiest way. Sometimes that means a simple shell script rather than rolling up our sleeves and cranking out code.

Footnotes:

1 This story is from Dennis Ritchie as told on his home page.

Posted in Programming | 9 Comments

Even The New York Times Is Getting A Clue

The New York Times Sunday Review has an interesting article on piracy. They invoke the common metaphor of Whac-A-Mole and conclude that Internet piracy is not going away and that the content industry is fooling themselves to believe otherwise. They suggest that maybe it’s time to move on and find a new business model.

None of this is news to Irreal readers, of course, but it’s significant because the very epicenter of the establishment media is promulgating these views. Perhaps there’s hope after all.

Even though you won’t find any new ideas, I urge you to read the article if only because it’s so satisfying to hear these things from the content establishment.

Posted in General | Tagged | Leave a comment

The Emacs Configuration File

Xah Lee has an interesting post on organizing your emacs init file in which he advocates breaking your .emacs or init.el file into several subfiles. Generally when people do this they organize the subfiles by category or function—all the items concerned with processing C files, for example, would be in their own subfile—and Lee is in favor of this approach. But even more, he says it’s a win to just arbitrarily break your .emacs or init.el into equal parts based simply on length.

I understand the urge to segregate individual functionality into separate files but I’ve never been able to warm up to the idea. My init.el file is a little over 800 lines, probably making it of medium length in the universe of such files. According to Lee and others who like to break their configuration files up, this makes me a prime candidate for using subfiles.

I sort of do that by organizing my init.el into subsections within the single file but I don’t see the case for multiple files. It seems to me that it’s just harder to find things that way and because I’m always tweaking my init.el I almost always have it open it Emacs. That would be more of a pain if I had to keep several subfiles open all the time. Still, I recognize that this is largely a matter of preference and don’t insist that my way is right or better; it’s just my way.

The really interesting thing about Lee’s post is a bit of Elisp that he gives to automatically byte compile your .emacs or init.el file when it’s saved after being changed. The code checks to see if a .elc exists and if so recompiles the init file. I’ve seen other solutions that do the same sort of thing but they all fell just a little bit short. The nice thing about Lee’s solution is that you can easily modify it to do exactly what you need.

Regardless of your position on multiple Emacs init files, Lee’s solution for automatically compiling this file or files makes his post worth a read.

Posted in General | Tagged | 8 Comments

The Dropbox Breakin

Much is being made of the supposed Dropbox break in. Several users reported that they started receiving spam at email addresses that were only used with their Dropbox accounts. Dropbox, to their credit, immediately launched an investigation and brought in outside investigators to aid in their analysis.

The results of that investigation pretty much boil down to:

  • Most of the accounts were compromised because users had used the same passwords at other sites that were later compromised, and
  • A Dropbox employee, whose account was compromised in the same way, had stored an internal Dropbox document in the system that contained further email addresses.

The press, of course, was quick to compare this to the LinkedIn exploit that resulted from very poor security practices on LinkedIn’s part. But how, exactly, is Dropbox to blame for this? Yes, they have an employee who did an extremely stupid thing but how are they supposed to guard against users reusing their credentials? All in all, Dropbox was taking security seriously and doing everything right. They have since started offering optional two-factor authentication and a page that allows users to track logins to their accounts.

To my mind, the real blame belongs with the users who couldn’t be bothered to use unique passwords. This does include the Dropbox employee who, one hopes, had been admonished, terminated, or otherwise suffered the application of the clue bat. As I wrote recently, password reuse is endemic and those who are guilty of it deserve no sympathy when the real world exacts its revenge.

And, by the way, let me say again: if you store sensitive data in the cloud you better encrypt it. Dropbox is, of course, responsible for the action of their employees and one hopes that this incident will encourage them to make sure these employees aren’t doing things that endanger their customers. Still, the user is ultimately responsible for safeguarding their data. That means that they should assume that screw ups will happen and should therefore take actions to ensure they aren’t affected when they do.

Posted in General | Tagged | Leave a comment

Tips for Using Emacs Lisp

Nic Ferrier has a nice post entitled Tips on Emacs Lisp programming. The post has been mentioned by many of the Emacs aggregators but it’s a nice post and worth a shout out.

Ferrier takes the position that Elisp is a nice programming language and useful in many situations that are separate from driving the editing environment. That’s a position that I certainly agree with. Emacs provide a rich environment that can make many disparate tasks easy to accomplish.

Ferrier’s tips are not concerned with the minutiae of actually writing Elisp in the way that, say, Xah Lee’s Elisp tutorial is. Rather, he deals with might be called “meta-issues.” How to find example code; how to name your functions and variables in the absence of a module system; autoloads; tests; documentation; writing scripts; and EIEIO for objects.

As I said, this is a nice post and if you (even occasionally) write in Emacs Lisp it’s worth a few minutes of your time. I heartily recommend it.

Posted in Programming | Tagged , | Leave a comment

Prompting for User Input with Elisp

Xah Lee has a nice tutorial on getting user input with Emacs Lisp. Most Elisp programmers are aware of the interactive control strings for this purpose and most of us probably use that for most occasions requiring user input:

(defun test-input-func (msg)
  (interactive "sEnter Message: ")
  (message "Your message was: %s" msg))

The interactive form supports the input of many type of data as documented in the built-in info documentation and also the Emacs Lisp Reference Manual.

The nice thing about Lees tutorial is that he mentions the rarer but sometimes useful functions that also accept user input. These are handy when you need to get data from within a function that is not (necessarily) an input parameter. These functions are:

 
Function Use
read-string Read input as a string
read-file-name Read input as a file name
read-regexp Read input as a regular expression

An additional benefit of these functions is that they support the history mechanism and that read-regexp doesn’t need the escaping that representing regular expressions as strings usually require.

Head on over to Lee’s tutorial for all the details. If you do anything other than very simple Elisp, this is stuff you need to know.

Posted in Programming | Tagged , | Leave a comment