Inklings: a tumblelog

The Authoritative Guide to OAuth 1.0

Timing attack in Google Keyczar library

Since the return value is a SHA-1 hash string, the operation devolves to a byte-by-byte compare against sig_bytes. In both Python and Java, this is a classic sequence comparison that terminates early once an incorrect match is found. This allows an attacker to iteratively try various HMAC values and see how long it takes the server to respond. The longer it takes, the more characters he has correct.

It may be non-intuitive, but the symmetric nature of MACs means the correct MAC value for an arbitrary message is a secret on-par with key material. If the attacker knows the correct MAC for a message of his choosing, he can then send that value to forge authentication of the message to the server.

Completely non-intuitive, but it also makes complete sense to check for, even outside of MACs; there’s plenty of places I can think of in my code where there may be time-sensitive string comparisons. Audit ahoy!

Twin Musical Tesla Coils playing Mario Bros

YouTube - The Most Useless Machine EVER!

YouTube - God Is An Astronaut - Fragile (Live)

Windows 'openness' hailed in Nintendo game defeat

The ruling has been seized upon as a victory for those building homebrew games or who install non-Nintendo games on systems via the Flash carts, and were worried that Nintendo’s lawyers would come after them. The carts allow non-Nintendo games to be run on systems like the popular DS. The carts do this because they bypass Nintendo’s DRM.

Maxconsole wrote: “Nintendo is deemed to be ‘illegally’ protecting their system by locking users out. Therefore, developers should not actually require separate development kits and should just be able to develop applications as they wish on retail versions of Nintendo’s consoles.”

Sweet! While I don’t think it’ll have any real substantive effecton the ability to independently produce content for the DS or Wii, it’s still pretty nice, even if this only really applies to France.

Things UNIX can do atomically

Useful for knowing when locking and the like can be avoided.

Bazaar Loom

Loom is a Bazaar plugin to assist in developing focused patches. It adds a ‘loom’ to a bzr branch. A loom allows the development of multiple patches at once, while still giving each patch a branch of its own.

Just uploaded the Pictoria bzr repository

Pictoria is my highly divergent branch of Ivan Voras and Neven Mrgan’s Isaac. I haven’t worked on it in a while, but I’m considering reviving my work on it. There’s no Trac instance for it yet, but when that becomes useful, I’ll put one up. For now, you can clone it.

ports/142793: dns/unbound: no default for unbound_enable and PID file in problematic location.

FreeBSD PR I’m tracking.

ports/142828: databases/libmemcached: Fails to build due to missing atomic locking primitives in GCC

FreeBSD PR I’m tracking.

draft-sayre-http-hmac-digest-01 - HMAC Digest Access Authentication for HTTP

DELPHIC - This Momentary

Libidn - GNU Project

yob.id.au: Thinking Sphinx And Unicode

Actually, the useful thing here for me isn’t Sphinx, but character folding, i.e., the lossy conversion of Unicode codepoints to ASCII near-equivalents, which is something that needs to be done for at work when supplying contacts to the Afilias EPP servers, which only support <postalInfo type="int"/> with contacts.

Autoconf, Automake, and Libtool: Library Versioning

I always forget this stuff.

Building an RPM package: a guide for the unwilling

This is the same quick guide I knocked as a memory aid for building RPM files as I originally posted here, but I’ve moved it here.

A CSS Naked Day concordance

The date of this years’s CSS Naked Day is just a bit problematic - neither the 9th nor the 5th are available according to the criteria, thus I’m proposing that we split the difference and have it on the 7th this year. With that in mind, here’s a lump of PHP code that will tell you, given any POSIX timestamp, whether it falls in CSS Naked Day. Here’s the code:

function is_naked_day($now) {
    $y = gmdate('Y', $now);
    // The 7th is our fallback if neither the 5th or 9th work.
    foreach (array(5, 9, 7) as $try) {
        $day_of_week = gmdate('N', gmmktime(0, 0, 0, 4, $try, $y));
        // Best if it's a Tuesday, Wednesday, or Thursday.
        if ($day_of_week >= 2 && $day_of_week <= 4) {
            $d = $try;
            break;
        }
    }
    $start = gmmktime(-12, 0, 0, 4, $d, $y);
    $end = gmmktime(36, 0, 0, 4, $d, $y);
    return $now >= $start && $now <= $end;
}

You can use it like so:

<?php if (is_naked_day(time()) { ?>
    <p>w00t!</p>
<?php } ?>

Mass Effect 2 Launch Trailer

I am so very, very much looking forward to this coming out - the first Mass Effect game–the main quest anyway, the side quests were somewhat mediocre and repetitive–was some of the best fun I’ve ever had gaming.