Happy birthday.
Rosio Pavoris
Sine qua nonce
Re: the issue with Muffins! passwords travelling over the network in plaintext: this has been fixed.
The solution involves a nonce, client-side MD5 hashing, and lots of stolen Javascript.
And through the magic of graceful degradation, it will automatically fall back on the old system for people who disabled Javascript. It will also warn these people they should fucking turn on Javascript, because nonces aren’t much fun to implement and if they’re not going to take advantage of them they should go play some other game.
Anyway, the upshot of this is that passwords no longer travel over the network in plaintext (except during registration, which I’m very probably not going to do anything about), so if they get guessed, it’s seriously not my fault.
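The nonce login described above, worked through as an added Python simulation of both sides (this is not the Muffins! code, whose PHP and JavaScript are not on the page). How the nonce and the client-side MD5 hash are combined, the user table and the nonce store are all assumptions.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the Muffins! database. The page
# says passwords are stored as unsalted MD5 hashes, so that is what the table keeps.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}
ISSUED_NONCES = set()


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def issue_nonce() -> str:
    """Server: hand the login form a fresh, single-use nonce."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def client_response(password: str, nonce: str) -> str:
    """Stand-in for the client-side JavaScript: hash the password, then hash that
    together with the nonce. The plaintext password never leaves this function.
    (Assumption: the real combination used by the plugin is not on the page.)"""
    return md5hex(nonce + md5hex(password))


def verify_login(username: str, nonce: str, response: str) -> bool:
    """Server: recompute the expected response from the stored hash, consuming the nonce."""
    if nonce not in ISSUED_NONCES:
        return False              # unknown, expired or already-used nonce: a replay fails here
    ISSUED_NONCES.discard(nonce)  # single use, whatever the outcome of the check
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = md5hex(nonce + stored)
    return secrets.compare_digest(expected, response)


def demo():
    """One successful login, then the same captured response sent a second time."""
    nonce = issue_nonce()
    resp = client_response("correct horse", nonce)  # only this digest crosses the wire
    first = verify_login("alice", nonce, resp)
    replay = verify_login("alice", nonce, resp)
    return first, replay
```

Note that the server only needs the stored hash to compute the expected response, so in this design the stored MD5 hash is itself password-equivalent; the nonce stops sniffing and replay, not a database leak.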
(Next up, the bruteforce thing. Which is pretty straightforward: failed log-in attempts are logged, and before it logs you in it checks if there are fewer than, say, three failed attempts in the past fifteen minutes from your IP. If not, it won’t log you in. Shouldn’t bother legitimate users (if it didn’t check IPs malicious users could use it as a denial-of-service attack on users; I guess they sometimes still can through the magic of braindead ISPs), but it makes bruteforce and dictionary attacks completely unfeasible, even for people with very dynamic IPs.
It’ll have to wait until tomorrow, though.)
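The per-IP check from the parenthetical above, as an added Python sketch rather than the Muffins! implementation: the failure log is an in-memory deque per IP, and, since the post does not say, an attempt refused while throttled is not itself counted as a failure (an assumption).

```python
import time
from collections import defaultdict, deque
from typing import Optional

WINDOW_SECONDS = 15 * 60   # "the past fifteen minutes"
MAX_FAILURES = 3           # "fewer than, say, three failed attempts"

# Constructed stand-in for the failed-attempt log: IP -> timestamps of failures.
FAILED = defaultdict(deque)


def record_failure(ip: str, now: float) -> None:
    FAILED[ip].append(now)


def recent_failures(ip: str, now: float) -> int:
    """Count failures from this IP inside the window, dropping entries that aged out."""
    q = FAILED[ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    return len(q)


def attempt_login(ip: str, credentials_ok: bool, now: Optional[float] = None) -> str:
    """Returns 'ok', 'bad-password' or 'throttled'. The IP check runs before the
    credentials are considered, so a correct password is refused while throttled."""
    now = time.time() if now is None else now
    if recent_failures(ip, now) >= MAX_FAILURES:
        return "throttled"
    if credentials_ok:
        return "ok"
    record_failure(ip, now)
    return "bad-password"


def demo():
    """Three failures, a blocked correct attempt, then success once the window has passed.
    The address is a constructed one from the documentation range; a shared IP (the
    'braindead ISP' case in the post) would see the same throttling for every user behind it."""
    ip = "203.0.113.7"
    t0 = 1_000_000.0
    results = [attempt_login(ip, False, t0 + i) for i in range(3)]
    results.append(attempt_login(ip, True, t0 + 10))
    results.append(attempt_login(ip, True, t0 + WINDOW_SECONDS + 1))
    return results
```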
The Evolution of Muffins! Authentication
(Long post! You probably won’t think this is very interesting unless you play Muffins! and have a passing interest in cryptography and/or network security.)
When I started working on Muffins! over two years ago, I was a Japanese language student with no experience in programming or security whatsoever. I had heard about things like packet sniffing, though, and had a vague idea how the internets worked, but my ability to design a log-in system was limited by my ignorance of both PHP and the possible vectors for attack.
Consequently, when Muffins! was just a blank page with a note saying “Imagine there’s a map here!”, the authentication mechanism sucked. Passwords were stored as unsalted MD5 hashes, and logging in sent your username and password in plaintext to the server, where the password was hashed and compared to the stored hash for your username. The server would then set a cookie with two fields: one for your user ID, and one for your password hash.
With every pageload, the server would look at your cookie and compare it to the contents of the database. If there was something wrong, it’d destroy your cookie and kick you to the log-in page, and that was that.
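The original cookie scheme just described, as an added Python sketch (not the Muffins! PHP, which is not on the page), beside a session-token variant that is an assumption of mine rather than something the post describes. The user table is constructed.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed user table; the post says passwords were stored as unsalted MD5 hashes.
USERS = {7: {"name": "alice", "pwhash": hashlib.md5(b"correct horse").hexdigest()}}
SESSIONS = {}  # session-token variant only: random token -> user id


def old_login(user_id: int, password: str) -> Optional[Tuple[int, str]]:
    """Original scheme: the plaintext password arrives, is hashed and compared,
    and the cookie handed back is (user id, password hash)."""
    row = USERS.get(user_id)
    if row and row["pwhash"] == hashlib.md5(password.encode()).hexdigest():
        return (user_id, row["pwhash"])
    return None


def old_check_cookie(cookie: Tuple[int, str]) -> bool:
    """The per-pageload check from the post: does the cookie match the database row?"""
    user_id, pwhash = cookie
    row = USERS.get(user_id)
    return row is not None and row["pwhash"] == pwhash


def old_logout(cookie: Tuple[int, str]) -> None:
    """The server can only tell the browser to drop the cookie; nothing changes server-side,
    so any other copy of the cookie stays valid until the password itself changes."""
    return None


def new_login(user_id: int, password: str) -> Optional[str]:
    """Assumed hardened variant: the cookie is a random per-login token that only the
    server-side session table can interpret. Password check reused unchanged for brevity."""
    if old_login(user_id, password) is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def new_check_cookie(token: str) -> bool:
    return token in SESSIONS


def new_logout(token: str) -> None:
    SESSIONS.pop(token, None)  # invalidates every copy of the cookie, not just the browser's


def demo():
    """Does a retained copy of the cookie still pass after logout? (old scheme, token scheme)"""
    old_cookie = old_login(7, "correct horse")
    old_logout(old_cookie)
    token = new_login(7, "correct horse")
    new_logout(token)
    return old_check_cookie(old_cookie), new_check_cookie(token)
```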
Simple Footnoter
Time for another quick-and-dirty WordPress plugin.
Since Emiry likes my footnotes, I wrote a plugin that makes making them a bit easier.
Basically, the idea is that you write [1] (where 1 can be any number), and this plugin will replace it with 1. Then, at the bottom of the post (typically, but not necessarily), you write [f1], and it will replace it with 1. If the latter is at the start of a paragraph, it will also make said paragraph of class “footnote”, which you can then define in your CSS file or what have you to have a different style, if you so desire.
You’ll note that the ID of the anchor tag starts with a random number. This is to prevent (or at least make very unlikely) collisions in IDs if more than one post is being displayed at a time, since that breaks things. Ideally, it would use the post slug for that, but if there’s a way to retrieve a post slug from within a filter, I couldn’t find it in the WordPress API in under two minutes.
It’s not awesomely efficient (it uses regular expressions), or awesomely awesome, but it works well enough.
The code is here; as always, save that as a .php file, upload to your plugins folder, and activate. If you have suggestions for improvement, let me know.
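The substitution the plugin performs, as an added Python sketch (the plugin itself is PHP and its code is not on this page): the anchor id format, the detection of a paragraph by its `<p>` tag and the `prefix` parameter are assumptions.

```python
import random
import re
from typing import Optional


def footnote_filter(content: str, prefix: Optional[int] = None) -> str:
    """Turn [N] into a superscript link and [fN] into the note's anchor."""
    # A random prefix keeps anchor ids unique when several posts render on one page
    # (the plugin draws one per post; the id layout used here is an assumption).
    if prefix is None:
        prefix = random.randint(1000, 9999)
    # A note marker [fN] that opens a paragraph also tags that paragraph as class "footnote".
    content = re.sub(r"<p>(\s*)\[f(\d+)\]", r'<p class="footnote">\1[f\2]', content)
    # [N] in the body becomes a superscript link down to the note.
    content = re.sub(
        r"\[(\d+)\]",
        lambda m: f'<sup><a href="#fn{prefix}-{m[1]}" id="ref{prefix}-{m[1]}">{m[1]}</a></sup>',
        content,
    )
    # [fN] becomes the note's anchor, linking back up to the reference.
    content = re.sub(
        r"\[f(\d+)\]",
        lambda m: f'<a id="fn{prefix}-{m[1]}" href="#ref{prefix}-{m[1]}">{m[1]}</a>',
        content,
    )
    return content
```

As with any regex filter over the whole post body, a bracketed number the author meant literally (an array index in a code sample, say) is rewritten too.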
Java schools are a cancer on society
You can pretend to be teaching OO principles all you want, if you really were you’d be using a pure OO language to do it, and you’d realise just teaching OOP creates crippled programmers at best.
The way you wank on over design patterns reveals what you’re really doing; you aren’t teaching about programming. You aren’t even (for those who think higher education and vocational schooling should have anything to do with each other) training programmers. You’re training typists who happen to know enough programming idioms to wing it some of the time, as long as they’re never asked to create software more complicated than a typical accounting application, or to explain the reasoning behind said idioms.
You aren’t even giving them the tools to pick up languages besides Java and its bastard children, because they’ve never heard of most of the important concepts in computer science.
No wonder there are so many job openings for programmers even a decade after the dot-com bust: colleges and universities just aren’t producing them anymore.
(That is all.)
On Hash Functions
Cryptography is becoming increasingly important in our daily lives, but there’s still a lot of confusion over even very basic cryptographic concepts in the media, so I thought I’d write a bit about some general cryptography-related topics.
This may be the first post in a series, or I may get tired of it after this one. We’ll see.
Hash functions have lots of uses beyond cryptography, making them particularly important for people to understand. The media generally seem fond of confusing them with encryption, which they aren’t.
A hash function is any function that takes data as input and converts this input into a fixed-length string, or hash. They differ from encryption in that they are meant to be irreversible, while encryption is always meant to be reversed.
Ergo bibamus
Today, I spent my Java class reading SICP in the hall and glaring at people who looked like they might be in my class.
It was awesome.
Also, it’s Terru’s birthday. Show him your boobs.
Also
Muffins is back. Seemed right, since it’s two years ago today that it first went online.
Everyone’s been deleted, because I felt like deleting everyone. Development is expected to resume, though probably at a slower pace than two years ago. The only thing changed so far is that accounts are no longer deleted after two months of inactivity.
