There is a problem with these keys, however, if they are not truly random. This is detailed in a paper I stumbled upon entitled “Brute-Force Exploitation of Web Application Session IDs” by David Endler. It covers ways in which these keys can be “hacked” because they are not unique, but rather follow some sequence which can be guessed. He lists some major websites which he was able to get access to information that should have been private.

The paper got me thinking about how to generate random session keys, so I created some quick Python scripts using Twisted which demonstrates my solution. (This was my first time using Twisted, so it’s very possible that there is a better way to structure the code).

Solution

The character buffer in the server is used to generate new keys.

To fill the buffer:

0. Create a list of websites which themselves deliver random web pages (eg, wikipedia)
1. Select a website from random and ask for a random page
2. Grab the data within the HTML body tags and put that string in the character buffer
3. When the buffer needs more data, go back to 1.

To generate X number of keys:

0. Grab two random lengths of the character buffer. Use one to re-seed the random generator and the other as the basis for the new session key. Create the session key using MD5 and the key seed
1. Update() the current MD5 session key using a generated random character / string
2. Add that key to the buffer.
3. When the key buffer needs more keys, go back to Step 1. For every Y number of keys generated, go back to Step 0.

Notes

We don’t use a a new seed for each MD5 session key because the buffer will be emptied too quickly. Of course, the settings for the buffer size, etc could be tweaked.

Performance

Running the server code on my Mac Mini (2.16GHz Dual Core) and 5 clients on another machine, I was able to service ~8000 keys/sec (~750 million keys/day).

Conclusion

My experiment satisfied my curiosity and answered the questions from my own project.

There are, of course, many tweaks that can be made. Send me the code changes to your favorites and I’ll include them.

Click to download the client server files.

Resources

• Brute-Force Exploitation fo Web Application Session IDs (PDF)

I built it using the Adobe Flex framework. You can get more information about KryptoPhoto at MentalHijack.com.

I’ve always wanted a Point-and-Shoot in addition to my Canon Rebel XT DSLR because it’s not as convenient to carry around an SLR just to take random photos. However, I don’t buy things without justification, but I was able to convince myself that this trip was (finally) my reason to get one.

From the horse-riding lessons I have taken in preparation for the trip, I learned that horses can be devious like three year olds and some will try to annoy you when you’re not paying full attention. I imagined that this could be problematic while handling both the horse and a DSLR since I give the camera a lot of concentration when taking photos, basically opening myself up for horse trickery. My dream ends with me on the ground more times than I would enjoy with an expensive piece of equipment in my hands.
A little Point-and-Shoot is cheaper and easier to replace, can be stowed anywhere and would be much more comfortable to fall on.

I like Canon because they make great equipment at a very reasonable price and they have been at the top of their game for awhile. I chose the PowerShot SD890 IS from the entire PowerShot family because of two features: the image stabilization as well as the more powerful 5x optical zoom. The image stabilization will be handy to minimize blurred photos because horses don’t usually stand still. The bigger zoom will help make up any distance between me and the subject since maneuvering a 1,000 pound horse is an inexact science.

I think the camera is going to be fine for the trip. The only drawback I see is that the ergonomics of the camera are too good for what I need! This model is sloped on the right side to follow the curve of a hand and offers no edge which could be used like a camera grip. This would be immensely helpful for one-handed shooting while holding reins in the other. It’s not as much of an issue for normal use because people generally take photos holding the camera with both hands.

I know that I’ll have more to say about the PowerShot SD890 IS when I return from my trip.

In the resources below I have included links to many of the sites I looked through in the quest to find my ultimate MacBook Air laptop bag. They should give you a good starting point for finding the bag that you love most.

It should go without saying, but I will anyway - as with anything fashionable, women have a much larger selection of cool, stylish and funky MacBook Air cases than men.

Here are some typical, safe, laptop bag alternatives if fashion isn’t a concern: uggghh, ‘khaki pants and sneakers’, death by extreme black-neoprene boredom.

Resources

[updated 2009.03.19] - added Kenakai.com to the list

Orbino.com - look no further than Orbino for stunning leather cases for iPods, laptops, handbags, etc.

• Arista landing page

kolobags.com has an incredible selection of men’s laptop bags.

• knomo by kolobag is my second favorite. It’s a very stylish choice, though not sized especially for the Air.

• knomo picture - tan

Waterfield Bags has a large selection of different styles, all look very high quality.

• Waterfield HardCase

• Waterfield HardCase review

• Waterfield Vertigo

• Waterfield SleeveCase review

Tom Bihn has a small selection of bags for the Air, most are technically complex.

• Ristretto Messenger is a fav

Built NY has some fun cases fashioned from neoprene, if you’re into that sort of thing.

MacCase.com carries a whole bunch of stylish cases for the Air.

Mobile Edge offers a huge selection of well made bags, Unfortunately the ones for men are more on the safe side of fashion, though the women’s cases are cute.

• Mobile Edge men’s laptop bags

• Mobile Edge Paris bag - very European

LaptopStuff has a nice selection of funky and hip bags and cases.

Case-Mate.com offers mainly sleeves for the Air.

Brenthaven has some interesting styles, including several which are airport-scanner friendly.

Timbuk2 offers a solid line of tough, durable bags and cases though mostly of the messenger-style. If you really want something special, try their Build Your Own Bag wizard.

IGIO.com leans towards the boring side, but their Brain Bucket Mini (in color Wasabe) is ok.

• Brain Bucket mini in multicolors

Only sleeves

• Kenakai.com has some fabulously rich sleeves for MacBooks, unfortunately not MacBook Air specific.

• Wrappers has fun sleeves for different things.

Aggregators, blogs, etc.

• BizRate.com is a store aggregator. They list products from elsewhere.

• squidoo.com computerbags is small page with important goodies (for women).

• Six Cool Sleeves for the MacBook Air

One example app which helped me greatly was from a blog posting by Ely Greenfield. If you’re interested, you can view it on his website: chart annotation demo.

Unfortunately, the code you can download from his site is a little old so it has problems compiling in Flex Builder 2+. I have updated the code, fixed some bugs in it and have it available here: download OverlayDemo-fixed.zip.

Ely has other interesting demos on his site which are worth checking out. Some of my favorites are: the variable radius pie chart demo, the interactive bubble chart demo, and the dashed lines demo.

Resources

annotation example by Ely Greenfield

• http://www.quietlyscheming.com/blog/2006/04/03/custom-chart-annotations/
• demo: http://demo.quietlyscheming.com/overlayDemo/index.html

annotation example by Brendan Meutzner

• http://www.stretchmedia.ca/blog/index.cfm/2007/3/28/Chart-Milestones-using-annotationElements
• demo: http://www.stretchmedia.ca/code_examples/chart_milestone/main.html

Normally one would simply follow the Metakit installation instructions, but they are old and didn’t work correctly with 10.5 Leopard. I scraped enough information together from the Internet to get it working, but I had to do a lot of research. To save others the same hassle, I have put together all of the changes and put them here in their entirety:

Building Metakit

Make sure you have Xcode installed on your system before starting.

Get the latest source from the Metakit downloads page. At this time the latest version is metakit-2.4.9.7.tar.gz.

Uncompress the archive in a work directory and run the following commands:

> cd builds
> ../unix/configure --with-python=/System/Library/Frameworks/Python.framework/Versions/2.5

Note: Your Python install might be in a different location. If so, give the --with-python arg the proper value.

“Fat” binary setup

If you need this to run on the PPC architecture you will need to make a couple of modifications to ./builds/Makefile after running configure, otherwise you can skip this step and build the binaries with make.

Find CXXFLAGS = $(CXX_FLAGS) and change to the following:

CXXFLAGS = $(CXX_FLAGS) -arch ppc -arch i386 -isysroot /Developer/SDKs/MacOSX10.5.sdk

Find SHLIB_LD = g++ -dynamiclib -flat_namespace -undefined suppress and change to the following:

SHLIB_LD = g++ -dynamiclib -flat_namespace -undefined suppress -arch ppc -arch i386

Build the binaries

Run your typical Makefile commands:

> make
> make test

Installing Metakit

Rename the shared library which is now in the ./builds directory:

> mv Mk4py.dylib Mk4py.so

And copy the following files to /System/Library/Frameworks/Python.framework/Versions/2.5/Extras/lib/python (be sure to adjust the path name for your version of Python):

../python/metakit.py
./Mk4py.so

Testing Metakit

At this point you should have a working system and ought to be able to run the following command in a Python shell without issue:

>>>from metakit import *

Enjoy !

Resources

• Metakit for Python website

• helpful instructions from www.ospace.net

I found what I was looking for in the article “An architectural blueprint for Flex applications” written by Joe Berkovitz. In it he talks about a way in which he architects Flex applications using pure Flex/Actionscript constructs.

Being a Flex newbie, I learned a lot from his article like how to pass variables to your own MXML tags and even customize them using Actionscript. His architecture also solves an issue I was having with Event messaging/bubbling due to the fact that it only works automatically on DisplayObject components. His design also has an interesting way of handling multiple data-services as well as the operations required for handling service communication.

Source code for the project is available in the article. I would recommended downloading it and browsing through the files.

Resources:

• “An architectural blueprint for Flex applications” written by Joe Berkovitz, http://www.adobe.com/devnet/flex/articles/blueprint.html

Please update your RSS feed links: http://blog.davidmccuskey.com/feed/

I will make the switch permanent in the next couple of days.

Thanks !

I’m pretty excited because I’ve always wanted one ever since the days of the Visioneer Paperport. The idea of a paperless office really appealed to me mostly due to my infatuation to keep around receipts and documents that I receive, be it electronically or on paper. Unfortunately, I’ve never figured out a method to process & save any of the paperwork on an ongoing basis - it usually falls apart when I start to get too busy with life.

I had done a little research several months ago to see if there were any changes in the document-scanner market since the last time I checked. From that I made my rough list for my ultimate document-scanning setup:

• Small, desktop scanner
• Ability to create searchable PDFs
• Software to help me organize everything

I started looking again because I came across two Black-Friday deals related to document scanners: NeatScan to Office by NEAT and the SnapScan S300M by Fujitsu. (The deal from NEAT was for the PC version of the scanner, but I read on their website that they were offering the Mac software for free as long as you provided the serial number of the scanner.)

I found that Fujitsu’s SnapScan always had great reviews so it probably wouldn’t be a bad choice no matter what. One of the cool features it has is the ability to feed and scan multiple documents while scanning both sides at the same time! Very nice.

NEAT released a Mac version of their software last January at MacWorld. From what I could tell from the NEAT website and forums, they are committed to creating a great Macintosh experience and their goal is to match the functionality of their Windows software. One of the cool features of the NEAT software enables you to print directly to the software (eg, print an email receipt from Amazon to the software, which will then process it with OCR/PDF). This could definitely be handy for me since I get a lot of electronic receipts from the things I order online.

Here are some of the reasons I decided on the NEAT scanner:

• It was a little cheaper than the SnapScan
  I wasn’t sure if I was going to appreciate a document scanner
• The included software did OCR (important for making searchable PDFs)
  (Though during this quarter [2008Q4], Fujisu is offering a rebate to get a free copy of Readiris Pro OCR sofware.)
• The included software will organize receipts and documents
  (I was considering purchasing Yep as my tool for organizing PDFs; I always have the choice if I find the NEAT software lacking.)

Resources

• MacNN Forum: NeatReceipts or Fujitsu?

• TUAW Review: NEAT Receipts for Mac

• MacMost Video: NeatReceipts Review

• Macworld Review: Fujitsu SnapScan S300M

• Fujitsu.com: SnapScan S300M

• Readiris Pro Website

• Pricegrabber Review: Readiris Pro 11