Neubia

Crypto on Rails presentation

pelleb — 2006-09-20T04:53:38-05:00

I gave a talk last night at Copenhagen.rb about EzCrypto. The meeting was great and very informative with Ruby celebs like DHH and David Black present.

My talk Hide your (users) tracks was I think pretty well received. There were many great questions afterwards.

The gist of the presentation is:

As an Application service provider YOU are one of the biggest threats to your users. I’ve written more indepth about this in Trust points and Breach points in Web Apps
Basic usage of EzCrypto
Basic usage of ActiveCrypto

EzCrypto has really been developing quite a lot over the summer. If you haven’t looked at it for a while take a look. It now includes support for Digital Signatures and Certificates.

The new iPod games are very cool

pelleb — 2006-09-13T07:01:55-05:00

I am quite enjoying the new iTunes 7 and the new iPod games. I’ve bought Texas Holdem and Mahjong.

Both are pretty good, but in particular the Texas Holdem game is cool. I’ve never played it on a desktop before so I’m comparing it against a Java version I have on my phone. I haven’t explored it yet, but I’m wondering if there is a way to keep listening to your own music while playing it.

EzCrypto now released with signature support

pelleb — 2006-08-09T16:47:27-05:00

This should be coming along into gem within the next hour. I am now happy to release 0.6 of EzCrypto which has support for Digital Signatures and Certificates.

This release has been made to support Tractis a new Ruby on Rails application for colaborative writing and negotiation of contracts.

EzCrypto now has support for x509 certs

pelleb — 2006-08-01T14:43:17-05:00

I have wrapper functions for a good deal of the OpenSSL pki code right now.

   cert=EzCrypto::Verifier.from_file "testsigner.cert"
    assert_equal cert.email,"pelleb@gmail.com"
    assert_equal cert.country,"DK"
    assert_equal cert.state,"Denmark"
    assert_equal cert.locality,"Copenhagen"
    assert_equal cert.organisational_unit,"testing"
    assert_equal cert.organisation,"EzCrypto Test Certificate"
    assert_equal cert.organizational_unit,"testing"
    assert_equal cert.organization,"EzCrypto Test Certificate"
    assert_equal cert.name,"EzCrypto Testing"
    assert_equal cert.common_name,"EzCrypto Testing"

Trust stores are supported:

    trust=EzCrypto::TrustStore.new
    valicert=EzCrypto::Verifier.from_file "valicert_class2_root.crt"
    starfield=EzCrypto::Verifier.from_file "sf_issuing.crt"
    wideword=EzCrypto::Verifier.from_file "wideword.net.cert"
    trust.add valicert    
    trust.add starfield
    assert trust.verify(wideword)

Still missing are CRLs and OCSP.

If you want to play with it before release get it from:

svn://rubyforge.org//var/svn/ezcrypto/trunk/ezcrypto

New early signature support in EzCrypto

pelleb — 2006-07-26T14:09:51-05:00

I’ve started implementing Digital Signature support in EzCrypto. It is pretty early stage yet but my proof of concept unit tests are working.

The aim is to have 2 easy to use classses:

Signer
Verifier

They both will have a few simple static methods like in EzCrypto for generation and loading of Private/Public keys. Otherwise Signer has a sign(data) method and Verifier a verify(sig,data) method. All the other stuff such as certificates and whatever I aim to hide within the code.

A sample of code would be:

signer=EzCrypto::Signer.from_file "testsigner.pem"
sig=signer.sign "I promise to obey this"
verifier=signer.verifier
assert sig.verify sig, "I promise to obey this"

Keep an eye on this space for more.

New EzCrypt release 0.5

pelleb — 2006-07-20T02:37:57-05:00

I just released EzCrypto 0.5. It’s available as a ruby gem, just type gem install ezcrypto to install it.

From a user standpoint there really shouldn’t be much difference as I’ve been pretty strict on keeping the api the same. However the internals of ActiveCrypto have had some pretty heavy refactoring to make some things cleaner in preparation for the up and coming release of the act_as_capability Rails plugin.

There is nothing there yet as I am learning about generators right now. I will probably start checking things into svn when I get back from a couple of days vacation to Las Perlas (of Survivor fame).

This plugin is extracted from WideWord and will allow you to create your own Secure URL (Capability in security researcher parlance) based services in Rails just like WideWord and WideBlog.

Rails, Queues and Mongrel?

pelleb — 2006-06-29T03:36:32-05:00

After having been through some major Java and MQ Series root canal surgery in the last few days, I’m thinking that while MQ (an IBM product) really is ridiculously evil the queue type system is fairly useful in itself.

Then in a mid meeting psychosis day dream state I realized that it wouldn’t be particularly hard to at least rustle up a quick rest based Queue framework in Ruby. I’m thinking Camping on Mongrel would be particularly suitable for this. Think REST and ActiveResource as the API.

Should not take too long to develop. The big question is if there really is a need for a Queueing based system for Rubyistas?

Why I like Capistrano

pelleb — 2006-06-15T06:25:23-05:00

Major update to Talk.org

pelleb — 2006-04-24T20:02:49-05:00

So as promised I’ve released a major update to Talk.org. See here for the full Talk.org release announcement

The main new feature is optional user registration. I have used Technoweenie’s Acts_as_Authenticated. Since I use page caching I’ve had to resort to some tricks to provide the user account features. So what I do is I call an action which has a rjs template, which enables the user specific features.

Nokia N80 shipping?

pelleb — 2006-04-24T07:57:25-05:00

Wow it looks like the Nokia N80 is shipping at expansys. It is still pretty expensive at £600, but this is no doubt the coolest phone to come out in a while with Wifi, UTMS and Quad band. Skype is supposed to be supported on it as well soon.

Launching TimeCert

pelleb — 2006-04-17T11:57:23-05:00

I am now officially launching TimeCert which is a trusted third party service for proving the existence of a file, object or document at a certain time.

Applications

Lets say your application managed confidential documents or emails. You could use TimeCert for maintaining a proof that a document or email existed at a certain time. As this timestamp is generated outside your own server, it is evidence that you did not manipulate say a contract after the timestamp. It would also be pretty easy for someone to add timestamping to their blog software.

You could also use it to timestamp a sourcefile to help out with Intellectual Property issues.

The Details

Basically TimeCert receives queries based on a SHA1 digest of an object. The first time it receives a query it creates a small record in a database with a timestamp.

If you are not familiar with SHA1 digests, it takes any binary object and creates a tiny 20 byte “fingerprint” (all though TimeCert uses the 40 byte hex encoded variety), which uniquely identifies it. This is relatively secure cryptographically speaking even though it is not as secure now as it was before. However for most applications it should be secure enough.

TimeCert is not really intended as a end user application, but more as a third party service for existing applications to hook into.

Try it

Have a go at it your self. Go to the TimeCert Interactive Digest Generator to create and timestamp your own test data. This is really for testing purposes only, but I do not store the raw data you post.

This generator could potentially be very CPU intensive under high loads, so I might disable it if it’s abused.

REST API

It uses a standard REST style API where you create a HTTP GET to:

http://timecert/DIGEST for end user link
http://timecert/DIGEST.txt for a plain text file with ini style parameters
http://timecert/DIGEST.xml for xml
http://timecert/DIGEST.yml for yaml

Where DIGEST is a 40 byte hex encoded SHA1 digest that your own application generates. The reason why your own application should generate this is that this way you can actually maintain the object itself private from me. The only thing you make public is the digest.

Client libraries

I have a Ruby class which will call the service and will publish a Java one ASAP. As soon as my RubyForge project is up I will post them. If you want to write a client in any other language, just let me know.

Server details

The server is written in Ruby and uses the new Camping micro web framework and the Mongrel. The actual server OS is OpenBSD.

I will be releasing the extraordinarily simple application under GPL as well under the hope that other people will run similar services. As I think it best if there is at least a few other trusted third parties around.

What’s in it for me?

This is an App I have wanted to do for a long time. My original plan for it was to use digital signatures, but I do not think there is any real need for this any more.

The service will always be free to use. I need something like this for my own applications, which is the real reason why I’ve created it. The nature of the application does not call for accounts free or commercial, so I can’t ever see that will happen.

Creating a honeypot for Trackback spam

pelleb — 2006-04-04T05:15:35-05:00

So as some of you know, this blog used to live on the Talk.org domain. I recently launched a new fun project there (which you should all try out).

An unexpected consequence of this was that I was receiving an awful lot of incoming trackbacks and referrer spam that were getting 404 errors.

So, I decided it would be very easy to write a quick little trackback honeypot for harvesting the IP addresses of these Trackback spammers.

Basically I have a simple rails controller which intercepts all hits to my old Movable Type cgi directory. It then stores an entry containing information about the request in the database. I have a simple little algorithm to decide if it was actually spam or not. This I use to create a blacklist which I can feed directly into my firewall. At the moment I do this manually so I can monitor that it looks correct. It would be trivial however to do this in a cron job.

I might take it down again, but I have published the blacklist for you to use in your own firewall or anti spam measures.

Next job is to create a tarpit akin to OpenBSD’s amazing and hilarious Spamd.

Experimental mobile support for Talk.org

pelleb — 2006-04-04T05:00:43-05:00

You may or may not have tried my new taggable web forum system Talk.org. But I have always wanted a mobile interface.

Now I have got it mostly working with my own phone the Sony Ericsson K608i. I assume it works for most other newer Sony Ericsson models as well.

Cut you please do me a favor and see if you can first of all browse it easily from your phone and then if you can post a message to a conversation. This Mobile Talk conversation would be a good place for a start.

It is just uses xhtml and a super simple handheld css profile, so there was not a lot of extra work involved. I did find that at least on the Opera Mini it displayed the google ads I have on each conversation article. I have to figure out how to disable this for mobile use.

I used the following css for disabling most unnecessary stuff:

#sidebar {display:none}
#tags {display:block}
#menu {display:none}
#toofast {display:none}
#password_section {display:none}
#nick_field_link {display:none}
.count {display:none}

Comedy of errors in hosting

pelleb — 2006-03-16T01:49:46-05:00

You know, sometimes I really feel like giving myself a good beating up. Since yesterday morning most of my sites have been basically flaking out due to one of the servers being down. I had dns hosted on that server so it affected not just sites hosted on that server, but also dns for all my other servers.

Firstly the main server was hosted at Layered technologies. The powersupply died. Unfortunately they took about 12 hours to fix it and boot up the server after they received the support ticket. That is just not on. My main ISP EasySpeedy provides fantastic support. I can not imagine this ever happening there.

Ok, at this point you might ask your self if you know anything about dns, why didn’t his secondaries kick in? Well I asked myself that as well and quickly ignored the question. Bad move. What I did do was to setup dns servers on all my other servers and change the nameservers for my domains to include these. This gave me flaky dns rather than fully working dns. Meaning a domain would work and then an hour later it wouldn’t.

This morning I checked and the failed server was up but I still had problems accessing my other servers via dns. After a long time playing around with my 2 new dns servers I couldn’t find anything wrong there. In the end it struck me that maybe it was my original secondary server (which I should have realized yesterday). Basically the firewall on that server was blocking incoming dns requests and it looks like it has done so ever since I first installed it. Duh!

This particular server runs Suse linux and I had configured the firewall via Yast. Unfortunately this doesn’t give you an option for UDP ports (like dns port 53). So I had to dig a bit. It turns out you edit your /etc/sysconfig/SuSEfirewall2 file and set the following settings like this:

FW_SERVICES_EXT_UDP="53"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS"
FW_SERVICE_DNS="yes"

After this run as root:

/etc/init.d/SuSEfirewall2_setup restart

Well all should be well now I hope.

Am i the latest Danish victim of Islamist hackers?

pelleb — 2006-02-17T07:23:54-05:00

I am officially starting to get worried now. I have 2 servers at the superb Danish Dedicated server ISP EasySpeedy are all down. This is where I host my other blog Stake Ventures as well as my apps:

The EasySpeedy site is down as well at the moment.

Danish sites have been hit hard by Islamist hackers in the past couple of weeks as a revenge for the Mohammed drawings. Most of these have been defacements, but this smells more like a massive Denial of Service attack on my ISP’s routers.

I just checked it once more and I got through for a moment, but now they are all gone again. Damn.

Update Thankgod it was just a temporary breakdown at one of their carriers. They just wrote me. I have to repeat myself I am really impressed with their customer service and whole business philosophy.