Monday, September 30, 2013

what shall i do?!

if i’m to try these out i’ll have to migrate most of my google and ifttt tasks.. i mean… i don’t have that many things to do…


http://wappwolf.com/dropboxautomator


https://beta.busyflow.com/signup


http://www.elastic.io/


http://www.foxweave.com/


https://cloudwork.com/plans


http://cloud.itduzzit.com/pricing/


https://zapier.com/app/pricing


and also https://www.onx.ms/#!recipesPage



Umbrella tomolo!

Gonna rain tomolo, how about staying at home to suggest and vote on ideas at Bountyporn.tk?



Sunday, September 29, 2013


Saturday, September 28, 2013


why read hn

moxie:


Here is my (obviously biased) view of the landscape:


1) ostel.me :: Like many of the Guardian projects, this is an experiment in combining existing OSS libraries to create an app. In this case, CSipSimple, pjsip, and ZORG. It’s basically a standard SIP/RTP VoIP client with an Android UI. That means it needs to maintain a persistent connection to a SIP server at all times, which doesn’t necessarily work well with the Android process model, could drain your device’s battery life, and could be flaky in scenarios where you’re going in and out of coverage or switching from data to wifi. However, it is ideal for the hacker crowd that wants ultimate control, maximum configurability, and enjoys occasionally dropping to the command line. You’re correct that it’s likely not possible to do things like certificate pinning in this context.


2) RedPhone :: While it remains to be seen whether we were correct or not, our development philosophy with RedPhone was to eschew the VoIP libraries and paradigms that were originally developed for the desktop environment in favor of OSS/Free code written from scratch for the mobile environment. Our belief is that the different network and platform characteristics of mobile devices require a mobile-oriented solution. This means that we use a lightweight mobile-oriented signaling protocol instead of SIP, push notifications instead of maintaining a persistent connection at all times, techniques for establishing low-latency routing for global calling (https://whispersystems.org/blog/low-latency-switching), a jitter buffer optimized for mobile data networks (https://whispersystems.org/blog/client-side-audio-quality), and your normal phone number for addressing rather than a new identifier. It also means that, yes, we can do things like certificate pinning for the signaling channel. This is all obviously oriented towards the average smartphone user, though, so it’s sometimes less appealing to the hacker crowd who want to use a SIP identifier or connect through their own SIP server.


3) Silent Circle :: My sense is that Silent Circle is trying to do both. Their stack seems to be based on traditional VoIP protocols (SIP/RTP), and their server-side infrastructure appears to be a FreeSWITCH box in a single Canada datacenter (maybe with a single-DC European presence now or coming soon as well?). However, they are using those desktop protocols to try to create a packaged non-hacker-oriented experience. I’m not sure if that’s possible or not, but I’m obviously biased. It does cost a non-trivial amount of money, though, and their client source isn’t Free.


 


lazzarello:


Hello! I built ostel.co. Nice to meet you.


Regarding signalling encryption. The system uses SIP TLS with a certificate signed by a common CA. Check it out and walk up the chain manually if you’re concerned. Certificate pinning is interesting but in this case the signalling isn’t really what we care about, from a priority perspective. We care about the /content/ of the call, which in SIP land is a completely different protocol with a nice peer to peer key agreement system which is currently unbreakable according to public information. There’s some classified NSA doc that allegedly says it could be done, read all about it…oh wait, you can’t because it’s classified. :(


So the reason there isn’t a bunch of copywriting which discusses the importance of the key agreement in the signalling layer is because I don’t think it’s very important. Now, one could middle the signalling in a clever way and that could, possibly result in a dropped call, which could be classified as a DoS vuln. But that’s unlikely and there wouldn’t be any content leaked. I would be interested in a proof of this attack vector.


Finally, my favorite part about middled signalling is that even if you do it right and a whole forged SIP dialog is built up and Mallory answers on the other end when Bob thinks he’s talking to Alice, you still get to hear Mallory’s voice! So unless Mallory is pro at doing voice impressions, like that dude on SNL can do Jay-Z and Dr. Dre real good, it’s gonna be obvs that something is not right.


Really Finally, I’m using Freeswitch to provide diagnostic services like an echo test. There’s some crazy ideas about offering an IVR that does encrypted voicemail but I don’t know much about that.



This is the third response in a row in which you're speaking like a marketer. Please understand that on HN this sort of communication is less trusted than no communication at all.

 


Actually, a more believable (if still unsatisfying) answer would have been the last sentence by itself. Your first two sentences are fine, but they don’t suffice in and of themselves: you should provide some supporting details. What aspects of your architecture support interop? Don’t say “innate, interop-supporting qualities”. Say “we’re N+1 for more capacity and reliability” or “we have a ‘carrier’ column in some of our SQL tables” or whatever the actual truth is.


Your third sentence contradicts itself, so it makes you seem either uninformed or deceptive.


If these difficulties should be blamed on non-native English use, please say so.


 


from – https://news.ycombinator.com/item?id=6213087



Friday, September 27, 2013


Thursday, September 26, 2013


Wednesday, September 25, 2013


Tuesday, September 24, 2013


Monday, September 23, 2013


Sunday, September 22, 2013

how about the pirate3d buccaneer without the vendor lock-in?

in case you find the buccaneer from pirate3d too singaporean..


http://www.kickstarter.com/projects/117421627/the-peachy-printer-the-first-100-3d-printer-and-sc …just launched.


the buccaneer:


http://www.kickstarter.com/projects/pirate3d/the-buccaneer-the-3d-printer-that-everyone-can-use


- vendor lock-in via ‘cloud’


- sell cheap printer but make it back on cartridges



Saturday, September 21, 2013


Thursday, September 19, 2013


ssh everywhere to convert files. or something like that.

 


i’m not sure why i need to “Manage your SSH like a boss”..


https://github.com/emre/storm


but maybe it helps if you run “a shell tool for executing jobs in parallel using one or more computers”


https://www.gnu.org/software/parallel/


which could then, perhaps, “copy files in a directory, with transformations.”


https://github.com/andrewf/filtdir



Wednesday, September 18, 2013


Tuesday, September 17, 2013

about sums it up


People occasionally wonder why I’m so into indie games these days, even the ugly ones and the pretentiously arty ones and the three-minute-long ones.


It seems to me that indies are passionate about making games. They don’t always have the skill or resources to reach their potential, but you can feel that passion even in something banged together for a 24-hour jam. It’s refreshing.


The big studios, or at least the people who call the shots at the big studios, are passionate about making money, and they’re not a bit shy about throwing out great gameplay for more money. Every “monetization” decision beyond “here’s our game, it costs $umpty” is an exercise in making your game worse on purpose and then charging to bring it back up to baseline. Occasionally, these decisions are made with enough care and subtlety that the overall experience remains almost as good as it could’ve been…but not usually.


- https://news.ycombinator.com/item?id=6401382



Monday, September 16, 2013


Sunday, September 15, 2013


Saturday, September 14, 2013


Friday, September 13, 2013

its a free world..


yandex mail’s smtp proxy


https://github.com/khanton/NwSMTP


bitdefender gives away theirs for free too..


http://frams.bitdefender.com/


somewhat interesting scheme to stop ddos..


http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/


hmmm..dovecot antispam…


http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/



Thursday, September 12, 2013


grab the latest or(?) greatest for us$5..


there’s also Brutal legend and eets munchies..but even without those 2, this is like not bad for us$5?


Faster Than Light


https://en.wikipedia.org/wiki/FTL:_Faster_Than_Light#Reception


FTL received positive reviews, with praise for the game’s captivating nature and means of tapping into the imagination of players who have envisioned themselves as captains of starships. The game’s approach and setting has been compared to science fiction works; Ben Kuchera of Penny Arcade Report calls FTL “Firefly by way of the Rogue-like genre”,[20] while others have compared it to Star Trek, Star Wars, and Battlestar Galactica.[16]


PC Gamer awarded FTL its Short-form Game of the Year 2012 award.[21] The game won both “Excellence in Design” and the “Audience Award”,[22] and was a finalist for the “Seumas McNally Grand Prize” awards for the 15th Annual Independent Games Festival.[23] It was also named the “Best Debut” title at the 2013 Game Developers Choice Awards.[24]


While reception of the game has generally been positive, some reviewers have criticized the game’s difficulty level. Sparky Clarkson of GameCritics wrote, “FTL is an absurdly, cruelly difficult game.”[25] The staff of Edge magazine, while generally complimentary towards the game, said, “FTL can occasionally feel punishing”.[26]


The game’s soundtrack was nominated for IGN‘s Best Overall Music and Best PC Sound of 2012.[27][28] Additionally, it was recognized as being among Kotaku‘s Best Video Game Music of 2012,[29] one of the Top Ten Video Game Soundtracks of 2012 on The Game Scouts,[30] one of Complex magazine’s 25 Best Video Game Soundtracks on Bandcamp,[31] and one of NeoGAF‘s Official Game Soundtracks of the Year 2012.[32]


 


Mark of the Ninja


https://en.wikipedia.org/wiki/Mark_of_the_Ninja#Reception


Upon its release Mark of the Ninja received critical acclaim from both mainstream and video game journalists. Aggregate scores in the low 90s are reported at websites Metacritic and GameRankings.[10][11] The game received a perfect score from Brad Shoemaker of Giant Bomb,[21] Destructoid‘s Holly Green,[22] G4TV‘s Adam Rosenberg,[15] and Dustin Chadwell of Gaming Age.[23] The lowest score of 8 out of 10 came from Edge.[12] IGN‘s Ryan McCaffrey felt that it was “easily a contender for Xbox Live Arcade Game of the Year”.[18] In The Penny Arcade Report’s preview of the game, senior editor Ben Kuchera called it “a must-play game that should entrance even those skeptical of stealth games.”[24]


Kyle Orland of Ars Technica noted that the various ways of achieving a high score gave the game an aspect similar to puzzle games.[25] Garrett Martin of the Boston Herald gave high marks for the game’s cutscenes and stated they were “good enough to warrant a Cartoon Network TV show.”[26] The reviewer from GameTrailers compared the game to a combination between the Nintendo game Ninja Gaiden and the modern open-world game Batman: Arkham City. He also lauded the controls and stated that the scheme “bends and yields to allow you to do exactly what you want precisely when you want to.”[27]


MTV.com‘s Charles Webb praised the game’s ability to focus on stealth yet remain appealing to all players. “[Klei has] taken the key pillars of this type of game and made them transparent while keeping them challenging and fun” stated Webb.[28] Matt Miller, Associate Editor at Game Informer, lauded the animations of the game. He further noted that the interplay of light and shadow further brought the visuals to life.[6] The reviewer from Edge magazine agreed, and noted that the visuals were of “Saturday morning cartoon” quality.[12] Official Xbox Magazine‘s Andrew Hayward also gave high marks for the visual atmosphere of the game, and further praised the “wealth of options” to complete missions.[19]


Criticisms of the game included minor control issues and frustrating gameplay moments. Kotaku‘s Patricia Hernandez felt that the game had too many puzzles involving laser traps, and noticed that guards would on rare occasion “glitch out and not move and just look back and forth, making stealth impossible.”[3] Leif Johnson of GameSpot felt that the game’s far sight mechanic could sometimes stunt the momentum and pacing during gameplay.[4] The control scheme felt more suited for distanced stealth and less so for close quarters agility according to Eurogamer‘s Dan Whitehead. He cited an example where the player could press the B button to pick up and hide an enemy body. Doing so near a place where the player can hide caused frustration, as the contextual controls also use the B button to hide behind cover.[14] Daniel Bischoff of Game Revolution praised the stealth kill mechanic, but was disappointed that the player character could not combat enemies face to face.[16]


 


Fez


https://en.wikipedia.org/wiki/Fez_(video_game)


Upon release, Fez received widespread praise, with IGN giving the game 9.5/10.[37] By June 2012 the Metacritic average was 89%.[38]


As of April 2013, Fez has sold more than 200,000 copies on Xbox Live Arcade.[39]


Awards


Fez won the “Excellence in Visual Art” award at the Independent Games Festival in 2008, where it was also nominated for the “Design Innovation” award.[40] It appeared at PAX Prime 2011 as one of the PAX 10,[41] and won two awards, Story/World Design and Grand Jury, at IndieCade in 2011.[42] It also won the “Seumas McNally Grand Prize” at the Independent Games Festival in 2012.[43]


In December 2012, Fez was declared Eurogamer‘s Game of the Year.[44]


 


Trine 2


https://en.wikipedia.org/wiki/Trine_2#Reception


Trine 2 received largely positive reviews, earning a ranking of 9/10 by IGN,[19] and 84% for both the Windows,[20] Wii U and PlayStation 3[21] versions on Metacritic as well as a rank of 85% for the game’s release on the Xbox 360.[22]



Wednesday, September 11, 2013


Tuesday, September 10, 2013


Monday, September 9, 2013


Sunday, September 8, 2013

appbin, tales and linkedin. no link whatsoever.


http://www.getappbin.com/about.html


About Appbin


The future of computing is multi-device and multi-platform. Many of us are already living it. We own multiple devices and assign them different roles, often in shared contexts. On the other hand, devices and platforms have no notion that their actions are part of a bigger picture. We will need to amend our old methods of tying information to devices, instead associating them with users. Despite a variety of available tools for transferring and managing information, diffusion of information across devices and platforms remains a major problem.


We created Appbin to address a hard problem, enabling users to seamlessly sync their applications. Can I get my Windows 7 apps to Windows 8? Can I recover my app-data from last month? Can I update my apps silently in the background? These are the questions we ask everyday.


https://github.com/calufa/tales-core


About Tales


Tales (http://en.wikipedia.org/wiki/Thales) is a block-tolerant (IP blocking) web scraper (http://en.wikipedia.org/wiki/Web_scraping) that runs on top of AWS and Rackspace. Tales is designed to be easy to deploy, configure, and manage. With Tales you can scrape 10s or even 100s of domains concurrently.


Tales is made in java, javascript/html and uses mysql, redis, and git.


Tales is simple, light, reliable, and has been tested on production environments scraping more than 200 million urls.


With Tales you can do web monitoring, research, aggregators, etc.


Tales currently only runs on Ubuntu 10.04 Lucid — Tales is calling shell scripts inside the app, this needs to be replaced by a “apache licensed version of sigar”.


 


http://gigaom.com/2013/03/03/how-and-why-linkedin-is-becoming-an-engineering-powerhouse/


- http://data.linkedin.com/opensource/voldemort


- http://data.linkedin.com/opensource/azkaban


- http://data.linkedin.com/opensource/kafka


- http://data.linkedin.com/projects/espresso


- http://data.linkedin.com/opensource/helix


- http://engineering.linkedin.com/data-replication/open-sourcing-databus-linkedins-low-latency-change-data-capture-system



Saturday, September 7, 2013


Friday, September 6, 2013


why not school


1. is there new evidence that supports the idea of ‘learning styles’?


Our evaluation of the learning-styles concept led us to identify the form of evidence needed to validate the use of learning-style assessments in instructional settings (i.e., Figures 1A–1C). As described earlier, our search of the learning-styles literature has revealed only a few fragmentary and unconvincing pieces of evidence that meet this standard, and we therefore conclude that the literature fails to provide adequate support for applying learning-style assessments in school settings. Moreover, several studies that used appropriate research designs found evidence that contradicted the learning-styles hypothesis (Massa & Mayer, 2006; Constantinidou & Baker, 2002). Finally, even if a study of a particular learning-style classification and its corresponding instructional methods was to reveal the necessary evidence, such a finding would provide support for that particular learning-style classification only—and only then if its benefits surpass the high costs of student assessments and tailored instruction.


Our conclusions have particularly clear-cut implications for educational researchers, in our opinion. We urge investigators examining learning-styles concepts to embrace the factorial randomized research designs described in the earlier ‘‘Interactions as the Key Test of the Learning-Styles Hypothesis’’ section, because these alone have the potential to provide action-relevant conclusions. The kind of research that is needed must begin by classifying learners into categories based on clearly specified measures and then randomize learners to receive one of several different instructional treatments. Equally crucial, the interventions must be followed by a common prespecified learning assessment given to all the participants in the study. The paucity of studies using this methodology is the main factor that renders the learning-styles literature so weak and unconvincing, despite its large size.


http://www.psychologicalscience.org/journals/pspi/PSPI_9_3.pdf


2. is there evidence that schools actually do any good to people who already want to learn?


Compulsory schooling has been a fixture of our culture now for several generations. It’s hard today for most people to even imagine how children would learn what they must for success in our culture without it. President Obama and Secretary of Education Arne Duncan are so enamored with schooling that they want even longer school days and school years. Most people assume that the basic design of schools, as we know them today, emerged from scientific evidence about how children learn best. But, in fact, nothing could be further from the truth.


Schools as we know them today are a product of history, not of research into how children learn. The blueprint still used for today’s schools was developed during the Protestant Reformation, when schools were created to teach children to read the Bible, to believe scripture without questioning it, and to obey authority figures without questioning them. The early founders of schools were quite clear about this in their writings. The idea that schools might be places for nurturing critical thought, creativity, self-initiative or ability to learn on one’s own — the kinds of skills most needed for success in today’s economy — was the furthest thing from their minds. To them, willfulness was sinfulness, to be drilled or beaten out of children, not encouraged.


http://www.salon.com/2013/08/26/school_is_a_prison_and_damaging_our_kids/



Thursday, September 5, 2013

so basically all commercial encryption products and services are to be considered backdoored and unsafe until proven otherwise?

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security


NSA diagram


This network diagram, from a GCHQ pilot program, shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time. Photograph: Guardian


 


http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption


Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members.


Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”


“Eventually, N.S.A. became the sole editor,” the memo says.


Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.


 


http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=3&_r=0


According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping.


By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, according to the documents. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments.


In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.



Wednesday, September 4, 2013


Tuesday, September 3, 2013


really host it yourself!


do this!


https://arkos.io/genesis/plugins


because you may not have a vps:


https://github.com/al3x/sovereign/blob/master/README.textile


or an x86 host:


http://yunohost.org/


which were previously mentioned in


http://sorty.tk/2013/08/why-host-it-yourself/


 



Monday, September 2, 2013


amusingly, i was reminded of justica

File:HK Central Statue Square Legislative Council Building n Themis s.jpg


when i saw


“Even the Swedish so-called justice system is stacked against the families, since they can’t even choose their own lawyer but have to accept one who is paid by the state and has no incentive whatsoever to fight aggressively on their behalf. It is absolute madness and injustice”


 



Sunday, September 1, 2013

intro to the matasano challenges


http://happybearsoftware.com/you-are-dangerously-bad-at-cryptography.html


You are dangerously bad at cryptography


The four stages of competence:


  1. Unconscious incompetence - When you don’t know how bad you are or what you don’t know.

  2. Conscious incompetence - When you know how bad you are and know what steps you need to take to get better.

  3. Conscious competence - When you’re good and you know it (this is fun!)

  4. Unconscious competence - When you’re so good you don’t know it anymore.

We all start at stage one whether we like it or not. The key to progressing from stage one to stage two in any subject is to make lots of mistakes and get feedback. If you’re getting feedback, you begin to create a picture of what you got right, what you got wrong and what you need to do better next time.


Cryptography is perilous because you get no feedback when you mess up. For the average developer, one block of random base 64 encoded bytes is as good as any other.


You can get good at programming by accident. If your code doesn’t compile, doesn’t do what you intended it to or has easily observable bugs, you get immediate feedback, you fix it and you make it better next time.


You cannot get good at cryptography by accident. Unless you put time and effort into reading about and implementing exploits, your home-grown cryptography based security mechanisms don’t stand much of a chance against real-world attacks.


Unless you pay a security expert who knows how to break cryptography-based security mechanisms, you have no way of knowing that your code is insecure. Attackers who bypass your security mechanism aren’t going to help you with this either (their best case is bypassing it without you ever finding out).


Take a look at some examples of misused crypto below. Ask yourself, if you hadn’t read this post, would you have caught these errors in real life?


Authenticating the API for your photo sharing website


Message Authentication with md5 + secret


Once upon a time, a photo sharing site authenticated its API with the following scheme:


  • Users have the following two credentials:
    • A public user id that they use to identify themselves (safe to send in the clear)

    • A shared secret that they use to sign messages (must be kept private)


  • The user makes API requests over HTTP/HTTPS (it doesn’t matter). Destructive changes are made using a POST/GET request with specific parameters (e.g. { action: create, name: ‘my-new-photo’ }).

  • To authenticate the message, the user sends their user id as a parameter, and then signs the message with their secret key. The signature is the md5 of the shared secret concatenated with the key-value pairs.

To check that the client is the user he claims to be, the server generates the signature from the request parameters and the secret key it has on file for that user.


The code for this could be:


# CLIENT SIDE

require 'openssl'

## Our user credentials
user_id = '42'
secret = 'OKniSLvKZFkOhlo16RoTDg0D2v1QSBQvGll1hHflMeO77nWesPW+YiwUBy5a'

## The request params we want to send
params = { foo: 'bar', bar: 'baz', user_id: user_id }

## Build the MAC
message = params.each.map { |key, value| "#{key}:#{value}" }.join('&')
params[:mac] = OpenSSL::Digest::MD5.hexdigest(secret + message)

## Then send the request via something like...
HTTP.post 'api.example.com/v3', params

# SERVER SIDE

## Grab the user credentials out of the DB
user = User.find(params[:user_id])
secret = user.secret

## Get the MAC out of the request params
challenge_mac = params.delete(:mac)

## Calculate the MAC using the same method the client uses
message = params.each.map { |key, value| "#{key}:#{value}" }.join('&')
calculated_mac = OpenSSL::Digest::MD5.hexdigest(secret + message)

## Compare the challenge and calculated MAC
if challenge_mac == calculated_mac
# The user authenticates successfully, do what they ask
else
# The user is not authenticated, fail
end

With a basic understanding of how md5 works, this is a perfectly reasonable implementation of API authentication. That looks secure, right? Are you sure?


It turns out that this scheme is vulnerable to what’s called a length extension attack.


Briefly:


  • If you know the value of md5('foo'), due to the way md5 works, it’s trivial to compute md5('foobar'), without knowing the prefix ‘foo’.

  • So if you know the value of md5('secretfoo:bar'), it’s trivial to compute md5('secretfoo:bar&bar:baz') without knowing the prefix ‘secret’.

  • This means that as long as you have one example of a signed message, you can forge signatures for that message plus any arbitrary request parameters you like and they will authenticate under the above described scheme.

Any developer who didn’t know about this beforehand would have easily been caught out. The developers at Flickr, Vimeo and Remember the Milk rolled this out to production.


The point isn’t that you should know about every esoteric detail of the internals of cryptographic functions. The point is there are a million ways to mess up cryptography, so don’t touch it.


Not convinced? OK, let’s try fixing this example and see if we can make it secure…


Message Authenticating with HMAC


You hear about this security vulnerability via your friendly neighbourhood whitehat and he recommends that you use a Hash-based Message Authentication Code or HMAC to authenticate your API requests.


Great! HMACs are designed for our use case. This is a drop-in replacement for what you were doing to verify the signature before. Our server verification code can now look like this:


require 'openssl'

## Grab the user credentials out of the DB
user = User.find(params[:user_id])
secret = user.secret

## Get the MAC out of the request params
challenge_hmac = params.delete(:hmac)

## Calculate the HMAC
## We'll do the same thing on the client when we generate the challenge
message = params.each.map { |key, value| "#{key}:#{value}" }.join('&')
calculated_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), secret, message)

## Compare the challenge and calculated MAC
if challenge_hmac == calculated_hmac
# The user authenticates successfully, do what they ask
else
# The user is not authenticated, fail
end

That looks secure, right? Are you sure?


It turns out that the verification code above is vulnerable to a timing attack that allows you to guess the correct MAC for a given message.


Briefly:


  • For a given message, attempt to send it with an HMAC consisting of one single repeated character. Do this once for each ASCII char, e.g. ‘aaaa…’, ‘bbbb…’ etc.

  • Measure the time each request takes to complete. Since string equality takes a tiny bit longer to complete when the first char matches, the message that takes the longest to return will have the correct first character.

  • Smooth out noise from latency in two ways:
    • Run a couple of hundred or thousand requests for each guess to get an average time.

    • Run your timing attack code from within the same data centre. If you’re having trouble determining the data centre, in the worst case you can spin up a box at each of the major providers and find out which box takes significantly less time to ping the target server.


  • Once you’ve determined the first character, repeat for the second by changing the second char onwards, e.g. if ‘x’ is the first char, try ‘xaaa…’, ‘xbbb…’ and so on.

  • Keep going until you have the whole HMAC.

Using the above defined technique, you can reliably determine the HMAC of any message you want to send to the API and authenticate successfully.


Again, perhaps you didn’t know about timing attacks and you’re not expected to. The point isn’t that you should have known the details of specific vulnerabilities and watched out for them. The point is that there are a million ways to mess up cryptography, so don’t touch it.


All the same, let’s go ahead and try to make this more secure…


Verifying HMACs in a time insensitive way


You get around timing attacks by comparing the sent and computed MAC in a time-insensitive way. This means you can’t rely on your programming language’s built-in string equality operator, as it will return immediately when it finds a single character difference.


To compare strings, we can take advantage of the fact that any byte XORed with itself is 0. All we have to do is XOR each byte from string A with the corresponding byte from string B, sum the resulting bytes and return true if the result is 0, false otherwise. In ruby, that might look like this:


require 'openssl'

## Time insensitive string equality function
## Every byte pair is XORed and ORed into the accumulator, so the
## whole string is always walked regardless of where a mismatch sits
def secure_equals?(a, b)
return false if a.length != b.length
a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

## Grab the user credentials out of the DB
user = User.find(params[:user_id])
secret = user.secret

## Get the MAC out of the request params
challenge_hmac = params.delete(:hmac)

## Calculate the HMAC
## We'll do the same thing on the client when we generate the challenge
message = params.each.map { |key, value| "#{key}:#{value}" }.join('&')
calculated_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), secret, message)

## Compare the challenge and calculated MAC
if secure_equals?(challenge_hmac, calculated_hmac)
# The user authenticates successfully, do what they ask
else
# The user is not authenticated, fail
end
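Pulling the fixes from the three sections together, here is an added example (not the post’s own code) of the same API verifier with HMAC-SHA256 in place of the md5 prefix MAC, a canonical message built from sorted, length-prefixed fields so client and server cannot disagree about where one parameter ends and the next begins, and a constant-time comparison taken from the openssl gem where it is available. The names `sign_request`, `verify_request`, `canonical_message` and the in-memory `SECRETS` table are constructed for this example.

```ruby
require 'openssl'

# Canonical message: sort keys so both sides serialise a request identically,
# and length-prefix each field so "foo:bar&bar:baz" cannot be re-split
# into a different set of parameters that yields the same string.
def canonical_message(params)
  params.reject { |k, _| k.to_s == 'hmac' }
        .sort_by { |k, _| k.to_s }
        .map { |k, v| "#{k.to_s.bytesize}:#{k}#{v.to_s.bytesize}:#{v}" }
        .join('&')
end

# HMAC-SHA256 over the canonical message, keyed with the shared secret.
# An HMAC is not a plain hash of secret + message, so appending parameters
# to a captured request does not let anyone extend the signature.
def sign_request(secret, params)
  OpenSSL::HMAC.hexdigest('SHA256', secret, canonical_message(params))
end

# Constant-time comparison: use the openssl gem's implementation when present,
# otherwise fold XOR of every byte pair with no early exit.
def secure_equals?(a, b)
  return false unless a.bytesize == b.bytesize
  if OpenSSL.respond_to?(:fixed_length_secure_compare)
    OpenSSL.fixed_length_secure_compare(a, b)
  else
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for the users table: user_id => shared secret.
SECRETS = {
  '42' => 'OKniSLvKZFkOhlo16RoTDg0D2v1QSBQvGll1hHflMeO77nWesPW+YiwUBy5a'
}.freeze

# Server side: look up the secret, recompute the MAC, compare in constant time.
def verify_request(params)
  secret = SECRETS[params[:user_id].to_s]
  challenge = params[:hmac]
  return false if secret.nil? || !challenge.is_a?(String)
  secure_equals?(challenge, sign_request(secret, params))
end

# Client side, as the post's example does it.
request = { foo: 'bar', bar: 'baz', user_id: '42' }
request[:hmac] = sign_request(SECRETS['42'], request)
verify_request(request)                      # => true
verify_request(request.merge(extra: 'x'))    # => false, no length extension
```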

That looks secure, right? Are you sure?


I doubt it. It marks the edge of my knowledge in terms of potential attack vectors on this sort of scheme, but I’m not convinced that there’s no way to break it.


Save yourself the trouble. Don’t use cryptography. It is plutonium. There are millions of ways to mess it up and precious few ways of getting it right.


P.S. If you must verify HMACs by hand and you have activesupport handy, you’ll get that time-insensitive comparison from using ActiveSupport::MessageVerifier. Don’t code it from scratch, and for crying out loud don’t copy-paste my implementation above.


P.P.S. Still not convinced? Do the Matasano Crypto Challenges and see if that doesn’t change your mind. I’m not half way through and I’ve already had to get in touch with two former clients to fix their broken crypto.



cargo cults


looked at https://news.ycombinator.com/item?id=6312657


Okay, now the fun part. Here’s how I’m obfuscating the data. When a friend creates an account, their username is salted with a salt in the server config files (this is Rails btw, so ENV['SALT']) and then SHA256′d. The password is generated via BCrypt. The only thing I’m not sure about are how many rounds to do for BCrypt so the server stays snappy; right now it’s at default for ruby’s bcrypt library. A random salt is also saved in the Account for the next step.


Username = SHA256(username + SERVER_SALT)
Password = BCrypt(password)
Salt = BCrypt.generateSalt

When a friend saves their data, it is encrypted using AES-256. So for this, an AES Key is generated using a combination of their plaintext username and password, as well as the salt generated in Account creation. That key is never stored on the server, but created on device at runtime.


PBKDF2_HMAC_SHA1(secret, salt, rounds)
AESKey = PBKDF2_HMAC_SHA1((usernamepassword), Account.Salt, 20000)
Title = AES-256(AESKey, title)
Info = AES-256(AESKey, info)

Also, the whole thing is sent back and forth over SSL, though after the recent revelations I’m not too sure how secure that is anymore.


HN, what did I mess up?



The whole goal is to never save anything as plaintext either. So that’s why the username is SHA256′d, and the password is Bcrypted, and the data is AES256′d.


which led me to go on to…


http://blog.lastinfirstout.net/2009/11/cargo-cult-system-administration.html


and then to


http://www.informit.com/articles/article.aspx?p=1562220


which are quite fun.


as are:


http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html


and


https://bookofbadarguments.com/


which i think should be made legally mandatory reading for everyone…

