« Previous Entries
» Next Entries

Technology

GPF, Internet, Security, Technology
Cookie cunundrum
February 6th, 2008 (9 months, 2 weeks ago) by Jeff | Permalink | 15 Core Dumps
By now, I’m assuming most of you have read Mondays GPF News item. (If you haven’t, shame on you.) GPF is leaving Keenspot, and I’m neck-deep in unit testing the new site with hopes of releasing it to beta testers soon. If you’re interested in beta testing, you can volunteer in this thread on the old forum.

However, I’ve hit upon one little programming snag, so I thought I’d put out an appeal for help. I thought the blog would be more appropriate venue for this than the forum; that assumption could be wrong, but I’ll go with it anyway. For those of you with some Web-based programming knowledge, especially in the areas of PHP and cookies, please put on your thinking caps.

As part of the new site, I’m implementing my own version of Keenspot’s PREMIUM service, reusing the old relabeling of GPF Premium. Keenspot PREMIUM is going away (for several reasons I won’t go into here), but as the service’s biggest proponent and largest beneficiary, I’d hate to lose that functionality. So the new site will launch with its own independent Premium functionality including all the old service’s features (optional ad-free surfing, weekly archives, High-Def archives, tons of exclusives like Jeff’s Sketchbook, etc.) plus a few new features that I’ve been wanting to implement but haven’t had the time or technological hoop-jumping expertise to work on at Keen.

For security reasons, I want to secure Premium sign-ups and account management via secure HTTP (HTTPS). The benefits should be obvious. By encrypting account creation & management pages, you eliminate sniffing attacks and protect user privacy. While these pages may still be susceptible to other forms of attacks (and I’ve coded them to be as resilient as I know how), encrypting the traffic end-to-end can go a long way to cutting off those vectors of attack.

However, I seem to have hit a brick wall when it comes to setting the Premium authentication cookie. Like Keenspot’s implementation, the subscriber’s browser will be “enabled” by “branding” it with a cookie, which will be read and authenticated each time the page is loaded. If valid, Premium features for that page will be turned on; if invalid, the page will default to a non-enabled state, which could be a simple as showing all ads or as complex as denying access to the content within. Unlike Keenspot’s implementation, which was JavaScript based, mine is scripted server-side in PHP, meaning it should be more accessible to a wider range of browsers and in theory more secure (no Premium content is sent at all if Premium is not enabled, rather than letting the client browser decide). My implementation has been thoroughly tested and appears to work pretty much flawlessly… with one hitch.

The problem occurs when I set the cookie over the encrypted HTTPS connection, then try to read it over unencrypted HTTP. I appears that none of my test browsers send the cookie back when the encryption state changes. The reverse is the same; if I change the URL and set the cookie over HTTP, then try to access a page via HTTPS, the encrypted page can’t see the cookie either. It works like an either-or situation, when what I really want is both. If I set a cookie over HTTPS, I want to see it in both HTTP and HTTPS mode.

PHP’s primary cookie interface is the setcookie() method (for setting) and the $_COOKIE array (for reading). setcookie() includes a boolean parameter for secure cookies, i.e. cookies that will only be sent via HTTPS. What’s annoying is that even when I set this flag to false to force it to be insecure, the scripts continue to exhibit the same behavior: cookies set via HTTP can only be read via HTTP and vice versa. I’ve also tried setting the same cookie both ways–first in one protocol, then the other, without erasing the first cookie–but that didn’t seem to work. The second cookie overwrites the first one, effectively turning it off.

I had heard that IE 6 exhibited this behavior as a bug. However, I tried the exact same tests in Firefox 2.0.0.11, Opera 9.24, and Safari 3.0.4 (all on Windows) as well as IE 7, and all reacted the same way. Cookies set over HTTP could not be read over HTTPS and vice versa. It’s a bit frustrating. Obviously, I don’t want my Premium folks to be forced to use the new site in encrypted mode all the time, as this would slow down all the pages and put a significant extra load on the server as the number of subscribers increases. But I want to protect my users’ privacy and settings (and one of my important revenue streams) by encrypting their account access.

So I guess I’m looking for answers to two questions:
1. Is this some new standard of behavior that I’m missing? I was operating under the assumption that secure cookies (those set with the boolean secure flag) were restricted to HTTPS, but otherwise all other cookies should be sent regardless of whether it was encrypted or not. When I use the awesome Firefox Web Developer plugin, it tells me that the cookie should be there regardless of the encrypted state. Yet it still doesn’t get sent. But am I asking too much? Am I not understanding the specifications, or has something changed that I wasn’t aware of? Can I not have my cake and eat it too?
2. 1. If I’m right and this should be working, what am I doing wrong? Is there a feature of PHP I should be use other than setcookie() to do this? Is it a bug, either in PHP or the browsers?
  2. If I’m wrong and this behavior is expected, is there a workaround I can use to let the same Premium features work over both HTTP and HTTPS? Or should I just give up on the encrypted account management and assume my stuff isn’t worth stealing enough to bother?
Any responses via e-mail or (preferred) comments below will be appreciated.

Update March 5, 2008: Thanks to the input of many commentors below, it looks like I’ve got a solution. The problem, as usual, was somewhere between the chair and the keyboard and the faulty component has been sufficiently flogged with a wet noodle. Immense thanks to everyone who provided feedback and suggestions.
Viral propagation:
GPF, Hardware, Technology, Webcomics
Introducing Hermes
January 2nd, 2008 (10 months, 3 weeks ago) by Jeff | Permalink | 4 Core Dumps
Sorry for the quality of the picture. This was taken with my cell phone’s camera, which isn’t the best in quality but all I had available at the time. (I also should have cleaned the screen before taking this. Oopsie.)

As mentioned in Monday’s GPF News post, I’m looking at a number of ways to take GPF completely digital as a way to speed up my process while not taking time away from my family. The history and reasoning behind this transition is pretty well outlined in the News post, so I won’t replicate it here; make sure you read that post to get the gory details. However, I haven’t really discussed the primary tool to implement those changes, which I felt would be more appropriate to talk about here than in the “official” GPF News.

I’d like you to meet Hermes. Hermes, say hello to the nice people. Hermes is a Lenovo ThinkPad X61 Tablet PC. (For those old timers who may be confused by seeing the name “Lenovo” attached to IBM’s old flagship ThinkPad notebook PC brand, IBM spun off its PC business in 2005 to Chinese company Lenovo, who had already done most of the manufacturing for IBM’s PCs for several years.)

As mentioned in the above linked News post and in the publicly accessible Behind-the-Scenes page, GPF has been a half-analog, half-digital process since pretty much the beginning. What I’ve apparently failed to mention in (or perhaps it would be better to say that I’ve failed to update) either the public Behind-the-Scenes page or its expanded Keenspot PREMIUM-exclusive counterpart is that I’ve been using a Wacom Intuos3 tablet for several years now. Wacom is probably the best known manufacturer of digital tablets which are used by digital artists, 3D modelers, and CAD architects the world over. Digital tablets are much more intuitive for artists to work with than most other pointing devices (mice, pointing sticks, trackballs, etc.), usually giving you a pen or stylus to manipulate the cursor on the screen. I’ve spoken to many digital artists over the years who swear by their Wacoms who eventually convinced me to splurge and give it a try. The Intuos is their mid-range line for advanced amateurs and frugal professionals; many of the artists at my day job use Intuoses (Intui?). My Intuos has gone a long way in improving the GPF development process, and it’s only with great reluctance that I fall back to the mouse or other pointing device for really high-precision details.

That said, the combination of a tablet and a laptop is a bit… cumbersome. Usually when I do the digital half of a strip, I’m sitting on the couch in the living room with Apollo, our previous “alpha” ThinkPad, in my lap and the Intuos hovering in my hand above the keyboard. This works well enough as long as I don’t need to type anything, but leads to some awkward flipping of the tablet up and down when I have to change certain settings or use a different pointing device. It also leads to some uncomfortable right hand positions as I try to balance the tablet above the keyboard without accidentally hitting keys. But perhaps the most fundamental problem is the disconnect between what the hand does and where the eyes are looking. Many of us have been trained for years to move a mouse with one hand while looking at the moving cursor on the screen. This becomes a little more awkward for an artist who is used to looking at the art beneath the pencil/pen/brush in their fingers. I minimize this somewhat by having the tablet so close to the LCD of the laptop, but it’s still not as intuitive as I would like. If only I could actually draw on the screen….

Wacom has a line of LCD displays with tablet capabilities called the Cintiq. I’ve wistfully mused about one for some time, but didn’t really covet one until I played with on at SIGGRAPH 2007. The large, crisp, bright display combined with the ability to draw directly on the screen was intoxicating, and I had to admit that I began to rationalize the high price tag just to get my hands on one. After all, I haven’t been to a con in a couple years now, so the GPF checking account has reached all-time highs with much more coming in than going out. But the Cintiq would be wholly impractical in my situation, where my digital art is technically a secondary source of income and the return on investment would be minimal. It would also be impractical from a physical standpoint; having seen one now in person, it’s completely unrealistic to sit on the couch with my son playing in the floor while having this massive 20″+, 16+ lb glowing brick in my lap. I’d have to move the digital work to a dedicated location, further isolating me from my family while working on the strip. If only I could have the draw-on-screen power of the Cintiq in a portable form….

It was about then that my wife called my attention to the latest employee purchase options at her work. Whereas I was laid off from IBM back in 2003, she’s still an IBMer and still has access to their employee purchase program. Since Lenovo now produces IBM’s old line of PCs, the two companies undoubtedly have a deal that allows the old IBM employee purchase program to access Lenovo machines at significant discount. And sure enough, Lenovo has recently added a line of Tablet PCs to the ThinkPad brand.

The Tablet PC is an interesting concept, but one I wasn’t very enamored with when I first heard of it. The concept is to apply the idea of a “notebook” further to the “notebook PC” by introducing the ability to write directly onto the computer’s screen. Handwriting recognition software would translate the user’s hand written notes into traditional computer text, making note taking more intuitive for less tech-savvy individuals. The concept, however, has been pretty slow to take off. In some places, the PDA (admittedly a dying breed of technology) continues to be more portable and better at converting handwriting to text. In others, the laptop is so deeply entrenched that the target users have already made the move to typing over writing and returning to a stylus would be a step backward. (How many words per minute can you type versus write by hand?) But there are two places where Tablet PCs have really taken off: replacing the traditional clipboard charts in hospitals and… digital artists on the go.

Let me start off by saying that I’m really impressed by this little guy. The transition from using a mouse to using the Intuos was rough at first, despite the fact that the tablet is more intuitive to an artist. You get used to doing things a certain way and relearning things always introduces a few speed bumps. The transition from the Wacom to the ThinkPad, however, was a lot smoother and I barely noticed the difference in speed. In fact, text entry has been the biggest speed bump so far. Using the on-screen keyboard is a bit clunky and is probably the biggest bottleneck in terms of physical speed. However, since Hermes has more memory and a faster processor than Apollo, any slowdowns from removing the keyboard from the equation are probably negated by the beefier hardware. I did have one problem with losing the touch strips on the Intuos which are usually mapped for zooming; I never realized just how much I used those until I lost them. However, I was able to remap a couple hardware buttons on Hermes’ screen to emulate the mouse wheel (which also does zoom in Paint Shop Pro), eliminating this problem.

The real Achilles heel in this transition, however, is my software. I’m still using my old decrepit copy of Paint Shop Pro 7 that I’ve been using for years now. I’ve been disappointed in both the increasing price of the software and the constant upheaval Jasc (the original developer) caused with each revision of in the interface, so I never bothered to upgrade. Then Jasc was bought out by Corel, and constant complains from our Corel Draw users here at work have convinced me to steer clear of upgrading my beloved PSP from here on out. I’m still too cheap to justify the ridiculous price tag for Adobe Photoshop, which I’m unwilling to switch to anyhow because I don’t really want to relearn a whole new interface. (I always felt that PSP’s interface, at least in versions 4 through 7, was much simpler and easier to use.) And while my long term goal has been to switch to completely free alternatives like the GIMP and/or Inkscape, that’s yet another completely different way of doing things that I’d have to unlearn and relearn, and the reason I’ve never made that transition is that my time is better spent now making comics than learning new software.

Mind you, overall PSP has worked extremely well with the tablet. It’s not an OS/application problem, as Hermes runs Windows XP, just like Apollo did. The problem comes in with one tiny yet critical aspect of the PSP interface and the apparent lack of precision in the tablet stylus. There’s one control on the PSP palette toolbar that controls switching between flat colors, gradients, and patterned fills. The only way to switch between options is to left-click a little black arrow in the tool, which brings up a tiny context menu with the options. Once you’ve chosen a general option, you can left- or right-click the rest of the control to bring up the option dialog (to switch from, say, linear to circular gradients). The problem is, I can’t for the life of me get the stylus to register a click on this tiny little arrow. I’ve literally tried repeatedly to get this click to work to no avail. There is no keyboard shortcut for this action, which in a way makes sense given the nature of the tool, but is completely frustrating because I could easily remap a hardware button to do this if such a shortcut existed. So for now my only option is to stop what I’m doing, flip the screen back around to traditional laptop orientation, use the TrackPoint to click the arrow and choose what option I want, flip the screen back around to tablet mode, and usually rotate the screen around again so it’s back to the orientation I originally wanted. This is brings my process to screeching halt, completely interrupting my work flow and is annoyingly disruptive. The problem might be easily solved by switching to a different image editing program, but that’s an issue I’ve already addressed.

All that said, I’m really loving this new little toy. It has done incredibly well so far, even though all I’ve done is use it in my traditional analog/digital production flow. The real challenge will be when I start making all-digital strips, which I plan to do with the next story, i.e. once To Thine Own Self… is completed.
Viral propagation:
Personal, Technology
Geeky Christmas loot
December 31st, 2007 (10 months, 3 weeks ago) by Jeff | Permalink | Dump Core
Sorry for the dry spell, all. With the holidays I’ve been largely offline with the exception of keeping up with my daily webcomic reading and uploading new comics into the queue. (Yay!) I hope everyone had a happy holiday, no matter what holiday(s) you celebrate, and I wish everyone a slightly premature Happy New Year (or, if you celebrate Chinese New Year, either a very belated one or a slightly advance one).

Firstly, in case you haven’t seen it or don’t subscribe to the RSS feed, make sure to check out the latest GPF News post. Some important updates are mentioned there. I’ll expound upon one of those in a separate post here.

I thought I’d share with you my list of “geeky Christmas loot” for this year. I don’t do it to brag, but more just to share. I always like hearing about other’s newest geek toys, and I love sharing the same with others. So maybe if I share about some of my new playthings, others will chime in and share as well.

Perhaps my favorite gift this year was not one that I received, but one that I gave, and technically it wasn’t even a Christmas gift. My wife (”kmd” on the forum) has a birthday in December, and I always try to make it special for her. Being a December baby can be tough as many people either buy you one slightly larger gift to cover both the birthday and Christmas or worse, completely overlook your birthday altogether. So I try to make her birthday extra special, take her out to a nice dinner, and just give her as best a day as I can. This year, I gave her one of the brand new third-generation iPod Nanos. One of things that made this special is that it appeals to her geek side; she too is a programmer, and sometimes I know she feels “overshadowed” by me in all things tech among folks who know both of us. It’s also significant because most of her geeky gadgets are my hand-me-downs; when I get something new (like a new Palm), she usually ends up getting the old one. So now she has a brand-new geek toy all her own, as well has her entire “Weird Al” Yankovic collection in her pocket wherever she goes. (I also got her the one “Weird Al” album she didn’t have on CD, so now she has his entire discography in digital form.)

As for me, my geek gifts were numerous and plenty. My parents had a definite Doctor Who theme: I got the third series of the new Doctor Who; the transition between two of my old-time favorite Doctors, Tom Baker and Peter Davison; a Tardis 4-port USB hub; and a “You Never Forget Your First Doctor” T-shirt. There were several other DVDs amongst the list, including one of Pixar short films. My wife surprised me with a terabyte(!) external USB hard drive (because you can never have enough disk space).

But probably the credit for the most unexpected and most played-with gift this year has to go to my sister-in-law and her husband. For now I’m suffering from an affliction I only heard about while growing up: Nintendo thumb. I am now an owner of a Nintendo Wii.

Well, I guess I’m having less problems with “Nintendo thumb” as I am with “Wii shoulder”. I’ve suffered tendinitis in my left thumb for quite a while now (it kept me from drawing for an entire month back in 2002) and I actually think the workout it’s been getting from the Wii has been somewhat therapeutic. But several hours of Wii Sports, especially bowling and baseball, had me running for the pain relievers the next day. Man, am I getting old. I’m doing better now, though. I never had a popular gaming console while growing up (or an unpopular one, for the matter); while most of my friends were playing with their ColecoVisions, Intellivisions, or NESes(eseses), I was hacking away in BASIC on my Tandy CoCo. (Gee, that didn’t date me at all, did it?) So this this was an entirely new experience for me. We quickly ran out and purchased a second controller (”wiimote”) and “nunchuk” and added a game or two to the ones that accompanied the system as separate gifts. The system has been loads of fun, although I must admit I’ve done far less comicking this past week than I had hoped.

So… what nifty geek trinkets did you get/give this holiday? And do you have any suggestions for utterly awesome kick-butt Wii games that I supposedly must absolutely, positively have or my life will be incomplete? Dump core below.
Viral propagation:
Software, Technology
Vista first impressions
December 10th, 2007 (11 months, 2 weeks ago) by Jeff | Permalink | 7 Core Dumps
I had my first brush with Microsoft Windows Vista this weekend. Like most hard-core geeks who are skeptical of just about anything Microsoft, I’ve read all the hype and negative press and have thus avoided it like the plague. I recently bought a new tablet PC (which just arrived today, woohoo!) and made sure to “downgrade” it to Windows XP. But this weekend as I was performing a Good Samaritan deed I was inadvertently forced to directly interact with Microsoft’s latest and “greatest” OS. And while there’s probably nothing new in this post to anyone who’s used Vista already, I’m sad to report most of what I’d heard and feared are true.

First, a little background. This past week, my sister-in-law’s notebook died. Exactly what happened is still uncertain; we know for certain that the video subsystem is on the fritz, which likely means that something is up with the motherboard (since the video is on-board). The LCD occasionally looks like a black light lava lamp, if that makes any sense, although I was surprised to have it actually work off and on with any given reboot. Windows XP crashes on boot on the NVIDIA video driver, which might (or might not) be consistent with a video hardware problem. Throw into the mix the fact that the system spontaneously reboots or locks up after a indeterminable period of time, sometimes as long as several hours or as short as ten minutes. I pulled out ever trick and tool in my geek arsenal and haven’t been able to completely diagnose the problem, let alone fix it. So now the task has become one of data recovery, and with a creative combination of a Knoppix “live” CD, a USB flash drive, and a USB external hard drive this has gone off without much of a hitch.

Now we introduce the new machine. Like its predecessor, it’s an HP Pavilion “media center” notebook. I put “media center” in quotes because while the old machine actually ran Windows XP Media Center Edition, the new machine runs Vista Home Premium. Other than the OS, it’s obvious both machines are built for one thing: to be a portable home theater system. Both have massive widescreen LCDs, dual huge hard drives, several gigs of RAM, and the latest processors for their time. Needless to say, both machines are meant to be powerful multimedia workhorses and they have the muscle to prove it. Thus, there’s no reason to expect the new machine to be sluggish or slow.

And yet, it occasionally was. HP, like many manufacturers, loads its new machines with tons of useless garbage software. That said, I was surprised to see how little junk was really pre-installed on this thing. So the only thing I can think of that was really bogging it down was Vista itself. I can’t be 100% certain of this as I didn’t take the time to really investigate (most of my time was spent extracting data from the old machine), but there were plenty of times Vista seemed to drag and stutter, sometimes becoming unresponsive for a few seconds.

The culprit, I expect, is the new “Aero” interface. Sure, it looks pretty. I’ll give it that. Compared to XP’s default Crayola-inspired interface (which is one of the first settings I turn off on a new XP machine), it looks slick and modern. But it also seems bulky and bloated. The moment I turned it off and went back to the Windows 95-ish “classic” interface the machine become much more responsive and easier to use. While it was cute watching windows “pop” into existence (something that will probably smell suspiciously like copyright infringement to any Mac OS X user) and the translucent window borders are a nice aesthetic trick, the performance cost is pretty high and not really worth it.

Then there’s the security model. I’d like to applaud Microsoft for finally taking security seriously and making a concerted effort to be responsible with its market dominance by forcing users to be more secure. But boy howdy, is it a bear to work with. Apple has been running attack ads against Vista in their “PC vs. Mac” campaign where the nerdy PC character has to ask permission from a Secret Service inspired man-in-black for every single thing he does. I thought that was funny at the time, but I didn’t really realize how true it was. Having now been trained and used to doing things as an administrator in XP, it’s a real shock to be stopped at every other mouse click with a warning that what I’m about to do has serious security implications. It’s not just a pop-up box, either; the entire screen flashes, dimming everything else and forcing to acknowledge the pop-up before you can continue. Yes, I’m aware of the serious security implications; I’m stepping outside the box and doing advanced things outside what a normal user is likely to do. (For example, moving the contents of the old machine’s “Application Data” and “Local Settings” folders, normally hidden, to their new home.) But do you have to warn me every single blasted time? Really. What’s worse is that this extends beyond some of the obscure, funky guru work I’m currently doing. Simple configuration changes are challenged with the same severity as drastic, devastating, and potentially damaging attacks. Where 95/98 was blatantly promiscuous (or more properly naive) and XP (post SP2) was cautious, Vista is downright paranoid. I half expect it to call in the FBI and the National Guard every time I change my wireless SSID.

Maybe there’s someone out there who can help. If you have experience with Vista and you know how to turn these security pop-up off, just for my login, at least until I’m done doing arcane geek magic to finish restoring this machine, please let me know. I think I’d be done in a fraction of the time if I didn’t have to babysit these prompts all the time. Even if it’s a setting that lets me check a box that says “don’t show this again” so I only get it once per action will be a big help.

After all that complaining, let me mention one thing I did like about Vista: parental controls. As a parent who is faced with a future where my young son will be a few clicks away from all the porn and identity theft of the Internet, I’ve been looking hard at third-party (as well as home grown) filtering and monitoring solutions. Vista apparently has this built in. Unfortunately, I have no idea how effective it is. My guess is that workarounds to bypass it are now just a Google search away. But still, just like XP’s firewall is more of an afterthought than a real security measure, it’s got to be better than nothing, and it will probably be easier to train my non-tech-savvy sister-in-law in how to use it than to explain about proxies and packet filtering. Depending on how long this machine is in my possession, I might try to experiment and see just how effective these parental controls really are.

Again, nothing necessarily new here that you probably haven’t seen everywhere else, but I thought I’d share my experiences to anyone interested in listening. I’m leaning more and more toward ditching Microsoft completely and going with a completely FLOSS setup, and Vista is helping push me in that direction. Then again, I had huge reservations about XP when it came out, too, so who knows what the future will bring?
Viral propagation:
Software, Technology
WinHasher 1.2
November 30th, 2007 (11 months, 3 weeks ago) by Jeff | Permalink | Dump Core
I just can’t leave well enough alone. I’ve been mildly annoyed with the “hash in progress” and progress dialogs in WinHasher 1.1. The original idea was to use System.ComponentModel.BackgroundWorker to easily multi-thread very large hashes (say of CD or DVD ISOs or uncompressed video files). This had two benefits: (1) it allows the user to cancel a hash in progress and (2) gives us an opportunity to update the GUI while the hashing takes place in the background, meaning we can inform the user of the progress. Unfortunately, I couldn’t find a method right away to determine the progress of an individual hash. System.Security.Cryptography.HashAlgorithm.ComputeHash() by default takes a byte array or file stream and chugs the whole thing at once, spitting out the hash as a result. There’s no way with this method to determine how far along you are.

However, if you look at the guts of ComputeHash(), you’ll find it reads in chunks of bytes into a buffer, then calls two methods: TransformBlock() for every chunk but the last, and TransformFinalBlock() to hash the last chunk and finalize the hash. The result can then be obtained from the HashAlgorithm.Hash property. If we bypass the convenience of the single ComputeHash() method call, you can read chunks of bytes from the buffer, feed it to the Transform...() methods, and keep track of how many bytes have been read so far. Since we already know how big the file is from the start (System.IO.FileStream.Length), it’s trivial to calculate a percentage complete. Want the progress of a multi-file comparison? Sum the lengths of all files in the batch, then keep track of the total number of bytes hashed along the way.

I’ve bumped WinHasher to version 1.2. It should be available on the official site by tomorrow morning.
Viral propagation:
Internet, Security, Technology
Disturbing: PayPal in cahoots with DoubleClick?
November 27th, 2007 (11 months, 4 weeks ago) by Jeff | Permalink | Dump Core
I don’t usually do link-and-run posts (I prefer to have actual content in a blog), but I thought this was disturbing enough to disseminate. I’ll probably add my own blathering commentary which will make it more than a link-and-run post anyway. (After all, I know all of you who come here really come for the blathering. I’m just so blatherful….)

I’m not sure how many of you out there follow the Security Now! podcast over at TWiT, but it’s probably obvious by now that I do, given recent posts. This past week’s episode, #119, exposes a rather unsettling fact that shouldn’t be ignored. (The high quality 64kbps MP3 can be found at that link, while a 16kbps MP3, a transcript in various formats, and additional notes can be found here.) While I encourage you to download and listen/read the facts for yourself, I’ll see if I can summarize it below for the attention-span impaired.

For a long time, I’ve defended PayPal as a method of monetary transfer. They’ve always been good to me personally, even during the stormy periods where some GPF readers boycotted them for “questionable” practices. (See the PayPal Wikipedia entry for an abbreviated history.) For that matter, many online comics wouldn’t be able to monetize themselves in any fashion if it weren’t for PayPal, as many webcomics use the service for donations and online stores. (PayPal has always been an acceptable form of payment in every incarnation of the GPF Store.) They’ve always had issues with customer service, but they’ve also been champions in anti-phishing campaigns.

But Steve Gibson and Leo Laporte have helped disclose a rather shady new practice: In a previous Security Now! episode, a listener mentioned problems downloading a software service from PayPal, only to discover that the download link was sending him to a server over at DoubleClick rather than PayPal. Since he was locally blocking access to the domain “doubleclick.net” in his hosts file, the link failed and the software would not download. Gibson promised to investigate the incident and after a number of side-tracks finally presented his results.

DoubleClick, for the few out there unfamiliar with it, is one of the Internet’s largest online advertising agencies, serving ad banners to millions of Web sites (including, indirectly, GPF). DoubleClick has long been unpopular among netizens for its questionable policies of tracking Web surfers across multiple sites, using a trick with tracking cookies to follow you from site to site. Privacy concerns were raised even further when Google, a company that itself stores and indexes a lot of personal information about its users of GMail, Ad-Sense, and other services, recently purchased DoubleClick. DoubleClick eventually bowed to pressure from the Net at large and created an opt-out page so their tracking cookie would contain “non-personally-identifiable information” and thus negate some of the tracking cookie’s effectiveness. (This opt-out page is still linked to (now indirectly, as the URL has changed) from the GPF privacy policy page.) Many folks these days, however, including myself, simply run spyware scanners like Spybot: Search & Destroy or Ad-Aware and periodically delete such tracking cookies, or just block the “doubleclick.net” domain and its subdomains using the hosts file trick mentioned above. (This is how, in part, Spybot’s immunization against cookies works.) This eliminates or at least minimizes the opportunity for your Web surfing habits to be linked personally to you.

However, PayPal’s new links bypass many of these anti-drive-by-cookie-ing techniques by sending you directly to DoubleClick’s servers, rather than inlining content like Flash or images from their site. Since these are internal PayPal URLs and not links that are expected to send you to the outside, they should be immediately suspicious. What’s even worse is that if you examine the URL closely, there appears to be some sort of “user ID” like number included that may personally identify you if you click on it. What’s even more disturbing is the number of these links you run across as you surf the PayPal site; while some obviously ad-like images contain the “doubleclick.net” URL, many links in the site bar that look like ordinary navigational links contain it as well. While Gibson points out–quite rightly–that there is no evidence to support any sort of conspiracy theories that many come to mind, it is obvious enough that some sort of information sharing is going on between the two companies, and that if a unique user identifier is indeed being passed along with the URL, there’s a likelihood that both companies can link your potential spending habits with PayPal to your surfing habits tracked by DoubleClick.

Now it’s easy to be alarmist and to say everyone should boycott PayPal. Unfortunately, so many of us in webcomics depend on PayPal for survival, so there’s no way we can easily remove ourselves from it. And there’s no competitor out there with enough critical mass to really challenge PayPal for dominance, so there aren’t many viable alternatives. Thus the only current immunization option is diligent observation.

The good news is that the DoubleClick URLs within PayPal’s site all contain at the end PayPal URL you will eventually be redirected to. It’s trivial to copy the URL, paste it into your address bar, crop out the DoubleClick portion, and go directly the the PayPal internal destination. Laporte even suggested that it won’t be long before someone comes up with a Firefox plugin that does that for you on the fly. The problem I see with this is that it won’t be long before the diabolical duo figures out savvy users are bypassing the links and they find a better way to obscure the redirection target URL so the copy/paste/edit trick will no longer work. While true encryption might be a bit too much server load for them to handle en masse, a simple ROT13 or Base64 encode might be enough to thwart all but the most stalwart gearheads.

So… should you avoid PayPal? That’s up to you. I can’t, but I’ll be a lot more careful of where I click on their site from now on.
Viral propagation:
Technology
Virtualization is cool!
November 26th, 2007 (11 months, 4 weeks ago) by Jeff | Permalink | Dump Core
Okay, so the subject line kinda screams “I’m a n00b!” But at least it’s true.

I had a new task added to my plate recently. We’re in the process of consolidating some servers at work, moving some of the work to virtual machines using VMware. Like just about everyone one else in the tech industry who hasn’t been living under the PDP-11s, I’ve heard all the hype about virtualization and how it’s going to revolutionize everything there is to revolutionize. Naturally, the idea sounds cool. Who wouldn’t want to create a “virtual computer” living inside their current hardware that you could simply delete and recreate as easily (almost) as if you were working with a simple text file? Of course, all I’ve really been exposed to until recently was the hype, and maybe what little I know about virtual machines and emulation that I’ve picked up from playing with Java, MAME, and DOSBox.

Well, I was recently assigned the task of creating a new virtual Linux box (openSUSE for the nosy distro snobs out there) to serve as our new source control server, using primarily Subversion and Trac. (Yes, we’re a Microsoft shop using Open Source source control and tracking tools. I enjoy the irony too.) It was a bit surreal firing up VMware and creating this new, clean slate to install upon. You specify what type of virtual processor to use (and how many), how much memory and disk space to allocate, and click the start button. Hello, BIOS! The setup took a bit longer that I expected (mostly because we downloaded packages from an online repository instead of just downloading the DVD ISO) but within a few hours I had a brand new openSUSE “box” ready to go. I’ve been configuring it off and on for several days now, setting up SVN and Trac and finding the best way to migrate our existing projects over without losing any ticket or module ownership data. But the wildest part of it all is that once I’m done building this thing, I can just export the virtual machine files to the new, final host and kick it off again, and it’s as if the machine had always existed there. Surreal, I repeat. Surreal.

About the only thing keeping me from creating a blue billion virtual computers around the house is (a) time and (b) system resources. (I doubt I can justify leaving that many virtual machines running at once.) Geek fun!
Viral propagation:
Internet, Miscellaneous, Technology
Comments restored… for now
November 19th, 2007 (1 year ago) by Jeff | Permalink | 2 Core Dumps
Follow up from the last post: Comments should be working again, although not in a fashion that I’d prefer. I had to completely disable Admin-SSL, thus login and login cookies are no longer secure. If you logged in while it was active, you’ll likely need to log in again before you can post, even if you check the “remember me” box. I’m still looking into why it doesn’t work. There’s a known limitation that shared SSL setups will fail to recognize logins in insecure mode, but they say nothing about dedicated setups like mine, which I would think would imply that it ought to work. Then again, I also had some mod_rewrite rules in place, but I experimented with removing those and so I don’t think they’re part of the problem.

I suppose this isn’t a big deal for you guys, since I doubt anyone will be all torn up over making sure their logins to some random guy’s blog are secure. It affects me more than anyone else, because I’d feel much safer if I could protect the admin parts of the site with a layer of encryption. Still, in places where I really need encryption I can verify it still works, so I guess the blog will just have to be open. :\
Viral propagation:
Internet, Miscellaneous, Technology
Comments broken, still working on it
November 19th, 2007 (1 year ago) by Jeff | Permalink | Dump Core
It has come to my attention that comments don’t appear to be working here at the moment. I strongly suspect this is due to the Admin-SSL WordPress plugin that I’m currently using to secure parts of the blog. It seems to forget that you’re logged in when you’re not accessing a secure URL (i.e. you’re not in SSL mode). I’ve tried a few of the workarounds suggested, but none are working. I have a hunch on a few things to try, but that will have to wait until I have more dedicated time to work on it. (I’m currently watching the little guy by myself at the moment.) I’ll post an update when I think it’s been fixed.
Viral propagation:
Software, Technology
WinHasher 1.1
November 9th, 2007 (1 year ago) by Jeff | Permalink | Dump Core
I was downloading Fedora 8 yesterday with every intention of (eventually) upgrading Demeter, our Linux box, currently running Fedora Core 5. I say “eventually” because finding time to back everything up, install the new OS, restore all the files and third-party apps, and then spend hours debugging what went wrong is the hardest part of the whole process.

Anyhoo, I thought I’d put good ol’ WinHasher to use to verify the SHA-1 hash and make sure the download was successful. That was, after all, the primary reason I wrote the thing. But then I noticed something incredibly annoying. The DVD ISO for Fedora 8 weighs in at around 3.18GB. WinHasher has no problems hashing such a file as it hashes the file stream as it reads it, so it can hash any file of arbitrary size. But while it’s doing so, there’s absolutely no feedback to the user. In fact, if you use the right-click “Send To” shortcut, unless you go into the Windows Task Manager and check the process list, you won’t even know the thing is running. It seems to go off into la-la land until mysteriously, a minute or two later, it comes back with a mysterious pop-up box with a cryptographic hash in it.

Bad programmer! Bad!

Well, this annoyed me enough to fix it, so I’ve tweaked it now so it actually runs multi-threaded. This is ridiculously easy to do when you use the System.ComponentModel.BackgroundWorker object in .NET. You just create the object, create a few event handlers for it, and tell it to go do its thing. The hardest part is if you want it to report its progress; then you have to tweak your working code to generate a percentage complete so it has something to display. I learned this trick when I was working on Mandelbrot Madness! 2.0; I have no idea why it never occurred to me to incorporate it here. The annoying part about this addition, though, is that there’s no way to report on the progress of an individual hash. System.Security.Cryptography.HashAlgorithm doesn’t provide a way for you to know how far it’s gone, so there’s nothing to feed to BackgroundWorker.ReportProgress(). The comparison feature does, however, let you know how many of the files have been processed so far in the batch.

So if you’re one of the few brave souls who downloaded WinHasher 1.0, please grab 1.1 at the official site. It officially goes up tomorrow (a delay caused by Keenspot’s parsing to insert the advertising codes). If you haven’t already downloaded it, why not give it a try?
Viral propagation: