Archive 2.8.2005 - 15.8.2005

the strange tendency of PHP programmers to eval

Vulnerabilities in PHP modules endanger (once again) numerous web applications - and once again it's XML-RPC. They are still using eval - to evaluate tags, of all things. Seriously? Sorry, folks, but this is just ridiculous: eval has already blown up in your face once, so why weren't all those calls removed back then? Or at least properly secured?

And people wonder why I don't have much faith in PHP software ...

Lazy Posts in WordPress

The new WordPress 1.5.2 should finally fix the slow posting - caused by pinging - by moving the pinging to the shutdown phase, i.e. after the actual request-response chain. In plain terms: with 1.5.2, pinging should no longer leave the browser waiting forever. It would be very nice if that actually works.

Since security fixes are included as well, an upgrade is sensible anyway. WordPress runs surprisingly stably for a PHP application, but there are undoubtedly still one or two skeletons in the closet.

Update: well, it hasn't really gotten faster when posting ...

Seashore is an image editor for OS X based on GIMP libraries and formats. It already looks quite nice, even though it currently has almost no features (especially the filters are missing). But maybe something like this will one day become a native OS X GIMP ...

Turn off spotlight on removable drive

`sudo mdutil -i off -E /Volumes/VOLNAME/` should disable Spotlight on a volume and discard its index. Hopefully - it's annoying when my backup drives get indexed every time they are plugged in. Or when applications found there show up in the Open With lists even though the drive isn't connected at all ...

trac - Easy Software Project Management

trac is a web interface for Subversion repositories. But it is more than just a repository browser: it also includes a wiki, a bug tracking system, milestone management and very convenient reports built on the bug tracking. And all of that comes in a very easy-to-install package - on Debian, apt-get install trac is enough, after which trac-admin initenv creates a Trac instance. It also looks quite appealing, and the functions are very well integrated: links from tickets to the wiki, or from changeset descriptions to the wiki or the bug tracking, are easy to make and of course help enormously in managing software changes. Additionally there is a nice timeline that documents changes to the system over time and links them - among other things to a very comfortable changeset browser.

I have now thrown away all the handmade stuff for TooFpy and switched to trac. Just the possibility of assigning my ToDo list, which was previously managed in the source tree, to planned releases via tickets brings a lot of overview to the project.

Yep, anyone who has to manage a software project should definitely take a look at trac, because anyone who is not necessarily a control fetishist will certainly be happier with the rather open structure of trac than with some overengineered parts.

kenosis is a Python library for a simple P2P protocol that is based on XMLRPC. Simple and straightforward, but without any form of encryption - should therefore be used over externally encrypted or otherwise secured channels.

Nitro is a web framework for Ruby. Clearly positioned as a competitor to Rails, it addresses some of Rails' weaknesses - for example the rather meagre object-relational mapping Rails provides via ActiveRecord. Nitro uses Og instead. Otherwise the features are significantly more developed - more code, less hype.

RBL Operator Again

After I already wrote about it in April, it's now also in the Heise Ticker: RFC-ignorant: All .de domains under suspicion of spam. The ignoramuses of RFC-Ignorant will certainly not change their minds, but perhaps now one provider or another will remove this absurd block list from their mail configuration.

Fuck, I'm slowly getting really annoyed by awstats.pl. I'm already considering switching back to webalizer, which only produces stupid static output. But it can also do less.

Privacy Update under OS X

In IRC, identd, and Privacy I complained that proxies with SOCKS support were rather thin on the ground - meanwhile, things have improved significantly. Because X-Chat Aqua is now in a state that can be described as very usable - after many years of using Snak, I have actually switched.

X-Chat Aqua supports SOCKS and thus allows direct use of tor. However, it is not SOCKS4A - so DNS lookups are still visible. Ideally you simply enter the server's IP address, so that no name resolution has to happen at all.
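To make that difference concrete, here is an added example in Python (not from the original post, not code from X-Chat Aqua or tor) that builds the SOCKS4 and SOCKS4A CONNECT requests and shows what the proxy gets to see in each case. The destination name irc.example.org, the port and the 192.0.2.10 answer from the fake resolver are constructed; the only thing the code relies on is the SOCKS4/4A wire format.

```python
import socket
import struct

# Added example (not from the original post): SOCKS4 vs. SOCKS4A CONNECT
# requests, to show where the DNS lookup happens in each case.
SOCKS_VERSION = 4
CMD_CONNECT = 1


def socks4_connect(ip, port, userid=b""):
    """Plain SOCKS4: the request carries a 4-byte IP, so the client must have
    resolved the name itself before it can even build the request."""
    return (struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + socket.inet_aton(ip) + userid + b"\x00")


def socks4a_connect(hostname, port, userid=b""):
    """SOCKS4A: DSTIP is 0.0.0.x (x != 0) and the hostname follows the userid,
    so the proxy (tor, in the post's case) does the resolution."""
    return (struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + b"\x00\x00\x00\x01" + userid + b"\x00"
            + hostname.encode("ascii") + b"\x00")


def connect_request(target, port, resolve, socks4a):
    """Build a request for `target` (an IP literal or a name). `resolve` is
    the client's own DNS lookup; it is only ever called on the SOCKS4 path
    for a non-literal name, which is exactly the leak the post describes."""
    try:
        socket.inet_aton(target)          # IP literal: nothing to resolve
        return socks4_connect(target, port)
    except OSError:
        pass
    if socks4a:
        return socks4a_connect(target, port)
    return socks4_connect(resolve(target), port)


def proxy_view(request):
    """What the SOCKS server learns from a request: (port, ip, hostname)."""
    _ver, _cmd, port = struct.unpack(">BBH", request[:4])
    ip = socket.inet_ntoa(request[4:8])
    fields = request[8:].split(b"\x00")   # [userid, hostname, b""] for 4A
    hostname = None
    if ip.startswith("0.0.0.") and len(fields) > 2:
        hostname = fields[1].decode("ascii")
    return port, ip, hostname


def demo():
    """Run both modes against a resolver that records what it was asked.
    Returns (proxy view, names resolved locally) for SOCKS4 and for SOCKS4A."""
    asked = []

    def resolve(name):
        asked.append(name)
        return "192.0.2.10"               # constructed answer (TEST-NET-1)

    plain = proxy_view(connect_request("irc.example.org", 6667, resolve, socks4a=False))
    leaked_by_plain = list(asked)
    asked.clear()
    with_4a = proxy_view(connect_request("irc.example.org", 6667, resolve, socks4a=True))
    leaked_by_4a = list(asked)
    return plain, leaked_by_plain, with_4a, leaked_by_4a


if __name__ == "__main__":
    print(demo())
```

With plain SOCKS4 the client has to hand the proxy an IP, so connect_request() calls the resolver itself and the name goes out through the local DNS path before the proxy is ever contacted; with SOCKS4A the name travels inside the request and the resolver is never touched. That is why the post's advice for a SOCKS4-only client is to enter the server's IP address directly.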

With Jabber, things now look very good with PSI - PSI is very usable under OS X and the display problems of older versions have also been fixed. And PSI also works with tor.

Browsing over tor was already possible before, but with the current Mac OS X builds of tor it is also very easy to install. Tip: I created my own network location, with which I can easily change the proxy settings. With it I can simply turn Privoxy+Tor on and off in the Apple menu as needed. Of course this only works with browsers that take their proxy settings from the system settings.

Using ssh over tor is easily done with the ProxyCommand stuff. Instructions are in the Torify HowTo. Many of the tips mentioned there also work under OS X, as there is a normal Unix underneath.

On the Bavaria Fuss

Nothing comes to mind other than a hearty: Keep it up, Mr. Stoiber! - it's true, the Left Party couldn't wish for a better election helper than the raging dwarf from the backwoods. Okay, his outbursts lack a certain degree of appropriateness - it's quite annoying when people in Bavaria are supposedly so terribly smart, but the head of state once again doesn't understand what democracy means. Well, whatever happens, Mr. Stoiber, one thing is certain: we will not be governed by Bavaria. And the way you are currently dismantling Mrs. Merkel, suddenly everything is possible again for the SPD. Thanks to you and your colleague Schönbohm, who with their absurd statements have probably mobilized more East German voters than Gysi and Lafontaine together ...

Mac OS X Intel hacked to run on standard PCs

It's quite bitter when OS X Intel is already hacked before it's actually available:

MacBidouille reports that the Apple Developer kit version of Mac OS X x86, released to developers in early June, has been "hacked" to work with a PC notebook. The report includes a video showing Mac OS X x86 booting natively on a Pentium M 735-based notebook.

And this despite TPM and similar tricks. Maybe Apple should switch back to PowerPC after all, which is not more secure, but at least there's no alternative hardware at bargain prices like with Intel.

RIP last.fm

In the Netzbuch post "last.fm verhärmt sich selbst", Ralf describes how last.fm is leaving reality. I will also have to say goodbye to my earlier recommendation - there are already enough proprietary streaming clients, we don't need another one, and especially not one that doesn't even work properly. Too bad - it was a nice way to discover new and interesting music. But not like this.

SCO-Patent-Fallout?

Speculation is rife that a lawsuit by an eFax company against competitors for using Asterisk could be related to SCO and all the nonsense surrounding it:

Now, Groklaw is speculating about the extent to which the move could be a general patent attack on free software. The reason for this is a close connection between the SCO Group and j2. Among the supporters of the software company, which has been in a heated dispute over intellectual property in Linux components, particularly with IBM, for a long time, is the investment firm Krevlin Advisors. It is also a major shareholder in j2.

But even if there's nothing to the rumors, the whole thing will certainly be idiotic and annoying again - and yet another proof that software patents and business method patents are utter nonsense. In any case, Asterisk (essentially a telephone system implemented in software) could soon become another battleground - if only because it may appear as a threat to one or another manufacturer of smaller telephone systems. And the market for telephone systems is, after all, characterized by very strange sales strategies and even stranger contractual situations (not without reason, telephone system maintenance contracts are occasionally declared invalid for violating good morals).

XchatPython is a plugin for X-Chat that allows you to write extensions in Python.

Sooo cool!

BlackDog is a PowerPC computer with 64 MB of memory and a 512 MB flash disc in a mini case that you can plug into any PC with Windows or Linux via the USB port. The PowerPC processor then takes over the keyboard, mouse, and screen, and starts its Debian Linux, whose desktop you can then see on the PC.

The device runs solely on USB power and also has additional biometric access control via fingerprint. Wow. A nice little hacker kit for on the go, you just need to find a host computer.

And it is completely open and hackable in terms of architecture - there is even a hacking competition to develop interesting applications for it. Although I already know what I would put on it - all the necessary network tools. I think I need to motivate the boss at the company to take a closer look at what you can do with such a device. I haven't had such a strong desire to have something for a long time.

Information about the Canon EOS 5D has surfaced

The rumors about the Canon EOS 5D already sound quite interesting - a full-frame sensor camera for 3500 could certainly tempt me. The previous contenders in the full-frame sector were just outrageously expensive (yes, the 5D is too, but the utopia has come a bit closer).

Oracle Cluster File System 2 for Linux

The Oracle Cluster File System could already be a nice alternative to GFS and Coda - at least if this really happens:

The Linux developer responsible for the Linux Kernel 2.6, Andrew Morton, wants to include the Oracle Cluster File System version 2 in the official Linux Kernel as soon as possible. Linux 2.6.14 could already contain OCFS 2 and would then be the first cluster component in the official Linux Kernel.

The previous cluster file systems suffer from the lack of integration - most of the time you can't use them in every kernel version. What is interesting to me is how independent the nodes really are and whether there is also a single point of failure in the Oracle Cluster File System, as there is e.g. the Locking daemon in OpenGFS. So far, we have not been very successful in evaluating cluster file systems in the company, actually they were all somehow stupid ...

The Hidden Boot Code of the Xbox

In The Hidden Boot Code of the Xbox the Xbox-Linux programmers explain how the security code of the Xbox is structured and how Microsoft managed to build 3 errors into 512 bytes of code. "Lots of kindergarten security mistakes", as Bruce Schneier calls it.

Also nice is the conclusion of the article:

So with the first version of the MCPX, Microsoft was too naive and apparently did not understand basic security concepts. After they had learnt their lesson, they designed a pretty good system with the second version of the MCPX - but the implementation still contained at least three security holes (Visor, MIST, TEA). They were too fast releasing a new version of the MCPX, spending a lot of money in trashing tons of already manufactured MCPX chips and manufacturing updated ones, apparently without any further code audit which should have revealed the security holes.

512 bytes is a very small amount of code (it fits on a single sheet of paper!), compared to the megabytes of code contained in software like Windows, Internet Explorer or Internet Information Server. Three bugs within these 512 bytes compromised the security completely - a bunch of hackers found them within days after first looking at the code. Why hasn't Microsoft Corp. been able to do the same? Why?

Exactly. Why doesn't Microsoft get this right? Why does Microsoft repeatedly fail so badly at security? And don't give me the silly excuse that the bugs at Microsoft are found so quickly because it has so many users - this is basic knowledge that would be required. This is just sloppy.

And now, Mr. McBride?

Shit hits Fan for SCO:

A: There was a release of SCO LinuxWare release 7.1.2 that included the Linux kernel personality and SCO Linux-release 7.1.3 included the Linux kernel personality. At first when it first shipped it did include the Linux kernel packages which were subsequently removed.

I find this somehow fitting when SCO is caught using the Linux kernel - which is under GPL - in their products at least temporarily and delivered with them. Could be one reason why they are now trying to denounce the GPL as un-American and unconstitutional.

Yep. Makes sense.

Not Intelligent Design, but rather the Google-Bombing of the expression naturally.

EU Commission acting alone again

This time with a direct attack on common sense and the bio-system: EU Commission approves import of genetically modified corn:

Controversial genetically modified corn may now be imported into EU countries as animal feed. The EU Commission made this decision unilaterally.

I'll repeat: I am actually pro-EU and see only a functioning European Union as a viable long-term path for our region. But not with an EU Commission that makes arbitrary decisions that go against common sense. And all of this only for the financial benefit of a non-European company whose sole aim is to crack the European market and dominate it just like other markets.

Hand Darl McBride the Frog Pills


now he's really going off the deep end:

In detail, McBride lists ten points that speak for SCO and against Linux. Thus, OpenServer is supposedly much cheaper than Linux systems that work with hidden annual licenses, has a superior kernel, and offers significantly higher security than Linux systems where security gaps remain open for weeks. McBride repeatedly emphasizes that his company owns Unix and, for this reason, enjoys greater trust among customers. Furthermore, SCO, as the owner, ensures that there are no splinter groups of incompatible system variants.

Rarely seen such a compact block of bullshit

Mathematical Ignorance

It's almost fashionable to talk about how bad you were at math (I wasn't, I was very good at math - and yes, I really enjoyed it), but when you read James Gosling asking questions about sine/cosine and what a period of 2*Pi means, you really scratch your head. Slava Pestov at least sees in this the explanation for why most programmers ask really stupid questions about the simplest mathematical problems: even the big shots in the industry don't understand basic trigonometry ...

International Components for Unicode is a library of reference implementations of all Unicode standards, specifically concerning character transformation, normalization, and sorting, but also many other localization issues such as date formatting, etc.

PyICU is an integration of the ICU C++ interface into Python. Seems quite comprehensive in terms of scope. Integration with Python string data types is also provided.

You never stop learning

I thought I knew most of ssh's tricks. But I stumbled upon one that is banal and simple, yet was unknown to me: the ProxyCommand option. With it you can define, for a given host, a tunnel that is established before the actual connection is made. With the program nc (Netcat) on the host one hop before the target system, you can tunnel through a chain of firewalls wonderfully, especially in combination with agent forwarding. Simply put a section like this into .ssh/config:


```
Host safe
    Protocol 2
    User me
    HostName 192.168.0.42
    ProxyCommand ssh door nc -q 0 safe 22
```

Here, when ssh safe is used, a connection to the host door is first established internally via ssh door, and on door a Netcat connection to the ssh daemon on the actual target host safe is opened. This can also be chained wonderfully over several ssh hops to transport files directly between two systems through a chain of firewalls. ssh is just genius; if it didn't exist, you would have to invent it.

(in my case, I needed this for darcs - it can only push repositories over ssh)

on the way to media monoculture

Springer is taking over ProSiebenSat.1 - and will likely soon launch their neoliberal opinion campaign multimedially and then send their trash on all channels. A democracy needs an independent, strong press - but one that does not pursue its own political agenda. Therefore, we can probably say goodnight to another piece of democracy when a corporation like Springer will soon bridge the media gap.

Connecting databases to Python with SQLObject is a quite nice introduction to SQLObject - one of the nicer Object-Relation-Mappers for Python.

Environmental Clearance Sale in D-Village

It was to be expected, the state government presents environmental policy goals - and what does that bring:

Environmental protection will also have "high priority" in the new NRW state government - promises Environment Minister Eckhard Uhlenberg. But he wants to reduce the influence of nature conservation associations.

And then there are various other niceties, in principle a dismantling of what has always distinguished NRW's environmental policy from the rather weak stance of the federal government (and probably a merit of Mrs. Höhn - not that anyone believes the SPD in NRW has been particularly environmentally conscious).

Unicode HOWTO for Python. Python programmers should read.

Crypt::PasswdMD5 is a Perl module that produces MD5 password hashes the same way Linux and Solaris do.

md5crypt.py is the same algorithm for MD5 passwords, this time in Python.

Store passwords as hashes - safe?

Not quite new (it was new last summer, but I somehow missed it; the underlying paper is even two years old), but still interesting: Project RainbowCrack is a project aimed at creating tools for faster cracking of hashes. Hashes can normally only be reversed by brute force, helped along by algorithmic weaknesses (as recently found in MD5 and SHA1). There is, however, an approach that precomputes the expensive part of the brute-force work (essentially the intermediate results of the algorithm) in advance - for example, if you only intend to crack passwords up to a certain number of characters.

Of course, this does not come for free: you trade computing time for storage space. Tables for cracking Windows passwords of up to 14 characters occupy a casual 64 GiB of storage. The practical relevance of the approach and the tools becomes obvious from this quote:

Some ready to work lanmanager and md5 tables are demonstrated in Rainbow Table section. One interesting stuff among them is the lm #6 table, with which we can break any windows password up to 14 characters in a few minutes.

There is also a web interface to a distributed computing cluster for Project RainbowCrack, through which you can send MD5 hashes to an MD5 cracker, which then - if it is a string with a maximum of 8 characters - spits out the plain text. And this thing is constantly building more Rainbow Tables, making cracking faster and faster.

Just a warning for those who think a plain MD5 hash (or ultimately almost any plain hash) of the password would be sufficient. Unix systems typically use salted hashes: the password is extended by a plaintext string and the hash is then formed over both. In principle this lengthens the password, even though the extension is of course not secret - for the computing time or the table size that doesn't matter, the passwords are simply longer and thus harder to crack. But that, too, is only a matter of storage space until they are no longer secure.

Better are passphrases instead of passwords - just ordinary sentences of normal length. On the one hand they are often easier to remember (many people cannot remember a phone number but can quote lines of poetry), on the other hand they are simply longer (and, above all, of flexible length), so that rainbow tables are out of the question as an attack method. The algorithmic weaknesses of MD5 and SHA1 remain, of course.
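As an added example (not from the original post, from RainbowCrack or from md5crypt.py), the following Python shows both halves of the argument above, and also puts the md5crypt entries a few paragraphs up into context: a precomputed digest-to-plaintext table succeeds against a plain MD5 hash and fails against a salted one, and two small functions put numbers on why a salt multiplies the attacker's table storage and why passphrase length blows up the keyspace. The candidate list, the fixed salt in the test and the simple salt || password construction are constructed for illustration; real md5crypt iterates the hash many times and uses its own encoding.

```python
import hashlib
import hmac
import os

# Added example (not from the original post). The "table" built below is a
# constructed stand-in for a precomputed hash table: it maps digests of a
# small candidate list back to the plaintext, and it is computed once and
# reused against every hash the attacker sees.
CANDIDATES = ["secret", "letmein", "passw0rd", "hunter2"]


def unsalted_md5(password):
    """The scheme the post warns about: MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(candidates):
    """Precompute digest -> plaintext once, up front."""
    return {unsalted_md5(p): p for p in candidates}


def crack_with_table(table, digest):
    """Lookup succeeds only if the digest was computed the way the table was."""
    return table.get(digest)


def salted_md5(password, salt):
    """Simplified salted scheme (hash over salt || password). The idea is the
    one the post describes; md5crypt itself iterates and encodes differently."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def store(password, salt=None):
    """Stored form 'salthex$digest': the salt is public, as the post says."""
    salt = os.urandom(8) if salt is None else salt
    return f"{salt.hex()}${salted_md5(password, salt)}"


def verify(password, stored):
    """Recompute with the stored salt; compare without leaking timing."""
    salt_hex, digest = stored.split("$", 1)
    candidate = salted_md5(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def tables_needed(salt_bits):
    """One precomputed table only covers one salt value, so the attacker's
    storage grows by 2**salt_bits (classic crypt(3) used a 12-bit salt)."""
    return 2 ** salt_bits


def keyspace(alphabet_size, max_len):
    """Number of candidates of 1..max_len characters: the quantity a table has
    to cover, and the reason passphrase length puts it out of reach."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    print("unsalted:", crack_with_table(table, unsalted_md5("secret")))
    stored = store("secret")
    print("salted:  ", crack_with_table(table, stored.split("$")[1]))
    print("verify:  ", verify("secret", stored))
    print("tables for 12-bit salt:", tables_needed(12))
    print("keyspace 26 chars, len<=8:", keyspace(26, 8))
```

The salt does not have to be secret for this to work: the table was keyed on unsalted digests, so the attacker has to rebuild it for every salt value in use, and the per-user salt stored next to the digest is what forces that. The keyspace figure shows the other point the post makes: a passphrase a few words long is simply outside anything a table can cover.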

Shoot-to-Kill Directives - and the World Becomes a First-Person Shooter

Bruce Schneier on Shoot-to-Kill and specifically a proposal by the International Association of Chiefs of Police. Translated from the proposal:

... such a person exhibits "various unusual behaviors" such as wearing a heavy coat or thick jacket in warm weather, carrying a suitcase, shoulder bag, or backpack with bulges or visible wires. The person shows nervousness, avoids eye contact, or sweats profusely. There may be chemical residues on the clothing or hands. The person may be mumbling prayers or rocking back and forth.

Note what is to be done with such persons is clear to the Chiefs of Police: shoot them in the head. Final killing shot. And of course, no further reason is needed for this:

... the threat to the officer does not need to be immediate, as taught in normal procedure. Officers do not need to wait until a person suspected of being an attacker makes a move, as would be necessary in the normal use of firearms. An officer only needs to have a reasonable suspicion that the suspect could detonate a bomb.

Bruce Schneier rightly asks if we would really feel safe if such a directive were implemented. Every pickpocket shows enough characteristics to be shot down at some point if such a dehumanizing directive were actually implemented.

We know how quickly dehumanizing ideas suddenly make it onto the agenda here ...

A Treeview in JavaScript that can be used within pages (without frames) and still remembers its state.

Cisco customer passwords are gone - this is so embarrassing, it really hurts. Oops. And it's Cisco.

Django, Apache and FCGI

In Django, lighttpd and FCGI, second take I described a method how to run Django with FCGI behind a lighttpd installation. I did run the Django FCGIs as standalone servers so that you can run them under different users than the webserver. This document will give you the needed information to do the same with Apache 1.3.

Update: I maintain my descriptions now in my trac system. See the Apache+FCGI description for Django.

Update: I changed from using unix sockets to using tcp sockets in the description. The reason is that unix sockets need write access from both processes - webserver and FCGI server - and that's a bit hard to setup right, sometimes. tcp sockets are only a tad bit slower but much easier to set up.

First the main question some might ask: why Apache 1.3? The answer is simple: many people still have Apache 1.3 running as their main server and can't easily upgrade to Apache 2.0 - for example, if they run large codebases in mod_perl or mod_python they will run into trouble migrating, because Apache 2.0 requires mod_perl 2 or mod_python 2 and both are not fully compatible with older versions. And even though lighttpd is a fantastic webserver, if you already run Apache 1.3 there might just not be the need for another webserver.

So what do you need - besides the Python and Django stuff - for Apache 1.3 with FastCGI? Just the mod_rewrite and mod_fastcgi modules installed, that's all. Both should come with your system's distribution. You will still need all the Python stuff I listed in the lighttpd article.

mod_fastcgi is a bit quirky in its installation; I had to play around with it a bit. There are a few pitfalls I can think of:

  • the specification of the socket can't be an absolute path but must be a relative path with respect to the FastCgiIpcDir
  • the specification of the FCGI itself (even though it's purely virtual) must be in a fully qualified form with respect to the document root you want to use. If you use a relative path, it will be relative to the document root of the default virtual host - and that's most surely not the document root you will use if you want to set up a virtual host with the FCGI.
  • the FCGI itself can't be defined within a virtual host - it must be defined in the main server config. That's where the relative addressing problem comes into play.
  • the socket file must be both readable and writeable by the FCGI user and the Apache user. Usually you do this by changing the socket file to group writeable and changing the group of that socket file to a group where both the user and the apache are members of.

Now here is the config snippet you have to add to your httpd.conf. I use the same directories as with the lighttpd sample, you most surely will have to adapt that to your situation.


```apache
FastCgiExternalServer /home/gb/work/myproject/public_html/admin.fcgi -host 127.0.0.1:8000
FastCgiExternalServer /home/gb/work/myproject/public_html/main.fcgi -host 127.0.0.1:8001

<VirtualHost *>
    ServerAdmin gb@bofh.ms
    ServerName www.example.com
    ErrorLog /home/gb/work/myproject/logs/django-error.log
    CustomLog /home/gb/work/myproject/logs/django-access.log combined
    DocumentRoot /home/gb/work/myproject/public_html
    RewriteEngine On
    # everything below /admin/ and /main/ is handed to the respective FCGI,
    # with the original path appended as PATH_INFO
    RewriteRule ^(/admin/.*)$ /admin.fcgi$1 [L]
    RewriteRule ^(/main/.*)$ /main.fcgi$1 [L]
</VirtualHost>
```

You have to allow the webserver write access to the logs directory, so you might want to use a different location for them - possibly in `/var/log/apache/` or wherever your Apache puts its logs. The FastCgiExternalServer directives must be outside of the virtual host definitions, but must point to files within the virtual host's document root. Those files needn't (and probably shouldn't) exist in the filesystem; they are purely virtual. The given setup reflects the setup I did for the lighttpd scenario.

Now restart your apache, start your django-fcgi.py and you should be able to access your django application. Keep in mind to copy the admin_media files over to the document root, otherwise your admin will look very ugly.

```sh
# ports match the FastCgiExternalServer lines above: admin on 8000, main on 8001
django-fcgi.py --settings=myproject.settings.admin --host=127.0.0.1 --port=8000 --daemon
django-fcgi.py --settings=myproject.settings.main --host=127.0.0.1 --port=8001 --daemon
```


Have fun.

EU Brainless about Copyright Infringements

What nonsense. If the proposal goes through, using open-source software will become risky:

A new draft law by the European Commission aims to allow lawsuits against users in case of suspected copyright infringement in software. In addition to the perpetrator, companies that feel safe due to their licenses would also come under fire. This was reported by the British trade magazine 'ZDNet UK'.

Given the current impression of the SCO case, it should be clear to everyone that such an idea is complete nonsense - because that's exactly what SCO wanted to do, to extort all Linux users. There are hardly any ideas stupid enough that they couldn't occur to a politician ...

Geocaching in Münsterland

Now that I have a Garmin Geko 201, I naturally have to take a look at the information about Geocaching. Does anyone have a good link to Geocaching activists in Münster and the surrounding area? That would be something for our upcoming vacation. Jutta always complains that she doesn't know the Münsterland well enough, so checking out Geocaches would be the ideal method to explore the area.

As a first starting point, I will take a look at the entries on geocaching.de for Ruhrpott and Emsland - we are neither Ruhrpott nor Emsland, but close enough to be included in both.

In addition, I now have a good reason to tell Jutta why I bought the thing.

And when I look at instructions like those for Vaders Stein, it will even be perfect for Jutta - she loves puzzle games. Hey, it could easily become a new hobby ...

Again something new with Django

There's always news, but this time there's a very interesting feature again: the inspectdb command delivers all the tables and fields from a PostgreSQL database in the format of a Python data model. Additionally, foreign keys are also found if they are stored in the database. Very practical if you need to build an interface for an existing database, you save a lot of typing work.

Social Networking

Well, I've also registered in one of these great social (in this case rather business-social) networks, specifically the O'Reilly Connection. Don't want to be considered bitter and aged.

Anyone who manages to find me there can define a connection to me. And laugh at my silly photo ...

Ian Bicking on what's currently happening with SQLObject - it had become quite quiet around one of the nicest SQL object layers for Python, but now it's moving forward again. The most interesting point for me: Tool support for database upgrades. A point that, for example, is still missing in Django.

But patents are sooo great ...

... but only when your own central bank becomes the target of a patent infringement lawsuit: European Central Bank sued for patent infringement. Will this perhaps wake people up at the EU Council? Oh, forget it, they won't wake up in this life, then they would have to recognize their own corruption ...

The equivalent to Apple FileSafe under Linux: Automatically mount dm-crypt encrypted home with pam_mount. Very useful for laptops, but also for workstations of administrators (due to the many security-relevant files that accumulate in the home directory).

Coroutines for Python

Philip J. Eby has provided a patch for the implementation of PEP 342. This means that the chances of Python having coroutines in the future are very good.

And that, in turn, means that Python will get a - albeit primitive - form of continuations. Now all that's missing is for something like statesaver to be integrated into Python - for multishot continuations (ok, first just copyable coroutines, but that would be a start at least).

All of this, of course, just to finally be able to work with continuations in web frameworks. Ok, it's already possible with CherryFlow, but it would be nice if all of this would make it into mainstream Python.
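The "primitive form of continuations" above is easiest to see in code. Here is an added example (not from the original post, not from PEP 342 or from CherryFlow) in Python: a multi-step signup dialogue written as straight-line code inside a generator, driven from the outside with send(), which is exactly the mechanism PEP 342 introduced. The dialogue, the driver and the scripted answers are constructed stand-ins for a web flow; the last function shows the gap the post mentions, namely that such a coroutine cannot be copied, so there are no multishot continuations.

```python
import copy

# Added example (not from the original post): a generator used as a
# coroutine via send(), the primitive continuation PEP 342 gives Python.


def signup_flow():
    """A multi-step dialogue as straight-line code. Each `yield` hands a
    request to the driver and suspends; the value passed to send() becomes
    the result of the yield expression, and all local state survives."""
    name = yield ("ask", "name")
    while True:
        email = yield ("ask", "email")
        if "@" in email:
            break                  # invalid input re-asks instead of restarting
    yield ("done", {"name": name, "email": email})


def run_flow(flow, answers):
    """Drive a coroutine to completion with scripted answers (in a web
    framework each answer would be the next HTTP request).
    Returns (prompts issued in order, final result)."""
    prompts = []
    answers = iter(answers)
    kind, payload = next(flow)     # prime: run up to the first yield
    while kind == "ask":
        prompts.append(payload)
        kind, payload = flow.send(next(answers))
    return prompts, payload


def is_copyable(coroutine):
    """Generator-based coroutines are one-shot: copy.copy() refuses them with
    a TypeError, which is the 'copyable coroutines' gap the post refers to."""
    try:
        copy.copy(coroutine)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    print(run_flow(signup_flow(), ["alice", "not-an-address", "alice@example.org"]))
    print("copyable:", is_copyable(signup_flow()))
```

The point of the pattern is that the flow keeps its place between requests: after the rejected e-mail address the generator resumes inside the loop with the name still bound, rather than the framework reconstructing that state from a session. What it cannot do is fork: once a suspended generator has been resumed, there is no way to resume it a second time from the same point.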

Whoever wants to deal with larger Erlang software and try out a Jabber server, might find ejabberd interesting - a Jabber server that uses all the nice features of Erlang to offer, for example, simple clustering and good data distribution.

Hell freezes over - a second time

First Intel processors and now more than one mouse button. And even something similar to a scroll wheel. Shocking.

And another Linux-on-Mac story. This time an iBook and Gentoo. Quite useful for a small and affordable Linux box for on the go.

The Linux on an Apple Powerbook HOWTO provides exactly what I would need if I wanted to switch my 12" Powerbook to Linux - the author even uses exactly my model. And no, I don't want to switch yet.