Archive for August 2006
I enjoyed reading this article on how an XSS attack works. I’ve always just done the
alert("Game over!") XSS which isn’t really an attack at all, just a proof that there’s a possibility for an attack.
That trusted computing is bad for consumers is something I’ve known for a while, but apparently TC is bad for security as well. Every security measure has its side effects; I’m not convinced this one is unintended, though.
Here’s a prime example of just how bad laws like DMCA can be. If this holds up we basically allow the law to force us backwards in time. (I just have to sneak in Cory’s excellent write-up on Europe’s broadcasting flag here.)
Network neutrality is a complicated subject. Ed Felten has done a lot lately to clarify things for me with his Nuts and Bolts of Network Neutrality. I still have to find the time to look through his blog a bit more carefully.
Why is this such big news? An update for Ubuntu broke X. Boohoo! I bet most people complaining don’t have a shadow of a leg to stand on in this. They don’t pay, they don’t contribute, they only bitch in the forums/mailing lists/blogs/etc. It only took 8 hours to fix!
Just in case the UK government wants a good reason to not introduce bloody ID cards and national databases to keep records of everything everyone does—here it is!
Looking to replace M$ Office? Here are a few MS Office killers.
I wouldn’t mind having my desktop look like this!
I’ve actually wondered how to uniquify a list in Python for a long time.
Python is moving up, or maybe it’s down, I don’t know.
Want to learn Python and PyGTK? This blog on learning Python seems like a good place to get inspired.
Erik, it just works for me. I have LUKS on a partition on a USB stick. When inserted I get a dialogue box asking for the LUKS password. I had to configure hal a little to give the desktop icon a good name:

<device>
  <match key="volume.uuid" string="d23647f8-22be-4a8c-86f8-8f59975e9e61">
    <merge key="volume.label" type="string">StickSecret</merge>
  </match>
</device>
For various reasons I wanted to see just what was required to roll my own basic authentication using Django. I am aware there’s a built-in authentication module, django.contrib.auth, but it’s overkill for my ultimate goal and it depends on the session module in ways that only further study can reveal. I heard rumours that the authentication module would be pluggable. The only pluggable aspect of it that I found was the backend (i.e. the data model).
In the end the most relevant reason for doing this was that I wanted to
So, what’s involved in it? It turns out, not much!
First I created a middleware class that extracts the authentication credentials (read: username and password) and sticks a ‘user object’ in the request depending on just how successfully it does this:
from base64 import b64decode

from models import User, AnonUser, BadUser


class MiniAuthMiddleWare(object):
    def process_request(self, request):
        # WSGI exposes the header as HTTP_AUTHORIZATION; some servers used
        # the bare name, so look for both.
        auth = request.META.get('Authorization', '') or \
               request.META.get('HTTP_AUTHORIZATION', '')
        if not auth:
            # No credentials offered at all: anonymous, not "bad".
            request.user = AnonUser()
            return
        try:
            # Expect "Basic <base64(name:password)>". Check the scheme
            # instead of blindly slicing off six characters, and split on
            # the first colon only so a password containing ':' survives.
            scheme, encoded = auth.split(' ', 1)
            if scheme.lower() != 'basic':
                raise ValueError('unsupported authentication scheme')
            name, pwd = b64decode(encoded.strip()).split(':', 1)
            u = User.objects.get(name=name)
            if pwd != u.passwd:
                request.user = BadUser()
                return
            request.user = u
        except (User.DoesNotExist, TypeError, ValueError):
            # Unknown user, malformed header, or undecodable base64.
            request.user = BadUser()
        return
The model related to this is rather minimal:
from django.db import models


class User(models.Model):
    name = models.CharField(maxlength=50, primary_key=True)
    passwd = models.CharField(maxlength=50)

    def is_authenticated(self):
        return True


class AnonUser:
    name = 'Anonymous'
    passwd = 'NoPass'

    def is_authenticated(self):
        return False


class BadUser:
    name = 'BadUser'
    passwd = 'NoPass'

    def is_authenticated(self):
        return False
Then I decorated the functions/urls that required authentication with the following:
from django.http import HttpResponse


def _RequireAuthorization(func):
    def _wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated():
            # Missing or wrong credentials: challenge the client for
            # Basic auth rather than serving the view.
            response = HttpResponse()
            response.status_code = 401
            response['WWW-Authenticate'] = 'Basic realm="Silly Realm"'
            return response
        # Pass through any positional/keyword arguments captured by the URL.
        return func(request, *args, **kwargs)
    return _wrapper
That all seems to work just fine.
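The same three-way outcome (anonymous, bad, or a named user) and the 401 challenge, as an added Django-free example that is not part of the original post. It goes a step beyond the middleware above in the places a reviewer would flag: the header is parsed strictly instead of sliced, the user table holds salted PBKDF2 hashes rather than plaintext passwords, and the comparison is constant-time. The user table, header values and realm name are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=100000):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256.

    Storing this pair instead of the password itself means a leaked user
    table does not hand out working credentials.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                 salt, iterations)
    return salt, digest


def parse_basic_auth(header):
    """Parse an Authorization header value into (name, password) or None.

    None is returned for a missing header, a non-Basic scheme, invalid
    base64, or a payload without a colon, so callers never index into
    malformed input.
    """
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != 'basic':
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None
    if ':' not in raw:
        return None
    name, password = raw.split(':', 1)   # only the first colon separates
    return name, password


def authenticate(header, users):
    """Mirror the middleware: 'anon', 'bad', or the authenticated user name."""
    if not header:
        return 'anon'
    creds = parse_basic_auth(header)
    if creds is None:
        return 'bad'
    name, password = creds
    record = users.get(name)
    if record is None:
        return 'bad'
    salt, digest = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: a plain != leaks how many bytes matched.
    if not hmac.compare_digest(candidate, digest):
        return 'bad'
    return name


def challenge_response(realm='Silly Realm'):
    """Status and header the decorator returns when auth is missing or wrong."""
    return 401, {'WWW-Authenticate': 'Basic realm="%s"' % realm}


def make_header(name, password):
    """Build the header a client would send (used for the constructed samples)."""
    token = base64.b64encode(('%s:%s' % (name, password)).encode('utf-8'))
    return 'Basic ' + token.decode('ascii')


# Constructed sample user table: one user whose password contains colons.
SAMPLE_USERS = {'alice': hash_password('s3cret:with:colons')}

if __name__ == '__main__':
    for hdr in (None, make_header('alice', 's3cret:with:colons'),
                make_header('alice', 'wrong'), 'Basic !!!notbase64'):
        print(repr(hdr), '->', authenticate(hdr, SAMPLE_USERS))
```

The split into `parse_basic_auth` and `authenticate` is deliberate: the parser can be fuzzed with arbitrary header strings on its own, and the outcome for an absent header stays distinct from a malformed or wrong one, which is what lets the decorator challenge anonymous clients while still rejecting bad ones.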
At the same time politicians seem to be involved in more security theatre (look here for an explanation of security theatre). The police are busy showing us that they really need 90 days detention without charge. I wonder if we’ll ever see some intelligence at the top.
Luckily for Dr. Evil he asked for sharks; the poor US Navy will soon be carrying out tests on “frickin’ goldfish with frickin’ lasers attached to their frickin’ heads”.
This site contains quite a few facts about Chuck Norris. Here are some facts about our crypto-hero Bruce Schneier. (The last site also has a very nice t-shirt with our homeboy, Knuth.) Of course the world wouldn’t be right without a site with facts about Mr. T.
I’ve spent a few hours tonight playing with django. I have a small project in mind and at first I thought I’d just go for cherrypy since I’ve played with that before. After hearing Guido’s praise for django on FLOSS weekly I decided to take a look at it.
At first I was overwhelmed. Then I was confused. Then I was impressed. I’ve decided to play a bit more and it looks like I’ll end up using it.