Rosio Pavoris

I say Scandinavian rather than Swedish because it’s not actually from Ikea, but from some Norwegian company.
And I guess it’s not actually this chair but a chair very like it, only I couldn’t find a picture of this one, presumably because it’s fifteen or so years old. It’s made of wood rather than steel, and the seat is actually not curved to hold a butt, but rigid and full of hate.

It’s completely impossible to adjust the tilt of the seat or the leg rests, or the distance to the leg rests, and apparently their reference human was a three-legged midget.
The end result is that five minutes in this chair will make your back explode with discomfort and physically force your buttocks into your spine, and because the seat is tilted you can’t even just consign it to a corner of the room and stack junk on it, because it will slide off.

The company that made the chair still exists, but apparently doesn’t make them anymore. Even so, most of the products they do still make have at one point or another in their lifetime been recalled for health reasons, so they don’t appear to have mended their ways.
It’s actually more comfortable to just sit on the leg rests.

I should probably get rid of it, but it’s one of the things I inherited from my grandfather.

Anyway.
In completely unrelated news, I deleted Quhan’s blog because it was full of exploit. This makes it the third of our blogs to be compromised.
WordPress is absolute crap when it comes to security, but unless you’re Maia, it’s your own responsibility to keep your installs up to date, people. You have FTP accounts for a reason.

In further unrelated news, I’m never going to finish this Monopoly game. It’s due this Friday.

Christmas and all that.
I got an iPod Nano (though I didn’t ask for one; I just mentioned I needed a new MP3 player, since my old one is a Sony one, and Sony is getting on my nerves; Apple obviously isn’t any better in terms of principles, but at least I can install Linux on it), The Art of Computer Programming, Volume 1, Fascicle 1 (bought because my mom was under the impression it was volume 1, which was a fair guess since it doesn’t even say anywhere on the cover that this is just an update to a single chapter of volume 1, not the actual volume; I don’t know whose idea it was to not label it explicitly, but that person shouldn’t be in marketing), and something purporting to be a chemistry set. Its main feature seems to be “supersnot”, so I question its usability in the manufacturing of high explosives.

Anyway.
I wrote a Facebook application, both because I was bored and because I wanted to see what the Facebook API looks like. Somewhat odd but not terribly complicated, turns out.
Basically all this app does is display your Muffins name and ID and level and avatar in your profile (and optionally your title, equipment, and/or companion as well), and show you a list of friends who added the application and their Muffins names and IDs and levels and avatars.

It’s not terribly useful for Muffins, perhaps, since we only have forty or so active players, and to the best of my knowledge fewer than ten of those use Facebook, but I made it anyway. It would have been handy to have this for something like KoL, but I’m not going to write it, in large part because, to make things simpler, I wrote a script that just queries the game database directly and outputs neatly-formatted code, which the Facebook app interacts with, which I wouldn’t have been able to do without admin access.
For KoL, you’d need an active player session to view player profiles and something to log back in when the session dies because of time-outs or rollover and a parser to extract the needed information and another bit to format that information again and then the whole thing catches on fire and you cry yourself to sleep. So no, not going to do it.

Re: the issue with Muffins! passwords travelling over the network in plaintext: this has been fixed.
The solution involves a nonce, client-side MD5 hashing, and lots of stolen Javascript.

And through the magic of graceful degradation, it will automatically fall back on the old system for people who disabled Javascript. It will also warn these people they should fucking turn on Javascript, because nonces aren’t much fun to implement and if they’re not going to take advantage of them they should go play some other game.

Anyway, the upshot of this is that passwords no longer travel over the network in plaintext (except during registration, which I’m very probably not going to do anything about), so if they get guessed, it’s seriously not my fault.

(Next up, the bruteforce thing. Which is pretty straight-forward: failed log-in attempts are logged, and before it logs you in it checks if there are fewer than, say, three failed attempts in the past fifteen minutes from your IP. If not, it won’t log you in. Shouldn’t bother legitimate users (if it didn’t check IPs malicious users could use it as a denial-of-service attack on users; I guess they sometimes still can through the magic of braindead ISPs), but it makes bruteforce and dictionary attacks completely unfeasible, even for people with very dynamic IPs.
It’ll have to wait until tomorrow, though.)

(Long post! You probably won’t think this is very interesting unless you play Muffins! and have a passing interest in cryptography and/or network security.)

When I started working on Muffins! over two years ago, I was a Japanese language student with no experience in programming or security whatsoever. I had heard about things like packet sniffing, though, and had a vague idea how the internets worked, but my ability to design a log-in system was limited by my ignorance of both PHP and of the possible vectors for attack.
Consequently, when Muffins! was just a blank page with a note saying “Imagine there’s a map here!”, the authentication mechanism sucked. Passwords were stored as unsalted MD5 hashes, and logging in sent your username and password in plaintext to the server, where the password was hashed and compared to the stored hash for your username. The server would then set a cookie with two fields: one for your user ID, and one for your password hash.
With every pageload, the server would look at your cookie and compare it to the contents of the database. If there was something wrong, it’d destroy your cookie and kick you to the log-in page, and that was that.

Read the rest of this entry »

Muffins is back. Seemed right, since it’s two years ago today that it first went online.
Everyone’s been deleted, because I felt like deleting everyone. Development is expected to resume, though probably at a slower pace than two years ago. The only thing changed so far is that accounts are no longer deleted after two months of inactivity.

I can’t deal with this anymore, so now you kids can provide your own content, if you like. Anything even tangentially related to anything can go there, if you so desire.
Those forums will also be the official Rota Hall forums now, in the sense that any complaints, suggestions, or requests about Rota Hall or any of its projects (including Muffins, if you’re still upset about that) go there.

If there’s enough activity, I may add more subforums (one for religion might be interesting, if anyone was actually interested in debating), but I don’t foresee that being a problem.

If you registered an account on the blog, it will work on the forums as well. If you register on the forums, that account almost certainly won’t work on the blog, but if it’s a problem I can always look for the relevant plugin. I’m told one exists.
The theme was made by Terras, because that’s what he’s for~

Now get to activitying.

I set up a blog for Livia/IcLubYou two weeks ago, and she’s finally made her first post.
So go visit and welcome her to the Rota Hall fold, would you?

Three to two in favor of freenode, so #rotahall is moving to freenode, and taking #pharyngula with it.
Goodbye, ZiRC~

For those of you who need Java applets for everything you do, you can get into #pharyngula using this.
I’m working on editing the #rotahall one as we speak.

Edit: Alright, so a rather important complication came up that I didn’t even consider: freenet is huge, and as such, too many nicknames are already taken. So we’re going to synIRC.
The applets all point in the right direction.

This is starting from July 20th or 21st or so. First two-thirds of this month is here.
In line with expectations, roughly. We can afford to start using a lot more bandwidth, though.

You may or may not have been aware of the problems with ZiRC, but the short of it is that all server admins took their ball servers and went home started a new network, synIRC, a few weeks ago.
Most channels are moving away from ZiRC, but I wanted to wait until I found out more about why this happened, both to find out if there was a legitimate reason, and to get an idea of how long-lived synIRC (and ZiRC itself) would be.
Now that I got that answer (tl;dr: prince is a self-important drunk and the only person running ZiRC right now), we are, indeed, moving. The only question remains, to which network?

I’d like to avoid networks without services (EFnet) or with retarded ones (QuakeNet), and ones with a large known population of idiots (DALnet, EsperNet), but other than that, I don’t particularly care.

#pharyngula will probably move with it, though that’s open to discussion, since that’s not just “my” channel.

Edit: ‘kay, apparently we’re moving #pharyngula with it.

I’ve told people WordPress makes a decent generic CMS for any website, not just blogs, on at least three separate occasions so far, without actually having any experience with using it that way.
Consider that rectified.

I was right, too. The only problem is that most themes assume you’re running a blog, not a regular website, so they require a fair bit of editing. If you know a bit about HTML, PHP, and WordPress’ idiosyncrasies, though, that’s easy enough.

It still needs a proper logo, incidentally. The current one is the theme’s default, and it’s neat, but not Rota Hall. Remind me to poke Terru about that.

1. The LBRS forums.
2. SWBHG
3. Mimetex

Of these, Mimetex bothers me the most, because it’s actually part of my blog and I have no idea how to fix it. It’s a compiled Perl CGI script, and it should be working, but isn’t.

Edit: Fixed it. chmod desu~

The LBRS forums should be fairly trivial to fix, I just can’t be bothered to right now because nobody uses them anyway.

SWBHG could take a while, primarily because apparently Mercury wrote it on the assumption register_globals would be enabled. That’s painfully stupid, though fortunately for him, so was our last webhost.
I’m hoping it’s just in the log-in/registration script, and not in the entire application, because otherwise I’m just not going to fix it.

Edit: Oh, goddammit. Mercury, your code has made me physically ill. I don’t want this piece of shit on my server. No more SWBHG.

This is a baby pygmy hippopotamus.

’bout time. Some set-up hiccups, but apparently we’re finally on the new server.
Our new hosting plan allows for 35 GB of webspace (compared to 500 MB on the old one) and three terabytes of bandwidth per month (compared to 20 GB before), for roughly the same price as the old one, and it auto-renews, so no more fucking around with downtime in August.
Best of all, it’s not run by a 17-year-old and his two imaginary employees.

Anyway, all blogs should be up (though some things are apparently broken; I’m working on fixing that now), and all databases should be reasonably up to date. The blogs are from backups taken a few hours ago, but if you posted something interesting (or someone interesting commented) in the meantime, let me know and I’ll retrieve if from the old databases while I still have access to them.
Incidentally, the essentially unlimited webspace means you can use StatTraq again, if you like, though I don’t guarantee those tables won’t crash eventually.

I know SWBHG is broken, and I know Muffins is missing entirely. I didn’t move Muffins because syncing the databases while the game was up would’ve been a nightmare. I’ll get to that in a bit.

I also know all FTP accounts are gone. This is because I don’t have access to the passwords, and without that, there’s no way to move them seemlessly anyway. If you had an FTP account and need it back, tell me so I can make you a new one.
You can still use your old FTP info to get to the old server, if you connect to ftp.ysgonzo.be instead of ftp.rotahall.org.

Everything else (well, such as it is) should be working. Let me know if there are any problems.

Edit: Muffins is back up and seem to be working properly. I know the LBRS forums are still broken (though they were before the move as well), and I’m working on those now. SWBHG, the Selectively Antisocial subdomain, and Terru’s blog seem to be having DNS problems (I think), which I hope will resolve itself in a bit. Otherwise, I’ll look at those next.
Meanwhile, here are the last of the bandwidth statistics on our old server:
Read the rest of this entry »

Presumably.
They spoke of calendar day, not business days, so I assumed they worked on Sunday. Apparently not so much.

Go play these games while you wait. They’re made of not fail.

I’m in the process of uploading everything to our new server right now. The databases have all been set up, and DNS should take care of itself now (though actually transferring it and having it propagate will obviously take a while; possibly several days still), so wooh.

I’m not even going to try moving Muffins until at the very, very end, so there will be downtime there. The blogs, though, should all transfer relatively seamlessly.
If everything goes alright, this will be my last post on the old server, and it’s one I don’t intend to transfer to the new one, so if you’re reading this, the move hasn’t happened yet!

Dogs that are smaller than cats are a cruel, cruel joke.

Incidentally, progress is being made on switching webhosts. Yesterday I made a full file backup of everything on the server now (and I won’t be doing that again, so if you (Rota Hall peoples) upload any files between then and the switch you’ll have to re-upload them afterwards; I’ll be doing final database backups right before the switch, so don’t worry about that), and the domain is being released soon.
There will be downtime, but it shouldn’t be more than a few hours. With luck.

Progress is also being made on that text adventure engine I’ve been writing. Compromising between genericity and actual doingstuffness is annoying, so I’ll probably give up and just write a damn text adventure before I’ve got a releasable engine, but it’s still kind of entertaining.

Pandapile.

A full day of downtime isn’t acceptable, especially for something as simple as MySQL locking up.
If this were the first time, I wouldn’t mind, but anyone who’s read this blog for more than a month knows it’s a relatively common occurence, and it always takes at least a day before anything gets fixed.

Since our contract renewal is coming up, I’ve decided not to renew and instead to switch hosts. Our new host will offer 250 GB of webspace (compared to our current 500 MB) and 2.5 TB of monthly bandwidth (compared to 20 GB) for slightly less money than we’re paying right now, so I think that’s a good idea.

Since this involves domain transferrals and moving everything to a different server, I expect some downtime. And if our current host turns out to be a dick about the domain name, we may have to move to rotahall.com instead.
Still, take heart! Everything will be better in a few weeks.

I’m winning~
I deleted a few dead subdomains, and will be deleting more in the near future. I’d like to make Rota Hall entirely about blogs soon. Maybe I’ll think of a way to integrate them all moar better.

(Last month is here.)

I took SWBHG down, and it’ll stay down. For “undisclosed vulnerabilities”, is all I’ll say.

(By which I mean, a retarded chimpanzee could code a more secure application.
At least we won’t be going over our allotted webspace as quickly in the future.)

Update: Alright, it should be patched now. I’ve brought it back provisionally, but I’ll be watching it closely.
Regarding the webspace, the SWBHG vulnerability wasn’t the cause of it, apparently, though it could have been used to do the exact same thing. Still, that was something else, and that, too, has been taken care of now.)

Why do I manage to get four times as much traffic as Terru even when I don’t post at all?