Computers: December 2003 Archives

Authentication Redux

Now you have more authentication options, building on what was mentioned previously.

You can go to your password preferences and set whether your cookie will be tied to your specific IP, or your subnet (Class B), or will work anywhere (like it used to be).

Even if you select the latter, you still get the benefits of having the new more secure cookie value.

Also, when you log in, you can now choose to select a "Public Terminal" checkbox. This does not do secure logins (yet), but it does give you a special session-based cookie that expires after 10 minutes of inactivity, and is unique to that subnet, regardless of your user preferences.

Please let me know if you have any bugs or problems with the new authentication, or with the new RSS (as mentioned in the previous journal entry).

New Year

I don't "get" celebrating a new year, or a birthday, or any of those sorts of things. It makes no sense to me. Why not celebrate every new month? Week? Moment?

[I am suddenly reminded of a mid-80s Randy Stonehill song/album, "Celebrate this Heartbeat" ("'coz it just might be my last").]

Perhaps this song I wrote in college will help you see why I have problems getting excited about a new year.


It's snowed for four of the last five days here in northwest Washington. On Saturday, we had nearly blizzard conditions, with high winds, low visibility, and lots of falling snow. It was never cold enough for more than a few inches to accumulate at once, but it was almost like being in New England.
Updated: See followup.

We've wanted to do personalized RSS feeds in Slash for some time, and we finally got around to starting them. On Slashdot they may be subscriber-only features, but for now, on, they will be available to any registered user.

It differs from the normal RSS feed at in that it follows your own preferences for the index page, and it gives you the complete "introtext" of the article (for long articles, which have additional text in "bodytext", you still need to click to receive the full content). And if you use SSL to access the site, your RSS will contain SSL links, too.

All you do is add "content_type=rss" to the request, for example:

That assumes, of course, that your RSS reader can do cookies, and that it has properly authenticated you. Most don't, so we needed a way to authenticate you. For some time, we've wanted to make user authentication better, because right now we put an MD5 digest of your password in your cookie, which isn't very secure. So we created the logtoken.

The logtoken is an arbitrary string that has several benefits over the previous cookie. First, there is no way to "crack" it to recover the original password. While this is difficult with MD5 digests, it is somewhat possible, using brute force. Now it is impossible.

Also, the logtoken will be tied to your class B address, so someone can only use your cookie, if intercepted, if coming from the same class B network. Now, this will cause problems for some people who use the same computer at multiple locations (like many laptop users); perhaps, in the future, we can allow multiple cookies, or allow a user to skip the subnet check. Or maybe we'll give up and throw it out. :-) Please provide feedback; I am leaning toward allowing users to skip the subnet check.

A benefit of all this is that the mere act of logging out will invalidate the logtoken, but not your password. So if you fear your logtoken is stolen, you can log out. Of course, chances are you initially sent your password over cleartext to log in anyway, but not to fear, SSL logins will be coming soonish (on Slashdot anyway ... not sure about use Perl; or other OSDN Slash sites). So you can be at a public terminal, log in over SSL, and then work over plaintext, but with a logtoken cookie being sent/received. When finished, log out, and your logtoken is destroyed.

But since it is tied only to that subnet, your logtoken at home is still valid, unless you log out at home. You can delete ALL your logtokens by changing your password (even by "changing" it to the same thing as it currently is).

So how does this fit in with RSS? Just add "logtoken=$logtoken" to the request:

And since the logtoken won't change, unless you log out in that subnet, or change your password, you won't need to change the URL in your RSS reader very often. Well, there is a one-year expiration on the logtoken, just like on your cookie. We might make it so when you re-log-in, your expiration date is reset if you get the existing logtoken (e.g., in a case where you logged in with a second browser on the same subnet, getting a new cookie with the previously existing logtoken for that subnet).

Right now, if you get the logtoken wrong, you get redirected to the home page. We may change this, so you get an error message in RSS if you requested RSS, or somesuch.

There's a URL giving you your logtoken value -- the whole RSS link, actually -- on the top of the home page.
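The logtoken behaviour described in this entry and in "Authentication Redux" above (random token, IP / class B / anywhere binding, Public Terminal idle timeout, logout versus password change) can be sketched as a server-side table. This is an added example, not Slash's code: the class, function and field names are hypothetical, and IPv4 addresses and an in-memory dict are assumed.

```python
import hmac
import ipaddress
import secrets

YEAR = 365 * 24 * 3600   # one-year logtoken expiration
PUBLIC_IDLE = 10 * 60    # "Public Terminal": 10 minutes of inactivity

def scope(ip, binding):   # binding: 'ip', 'subnet' (class B, /16) or 'anywhere'
    if binding == "anywhere":
        return "*"
    prefix = 32 if binding == "ip" else 16   # IPv4 assumed
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time compare

class LogtokenStore:
    def __init__(self):
        self.rows = {}   # (uid, scope, public) -> {"token", "expires", "seen"}

    def login(self, uid, ip, now, binding="subnet", public=False):
        if public:
            binding = "subnet"   # overrides the user's preference
        key = (uid, scope(ip, binding), public)
        row = self.rows.get(key)
        if row is None or public or row["expires"] <= now:
            row = self.rows[key] = {"token": secrets.token_urlsafe(16),
                                    "expires": now + YEAR, "seen": now}  # random, not password-derived
        return row["token"]

    def check(self, uid, token, ip, now):
        for binding in ("ip", "subnet", "anywhere"):
            for public in (False, True):
                key = (uid, scope(ip, binding), public)
                row = self.rows.get(key)
                if row is None or not same(row["token"], token):
                    continue
                idle = public and now - row["seen"] > PUBLIC_IDLE
                if idle or row["expires"] <= now:
                    del self.rows[key]
                    return False
                row["seen"] = now
                return True
        return False

    def revoke(self, uid, token=None):  # logout: one token; password change: all
        for key in [k for k, r in self.rows.items() if k[0] == uid
                    and (token is None or same(r["token"], token))]:
            del self.rows[key]
```

A second login from the same class B returns the existing token, which is why a feed URL carrying it keeps working until logout, password change or expiry.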



Law-related blogs -- known as "blawgs" -- have sprung up with the rise of the blogging self-publishing trend in general.

That's one of the dumbest things I've ever read. Please go kill yourself for inventing that word. But only after this woman kills herself:

A 2-year-old model and actor who cut his head at a playground is seeking unspecified lost wages and other compensation from the city.

Konrad Mader of Greenwich was running toward a treehouse at a playground November 4 when he crashed into a railing, according to a claim filed last week by his mother.... The blond toddler received several stitches.

In a letter to officials, she demanded compensation for medical bills, pain and suffering and a "lost wage amount due to his inability to audition or take modeling or commercial jobs while his head heals."

Mader blamed the boy's injury on a green railing, which she said blends in with the landscaping. Mader said the railing should be painted a brighter color.

Die please. Please. I'm asking nicely.

Trial of Hussein

This whole Hussein thing doesn't interest me much, but the one thing that has interested me the most in it is the idea of a trial. In all this talk about how he should be tried, I keep thinking, why does it matter so much who tries him (apart from the penalties involved) if we all know he is guilty, and the U.S. would never allow him to be found innocent? That's about the only way Dean could beat Bush, is if Hussein were acquitted. :-)

Anywhoo, WFB has some interesting thoughts on the matter, as usual, and he has a line in his column that makes me laugh, as usual.

If there is anybody in town who believes that Saddam Hussein is not guilty of crimes however described, what we need to worry about is him, not Saddam.


Every once in a while I get email like this:

From: "John R Carter" <>
Subject: Orioles
Date: Tue, 16 Dec 2003 23:20:15 -0500
Pudge, please come to Baltimore, we need a GREAT catcher
like you!!!!!!!!!!!!!!!!!!!!!

Yeah, well. *blush*

My New Sig


During questioning a day earlier, one senior official said simply that 66-year-old Saddam was a "wiseass."


I am going to be adding my laptop into my stereo setup a bit more by outputting its video to the TV and adding a Keyspan IR remote so I can control it with my Harmony remote, and see/navigate/control iTunes without having to get off my butt.

I needed an additional IR emitter for my Xantech IR setup. I bought 4 dual emitters, giving me 8 total, but I had only 3 of them in use and couldn't find the fourth. I did find an emitter from my old Hitachi DirecTV receiver, that was used for a TiVo-like function (before there was TiVo): you would tell the receiver to record something, and it would send an IR signal to your VCR to tell it to start recording.

So, I grabbed this IR emitter and tried to see if it could work with my Xantech stuff. But it didn't emit a red LED light like my other emitters, so I couldn't tell. Aha, but, I remembered, my DV camera has an IR mode. So I hook up the emitter, turn on the camera, light up the system, and sure enough, I see light coming out of the emitter, so I know it works. Very cool. :-)

Barcode Reading

A couple of years ago I got a free CueCat USB barcode reader. I did some stuff so I could use it on my Mac. Well, I wanted to use it on Mac OS X, so I grabbed the old script, installed Barcode::Cuecat, modified my little script to save to the Mac OS X clipboard, and away I go.

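#!/usr/local/bin/perl -s
use warnings;
use strict;
our($c, $p);    # -c: keep reading scans until 'q'; -p: copy the code to the clipboard
use Barcode::Cuecat;
my $bc = new Barcode::Cuecat;
print "Type 'q' to quit.\n" if $c;
while (defined(my $data = <STDIN>)) {
        chomp $data;
        last if $data eq 'q';
        $bc->scan($data);    # decode the raw CueCat line
        printf "%s: %s\n", $bc->type, $bc->code;
        if ($p) {
                # Pipe the decoded code to the Mac OS X clipboard
                open my $clip, '|-', 'pbcopy' or die $!;
                print $clip $bc->code;
                close $clip;
        }
        last unless $c;
}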


[pudge@bourque bin]$ cuecat -p
^[[28~.C3nZC3nZC3n2D3bWDhvZDxnY.fGzX.C3T1D3DYE NzZ.
UE2: 086441950

And then "086441950" is put onto the clipboard (BTW, that is a scan of the new TV Guide with Aragorn on the cover ... no, YOU'RE a geek!). Also, since I am using ClipboardSharing, I keep the reader connected to my server at my desk, and after running this program, it automatically sends the clipboard to my main workstation. ClipboardSharing is way neat.


I have done a lot of little things to make ssh access on Mac OS X nicer for me, and I've largely succeeded, using a combination of a login plugin called SSHAgentStartup, with some local patches, and some shell startup scripts, and a login AppleScript app, and an app that provides the ssh passphrases from the Keychain on request.

Recently, an app called SSHKeychain has promised to do all of what I do with these disparate tools: create an SSH agent, make it available to GUI apps, add keys to the agent on request, remove them when the Keychain is locked, add them when it is unlocked, store the key passphrases in the Keychain, etc. But not having the time to really look into it, and fearing change, I punted.

Basically, my main concern was that it didn't do things The Right Way, as I see it, which is to work with the real ssh-agent. I didn't know how it could reliably handle the environment if it didn't create the agent before login.

So having opportunity Wednesday, I looked, and saw the key: it creates a static agent path, and puts there a frontend to the agent (which is actually a named pipe to the SSHKeychain program itself, just as a normal agent path is a pipe to the ssh-agent program; but this one is apparently processed as necessary by SSHKeychain, and then passed to the real ssh-agent).

This allows it to solve many problems. It can set up the environment, because the path to the frontend agent does not change, as it does not need to, as it is not dependent on the actual agent path. This frontend agent can also detect requests for keys, and add them. Very nifty.

It's also got a menu item or Dock item to easily add keys when necessary. For example, it won't automatically add keys if you have forwarded your agent to a host, then the keys have been removed from the agent, and you try to use that agent to connect to another host; but you can just click "Add all keys to agent" in the menu item, and they will be added using the passphrases in the Keychain, and you can continue on your merry way.

I am a bit concerned about security; what potential problems are there for having a frontend to the agent, especially one that is a running application?
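With a static agent path there is no per-session random directory of the kind ssh-agent normally creates, so ownership and permissions on that path carry the whole access check. As an added example (not SSHKeychain's code; the function name is hypothetical), this audits whatever path `SSH_AUTH_SOCK` points at:

```python
import os
import stat


def audit_agent_socket(path, uid=None):
    """Return findings for an agent socket path; an empty list means nothing flagged."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)   # lstat: do not follow a symlink sitting at the path
    except FileNotFoundError:
        return ["path does not exist"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
    elif not stat.S_ISSOCK(st.st_mode):
        findings.append("path is not a socket")
    elif st.st_mode & 0o077:
        findings.append("socket accessible to group/other")
    if st.st_uid != uid:
        findings.append(f"path owned by uid {st.st_uid}, expected {uid}")
    # Whoever can write the parent directory can replace the socket.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != uid or parent.st_mode & 0o022:
        findings.append("parent directory not exclusively writable by the user")
    return findings


if __name__ == "__main__":
    sock = os.environ.get("SSH_AUTH_SOCK")
    if sock:
        for finding in audit_agent_socket(sock):
            print("WARN:", finding)
```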

You're Mad About WHAT?

Rockstar is removing objectionable phrases from Grand Theft Auto: Vice City. Apparently, it is bad to say "Kill Haitians," but to actually do it (in the game) is acceptable. :-)


I hurt my left wrist several weeks ago, and now have it in a splint to help it heal, so I plan on typing less (including not-for-work coding) for a while. I can still type, but it is a bit painful and awkward.
<pudge/*> (pronounced "PudgeGlob") is thousands of posts over many years by Pudge.

"It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance; which condition if he break, servitude is at once the consequence of his crime and the punishment of his guilt."

About this Archive

This page is an archive of entries in the Computers category from December 2003.
