Why, in the name of all that is 8-bit?

For one, it’s fun. The core protocol is well defined by the RFCs.  In the web development world you don’t often get to program to specifications like that; it’s a nice change of pace. There’s no need for any front-end work either. I get to write Python, which I haven’t done for a while. And finally, it’s my own free time, nowgetoffmydamnlawn grumblegrumble

Networking

I wrote basically zero networking code – gevent does all the hard work.

gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libevent event loop.

Pure goodness. It’s also ridiculously easy to use.  Note the mention of coroutines – gevent abstracts away not only the bit pushing of low-level networking, it also takes care of the handler threads greenlets. Here’s the networking code of the IRC server, all four lines of it:

def handle(socket, address):
    fileobj = socket.makefile('rw')
    # From here on, I can just use fileobj as a simple file object.
    # Yes, fileobj.close() will close the socket.

server = gevent.server.StreamServer(('127.0.0.1', 6667), handle)
server.serve_forever()

Design and implementation

The server has four main components at the moment:

• abnf.py: Parses and checks the ABNF grammars specified in the RFCs. No regular expressions, but not a full-fledged ABNF parser either; just some helper functions that can be considered to be a semi-complete DSL. Pretty strict syntax checking.
• dispatcher.py: loads and calls command handlers as needed. Uses some importlib trickery to load handlers based on the incoming commands.
• commands: Command handlers. They get and return abstract Message objects, and operate on the server database.
• db: Contains the server state: users, channels, other servers when I get to that. Currently just a simplistic implementation with dictionaries, but it’s probably enough for this project.

Currently enough commands are implemented to allow irssi to connect, join a channel, and have a conversation in a channel or in private (no user lists yet though). Adding new commands is pretty simple, so I hope to have a mostly functional server soon. I’m not too optimistic about how the current parser can be extended to support less compliant clients; it’ll probably have to be replaced with a more robust design.

Anyway, go ahead and make it crash :D I know you want to.

The facts

HP has released the Pavilion g6 series in two (correct me if I’m wrong) versions; I can only comment on the one with the AMD/Intel switchable graphics. But I could keep commenting on that all day.

The specs look good, but they don’t mention that the switchable graphics only work with DirectX applications. You don’t get to use the beefy AMD card for OpenGL apps and games – that includes any WebGL apps, Minecraft and SpaceEngine, just to name a few. Also, the only supported operating system seems to be 64-bit Windows 7 (see here).

The story so far

Poeple have been complaining; there’s even this support question that lists all the previously unanswered questions. A possible workaround, which has been released for the some other lines (dv* and envy), is disabling switchable graphics from the BIOS and always using the dedicated video card. No such BIOS update has been released for the Pavilion g6 yet.

There’s a third-party driver project for AMD/Intel switchable graphics that releases with the newest versions of both drivers. This might be a solution, but it didn’t work for me. What’s more, after fooling around with three different versions of it, Windows 7 now reboots after a split-second BSOD – even in safe mode. Good thing I only use Windows to play games.

HP doesn’t release Linux drivers. Switchable graphics via vga_switcheroo get as far as powering the discrete graphics card up or down, but my up-to-date Arch Linux system freezes when I actually try to switch to the AMD card. The official proprietary Linux AMD drivers (fglrx 12.3 and 12.4) supposedly support switchable graphics. The newest version of Xorg is not supported yet, but let’s downgrade to an older version, and what do we find? The drivers don’t want to make friends with the hardware and complain loudly, saying “Invalid ATI BIOS from int10, the adapter is not VGA-enabled”. After which they don’t recognize the screen as usable; X11 fails to start.

Conclusion

There is no way to use the main selling point of the notebook with OpenGL applications, or at all on Linux. Not good.

Solution: a user script that adds whitelist and blacklist filtering. It looks like this:

NetPincér menu filter

It works in both Chrome as a user script and as a Gresemonkey script in Firefox. You can get it from userscripts.org: https://userscripts.org/scripts/show/130399

The model was done in an hour or so, but without any tests. I decided to do only manual testing, which added some time at the end, but whatever. The UI took a bit longer, and it doesn’t look as good as it could. It’s also not optimal, but it’s good enough. It’d be great if someone could spend some time polishing it… *nudge-nudge, wink-wink*

Anyway, here’s the game: http://static.abesto.net/mastermind

And the GitHub repo: https://github.com/abesto/mastermind

GitHub repository

Google Prettify doesn’t provide highlighting for Clojure. GitHub does, go there for pretty colors.

(ns net.abesto.calc_clj.core
  (:gen-class)
  (:use seesaw.core))

(native!)

(def stack-size 4)
(def stack (ref []))
(def gui-stack (ref []))

(defn push [x] (dosync (ref-set stack (concat (next (deref stack)) [x]))))
(defn popn [n]
  (dosync
   (let [ret (take-last n (deref stack))]
     (ref-set stack (take stack-size (concat (repeat n 0) (deref stack))))
     ret)))

(defn sync-gui [] (dorun (map value! (deref gui-stack) (map str (deref stack)))))

(defn number [n]
  (action
   :handler
   (fn [e]
     (dosync (push (+ n (* 10 (first (popn 1))))))
     (sync-gui))
   :name (str n)
   ))

(defn operator [label operator operand-count]
  (action
   :handler (fn [e]
              (let [operands (popn operand-count)]
                (push (apply operator operands)))
              (sync-gui))
   :name label))

(defn -main [& args]
  (invoke-later
   (dosync
    (ref-set gui-stack (take stack-size (repeatedly #(text :editable? false))))
    (ref-set stack (repeat stack-size 0)))

   (sync-gui)
   (-> (frame
        :title "Hello",
        :content
        (vertical-panel
         :items [
                 (vertical-panel :items (deref gui-stack))
                 (horizontal-panel :items [
                                           (action :name "Enter" :handler (fn [e] (push 0) (sync-gui)))
                                           (operator "+/-" - 1)
                                           ])
                 (grid-panel
                  :rows 4
                  :columns 4
                  :items [(number 7) (number 8) (number 9) (operator "+" + 2)
                          (number 4) (number 5) (number 6) (operator "-" - 2)
                          (number 1) (number 2) (number 3) (operator "*" * 2)
                          (number 0) ""         ""         (operator "/" / 2)
                          ])
                 ])
        :on-close
        :exit)
       pack!
       show!)
   ))

Why are the buttons gone?

As IE before, WebKit has introduced styleable scroll-bars. (Whether that’s a good idea or not is not the point of this article.) The new Google design uses this new feature in a lot of places. This has two effects: 1) the scroll-bars fit in nicely and 2) the scroll buttons are gone. The special CSS selectors provide a very detailed, if verbose, way for making sure the scroll-bars on the site match the design; there’s a great article explaining them at CSS-Tricks.

The solution

I haven’t managed to find a way to disable this feature in Chromium; there’s no way to disable these customized scroll-bars. The best solution I could find is creating visible elements via a user stylesheet where the buttons should be. We can do anything with them, but in this example we’ll just make simple gray boxes.

1. Find the file / text box for custom stylesheets

For Chrome (and Chromium) you’ll need to find a file. The changes will be applied as soon as you save it – there’s no need to restart the browser.

Windows:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\User StyleSheets\Custom.css
(%LOCALAPPDATA% is usually C:\Users\username\AppData\Local, where AppData is a hidden folder)

Mac:
/Users/username/Library/Application Support/Google/Chrome/Default/User StyleSheets/Custom.css
Linux:
~/.config/chrom(e|ium)/Default/User\ StyleSheets/Custom.css

In Safari you don’t even have to leave your browser: you can create stylesheets in the Preferences → Advanced tab. Note that by default you’ll have to restart your browser for changes to take effect. Check out this Macworld hint if you want to work around that.

2. Add custom styles

Any CSS  you enter here will be applied to all pages loaded in the browser. The following snippet makes sure that the scroll up/left button at the start and the scroll down/right button at the end of the scroll-bar are visible as a gray box. It does not contain anything to apply it to only Google applications, but chances are that if you want the scroll buttons here, you’ll want them everywhere.

::-webkit-scrollbar-button:start:decrement,
::-webkit-scrollbar-button:end:increment {
  background-color: #ddd;
  height: 16px !important;
  width: 16px !important;
  border: 1px outset silver;
  display: block !important;
}

This is really unacceptable from a design perspective (read: it looks bad). It’s also ridiculous that we have to resort to hacks like this to have scroll buttons… Still, this is the only way I could come up with (other than disabling this extension in the Chromium/WebKit source and compiling).

• The working example is here
• And the docco-annotated source code is here

Some links and introductions are in order

Raphaël: ”a small JavaScript library that should simplify your work with vector graphics on the web”. It also includes a handy light-weight event framework called “eve” (yes, another one; yes, its good enough to exist). It’s a very useful common interface to SVG and VML (which is what IE supports instead of SVG).

Knockout: a library implementing MVVM for the browser, with dependency tracking and template support using jquery.tmpl.

MVVM: a design pattern that can be considered an alternative to MVC in some respects. The idea is that view-models (VM) and views (the first V) are bound once, and they automatically update anything connected to them when they change, while updating some kind of storage (the first M). The storage is neglected in the example, but it’s supported just fine by Knockout.

• Always keep your system up to date with security patches. No amount of configuration can save you if your version of sshd allows anyone born before 1970-01-01 to log in as root.
• Always employ the Principle of least privilege: give users only the permissions they strictly need.
• Check that your system doesn’t run a telnet daemon by default.
• Use a firewall to close all unused ports manage ports available for local applications to listen on.^[2] See ufw (Uncomplicated Firewall) for a simple iptables-based solution.

The less obvious

• Disable administrative interfaces like PhpMyAdmin, the Nagios web GUI and cPanel when not used. You may also consider disabling the web-based interfaces of Cacti, Munin and friends; they should be password-protected at the least.
• Even when you use them, they should be behind strict firewall rules^[1] and HTTPS. A self-signed certificate will work just fine for the HTTPS part. The nginx manual has a simple procedure for setting this up here. The configuration options for apache are listed here (you might want to follow the key creation procedure from the nginx manual; it’s summed up rather nicely).

SSH

The goal of many attackers is to gain shell access to your box. Hardening your sshd configuration is an important step in preventing this. Everything you’ll find below is tested with OpenSSH. The configuration options must be added to the sshd configuration file, usually /etc/ssh/sshd_config. Changes to this file will take effect after you restart the sshd server or reload the configuration options with /etc/init.d/sshd reload (replace init.d with rc.d if needed :))

Restrict remote login to users that really need it

Why:

Less users mean less targets, obviously. Specially, root never needs SSH access. Note that disabling login by setting the login shell to /bin/false prevents only a subset of the attacks handled by this solution.

How:

Use the AllowUsers and/or AllowGroups directives. Users not covered by either directive are not allowed to log in via SSH.

Example:

AllowUsers user1 user2 user3
AllowGroups group1 group2
PermitRootLogin no

Disable password authentication

Why:

Password based authentication is inherently less secure than the public-key alternative. You can find an easy to follow comparison at Rongchaua’s blog.

How:

1. If you don’t have a GPG SSH^[3] key yet, you’ll have to create one. See this GPG Quick Start guide On Unix-based systems ssh-keygen will create your SSH keypair after you answer a few simple questions^[1], or see this guide for PuTTY on Windows.
2. Once you have the private and public keys, paste the public key into the file $HOME/.ssh/authorized_keys on the server. OpenSSH is quite picky about the permissions of files, so make sure that only you can access it (“chmod 0600 $HOME/.ssh/authorized_keys“ should be good enough).
3. Make sure you can log in without entering your login password. If you disable password authentication without setting this up correctly, you can lock yourself out of the system.
4. Disable password login and other unsecure login methods:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Force the usage of SSH-2

Why:

 The older protocol, SSH-1 is less secure, and all modern clients support the new protocol. Using only SSH-2 in sshd is also the default in modern servers^[1].

How:

Protocol 2

Use a non-standard port

Why:

Running the SSH daemon on a random port requires little effort, for a little security through obscurity decreasing the number of attackers a bit^[1].

Why not:

A decent port scan will usually still find the service. It might not be worth the effort; decide for yourself.

How:

The port number should probably be below 1024, because binding to these ports require root privileges, thus reducing the risk of port hijacking. Make sure you choose a port not already associated with an application (eg. by checking that it’s not in the nmap-services file).^[1]

port $PORT

You can then log in via the command-line client using the -p switch:

$ ssh -p $PORT user@host

Take this a few steps further, and we get port knocking. It’s a technique not universally accepted as a useful solution in production environments. Setting up port knocking is out of the scope of this article, but there are plenty of resources out there.

Monitoring tools

The steps outlined above make it harder for an attacker to gain access to your system. It should be noted that this is far from being a complete guide on setting up a secure server; there are whole books dedicated to the topic for a reason.

Anyway, when a bad guy manages to access your system, you want to know about it, fast. Finding out about the problem from a request to stop brute-forcing another server does not qualify as fast.

fail2ban ”scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.” This will stop brute-force attacks, but not DDoS attacks. Dealing with denial of service attacks is still not a completely solved issue; see this article for some of the problems and solutions.

ossec is “an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.” Chances are it will pick up the side-effects of most intrusions. Be sure to configure at least the notification address where alert emails are delivered, even if you leave other options on their default.

 IANAD

(I am not a disclaimer. Oh wait, yes I am.)

I’m not a system administrator by training. All of this information can be found online; this is only a collection that I hope may come in handy for someone. Let me emphasize that you don’t necessarily get a secure system just by following these instructions. That said, I’ve listed all the security measures I’ve taken to protect the server running this blog at the time of writing; this setup is good enough for me. Still, the server has no sensitive information, and I’m not a sysadmin.

Update: Coming out and stating that this is the setup I use is not acceptable from a security perspective. I accept the risk, and the potential fun it will bring. What I really want to say is: I eat my own dogfood. Even if stating this makes said dogfood less tasty for me.

[1] Thanks to kdorf for pointing this out in this comment on reddit
[2] Thanks to ngroot for pointing this out in this comment on reddit
[3] Thanks to mowrawn for pointing this out in this comment on reddit

Why?

We all know the old argument on why PHP is often seen as a “bad” language: the barrier of entry is low, so lots of people will write PHP code without learning the fundamentals. However, the arguments usually stop there. Known fact, there’s nothing we can do. But maybe there is?

What?

Let me be clear: I don’t want to teach design patterns to everyone who makes a worship site for their dog. What I’d like to see, and what I’m really missing, is a central repository of best practices for solving common middle to high-level problems. Ideally in a wiki format. What would this bring to the table? It would tell you that is, indeed, thoroughly solved, and also how it’s done. It can also be thought of as a FAQ of sorts, or a collection of best practices (emphasis on best).

Yes, Google is usually your friend. What Google doesn’t do is code review of blogs and tutorials. Let me give a trivial example: I’ve googled really hard when I needed to implement a secure authentication scheme. What I found was tens of “simple login script with PHP and SQL”. What I finally ended up with is basically what Phpass is doing – dynamic and static salts, bcrypt, you know the drill. It’s not as extensible or general, but the theory (and probably the security) is there. What I didn’t know was that Phpass existed. My Google-fu must have been weak that day or something.

I just looked until I found something good enough and went with it. I feel this is characteristic of a lot of development, and not always a bad thing. On the other hand it takes real experience to know what’s good enough, and this experience can come at a high price (especially when considering security).

So what would this proposed wiki say on the topic of secure password storage?

Probably something like: “Use Phpass”. There, it’s not that complicated. Probably include a few good samples of using it, and we’re golden. A full framework-independent example of a complete secure authentication scheme would be killer. Mention OpenID as a full-fledged alternative, probably.

Yes but this still assumes that the developer who needs the information realizes that s/he needs it!

Indeed. However, by making it explicit that such-and-such information can be found here, it’ll be constantly at the back of the developers mind. If it’s easy to reach, maybe we’ll start looking even when we have a full solution in mind. You know, just in case. We can do that now, but (a) making sure we don’t miss a good resource because it’s three pages down in DuckDuckGo and (b) making it really quick to check on a topic instead of reading several articles can only be a good thing.

Why is it that only PHP need such a resource?

This is a valid question. I’m pretty sure some languages/frameworks already have this (probably called a manual or somesuch). It’s usually the documentation of a framework, so of course the documentation of PHP-the-language can’t be expected to contain these things.

Why doesn’t this exist already?

I can probably be convinced that not even PHP needs this. Or is there such a site out there already, and I just missed it? If there isn’t, why not? Is it redundant, not worth it? Does everyone just go with “good enough”?

Is this feasible? Let’s start one!

PS.

Phpass being the bestestest password storage solution is not the point of the post. Feel free to name alternatives. Also, most of this rant is based not on any statistical data, only my “gut feeling”.

I’ve been working on a moderately complex hobby project for a while using Node.js and CoffeeScript. This is the first of a few posts on what I’ve learned so far. This time: using CoffeeScript on the client- and the server-side and auto-compiling client side scripts on the fly with Express.

The goal of the project is, by the way, to illustrate some common algorithms in the browser. You can check it out at GitHub: https://github.com/abesto/algo, or see a running version at http://algo-abesto.dotcloud.com. The blank area next to the controls is where you can draw your graph.

Server side

The theory is simple: CoffeeScript code is equivalent to JavaScript code. Node.js can thus be programmed in CoffeeScript. In practice, things turn out to be just as simple: write your code in CoffeeScript, use the file extension .coffee, and use coffee app.coffee to start your application. Even require works out of the box. You can see an example here (using Express)

Client side

This section assumes you’re using the Express web framework.

Express has support for compilers, and a compiler is shipped for CoffeeScript. Setting up the paths is not well documented, unfortunately. Here’s how it works: for each compiler you’ll specify a src and a dest folder, without a trailing /. The request path sent by the browser is appended to this.

http://localhost:9000/js/foo/bar.js will map to the source file src/foo/bar.coffee and the compiled file dest/foo/bar.js. If the compiled file doesn’t exist or is older than the source file then it will be (re)compiled. If there’s an error during compilation, then the browser will receive a 500 error.

What will NOT be done is:

• Express won’t remove the compiled file if the source file is removed
• Express won’t create any missing directory structure. If dest/foo doesn’t exist, then Express will return a 404 error to the browser. If you know how to work around this, please write a few lines :)

Note: this was originally posted to a previous version of this blog on 01. November 2011.