serialized delusions


Sunday 11 December 2016

Thought about Python 3

The post prompted me to consider . While I don't reject py3k out of hand, there is some foul smell.


Sunday 10 April 2016

Scripting the web

This blog, like any blog, attracts plenty of comment spam. But so far there's not much traffic and I was filtering it manually. There is a lot of repeated spam, which should be easy to filter automatically.


Wednesday 2 March 2016

Wget malignant featuritis

I had trouble finding things in the deedbot archive, so I decided to make a mirror I could grep through. Such a simple website would be an ideal job for wget, no?


Wednesday 2 December 2015

Tragedy of web security

I have found myself in the middle of a depressing discussion about XSS. A security company released a scary video showing how it is used in practice to hijack an admin session. And the reactions? As usual.

"This won't happen with $magicunicornframework, ain't no shitty PHP."

"Easy, just tie it to user's browser version, system version, IP address, geo location, shoe size...."

"That's a banal bug, we only need proper sanitation of user input."

As happens to me more and more often lately, such situations trigger my "let's invent ourselves a profitable hard problem" sense. In this case... is there really no way for application A running on computer AA to uniquely authenticate to application B running on server BB? I thought this was a solved problem in crypto; we have Diffie-Hellman, PKI, ...

But it's impossible when A may run rogue code and access these secrets! We can't do much about it!

Oh really? Then why do you let that shit code manage secrets?

*Silence*.

I can't believe no one ever thought of a way for the browser to authenticate a session without giving out secrets to anyone, including JavaScript. It would be a really worthwhile addition to the HTTP protocol... but let's instead do compression and pipelining and whatnot. Actually it goes way back to the beginning, when HTTP login authentication went largely unused because browser vendors forgot to include a logout button. Just sad.

Update: I got a reply from the security company's owner, and it's really symptomatic:

Nonsense. We have so much work that we'd like to solve interesting problems and not trivial bullshit. And there are many more areas that need better security. Our goal is a better internet, and I don't know any pentester who has fun submitting the same bugs over and over. We also want new challenges and to move on, so I believe such bugs will soon really be solved with frameworks, better session management and proper separation of contexts (text, html, javascript, data, css, data from user, data from server, ...)

Saturday 23 August 2014

First impressions of ownCloud

ownCloud is a package that claims to provide synchronization of one's private files, calendar, documents and contacts from one's own server, without handing them out to any third parties. Until now I have only combined commercial "cloud" services like Dropbox and Google with my own haphazard CGI scripts.
