Who's the idiot disabling SSL on posterous.com?

Has he been fired yet? If not, why not?

By Unknown
at 9/13/2011 3 Kommentare

Link Dump XIX

By Unknown Tags:
at 7/14/2011 0 Kommentare

30 Years

The things that happened in the 30 years I’m around on this ball o' mud, in roughly chronological order:

  • The fall of the Berlin Wall, and the end of the Cold War
  • The end of border checks within Europe
  • Two expansions of the European Union
  • The Internet moving from curiosity to being ubiquitous, and grander than anything cyber-prefixed could ever have been
  • 9/11
  • The Euro
  • Germany’s first involvement in military action as a combatant since WW2 in the Bosnia War
  • Mobile phones becoming as ubiquitous as the Internet, if not more so
  • The rise and fall of EPOC/Palm
  • 9 versions of the Windows OS (From 3.11 to NT to Windows 7)
  • Linux becoming less picky about who its friends are (thanks, Canonical!)
  • The rise of the Chinese Dragon
  • Making friends all over the world (Hi, folks!)
  • Live shows on the internet that I watch every day (Hi, TWiT.TV!)

A happy birthday indeed.

By Unknown Tags: ,
at 7/13/2011 0 Kommentare

Lazy Ruby Cryptography

What is Cryptography?

Cryptography is the art of making clear text illegible by anyone but the original recipients. It is an art that is at least as old as the Roman Repulic, when Julius Caesar used the Caesar cipher to encrypt orders to his centurions in the Gallic wars.

Since then, cryptography has evolved into a science unto itself, which helped kickstart computer science (and thus programming) during World War 2.

I encourage you to discover the history of cryptography. It makes for a good techno-thriller with lots of cloak-and-dagger.

The Two Areas of Cryptography

Cryptogrpahic algorithms are used in two main areas: Validation and encryption. Validation algorithms, or message/hash digests, provide a means to verify that data has not been modified somehow. A rather mundane use of this verification is testing the hash finger print of a file after a download to make sure that the file wasn’t corrupted during the transfer.

Encryption and decryption are used to prevent a third party from reading the message. Online banking or e-commerce websites use this to secure the communication between your browser and their servers when you send payment details.

Get It

You don’t have to install anything, since Ruby includes OpenSSL bindings.

Using Hashes

Important Upfront Note

Unless you have to deal with already existing data, do not use MD5. It is considered broken.

Hashing Data

Consider the following snippet:

require 'digest/sha2'  sha256 = Digest::SHA2.new(256)  sha256.digest("data to be hashed")

After requiring the SHA2 hashing algorithm, we first have to initialize an SHA2 oject with the desired key-length (Ruby supports both 256 and 512 bit keys), before we can digest data.

The key length is important:

sha2_256 = Digest::SHA2.new(256)  sha2_512 = Digest::SHA2.new(512)  sha512_hashed = sha2_512.digest("super secret password")  sha256_hashed = sha2_256.digest("super secret password")  puts sha256_hashed == sha512_hashed

If you run this, you will see “false”. This is obvious enough, since the keylength is different, but it is a gotcha. Make sure you know what algorithm was used to hash the data, otherwise you’ll get false negatives.

The MD5 and SHA1 digests work similarly, but you don’t have to instantiate a new object:

require 'digest/md5' require 'digest/sha1'  Digest::MD5.digest("super secret password") Digest::SHA1.digest("super secret password")

Symmetric Cryptography with AES

Symmetric cryptography, or symmetric-key cryptography means that data is encrypted and decrypted with the same key. That has the benefit that it is much easier to work with, but also means that both the encrypted data and the key used to encrypt this data has to be exchanged somehow. Pulic/Private key (or asymmetrical) cryptography avoids this problem: One key is used to encrypt data, another is used to decrypt data (however, it is theoretically possible to derive one key from another, but there are no known, working attacks of this sort).

Public/Private key encryption deserves its own tutorial, so we will only deal with symmetric cryptography this time.

Let us look at some source code, where we encrypt, and then immediately decrypt clear text:

require 'openssl'  aes = OpenSSL::Cipher.new("AES-256-ECB")  key = sha2_256.digest("super secret password")  aes.encrypt aes.key = key  payload = aes.update("A very secret message.") + aes.final  puts payload  aes.reset  aes.decrypt aes.key = key  puts aes.update(payload) + aes.final

This looks more complex than it really is.

First, we load the OpenSSL bidings, which Ruby uses to do encryption.

Then, we instantiate a new AES cipher object. If you want to know which algorithms Ruy supports, OpenSSL::Cipher.ciphers will tell you.

Now that we have an AES object, we need a key to encrypt data. AES-256 expects an encryption key that is at least 256 bits long (the key size is determined by which AES variant you use). To achieve that, and to make the key harder to guess, we hash a passphrase with SHA2-256.

The next step is to call the encrypt method. That initializes the cryptographical systems needed (like acquiring a source of entropy). Both the decrypt and the encrypt method must be called before any other method!

Finally, we encrypt our data by calling

payload = aes.update("A very secret message.") + aes.final

The important part of this is the aes.final call. This adds the last block of encrypted data to our payload variable plus any necessary padding for AES, which is determined by the algorithm’s block size—the block size are 128 bit chunks of data that each get encrypted, more or less.

To decrypt the data, we reset our AES object, and call decrypt on it. The decryption process works analogous to the encryption. It is symmetric, if you allow me such a lazy pun.

Enhanced Security

If you use the same key to encrypt data several times, you are suverting the security that encryption provides. Sooner or later, parts of the message will repeat themselves and look the same even when encrypted (this is one of the vectors that were used in Bletchley Park by Alan Turing et al to break the Kriegsmarine Enigma system).

Thus, almost all modern ciphers have an Initialization Vector or IV (link is in the Resources section). Ruby cipher ojects have the iv method, which allows you to feed an IV into your cryptography. Make sure that the IV source is random (like Ruby’s rand method), and does not repeat itself.

Do Not Use DES

The DES algorithm has been broken (link below).

Resources

Footnotes

By Unknown Tags: , ,
at 7/09/2011 1 Kommentare

Lazy Ruby Exceptions

Lazy Ruby Exceptions

What Are Exceptions?

Simply put, an exception is an error.

Less simply put: An exception puts a program in a state that is, for lack of a better word, undefined, or cannot—safely—be handled by the language runtime itself.

Get It

Not needed: Ruby has them out of the box.

How do You Use Exceptions?

First things first: Exceptions are not control statements. If you rely on Exceptions to determine what your software is supposed to do, something’s awry.

Use exceptions for:

  • Program state (awfully close to program flow, but I’ll explain later)
  • Resource access
  • Unrecoverable errors

Exception Statements in Ruby

Ruby’s exception syntax is simple, yet powerful:

begin # Awesomeness rescue # Recover from an Exception ensure # Clean up after ourselves end

Two statements in this example are of particular importance:

rescue can take one or more Exception classes (for example: SyntaxError, LoadError, IOError, etc) as an argument. The hash rocket => is used to get a reference to the exception.

ensure is an optional argument, and gets executed no matter what. The code following ensure is, quite literally, ensured to run.

Here’s a toy example:

begin raise "I'm an exception" rescue puts "In the rescue clause..." puts "I give up!" error = "Cannot recover from this!" ensure puts "Ensured to run." puts error end

raise triggers Ruby’s exception handling whenever you need it.

Ensuring Sanity

ensure is useful when you gain access to a resource that should not be left open or lying around. A good example would be a database connection: Instead of leaving an unused database connection around until the database server decides that nobody’s going to use this connection, it gets closed. A good rule of thumb to using ensure is: Am I doing input or output? If so, ensure that my IO access is properly closed.

Eventually this’ll be handled elsewhere, but you cannot rely on it, nor is it very neighborly if we don’t clean up after ourselves.

A Note on Blocks

Ruby provides block methods for IO, like File#read. These blocks have exception handling built in: If you open a file or network socket in a block, Ruby will ensure that it cleans up behind you. So, whenever you can use the black form to access IO (it is a much more natural or readable style, too, in my experience).

Raising and Creating Exceptions

Ruby provides an Exception class from which all other exceptions are derived. I suggest that you, too, derive your custom exceptions from this base.

The base class provides you with backtrace information (where and how was the exception invoked?) at no extra work, which is vey useful:

class CustomException < Exception end  error = raise CustomException.new "Error message" puts error

And as you can see, you can treat an exception like any other object in Ruby with its own constructor.

Exceptions For Program State

Let’s say you have a nifty Ruby program which interfaces with databases. You have wrappers for all the different database engines out there, from SQLite to Oracle, but with littel changes here and there (like DB connections, file access, &c.).

If you don’t yet know which databases are available, you can try to probe for their availability, and if you encounter an exception, you can cross this engine off your list of database wrappers to load.

Another example is checking for teh vailability of gems that are useful, but not necessary for your own program. For example, if you rescue the LoadError if term-ansicolor cannot be found by require, you can still proceed with your program, just without pretty colours.

And, of course, a more mundane use of exceptions and program state is saving a local copy of data when a remote resource becomes unavailable.

Do Not Swallow Exceptions

Exceptions are something the user has to be informed of when they happen (unless you can silently recover, but even then a message is appropriate). Even if you can clean up after yourself, make sure the underlying exception is propagated and kept intact! That you can recover from a specific exception doesn’t mean that everything else can. It’s all abotu being a good neighbor.

Further Reading

Avdi Grimm has written a whole book on Ruby exceptions: Exceptional Ruby: Master the art of handling failure in Ruby. I’ve seen rave reviews of the book, so I recommend checking it out if you have the cash to spare.

Resources

By Unknown
at 7/09/2011 1 Kommentare

Lazy PDF creation with Prawn: A Tutorial In One Part

What is Prawn?

Prawn is a pure Ruby library to generate PDFs. It takes much of the pain away (though, using a publishing tool like Scribus or Adobe InDesign CS5.5 make a more visual approach much easier. However, to create PDFs on the fly, Prawn is the most convenient tool you can find.

Get It

gem install prawn

Use It

require 'prawn'

Creating PDFs

No matter what the PDF shall contain, you will always use the Prawn::Document.generate method. I prefer the block invocation:

Prawn::Document.generate "example.pdf" do end

Sample Content

I want to show off as many of Prawn’s features, so I’ve prepared some sample data:

# Our headings  heading = "The Traditional Filler Content"  sub_heading = "It Has No Inherent Meaning"  # Our body body = <<-EOS Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed doeiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quisnostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.  EOS  formatted = "<b>Inline</b> <i>formatting</i> is a <strikethrough>useless<strikethrough> <u>useful</u> feature!"

Simple Text And Inline Formatting

PDF is, first and foremost, a text format. Everything else is just sugar (or a liability, as the case may be). Since an introduction to everything Prawn (and PDFs) have to offer would be far from a Lazy Tutorial, we will deal with outputting text as PDF.

Simple Text…

Let’s take our sample text, and create a PDF with a large heading, a smaller sub-heading, and a creation date as cover page, and let’s fill the PDF with a bit of dummy text:

Prawn::Document.generate "example.pdf" do text heading, :align => :center, :size => 48  text sub_heading, :align => :center, :size => 32  text "\nCreated on #{Time.now}\n", :align => :center  start_new_page  10.times do group do text body end end end

As you have already guessed, the text method takes text, and outputs it to the PDF, and it takes the :align and the size arguments. If you look at the freshly created PDF, the headings are larger than the creation date, and all of them are aligned in the center of the document.

start_new_page does exactly what it says on the tin, and starts a new page. text body outputs the text we’ve assigned to the variable. And you will have noticed the group do…end block. This tells prawn to keep the stuff enclosed with group do…end as a group, and, if possible, keep them on the same page. Otherwise, the paragraph would overflow.

…And Inline Formatting

I have hinted at it quite a bit, so it won’t be surprising you when I say that Prawn allows for inline formatting, with the help of the tiniest HTML syntax subset: , , , and are supported. However, Prawn will not automatically parse HTML for you. Instead you have to manually invoke the feature:

Prawn::Document.generate "example.pdf" do # ...  font_size 12 do text formatted, :inline_format => true end end

It’s as simple as that. Just so that it looks like I did some work, I’ve also used the font_size size do…end, which does what it says on the tin for everything that’s within the block.

Custom Fonts

One of the strengths of the PDF format is typography: Preserving the typeface of the text you added. Since not every document is (or can be) limited to the “built in” fonts—see Standard Type 1 Fonts for details which are defined, Prawn lets you define custom font_families:

font_families["Nobile"] = { :normal => "./nobile.ttf", :bold => "./nobile_bold.ttf", :bold_italic => "./nobile_bold_italic.ttf", :italic => "./nobile_italic.ttf" }  text formatted, :inline_format => true, :font => "Nobile"

For typographical / dead tree print reasons, it is expected that you define font faces for bold, italic (or cursive), and italicized bold weights. With font my_font you can assign this font for everything that follows. If you want to limit the font directive, you can use the block form, or a :font => my_font hash.

Pagination and Page Numbering

Few documents are exactly one page long, so it’s no surprise that Prawn offers page numbering:

number_pages "Page  of  pages", :at => [bounds.right - 100,0], :page_filter => :all

Simple enough. :at determines where the numbering is printed, and page_filter determines on which page (:all, :odd, or :even).

Resources

By Unknown Tags: ,
at 7/09/2011 1 Kommentare
Subscribe to: Posts (Atom)