Apparently, SHA-1 might have been broken. Well, I say ‘broken’, but it’s not like it’s a code to ‘break’. Rather, researchers have figured out a way to produce a collision (two different inputs with the same hash) with far less work than the brute-force birthday attack would need. No more MD5, no more SHA-1 – what’s next?
Javascript in the IE Links bar
I discovered this in the course of some work at a customer’s site – you can put Javascript into IE’s links bar!
The links bar is intended to give you buttons to take you to your commonly used websites (although it is nowhere near as good or useful as Firefox’s links bar, which is more like a menu). You press a button, it goes to that page.
However, in an HTML anchor tag you can specify Javascript to run (a javascript: URL) rather than just a page address. Out of interest, I tried doing this with IE’s links buttons, and it worked.
I was looking for a way to get a substring of the URL that the browser was currently at. The URL was of the form:
http://server/instance/app.dll?action=x&id=1234&next=y
and I was trying to get the value of the ‘id’ parameter (1234 in this case).
What I came up with was a URL that I put into a link. The URL was (all on one line):
javascript:x=/id=([0-9]+)/i;x.exec(window.location);
window.clipboardData.setData("Text",RegExp.$1);alert(RegExp.$1);
To break it down:
javascript:
specifies that it is javascript code, not just a page address.
x=/id=([0-9]+)/i;
sets up a regular expression to get the ID
x.exec(window.location);
applies the expression to the current location of the browser window.
window.clipboardData.setData("Text",RegExp.$1);
copies this ID to the clipboard.
alert(RegExp.$1);
confirms that this has been done.
And it works! Hard to believe, but it really works! I’m sure that there must be some sort of security issue here – I need to think about how this might be abused, but there should be a way. Will let you know when I think of something…
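As an added example (not part of the original post), here is the same extraction done three ways in plain JavaScript that runs under Node.js or in a browser: the post’s regex as written, an anchored version, and the URL parser. The URLs in the block are constructed test inputs. The loose regex is the one to watch: it matches the first ‘id=’ anywhere in the string, so a parameter such as guid=99 that comes before the real id wins. RegExp.$1 is a legacy, non-standard property; the capture group returned by exec() is the portable way to read it. On the clipboard call, window.clipboardData is Internet Explorer only; the standard replacement is navigator.clipboard.writeText(), which needs a secure (HTTPS) context and a user gesture. And the security issue the post is reaching for is that a javascript: bookmark (a ‘bookmarklet’) runs in the origin of whatever page is open, with that page’s DOM and cookies, which is why Chrome and Firefox strip or block a javascript: scheme pasted into the address bar.

```javascript
// Added example (not from the original post).  Extract the numeric 'id'
// parameter from a URL such as
//   http://server/instance/app.dll?action=x&id=1234&next=y
// Runs under Node.js or in a browser; URL is a global in both.

// 1. The post's regex as written.  It is unanchored, so any earlier
//    parameter whose name merely ends in "id" (guid=, pid=) matches first.
function idByLooseRegex(url) {
  const m = /id=([0-9]+)/i.exec(url);
  return m ? m[1] : null;          // m[1] is the portable form of RegExp.$1
}

// 2. Anchored: the parameter name must start right after '?' or '&'.
function idByAnchoredRegex(url) {
  const m = /[?&]id=([0-9]+)/i.exec(url);
  return m ? m[1] : null;
}

// 3. Parse the URL instead of pattern-matching it.  searchParams also
//    decodes percent-escapes, which neither regex does.  Note it is
//    case-sensitive ('ID=' is not found), unlike the /i regexes above.
function idByUrlParser(url) {
  const v = new URL(url).searchParams.get('id');
  return v !== null && /^[0-9]+$/.test(v) ? v : null;   // keep the digits-only rule
}

// Constructed test inputs.
const SAMPLE_URLS = [
  'http://server/instance/app.dll?action=x&id=1234&next=y',
  'http://server/instance/app.dll?guid=99&id=1234',   // trap for the loose regex
  'http://server/instance/app.dll?action=x',          // no id at all
];

for (const u of SAMPLE_URLS) {
  console.log(u, '->', idByLooseRegex(u), idByAnchoredRegex(u), idByUrlParser(u));
}
```

Run it and the second URL shows the difference: the loose regex returns 99, the other two return 1234.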
Calculate the most similar string in an array
Didn’t know you could do this, but PHP has a built-in levenshtein() function, which computes the Levenshtein (edit) distance between two strings: the minimum number of single-character insertions, deletions and substitutions needed to turn one into the other. Given an array of strings and a target, you loop over the array keeping the string with the smallest distance, which easily finds the string in the array most like (though not necessarily the same as) the target. One caveat: before PHP 8.0 the arguments had to be shorter than 256 characters.
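An added example, not from the original post, of the closest-match search in JavaScript (the PHP version is just a loop around the built-in levenshtein()). The candidate list is constructed. Note the maxDistance cut-off: a nearest neighbour always exists, even for garbage input, so a fuzzy lookup that drives any decision (a user-name or host lookup, say) needs a threshold or it will happily ‘correct’ anything into something.

```javascript
// Added example (not from the original post): Levenshtein distance and
// closest-match lookup in JavaScript.

function levenshtein(a, b) {
  // Classic two-row dynamic programme: O(|a|*|b|) time, O(|b|) memory.
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(
        prev[j] + 1,        // delete a[i-1]
        cur[j - 1] + 1,     // insert b[j-1]
        prev[j - 1] + cost  // substitute (or match when cost is 0)
      );
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return the candidate nearest to target, or null if even the nearest one is
// further than maxDistance away.  Without the cut-off every input has a
// "closest match", including complete garbage.
function closestMatch(candidates, target, maxDistance = Infinity) {
  let best = null, bestDist = Infinity;
  for (const c of candidates) {
    const d = levenshtein(c.toLowerCase(), target.toLowerCase());
    if (d < bestDist) { best = c; bestDist = d; }
  }
  return best !== null && bestDist <= maxDistance ? { match: best, distance: bestDist } : null;
}

// Constructed sample data: a "did you mean" lookup for command names.
const COMMANDS = ['status', 'start', 'stop', 'restart', 'reload'];
console.log(closestMatch(COMMANDS, 'restat', 2));   // { match: 'restart', distance: 1 }
console.log(closestMatch(COMMANDS, 'xyzzy', 2));    // null
```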
Passwords, Secret questions, and expiring Authentication
An interesting morning, not bad given that it isn’t 0915 yet. Anyways, I’ve just read some fascinating articles…
A guy I work with had been asking about how to figure out the entropy of a password. This is, put simply, a measure of how unpredictable a password is: the more ways it could have been chosen, the harder it is to guess. And this is very hard to do properly, for reasons I’ll explain some other time.
Anyways, we then discussed passphrases. Instead of a string like ‘Bgc4$4q2’ or something equally obscure, you use a phrase that would be difficult to guess, such as ‘Eat flying doughnut on Thursday’. This is still difficult to figure out the entropy for, since you could choose a predictable phrase (e.g. ‘In the beginning God created the heaven and the earth’), but it is generally more secure.
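As an added example (not from the original post), the block below puts numbers on the three passwords mentioned above under three attacker models: brute force over the character classes the password uses, a dictionary of words for a passphrase, and a list of well-known phrases. The Diceware dictionary size (7776) is a real figure; the list of known phrases is a constructed stand-in for a real quote corpus, and the rule for when the word-list model applies is my own simplification. The point it makes is the one the post hints at: the same string gets very different figures depending on what the attacker is assumed to know, and the only defensible number is the lowest.

```javascript
// Added example (not from the original post): rough entropy estimates for a
// password under several guessing models.  All figures are in bits.

const CLASSES = [
  { test: /[a-z]/, size: 26 },
  { test: /[A-Z]/, size: 26 },
  { test: /[0-9]/, size: 10 },
  { test: /[^a-zA-Z0-9]/, size: 33 },  // printable ASCII punctuation and space
];

// Model 1: the attacker brute-forces every string over the character classes
// the password actually uses.  This is the usual "8 chars from 95 symbols"
// figure, and it is an upper bound, not a measurement.
function charsetBits(password) {
  if (password.length === 0) return 0;
  const alphabet = CLASSES.filter(c => c.test.test(password)).reduce((n, c) => n + c.size, 0);
  return password.length * Math.log2(alphabet);
}

// Model 2: the attacker knows the passphrase is N words from a dictionary of
// dictSize entries (7776 is the Diceware list).  Applied only to phrases of two
// or more alphabetic words (an assumption); capitalisation is assumed to add
// nothing because attackers try the obvious variants.
function wordlistBits(password, dictSize = 7776) {
  const words = password.trim().split(/\s+/);
  if (words.length < 2 || !words.every(w => /^[A-Za-z]+$/.test(w))) return null;
  return words.length * Math.log2(dictSize);
}

// Model 3: the attacker tries a list of well-known phrases.  Constructed list;
// a real attacker has a corpus of millions of quotes, lyrics and titles.
const KNOWN_PHRASES = [
  'in the beginning god created the heaven and the earth',
  'to be or not to be that is the question',
  'the quick brown fox jumps over the lazy dog',
  'correct horse battery staple',
];
function quoteListBits(password, list = KNOWN_PHRASES) {
  const norm = password.toLowerCase().replace(/[^a-z ]/g, '').replace(/\s+/g, ' ').trim();
  return list.includes(norm) ? Math.log2(list.length) : null;
}

// The defensible figure is the lowest one any of the models gives.
function estimateBits(password) {
  const models = {
    charset: charsetBits(password),
    wordlist: wordlistBits(password),
    quote: quoteListBits(password),
  };
  const estimate = Math.min(...Object.values(models).filter(v => v !== null));
  return { ...models, estimate };
}

for (const pw of ['Bgc4$4q2', 'Eat flying doughnut on Thursday',
                  'In the beginning God created the heaven and the earth']) {
  console.log(JSON.stringify(pw), estimateBits(pw));
}
```

The first password comes out at about 52.6 bits under any model; the passphrase scores nearly 200 bits by character count but only about 64.6 bits once the attacker guesses whole words; and the Genesis quote collapses to 2 bits the moment it is on the attacker’s list, however long it is.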
So this morning I read a fascinating article by a guy from Microsoft PSS Security about passphrases. Worth a look for all techies, certainly I’ll be looking at using passphrases from here on.
I’ve also just read an article about how authentication never expires in e-commerce sites. An interesting point – it should be possible to terminate accounts on e-commerce sites. I mean, if you don’t, if the account is still valid, then your details could be used. But I can’t say that I know of a way to go to Amazon and tell them to disable my account.
I guess one option would be that if an account just hasn’t seen any activity in a while, you send out an email warning of its impending shutdown. If there is no response, close it down. Not perfect, but you’re making the window for the abuse of that username/password smaller.
And lastly, there is an article on why secret questions are a bad idea for password recovery. Basically, it’s the old ‘security is only as good as its weakest link’: the answer to a secret question is usually far easier to guess or look up than the password it can reset. Never liked these things anyway.
Javascript to Copy to clipboard
Apparently you can use Javascript to copy to the system clipboard. I don’t know if this works on non-Windows systems, but Internet Explorer certainly supports it (window.clipboardData.setData).
I’m sure that there must be a security risk here, but I haven’t really thought about it yet. Certainly Mozilla seems to agree that there is a security issue, since in its browsers it works another way, as shown at Krikkit.net. In short, you have to sign your code or drop your security level, because silently reading or writing the clipboard from a web page is something the browser should not allow by default.
More on Realm Authentication with Tomcat
Okay, so I had a play with Realm Authentication…
JDBC and database access
Slow day today, so I finally (after 2 years of saying I’d give it a go) got around to trying JDBC.
I wrote a simple class to query a MySQL database. It worked like a charm! Now all I need to learn is good design practice (which could, I fear, include Beans). I’m not entirely sure how the object model maps onto the database structure; I guess that this is what I need to learn…
import java.sql.*;
import java.util.Properties;

public class JDBCTest {
    public static void main(String args[]) {
        Connection conn = null;
        try {
            String cURL = "jdbc:mysql://localhost/jtest";
            Properties p = new Properties();
            // Credentials belong in a config file or the environment, not in
            // source, and a test app should not connect as root.
            p.put("user", "root");
            p.put("password", "voodoo");
            Class.forName("com.mysql.jdbc.Driver").newInstance();
            conn = DriverManager.getConnection(cURL, p);
            // A PreparedStatement keeps the value separate from the SQL text,
            // so the query stays safe once the ID comes from user input rather
            // than being the literal 1 used here.
            PreparedStatement s = conn.prepareStatement(
                "SELECT * FROM jtable WHERE iID = ?");
            s.setInt(1, 1);
            ResultSet r = s.executeQuery();
            // next() works on the default forward-only ResultSet; first()
            // needs a scrollable one and is not portable across drivers.
            if (r.next()) {
                System.out.println(r.getString("cFEN"));
            }
        }
        catch (Exception e) {
            e.printStackTrace();
        }
        finally {
            if (conn != null) {
                try { conn.close(); }
                catch (Exception e) {}
            }
        }
    }
}
Chinese Chess Engine Again
Work continues…
Gaze of Death – Kings may not face each other directly without an intervening piece
and I have this thing through to the point that it will read a FEN (a notation describing a board state, such as 4KAr2/4A4/3Hr4/7h1/9/9/9/9/4aP1R1/3ak3C w---1: ten ranks separated by slashes, a letter per piece with upper and lower case for the two sides, and digits for runs of empty squares), create a board recording that, work out the valid moves for each piece (that is, the squares that piece can move to), then work out what moves are ‘allowed’, that is, the moves that don’t leave the mover in check or cause the Gaze of Death.
I’ve used bit boards for most of it, but I haven’t precomputed them, as has been the case for some chess engines. The reason, mainly, was being unsure how to cope with ‘blocking’ rules, that is, some pieces can be blocked by a piece adjacent to them. For example, Knights (Horses) can’t jump: they move 1 square straight and then 1 square diagonally outwards. If there is a piece on the straight square, they can’t move that way.
I couldn’t figure out how to precompute this, though now I wonder if a second bit board with ‘blocked’ squares on it would have sufficed. Still, the precomputation might have been a bit much: 90 squares, times 8 for the number of ways a Knight could be blocked, is 720 combinations, plus 90 for the blocked-square masks.
Actually, it might be worth a look. Anyway, speed is not a huge issue for this right now; its only point is to determine valid moves, and I intend to cache the result in a database, so that valid moves can be looked up by FEN…
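As an added example, not the author’s engine code, here is the blocking rule worked out with bit boards in JavaScript (BigInt supplies the 90-bit boards a 9×10 board needs). It parses the piece field of the FEN quoted above, precomputes for every square the four Knight ‘legs’ (the mask of the leg square plus the mask of the two target squares beyond it, 90 × 4 = 360 entries in all), and generates Knight moves by dropping the legs whose square is occupied. That is the ‘second bit board of blocked squares’ idea, kept per leg rather than per square. The square numbering (rank 0 is the first FEN row, index = rank × 9 + file), the rank labels in name(), and ignoring the ‘w---1’ tail are my assumptions; check and the Gaze of Death are not considered here.

```javascript
// Added example (not the author's engine).  Xiangqi Knight (Horse) move
// generation with 90-bit bitboards, including the blocking rule.
// Square index = rank * 9 + file; rank 0 is the first FEN row (assumption).
const FILES = 9, RANKS = 10, SQUARES = 90;
const ALL = (1n << 90n) - 1n;
const bit = (s) => 1n << BigInt(s);
const sq = (file, rank) => rank * FILES + file;
const onBoard = (f, r) => f >= 0 && f < FILES && r >= 0 && r < RANKS;
const name = (s) => 'abcdefghi'[s % FILES] + (RANKS - 1 - Math.floor(s / FILES));

// Parse the piece-placement field of a FEN.  Returns occupancy bitboards for
// upper-case and lower-case pieces plus a square -> letter map.
function parseFen(fen) {
  const rows = fen.split(' ')[0].split('/');
  if (rows.length !== RANKS) throw new Error('expected 10 ranks');
  let upper = 0n, lower = 0n;
  const pieces = new Map();
  rows.forEach((row, rank) => {
    let file = 0;
    for (const ch of row) {
      if (ch >= '1' && ch <= '9') { file += Number(ch); continue; }
      const s = sq(file, rank);
      pieces.set(s, ch);
      if (ch === ch.toUpperCase()) upper |= bit(s); else lower |= bit(s);
      file++;
    }
    if (file !== FILES) throw new Error(`rank ${rank} does not add up to 9 files`);
  });
  return { upper, lower, pieces };
}

// Precomputed per square: for each orthogonal leg that is on the board, the
// leg square's mask and the mask of the two squares diagonally beyond it.
const HORSE = Array.from({ length: SQUARES }, (_, s) => {
  const f = s % FILES, r = Math.floor(s / FILES);
  const entries = [];
  for (const [df, dr] of [[0, -1], [0, 1], [-1, 0], [1, 0]]) {
    const lf = f + df, lr = r + dr;          // the leg square
    if (!onBoard(lf, lr)) continue;
    const sideways = df === 0 ? [[-1, 0], [1, 0]] : [[0, -1], [0, 1]];
    let targets = 0n;
    for (const [sf, sr] of sideways) {       // one more step straight, one sideways
      const tf = lf + df + sf, tr = lr + dr + sr;
      if (onBoard(tf, tr)) targets |= bit(sq(tf, tr));
    }
    if (targets) entries.push({ leg: bit(sq(lf, lr)), targets });
  }
  return entries;
});

// Pseudo-legal Knight moves: a leg whose square is occupied (by either side)
// contributes nothing; landing on one's own piece is never allowed.
function horseMoves(square, occupied, own) {
  let moves = 0n;
  for (const { leg, targets } of HORSE[square]) {
    if ((occupied & leg) === 0n) moves |= targets;
  }
  return moves & ~own & ALL;
}

function squaresOf(bb) {
  const out = [];
  for (let s = 0; s < SQUARES; s++) if (bb & bit(s)) out.push(s);
  return out;
}

// The position from the post: the Knight at d7 has its right-hand leg blocked
// by the rook on e7 and its own King on e9 sitting on one of the up targets.
const board = parseFen('4KAr2/4A4/3Hr4/7h1/9/9/9/9/4aP1R1/3ak3C w---1');
const horse = sq(3, 2);
const legal = squaresOf(horseMoves(horse, board.upper | board.lower, board.upper));
console.log(name(horse), '->', legal.map(name).join(' '));   // d7 -> c9 b8 b6 c5 e5
```

Removing the blocking rook (change the third rank to 3H5) adds the two squares behind it, f8 and f6, which is the check to run if you extend this to the other blocked pieces (Elephants) or to capture-by-jumping for the Cannon.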
Chinese Chess Engine
Okay, so few people in the West have heard of Chinese Chess, or Xiangqi, but trust me, it’s pretty cool. It has fewer Pawns than Western chess, and there is a piece called the Cannon that can only capture by jumping over exactly one other piece on the way.
I’m wondering about making a Chinese chess website, to play online. It’s a bit trickier: Chinese chess has a 9×10 board (not 8×8), so the 90 squares don’t fit in a 64-bit word and bit boards will be more complex.
But I might give it a go, building an engine. I think I have the guts of it worked out, although I’m concerned about efficiency…
Computer Science isn't Programming
I’ve often thought this, and it’s interesting to see that Joel Spolsky agrees.
Computer Science is the science of, well, computation. It is a question of what is possible with computers, it is more like a branch of Mathematics, and much of it can be done without computers. I mean, a lot of the fundamentals had been figured out before the development of the transistor.
Software writing, well, that’s an Engineering skill. It’s got a practical end. I guess it is the difference between someone proving by thought that bridges can cross rivers, and someone actually building a bridge to cross a river this wide, strong enough for that type of cart, etc..
And at the moment, nobody really teaches Software Engineering. Which is a shame. But at least it explains how I came to software writing from a Cybernetics background without suffering much of a disadvantage. Just like Computer Science, we’d picked up programming as just one of our ‘tools’ during our studies…