Listing Files On A Remote Server With Emacs

I use TRAMP all the time to edit files on a remote machine: it’s quick, easy, and pretty much transparent. I just learned something new that in retrospect should have been obvious. You can obtain a listing of remote directories simply by opening the directory.

Normally, when using TRAMP, you specify a file 【Ctrl+x Ctrl+f/host:directory/file and Emacs fetches the file for you to edit and then copies it back to the remote host when you save it. But if you specify just a directory, 【Ctrl+x Ctrl+f/host:directory, Emacs will either open a Dired buffer for that (remote) directory or show you a list of files in the minibuffer. I haven’t figured out the exact rule but it appears that the first time you go to the remote host you get the Dired buffer. After that you get the list of files. If you want the Dired buffer you can always get it with 【Ctrl+x d/host:directory.

The nice thing is that this Dired buffer acts just as a local one does. You can drill down into subdirectories and choose a file to edit as normal. All the usual Dired commands work just as if you were in a local directory: you can search, mark, copy, delete, and so on.

Considering that my usual procedure is to SSH into the remote host and run ls to find the exact name of the file that I want to edit, this is a real time saver. Just another example of the power of Dired, this time assisted by TRAMP.

Posted in General | Tagged | 3 Comments

Security and Unicode

I’ve written before about the wonders of Unicode but this post is an example of its dark side. Over at the Microsoft Malware Protection Center there is an interesting post about the use of Unicode by malware. It seems that the trojan TrojanDropper:Win32/Vundo.L hijacks the Russian social networking sites vk.com and vkontakte.ru and redirects them to another—presumably malware, the story doesn’t say—site.

The normal way of doing this is to add an entry to the hosts file (%SystemRoot%\system32\drivers\etc\hosts) but when they checked the hosts file it was clean—no entries for the Russian site. Then they displayed hidden files and discovered another hosts file that had been corrupted. How could this be? You can’t, of course, have two files with identical names in the same directory. By now, you’ve guessed the answer: the visible hosts file had the o replaced with the Unicode character 0x043E, which is a Cyrillic character that looks like the Roman character o. That meant that TCP/IP ignored the “clean” hosts file because it had the wrong name and ussed the hidden one instead.

I’ve heard of this trick being used in URLs to snare the unwary into going to a rogue site that appears to be legitimate but this is the first time I’ve seen it used this way. A very simple but effective trick.

Posted in General | Tagged | Leave a comment

Keyboard Macro Counters

Emacs is incredibly useful for repetitive editing chores. For example, this Xah Lee post shows how Lee performed major surgery on hundreds of pages of HTML by using a little Emacs Lisp.

Not everyone can or wants to write Emacs Lisp but even without it you can still do a lot of automation with keyboard macros. Most Emacs users are familiar with the fundamentals: use 【Ctrl+x (】 or 【F3】 to start recording your keystrokes, perform the repetitive action one time and stop the recording with 【Ctrl+x )】 or 【F4】. Then you can repeat the keystrokes with 【Ctrl+x e】. After the first repeat you can simply type 【e】 for subsequent repeats.

Here’s a little trick I learned from the EmacsWiki. Suppose you want to create a list of host names where each differs from the others by a number at the end

host1.irreal.org
host2.irreal.org
...

To do that, follow these steps

  1. Ctrl+x Ctrl+k Ctrl+a1 to set the amount to increment the counter on each repetition.
  2. Ctrl+x Ctrl+k Ctrl+c1 to set the initial value of the counter.
  3. Ctrl+x (】 to start recording the macro
  4. hostCtrl+x Ctrl+k Ctrl+i】 to insert the current counter value after host.
  5. .irreal.orgReturn Ctrl+x )】 to stop recording the macro.
  6. Ctrl+x e】 to generate the next host name.
  7. e】 to generate another and so on.

You can also use 【Ctrl+x Ctrl+k Ctrl+f】 to set the format of the counter.

Posted in General | 1 Comment

Git By Hand

I went looking for the update to Tom Preston-Werner’s talk on Git that I wrote about previously but I didn’t find it. What I did find, however, is another talk on Git, entitled Unlocking the Secrets of Git that he gave at the UCAR Software Engineering Assembly. This was a very enlightening talk that along with his Git Parable provides an excellent understanding of the Git architecture and how it works under the covers. He describes Git as a user-land file system with versioning and synchronization.

In this talk he constructs two Git file blobs by hand (using an editor and an interactive Ruby shell) and shows how they get named by their Sha1 hashes. Then he constructs a Git tree object—essentially a directory listing of the two file blobs—and then uses git cat-file to show its structure. Finally, he makes a commit object and again shows what it looks like with git cat-file.

This talk really brings alive how simple Git is. There’s something about seeing the objects made by hand (not even using Git in the case of the file blobs) that dispels all the mystery. I really can’t recommend this talk enough if you’re a Git user. It will really help you understand what’s going on.

Of course, there’s a lot more to Git then the add, and commit commands so the talk won’t make you a Git master but it will give you the background to understand the more advanced commands and how they fit in with the Git way of doing things.

Preston-Werner is a Git master and a cofounder of GitHub so he’s a good teacher and give gives an entertaining talk. It’s about 75 minutes long so you’ll need to block out some time but it’s well worth an hour and a quarter of your attention.

Posted in General | Tagged | Leave a comment

SSH Tricks

Smylers over at the Smylers Blog has an outstanding post on little known things you can do with SSH. Even after years of using SSH daily, there were still a couple of tricks new to me in the post. Smylers mostly assumes you’re using OpenSSH, which unless you’re a Windows user you probably are. Even so, he shows how to do the same things with Putty or Copssh, so this is a worth while read for anyone who connects to a remote system.

Among the things he shows you are:

  • How to share a single remote connection with several terminal windows. That’s handy when you want to have several views into your work on the remote server but don’t want to go through the pain of authenticating several times.
  • How to SCP over an existing connection.
  • How to make an SSH connection persist even if you log out.
  • How to set up an SSH key so that you don’t have to give your password when you sign on.
  • How to move that key to the remote system automatically. This is a real time saver because doing it manually is a pain.
  • How to forward connections from one remote server to another.
  • How to set up host aliases so you don’t have to type a long fully qualified host name.
  • How to configure the user name you use on the remote host if it’s different from your user name on your local host. This removes the necessity to specify your login name when you connect.
  • How to forward X11 connections.
  • How to mount remote files locally over an SSH connection.
  • How to connect to remote services with a local application. For example, if you have a database on a remote system that expects a connection on a certain port on the remote system you can configure SSH to do port forwarding to enable this.

There are some other tricks as well. Some of the commenters offer additional tricks so be sure to read them too. This is a really great post and if you’re an SSH user you should read it without delay. It has some techniques that will really make your work flow easier.

Posted in General | Tagged | Leave a comment

How Passwords Get Stolen

I just stumbled across a nice post on How Attackers Steal Passwords by Joe Golton over at FilterJoe. It’s an interesting look at the common attacks on user passwords. There’s not a lot new or surprising in the post but it’s a good summary of the various attacks and what users can do to avoid or mitigate them.

The attacks fall roughly into 3 groups

  1. Social Engineering
  2. Attacks on the Web site servers
  3. Malware that the user downloads that then sets up a keystroke logger or other attack.

There’s not much we can do to protect ourselves against the second type of attack except to never reuse passwords and to avoid dealing with companies and sites that have demonstrably poor security practices. Avoiding social engineering attacks is mostly a matter of common sense and staying alert to the danger. Golton recommends just deciding in advance that you will never give anyone your passwords under any circumstances. If you are forced to do so in order to perform some needed chore—to import data, say—then immediately change it afterwards.

The third category is the hardest to deal with. Some password managers can help here with their automatic log on functions, which makes it difficult for keystroke loggers to intercept the passwords. Browsers like Chrome that set up sand boxes can also help but as Golton explains, some of these attacks are Javascript based and so operate entirely within the browser. The safest thing to do is to use a separate machine for banking and other high value transactions but not many people are going to do that. At the least, it may pay to quit your browser and start a new instance before doing any banking in order to get rid of stray Javascript.

Golton’s final note is that six of the nine attacks can be blocked with the correct use of a good password manager. He recommends RoboForm (Windows), 1Password (Mac OS X), KeePass (free), or LastPass for those looking for a cloud-based solution. You can read his reasons for these recommendations here.

Posted in General | Tagged | Leave a comment

Administrivia: Captchas

The amount of comment spam has reached intolerable levels: spam comments far outnumber legitimate comments and moderating them is taking an increasing amount of time. Therefore, I have reluctantly installed a captcha to try to bring the problem under control. I’m using the NUCaptcha plugin, which features moving letters that are easier to read so I’m hoping that this won’t inconvenience folks too much.

The captchas appear only to unregistered users so if you are a regular commenter, it’s probably worth your while to register and avoid the hassle of dealing with captchas. Again, sorry for the inconvenience. As usual, a few bad actors ruin things for everyone else.

Update: inconvience → inconvenience

Posted in Blogging | Leave a comment

Emacs Ruler Mode

Sometimes it’s convenient to have a ruler on your Emacs screen. Not often but sometimes. For example, it can be useful for lining things up in artist-mode. Emacs has a very nice ruler that, among other things, tracks were the point is on the line.

You can toggle it on and off with 【Meta+xruler-mode. Often times you (or at least I) want to turn it on for just a second to check something so you can turn it on and then type 【Meta+x Meta+p】 to bring the command up again to turn it off.

This isn’t a command you will use a lot but when you need it, it comes in very handy. If you forget its name, 【Ctrl+h fruler will bring up the on-line documentation.

Posted in General | Tagged | 2 Comments

Emacs Vs

I’ve just run across an interesting site created by Strzelewicz Alexandre called Emacs Vs or Emacs Vote System. Users post their favorite Emacs tricks and the other users vote them up or down—much like Hacker News or reddit. The current favorite is yasnippet, a template system for Emacs.

This site is worth adding to your RSS feed just to keep up with the new submissions. If, like me, you’re always on the look out for new Emacs tricks, this could be a good place to find them.

Posted in General | Tagged | Leave a comment

Diceware Implementation (Part 2)

Last time I presented an implementation of the Diceware method for generating a secure password. Today I’d like to finish up with a few details.

First, the careful reader might wonder why I generated 4 random bytes with RAND_bytes instead of 2. After all, 2 bytes is more than enough to express 7,776 so we’ve wasted two bytes worth of entropy. The reason is that the modulo operation gives a slight bias against the higher numbers and this bias is more pronounced when the modulus and largest random integer are closer together. For example using 2 bytes, the 65,536 integers results in the numbers 0–3,326 being generated 9 times but the numbers 3,327–7,775 are generated only 8 times. That means that the lower numbers are generated 1.125 times as often as the high numbers. That’s a significant bias.

By using 32-bit random integers we get the numbers 0–2,558 generated 552,337 times and the numbers 2,559–7,775 generated 552,336 times. Thus, while there is still a bias it is much less: the lower numbers are generated 1.0000018 times more often than the high numbers.

Second, Apple has deprecated RAND_bytes as of Lion but Google doesn’t know why or what they anticipate will replace it (or at least my Google-fu is insufficient to discover these things). If anyone knows what’s going on here, please leave a comment.

Third, RAND_bytes uses /dev/urandom to seed the PRNG. If your system doesn’t have /dev/urandom (RAND_bytes will return 0) you must seed it yourself with RAND_add.

Fourth, compile the C code with

gcc -Wall -lcrypto diceware.c

Finally, a word about master passwords. As I said in the previous post, you really want to have one master password that is strong but reasonably easy to remember that protects all your other passwords. The question is, how do you store those other passwords safely? The obvious answer to is use a password manager such as 1password or KeePass but if you don’t want to spend money or deal with third party software, you can keep them in an encrypted Org file as explained in this Minor Emacs Wizardry post. This is what I do and it works out fine except that it isn’t integrated into my Web browser the way some of the password managers are. If you roll your own with Emacs and Org mode, make sure you generate strong passwords for your other accounts. You can use something like the makepw utility that I wrote about in my old blog, for instance. If you do use makepw, you might want to have it generate 20 characters instead of 10.

In any event, once you choose a way to manage your passwords, you can use a master password generated by the Diceware method.

Posted in Programming | Tagged | 1 Comment