Try to download all the Dropbox data

Today I installed Dropbox and got an idea. It turns out that if the service has your file already, it will not upload it again. Syncing a 600 MB Ubuntu ISO took me less time than it took me to download the file, and my upload is not faster than my download. There must be some kind of hashing going on there (they would be stupid not to do it).

However, the speed of the sync got me thinking about a security bug that was discovered in SSH a while back. The problem was that it was possible to notice whether a user existed or not, because the time it took to respond for an existing user was different than for a non-existing user.

The same holds true for Dropbox: if I create a random file, I'm able to check whether a user on Dropbox already had it by timing the sync speed in correlation with my network output (or even just looking at the network traffic amount will do the trick). Now the question is: what kind of security-related file, or personal information format, will be best to randomly generate and try to find?

Theoretically it should be possible to download all Dropbox data this way; hopefully somebody will one day find a good way to exploit this optimization.
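A toy model of the design choice behind this side channel, as an added example that is not part of the original post and not Dropbox's actual protocol: it compares cross-user client-side deduplication with two policies that remove the signal (deduplicating only within one account, or always uploading and merging on the server). The class, function and mode names are hypothetical and the file contents are constructed samples.

```python
import hashlib

# Constructed sample contents; any byte strings work.
SECRET = b"constructed sample: file alice already stored " * 64
OTHER = b"constructed sample: file nobody has stored " * 64

class ToySyncService:
    """Toy sync service with three deduplication policies (hypothetical names)."""

    def __init__(self, mode):
        if mode not in ("cross_user", "per_user", "server_side"):
            raise ValueError(mode)
        self.mode = mode
        self.blobs = {}  # storage key -> content

    def sync(self, user, data):
        """Store data for user; return how many bytes the client had to upload."""
        digest = hashlib.sha256(data).hexdigest()
        # per_user scopes the hash lookup to one account; the other two modes
        # keep a single copy per hash across all accounts.
        key = (user, digest) if self.mode == "per_user" else digest
        known = key in self.blobs
        self.blobs.setdefault(key, data)
        if self.mode == "server_side":
            return len(data)  # always upload; duplicates are merged after receipt
        return 0 if known else len(data)  # client-side dedup: skip known hashes

def observe(mode):
    """What a second account learns from upload sizes alone."""
    svc = ToySyncService(mode)
    svc.sync("alice", SECRET)
    present = svc.sync("bob", SECRET)
    absent = svc.sync("bob", OTHER)
    return {
        "present": present,
        "absent": absent,
        "distinguishable": present == 0 and absent > 0,
        "stored_copies": len(svc.blobs),
    }

if __name__ == "__main__":
    for mode in ("cross_user", "per_user", "server_side"):
        print(mode, observe(mode))
```

Only the cross-user mode lets the second account tell the two files apart; the server-side mode keeps the storage saving but gives up the bandwidth saving.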

IB-groep paranoia: content injection, and why are they showing me their proxy address?

With graduating naturally comes paying back, in my case at least. So I decided to have a look at mijn-ib-groep to see how things stand.

Two things I did not like seeing: simple content injection (partially escaped, but still). See here, for example. And that they show the IP address of their internal proxy as verification (see screenshot). Do they think I can do anything with that? The paranoid nerd in me thinks the government cannot be trusted with computers.

What is Firefox doing now?

I had some time to kill, so I pulled up my system monitor and had a look. One thing bugged me: Firefox was doing something while I was not doing anything with Firefox. So I dove into the settings and documentation, and this long post deals with all the things I could find.

gedit indent lines plugin removed, long live the TAB key

The gedit indent lines plugin was removed. I then looked at the documentation with F1, but the Shortcut keys manual page had a parsing error and yelp didn't want to show me more than the first few keys. I then turned to the internet and found nothing.

Turns out this is one of those "it's too easy, so it doesn't need any documentation" cases. The indent key is now TAB instead of Ctrl+M and Ctrl+m. So now you can use TAB and Shift+TAB to indent and un-indent your selection in gedit.

Open Transport Tycoon Deluxe Debian/Ubuntu game data package

After installing Ubuntu Lucid alpha 1 I found out I had to download the OpenTTD data files again, so I decided to create a package for it. It is a very ugly package, but does the trick. Have fun!

Empathy: Could not create the rtp muxer element

I had the problem that Empathy would disconnect almost immediately when trying to make an audio call. I started it on the command-line and got the following output:

(empathy:12628): tp-fs-WARNING **: stream 1 0x2614a70 (audio) get_all_properties_cb: Error creating session: Could not create the rtp muxer element
(empathy:12628): tp-fs-DEBUG: stream 1 0x2614a70 (audio) close: close requested by connection manager
(empathy:12628): tp-fs-DEBUG: tf_channel_dispose
(empathy:12628): tp-fs-DEBUG: _tf_session_dispose

The solution was simple but also weird: remove the .gstreamer-0.10 directory from your home directory (so ~/.gstreamer-0.10), after that no more problems with the rtp element being created.

ccbuild version 2.0.0 released

After having some last minute problems with both the build system and the licensing, I finally released ccbuild 2.0.0. Bring on the issues! Reasons to expect issues to pop up are multi-threading support using OpenMP and using a single top-level o directory, instead of one per directory. Any command depending on the directory structure (like makefile).

mod_rewrite rule to strip SSL: https to http

One problem with https is that it is not possible to do mass virtual hosting, because the certificate is connected to the hostname, but the hostname is determined by the request. Chicken and egg problem there. In the end you can make a snake-oil certificate for one domain, but it won't work with other domains. If you decide to strip https support for those people who find a way to get there, here is a .htaccess file that will do that:

# Send any request that arrived over HTTPS to the same host and path over plain HTTP.
# The TLS handshake, and any certificate warning, happens before this rule runs.
RewriteEngine on
RewriteCond %{HTTPS} on
RewriteRule ^.* http://%{HTTP_HOST}%{REQUEST_URI} [redirect=permanent]

cclive: Download flash videos from the Linux command-line

You may already know youtube-dl, a popular Python script which allows you to easily download a YouTube video. Well, there is another program which mimics this behavior, but works for more than just YouTube, and it's called cclive.

cclive started out as a Perl program under the name of clive, but the C++ rewrite is simpler and has a smaller memory footprint. cclive has the same usage as youtube-dl:

cclive <URL>

You can't get it simpler than that.

I wanted to use this, so I decided to package it for Ubuntu. There was no package available yet, so this blog entry is to tell you about my new PPA entry for cclive. Debian unstable has a package for it already, so for Debian you can find it here.

The 0.5.5 release supported sites are

Programming safely with Python

People often say that Python is an easy language, but like other easy languages it is often harder to make sure you are working in a safe manner. I'm not talking about security, but bug-free.

A) Assert a lot:

assert something == True  # This must be true because...
assert isinstance(variable, int)  # This algorithm only makes sense with integers
