Showing posts from 2013

An open source C++ snippet library...

For the past month and a half, I've been delving deep into C++ land, wrestling with the intricacies and annoyances of writing cross-platform code. My biggest gripe with the major libraries out there is that they all have a 'string' class and then proceed to use their 'string' class everywhere, which basically means that if you want to use a specific library, you end up using all of it. I also wanted to push the performance envelope to the limit, which means putting storage on the stack instead of the heap.

At any rate, check it out:

Cross-platform C++ Snippet Library

My favorite class is Sync::TLS, which implements a temporary memory allocator that outperforms system malloc()/free() by a factor of up to 19 times! When I saw the stats, my jaw hit the floor and I drooled a little. It was awesome. I was expecting Sync::TLS to get crushed soundly.

I'm also rather happy with the little UTF-8 library that's included. A minimalistic Unicode implementat…

Outlook 2007 and later supports 'blink'...

...WHY?!

For Outlook 2007, Microsoft removed the embedded Internet Explorer engine for displaying HTML e-mail and dropped in some half-baked solution. From Word. Apparently, the same engineer (an idiot) who thought that margins and padding in 'div's were bad (because Outlook is now pretty much incapable of that) also decided that support for blinking text is good.

The ancient, decrepit 'blink' tag isn't implemented, so how does one accomplish this atrocity? With 'text-decoration: blink'.

That's right, the same engineers who could have spent their time figuring out how to space things out on a screen with margins and padding, instead wasted those precious moments writing CSS support for blinking text. Sigh.

Okay, so HTML e-mail is bad to begin with, but good software developers don't implement stupid stuff until more important things are implemented. Please prioritize what is important. Got it? Cool.

What are C and C++ pointers? A simple explanation.

The question constantly comes up. It is a sticking point and everyone has a different answer for new C and C++ developers. There was even a stop-motion animation created once upon a time to explain them (Pointer Fun with Binky). They are just one of the reasons that a lot of developers are cutting their teeth, so to speak, on other programming languages (but there are other reasons as well).

C/C++ pointers.

I've given a lot of thought over the years to the best method to explain C/C++ pointers in a way that can be more universally understood. Even if the programming language you are using doesn't have pointers, understanding pointers helps gain an understanding of how the underlying hardware operates behind the scenes to execute code. In other words, they are still relevant to you. A lot of what I'm going to say involves gross oversimplifications of several concepts, but the goal is to understand how pointers work as succinctly as possible.

First, we need a grid:

Being a forklift operator possibly leads to car accidents. An example of bad UI design.

I ran into this comment the other day on the Internets:
If you think that driving a car with reversed turn signal and wiper levers is bad, try driving a fork lift which slams into reverse every time you hit what would normally be the left turn signal.

That is not the scary part. I have known numerous forklift drivers that got so used to using the lever to switch from forward to reverse throughout the day, that at the end of their shift they would get in their stick shift car with it in first gear, start the car, turn on the left turn signal, look over their shoulder, release the clutch and drive into the car in front of them.

Life Lesson: Never park directly in front of a fork lift driver. I'm sure there is a reason for the lever to be conveniently placed at that location, but, if the bigger picture is taken into account, this is a pretty good case of UI design that results in expensive damage to property. Car insurance providers should take a look at this scenario to see how c…

We've been doing multithreaded and asynchronous UI programming all wrong!

About a year ago, Microsoft released version 4.5 of the .Net Framework to the world. No one really cared much but every programmer out there should. Why? Lurking in the shadows of that release was THE solution to our multithreading woes. If you've ever done multithreaded programming, you know three things:

1) Multithreading is painful.
2) Multithreading is messy.
3) Multithreading is painful.

Multithreading is even harder in a GUI environment because most GUI libraries will crash (and crash the whole application too) if a programmer tries to do operations on the UI from another thread. So, the programmer ends up having to write a ton of plumbing to get back onto the UI thread after completing a multithreaded operation to do UI stuff. In addition, multithreaded programming requires thinking outside of how programs and programmers are really wired to think: That is, we think sequentially.

The solution that needs to be ported to every programming language we care about (inc…

Setting up WPA2-Enterprise + AES with Ubuntu 12.04.2 + FreeRADIUS with EAP-TLS only (The Definitive Guide)

After spending a LOT of time researching, waiting, more researching, and almost giving up on WiFi, I've finally figured out a secure enough WiFi setup that I think has a pretty good chance of standing up to scrutiny. It is called EAP-TLS and it is serious Kung Fu (aka REAL security). Unfortunately, to implement said Kung Fu, the protocol requires a RADIUS server. And, to get said RADIUS server at an affordable price, FreeRADIUS is needed and therefore Linux is necessary. And the easiest Linux to use is (usually) Ubuntu. But, after scouring the Internets, I've also determined that there are NO good tutorials on setting up a basic FreeRADIUS EAP-TLS system at home under Ubuntu 12.04.2 using the apt-get packages for FreeRADIUS. This, therefore, is the definitive guide mostly cobbled together from a number of different sources.

I'm assuming a half-decent understanding of Linux command-line editing, a fresh installation of Ubuntu Server 12.04.2 LTS on a computer on the n…

Security is a moooooving target

Earlier today, I had a "free heart attack" when a new thread showed up on the PHP Internals list:

[RFC] more secure unserialize()

I love serialize()/unserialize() because it is nice and easy to use. Unfortunately, with ease-of-use comes greater responsibility. In this case, it is important that users can't submit their own serialized data structures to the server. When the server calls unserialize(), it expands out any data type, including objects. Upon destruction of an object, __destruct() is called by PHP automagically, which then executes whatever code is in there. The "free heart attack" I mentioned earlier came from the fact I send serialized data to the SSO client in the encrypted cookie. Fortunately, a look at the encrypted cookie code revealed I had been using json_encode() and json_decode(), which allowed me to breathe a sigh of relief. For now.

This just goes to show that security is a moving target. Or, if you are a cow, it is a mooooooving…

Just use grep! Don't use find + grep (+ xargs + whatever)...

I've been looking for an alternative to find + grep under Linux so that I can do similar queries to 'findstr' under Windows such as:

findstr /sic:"my_function" *.php

Recursive search for PHP files containing the string "my_function". The typical response to "how to search for some type of file containing some text" under Linux is usually along the lines of:

find . -name "*.php" -exec grep -H "my_function" {} \;

Not only is that cryptic and longer and more difficult to type, it fires off a new, separate process (grep) for every PHP file it finds. I've seen a zillion incarnations of the above. Every time I run that, I end up waiting ten times longer than I would have waited for 'findstr' for the same operation. find + grep performance is terrible. So I said to myself today, "Hmmm...maybe grep has the solution already?" Lo and behold, it does:

grep -nir --include="*.php" "my_function"…

Need a good book to read? Read this technical novel!

If you are in the mood for a not-so-boring "technical novel" (there apparently is now such a thing), may I recommend reading this lovely 730 page book:

Engineering Security by Peter "Long-Winded" Gutmann

Reading it does require a level of technical expertise and understanding of how SSL/TLS, SSH, IPSec and a number of rather boring protocols work to truly appreciate what he has to say. For those who don't have the time to read 730 pages, I'm going to summarize:

Security, or at least the average programmer's understanding of it, is...severely lacking. We've had two decades to figure out how to not screw up security and, yet, we still find new, extraordinarily stupid ways to do so. The real problems are a lack of accountability in software development and that anyone can own a computing device without any training whatsoever.

The book then proceeds to attempt to describe fixes for the problems, but I'd wager that around page 50 or so, most reade…

Extending the block size of any symmetric block cipher

Extremely important update: The technique described in this post has been directly confirmed to extend the block size of any symmetric cipher to any desired length by Bruce Schneier himself - he is one of the leading crypto experts in the world. Ladies and gentlemen, we have a winner! On the other hand, the other aspects of this post remain untested, so keep that skepticism handy. However, this post is good news in the event of a major cryptanalysis breakthrough that breaks multiple widely-used and trusted algorithms. Stay tuned...hopefully more good news to come!

Before I begin, I need to preface this with the fact that I don't consider myself to be a cryptanalyst. Coming up with a new cryptographic algorithm that is deemed strong is hard to do and really takes a team of people. I know enough to be dangerous. Therefore, what is presented here is to be viewed as merely a theory to extend the block size of any trusted symmetric block cipher without modifying the core algori…

Are Internet mailing lists a dying breed?

That is the question I've been asking myself lately. Mailing lists used to be a staple communication mechanism on the Internet. Now nearly all of the mailing lists I'm subscribed to are very quiet - still have 10,000+ subscribers on most, just no one seems to use them. The distinct trend I am noticing is that people are forgoing mailing lists and using quick question and answer sites like Yahoo! Answers and StackOverflow to get the answer to their questions. (Or using the Facebook commenting system or Twitter - but that depends on your friends, connections, and followers). Experts Exchange used to hold the position and used to do quite well but then shot themselves in the foot by putting annoying barriers in the way. People went back to mailing lists after that fiasco.

Unfortunately, there are two significant problems with the Q&A websites out there that mailing lists solve and StackOverflow is demonstrating the problems quite well.

The first problem is community and…

Setting up MySQL + Postfix + Dovecot to do Gmail-like 'youremail+whatever@domain.com' plus multiple delimiters

When I set up my Postfix + Dovecot + MySQL installation, I wanted GMail-like filtering for my domain. GMail allows you to do 'youremail+whatever@gmail.com' and it will automatically be delivered to 'youremail@gmail.com' with the label 'whatever'. From there, it can be filtered into the folder of your choice. I figured something similar would be very useful when registering on websites where I'm not necessarily wanting to use a mailinator address but do want to track whether they sell my e-mail address or not. Well, I thought doing the same thing would be useful, but more on the difficulties I've encountered with special characters like '+' in a bit.

In MySQL, I have 'virtual_aliases' and 'virtual_users' tables. If I remember correctly, Postfix first attempts to find an e-mail address in users, then aliases, then tries again without the extension specified by 'recipient_delimiter'.

To set up Postfix with a 'reci…