The good new is that this is already possible! I asked a question on Get Satisfaction and a Spotify employee Emil Hesslow answered straight away that this feature already exists. Here’s some examples:

• Check out George Benson’s guitar break: Uncle Albert/Admiral Halsey 4:04
• A Nice hammond organ break from Greg Rolie: Toussaint L’Overture 0:46

You can also use the spotify protocol:

e.g: spotify:track:39Bi2scq80BWdgnxz2llWT#04:04

The format for the link is just a simple fragment identifier added to the end of the link in the format #mins:secs e.g: #4:04

From using this (I’m running Spotify under wine) I’ve found you need to URLencode this in the “http://open.spotify…” links for it to work so #4:04 becomes %2304%3A04.

The notes are available on slideshare.net

I’ve had to pull the presentation from slideshare.net temporarily – I’ll re-upload as soon as possible The problem at slideshare has now been resolved.

These days I mostly listen to Spotify (running under wine) on Ubuntu which of course doesn’t have applescript. What I wanted was a similar script so I can hit a keystroke and pause spotify and lock the screen at the same time.

With a few utilities I was able to programatically tell if Spotify is playing and get focus on the Spotify window and send a keystroke to get spotify to pause. But the solution it has to be said is far from perfect.

The need to know if Spotify is actively playing is as a result of there only being a play/pause toggle activated by spacebar. Without testing this locking the screen with Spotify already paused and open would result in it starting when you lock the screen.

You’ll need the following packages installed to get it to work:

sudo apt-get install wmctrl xvkbd

wmctrl is a window manager CLI tool and xvkbd is a vitual keyboard that also has a CLI interface to send keystrokes.

Here’s the script:

#!/usr/bin/env bash

# By Stuart Colville
# http://muffinresearch.co.uk/archives/2009/10/22/ubuntu-lock-screen-and-pause-spotify/
# sudo apt-get install wmctrl xvkbd

# Check the title in the window list to work out if it's playing
TITLE=$(wmctrl -l | grep -o -e "Spotify.*$")

# If it's playing pause it
if [[ "$TITLE" != Spotify ]]; then
    wmctrl -a "Spotify" && xvkbd -q -delay 100 -text '\ '
fi

# Lock the screen
gnome-screensaver-command --lock

exit 0

Save it somewhere and make it executable e.g. chmod +x ~/bin/lock_screen.sh.

If you want it to work on a keycombo then just add an item to System -> Preference -> Keyboard Shortcuts

Known Issue: A problem I’ve spotted is that locking the screen causes Spotify to start playing if it’s open and paused. So I need to add a way to detect if Spotify is currently playing without which this script is pretty much useless. Fixed with libinotify-tools

The EPIC Hack here is using libinotify to detect if Spotify is playing by watching file accesses to the Storage directory. Can’t help but feeling there’s got to be a better way. It also means that a delay of 5 secs is needed to wait for an event. – There was a better way! This is now done by interogating the window list via wmctrl

Updates and suggestions are welcomed.

There was an interesting article on the Google Webmaster Central blog back in Jan talking about open redirects being abused by spammers.

One point they didn’t go into too much detail on is that of phishing vectors. If you’re running a site with any kind of user registration and you have a redirect script that allows redirects to any arbitrary urls. Then it’s fairly likely that you’ve straight away made it possible for a 3rd party to phish your registration form.

Let’s see an example of how something like this would work, first a standard redirection script:

Target Site

buyeverythingawesome.com

Attack URL

http://buyeverythingawesome.com/redirect?url=http://buyeverythingawesomee.com/login/

Attacker’s Bogus Domain

buyeverythingawesomee.com

The target site has a script which blindly redirects to anything passed to it.

All the attacker has to do is send a victim an email telling them to login to their account to view the latest offers. The link they send is http://buyeverythingawesome.com/redirect?url=http://buyeverythingawesomee.com/login/

On the bogus domain the attacker will have prepared a copy of the site’s login screen. All they need to do is get the user to login and then redirect the user back to the original site and if possible directly to the failed login page of the original site.

The way to mitigate this is to only allow redirects to your internal site or provide a whitelist of external urls that are allowed to be redirected to.

Open Redirect Login Script

Open Redirects in a login script are even worse in a way as the attacker will send the user to the real site’s login script.

The symptoms of this kind of problem are visible with a setup like so:

Target Site

buyeverythingawesome.com

Attack URL

http://someawesomsite.com/login?after=http//:somewawesomsite.com/loginfailed/

Attacker’s Bogus Domain

somewawesomsite.com

All the attacker needs to do is to get the unwitting victim to visit http://someawesomsite.com/login?after=http://somewawesomsite.com/loginfailed/

The user will be presented with the login screen for the genuine site. Once they login they are redirected to a bogus site with a “Your login has failed message – please try again” simply copied from the real site. The second time the user logs in they are logging-in to a bogus copy of the real site. Once the credentials are stolen the user can be redirected back to the real site where they are successfully logged in (This is because they aren’t redirected until they sucessfully login).

This is particularly nasty because the start and end points of this hack are the genuine site and as a result this kind of attack is much more likely to slip by unnoticed.

As a picture speaks a thousand words see this diagram of the flow: Open Redirect Phishing Vector (.png)

Preventing these kind of attacks

Firstly make absolutely sure you only allow redirects to internal links or whitelisted sites. If you need to redirect to arbitrary sites an interstitial page might be necessary to make it absolutely clear that the user is being redirected to a third party.

You might think that your site is already checking that links redirected are only internal ones. However it’s crucial that you take care to check more than just validating that the url starts with a slash.

Check you’ve covered all eventualities

It’s possible to write a link as //foo.com and the scheme (http/https etc) will be inherited from the base URI. So if you’re on http://baz.com and there’s a link with an href attribute of //google.com this will resolve to http://google.com. It’s therefore important that any validation of redirect URLs covers this case or you could be caught out.

Note: If you’re interested this aspect of how URIs work is covered by examples given in rfc 3986

As an example http://has-open-redirect.com/login/?done=//google.com would redirect to http://google.com after login if vulnerable.

Why is any of this important?

Right now you’re probably thinking that there’s nothing behind the login to your site that a hacker would want.

However, have you stopped to consider that your users might also use the same username and password to login to their amazon account for example?

Lot’s of people will only have one username and password for every site they use (this infosecurity magazine article claims 46% of all UK adults us the same password). If it’s possible to phish accounts on a low profile site – the chances are there will come a point when the attacker will hit the jackpot and get access to every site that user frequents with same username and password.

Update: The GMail team has a nice post detailing some good tips for choosing a good password. Tip number one is don’t use the same password for all sites

Brilliant animation – and nails exactly how I feel about Smooth Jazz. via BoingBoing

The Python keyring lib provides a easy way to access the system keyring service from python. It can be used in any application that needs safe password storage. It supports OSX, KDE, Gnome and Windows’s native password storing services. Besides this, it is shipped with kinds of Python implemented keyring for the left environments.

It’s also been written in a way that makes it possible to create your own Keyring backend if you want to.

As this provides a native Python interface to the OSX keychain I’d certainly recommend looking at this over and above my own noddy OSX keychain wrapper.

Good stuff!

See the site for more info: http://home.python-keyring.org

<?php
$handle = fopen("http://muffinresearch.co.uk/robots.txt", "r");
$contents = stream_get_contents($handle); // PHP5+ ONLY
echo $contents;
?>

Using wireshark for capturing and calling that script 3 times I got 3 DNS lookups because fopen doesn’t make use of any DNS lookup caches:

Not only is this a problem for fopen but I also found the same problem with file_get_contents too.

The comment in the manual suggests using gethostbyname which uses the DNS cache. You can then use this to provide the ip address in the arguments to fopen. However as soon as you’re trying to fetch something which uses name-based virtual hosts this approach will fail. This is due to there being several sites on the same server all being served on the same ip address; if you contact the server by ip address it will simply serve you content from the default virtual host which is the conf which happens to be first alphabetically.

A Solution

The cURL library (php5-curl is the package you’ll need on Ubuntu) is the preferred way of fetching content with PHP, mainly because it gives you far greater control over requests.

The other big benefit of using cURL is that it makes use of the DNS cache so we can save a DNS lookup for repetitive calls to the same hostname:

<?php
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://muffinresearch.co.uk/robots.txt");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    echo $output;
    curl_close($ch);
?>

Running that script three times now results in only one DNS request (I manually cleared the DNS cache with sudo /etc/init.d/networking restart first)

Conclusion

If you’re using php to fetch data from the web cURL is a much more powerful solution than relying on fopen or file_get_contents. Not only that if you’re fetching a lot of data from the same hosts frequently your scripts will run faster as a result of only making the minimum DNS requests.

$ VBoxManage clonehd WinXP-IE7.vdi WinXP-IE8.vdi
VirtualBox Command Line Management Interface Version 2.2.4
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

ERROR: Cannot register the hard disk '/home/scol/.VirtualBox/VDI/WinXP-IE7.vdi' with UUID {3858b1b1-c306-4505-8264-235af812f337} because a hard disk '/home/scol/.VirtualBox/VDI/WinXP-IE7.vdi' with UUID {3858b1b1-c306-4505-8264-235af812f337} already exists in the media registry ('/home/scol/.VirtualBox/VirtualBox.xml')
Details: code NS_ERROR_INVALID_ARG (0x80070057), component VirtualBox, interface IVirtualBox, callee nsISupports
Context: "OpenHardDisk(Bstr(szFilenameAbs), AccessMode_ReadWrite, srcDisk.asOutParam())" at line 603 of file VBoxManageDisk.cpp

Talk about a completely ambiguous error message! The solution is to provide an absolute path to the source VDI and target VDIs (leaving the path off the target will put the image in ~/.VirtualBox/HardDisks by default):

$ VBoxManage clonehd $(pwd)/WinXP-IE7.vdi $(pwd)/WinXP-IE8.vdi
VirtualBox Command Line Management Interface Version 2.2.4
(C) 2005-2009 Sun Microsystems, Inc.
All rights reserved.

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Clone hard disk created in format 'VDI'. UUID: b7166421-9743-4808-aedf-3c90aeb7c902

I’d certainly recommend subscribing to the rss feed – as there will be some interesting posts coming up.

here’s an example of using brace expansion to create log files for apache:

sudo touch {access,error}.log

Something seen less often is a blank entry like so:

cp foo{,.bck}

Which is shorthand for cp foo foo.bck. This is really useful when copying and moving files around using long paths. Using brace expansion can minimise the amount of typing and help avoid errors caused by typos too.

Another use of brace expansion since BASH v3.0 is the possibility of using ranges within the lists like so:

for foo in {1..10}
> do
> echo $foo
> done
1
2
3
4
5
6
7
8
9
10

Or alternatively with letters too:

echo {a..f}
a b c d e f

See the advanced bash scripting guide for more examples.