Redhatter’s Web Blog

Hi All…

I’ve just got back from a rather relaxing weekend. Where was I these last few days? Well, rather atypical behaviour for a geek like myself, I ditched the laptop and other I.T. parafenalia, packed up the car, and headded across to Queen Mary Falls, just outside Killarney. This was a basecamp organised by the Bushwalkers of Southern Queensland, we were camped on a private property right up in the highlands just a short drive from Carr’s Lookout.

We got there about midday, having left Brisbane at around 8:00AM, passing through Boonah, and up the long and windy steep road on the way to Killarney. The afternoon was spent pretty much unpacking the rather heavily laiden car (3 adults packed into a 1982-model Subaru stationwagon doesn’t leave much space for comfort). What was immediately apparent when I first stepped outside, was the temperature and strong wind. We were expecting it to be cold, as we were at quite a high altitude, however just how much colder, was a suprise. The wind was blowing pretty much constantly the whole weekend, changing only in direction. I was wise to leave my hat in the car — I don’t fancy doing a Mary Poppins/Flying Nun impersonation.

Day 2 began with a long walk around the Queensland/NSW border fence down to the Killarney gate… a round trip of 17.6km. There wasn’t all that much in the way of photo opportunities, although I tried to get some shots of the countryside in — mostly rolling hills. We managed to get a shot of Mt. Lindsay (see left) whilst having lunch on top of the ridge, although cloud cover meant the views weren’t all that we’d have hoped.

Towards the end of the walk, we were met by domestic cattle on numerous occasions, coming up to check us out, before running off to the other end of the paddock. At one point… where we had lunch in fact, it looked as if the cattle were guarding the track (see right), but it would appear that it was merely animal curiosity — they quickly moved off when we started walking again.

The walk finished a very steep descent (see left) down to where the cars were waiting. This was hard going on the knees, and before long, my feet were sending messages up my spine about it. This was probably the hardest bit of the walk. Definitely not what it was cracked up to be. Nonetheless, we made it… and of course, we were stiff-legged for much of the evening.

Night soon approached, and we gathered around the campfire for another night of bad jokes, stories and other discussions. This of course presented an opportunity to experiment with trying to photograph the flames. Long-exposure photography is an interesting challenge, and one that can give rise to some nice effects when done right, especially with things like flames and waterfalls.

Day 3 started out with the usual sharing of easter eggs… being Easter Sunday. Cereal and chockies for brekky… Eggcelent! Then came the decision of what to do for the day. We weren’t in the mood for a long walk, however there are quite a few tourist spots around to look at, and a few of us had hatched up the idea of doing the Queen Mary Falls walk this day. It certainly sounded better than just laying around. So while the more adventurous (masochistic) ones tackled Wilson’s Peak, the rest of us piled into a few cars and checked out the local sites.

First stop, was Queen Mary Falls (left). There was a little traffic on the path with various other bushwalkers checking out the place, but it was an easy going, graded bitumen path, a stark contrast to yesterday’s walk. I managed to get a few shots of the falls, which weren’t looking at their best due to the dry weather lately. Nonetheless, it was a pleasant walk, well worth the trip.

Along the way we stopped at another lookout, this time for Daggs Falls (far right), and yes, another snap of the falls… there was also a rather interesting monument erected for Samuel and Mary Young, who owned land which included the reserve (inner right).

Further down the road, we looked at Brown’s Falls (left). Again, quite a bit of traffic on the track, but once we got there, it was quite a nice spot. There was some opportunity for photography on the way, with a moth spotted on the way to the falls, and a couple of birds (feathered) spotted on the return (right).

The remainder of the day’s activities were decided over Devonshire tea & scons before lunch. The general consensus was to have a look at the Condamine Gorge. There was no set-up walking path or lookout for this, basically we were walking on private property. We set off from the campsite on-foot after lunch, and soon arrived at the cliff overlooking the gorge. There weren’t that many opportunities for photos, since much of the view was obscured by trees — and none of us were willing to get close enough to the edge to avoid them.

Whilst the views were glorious despite the obstructions, we did manage to get a few snapshots. We also discovered an echidna (right), unsuccessfully trying to remain hidden under a fallen branch. On the return, we also startled a wallaby which took off at high speed — needless to say I wasn’t quick enough with the camera.

That evening, we discussed the days events. For us, it had been windy pretty much the entire day except for when we were in the gorge checking out the waterfalls. We were surprised to learn that the more adventurous group on Wilson’s Peak had enjoyed practically no wind, and glorious views from the top. That said, a lot of the people on that trek were quite keen bushwalkers, and thus someone like myself would likely find themselves way behind the others.

Weather-wise, we had a pretty good trip… but of course, rule no. 1 when camping: it always rains the day you wish to leave. We had some rain overnight, and in the morning on Day 4, cloud descended over the camp (left). To add to this, it also rained a bit that morning… just to make sure. The weather held long enough for us to get everything packed away, but we wound up having to stuff the tent in the car damp — it is presently stretched out in our garage drying out. That said, it was bright sunshine by the time we pulled into Boonah, and the drive home was uneventful.

I didn’t take as many photos as I have on previous journeys, however it was a great trip, and a place I’d be keen to visit in the future. Trips of the entire camp can be viewed on my gallery site.

I just had a rather amusing email… two in fact, come right out of the blue. Not from a relative or friend… but from a webapp.

A few years ago, I developed a very simple and crude webapp called LANPlanner. It was dodgy, it had lots of rough edges, it was coded in about 15 minutes flat in PHP and MySQL… I suspect there are probably some SQL injection bugs somewhere in it, as I was still quite a novice at that time.

Just a moment ago, I got the following email (names censored to protect the guilty)

Date: Sun, 25 Mar 2007 23:14:33 +1000
Subject: Daily Confirmation Status for event "Bradley Lan"
To: user@host.com.au
From: LanPlanner Service at localhost
Cc: XXXX@longlandclan.hopto.org (my email address)

Hi Some One,
This is the current RSVP status for "Bradley Lan".

-------------------- Confirmed as comming:

-------------------- Unconfirmed:

- Some One  is bringing 1 person/people.  (09:52 remaining to confirm)
- Some One  is bringing 1 person/people.  (09:59 remaining to confirm)

I’m amased there are people still using this webapp. E.T. phone home indeed.

Hi All…

I know many of you are in the web development and security arenas… I figured I’d throw this idea up for everyone to have a look at.

Authenticating users on a website can be quite a challenge at times.  Sometimes, HTTP Basic authentication is all that’s required, re-sending the password with each request.  But the problem with this; is that someone can intercept the username and password, thus knows everything needed to establish a new session.

HTTP Digest authentication is good; but MD5 isn’t as strong as other hashing algorithms available, and more importantly, it assumes the server knows the exact password.  But what if you’re hashing the password?  Also, this doesn’t necessarily solve the issue of session hijacking.

Thus what I have come up with, is “Challenge-Response Digest Authentication”.  My rationale for this method of authentication and session management is as follows:

1. Remove the need for the cleartext password to be stored or transmitted.  Using CRDA, only the hash of the password needs to be stored.
2. The remote user still needs to demonstrate knowledge of the password (or rather, its hash)
3. Various aspects of the client, such as the IP address and user agent, are used when generating the hash, making session hijacking more difficult.

So, how does this actually work?  Well, in a web application scenario, it requires JavaScript on the client side to implement the hashing algorithm (in my case, I’ve settled on SHA1).  The initial authentication phase works as follows:

1. Remote client makes a request to log in by requesting the login form.
2. The server generates a session ID, which is the hash of the following (in this order):
   • IP Address of client (from the server’s perspective)
   • Client User Agent
   • A random salt string
3. The server responds by sending back the requested form; Included on the page in the JavaScript code, are values for a random salt and the IP address of the client.  A cookie containing the session ID could also be included — or on more advanced clients, could be determined by the client.
4. On submitting the form, client side JavaScript takes the information provided, and generates a hash of the following data (in this order):
   • IP Address of client
   • User Agent in use
   • The random salt given
   • The username
   • The hash of the password

   The cookie generated earlier is passed back to the server as well so it can look up the salt value.

5. The server receives the session ID (via cookie) as well as the username and response (via HTTP POST), looks up the salt for that session ID, then checks the following:
   • The session ID is valid for the given IP and user agent
   • The response is valid

If successful, the server generates a random nonce value, and passes this back to the client.  The session key to be used from this point forward, is the hash of the following information:

• IP Address
• User Agent
• Random Salt
• Nonce value

The nonce is then updated at regular intervals.  On an intelligent client, the raw nonce value could be passed back right at the start, and stored — the client incrementing it when told by the server.  On a simpler client, the key may get passed back and forward.

For each request after this initial authentication step, a cookie should be passed to the server containing the following string: “SessionID:SessionKey”.

Anyways… those are my ideas.  I know there are problems with this; most notably, is the effectiveness of hashing when you hash something twice.  I know that SHA1 is less effective in this instance — but the question is, how much less effective?  I figure it’s not really enough to be worried about, but then again, I know there are people who work in this field, and thus will know more about it than me.

I’m still tinkering at this stage, I’ve got a small proof-of-concept webapp going that utilises this scheme at a basic level, and I’ll keep poking at it for now, but I’d be interested in hearing other people’s thoughts on whether this would be effective against preventing session hijacking and keeping a site secure.

Financial types wonder why we simple folk find the stock market confusing… Well… it’s little wonder when organisations like Kitco make confusing statements like this…

Hmmm… yes fellas, make up your minds.

Hi All…

At the moment, stresses are running high.  Exactly why, I’m not sure, but it seems everyone is on edge.  And I don’t just mean the Gentoo Development community — I mean elsewhere too.  Everyone seems to be edgy for reasons I cannot fathom.

I’m not going to speculate about what could be causing this stress… I know in my case, the tense atmosphere has had an impact.  I’m nowhere near the point of doing anything irrational like suicide (I know this will create more problems than it will solve), but I am noticing that I’m not in my usual “stable” mental state.  I think in my case, there are a few factors in play…

• At university, I’m doing a subject entitled “Core Project Initiation”, which heavily depends on groupwork.  We have to form groups of 5 people or so, choose a project, find a project supervisor (typically other lecturers at QUT), then work towards implementing a prototype.  The first assessment item, is due this Friday, and more or less requires the group to be formed.  After having two attempts at forming a group fail, I’ve been in contact with the lecturers and am in urgent need to get into a group.  Basically, if by Wednesday, I’m not in a group — I’ll pull out of the subject, it’s just not going to be viable for me to continue.
• Last semester was rather stressful, having had two major stuffups by the university (in one case, a lost exam paper; in a second, a breech of examination procedure), and winding up failing a telecommunications subject for seemingly unknown reasons.  A total lack of feedback was a big factor — there was nothing to suggest I was offtrack, yet, I got a 2 (7-point scale) as my grade for the subject in question.
• I’m still looking around for work.  I’m quite conscious that I’m basically living out of my father’s back pocket — have been for some time now.  This has been playing on my mind a lot lately.  I know that without any work, I can forget passing my degree, I can forget moving out of home at some point.  And luxuries like attending LCA2008 are definitely out of the question.  I’ve applied to several positions over the last few months without success.
• The weather has been rather hot and humid lately, enough to shorten the fuses of most people.  Add to that the fact that Brisbane (like much of Australia) is in drought, and that the dam levels are dropping to alarmingly low levels.
• Then there’s the censorship debate that’s been raging on for the past fortnight on both gentoo-dev and gentoo-core.

Some of these problems are aggrivated by communications issues stemming from my Asperger’s Syndrome.  Stress is not something I handle well, with depression being quite common in such circumstances.  I’m in the happy position that I haven’t needed any medication to keep things under control however — I intend to keep things that way if I can.  Right now, I’ve just detected abnormalities in my behaviour, and thus know something is up.
At this point, I’m certainly not planning on resigning from Gentoo.  My builds for MIPS1 (little endian) are progressing, having just started Stage 2 this evening.  There’s no major issues to deal with at this time, and I hope to have these out soon.  I’ve also picked a fight with µClibc trying to bash out updated stages — managed to mess something up rather badly there, but I’ll hopefully get that straightened out and have some netboot images for you.

Presently, I’ve got stuff in my personal life that needs my attention first.  Thus, I’ll be “away” for the next fortnight whilst things settle down locally.  I’ll be contactable by email, and may be on IRC sporadically — but I don’t expect to be doing a hell of a lot.  I need some time to reduce some of the external pressure, get myself mentally ontrack again.  Hopefully when I return, not only will things have calmed down around here, but people within Gentoo, and perhaps others globally, might have settled down too.

In short, I’ll be around, just laying low for a while.

A federal jury in San Diego has ordered Microsoft to pay $1.5 billion to Alcatel-Lucent in a patent dispute over MP3 audio technology used in Windows.

In its verdict, the jury assessed damages based on each Windows PC sold since May 2003. The case could have broader implications, should Alcatel-Lucent pursue claims against other companies that use the widespread MP3 technology.

– http://news.zdnet.com/2100-3513_22-6161480.html

Ouch… See Microsoft?  This is why we use Vorbis.

Hi All…

Yep, I dusted off my n32 chroot again this morning (it’s 1:22am as I type this), determined to talk some sense into Portage. I figured I’d give it one last time before I invested the time into trying out Paludis (which I may still do yet, I’m hearing lots of good things about it).

So, what’s been holding me up? Well, the issue has been this nagging bug that I couldn’t figure out. Cobalt doesn’t have any n32 stages, let alone NPTL n32 stages. For the most part, I was able to nick the settings out of default-linux/mips/2006.1/generic-be/n32/* copying this into the default-linux/mips/2006.1/cobalt/ directory, and replacing mips64 with mips64el in the CHOST variable.

This worked quite well, but there was still one nagging issue that cropped up when trying to compile various packages, particularly portage itself:

These are the packages that would be merged, in order:

Calculating dependencies... done!
Traceback (most recent call last):
File "/usr/bin/emerge", line 3316, in ?
mydepgraph.display(mydepgraph.altlist())
File "/usr/bin/emerge", line 1650, in display
verboseadd += create_use_string(key.upper(), cur_iuse_map[key], cur_use_map[key],
KeyError: 'elibc'

On further investigation, I noticed that on all the working environments, there was a USE-expand flag: elibc_glibc. This is susposedly set in the base profile, but for whatever reason, my sub-profile transplant seems to have lopped this flag off. Portage would see this, and b0rk when it didn’t know which libc to use. Thus, I tried something… I hacked around it by setting USE=”elibc_glibc” in /etc/make.conf then gave it another try. Sure enough, emerge –info now listed the illusive USE flag, and packages started compiling once more.

Right now, I’m rebuilding all the system packages in my chroot (which also has lib64 stuff floating in it). This will hopefully get me to the point of producing a first seed-stage for Catalyst, and will allow stagebuilds to be done for n32 at long last. As for n64? Well, time will tell… it’s certainly a possibility. I’d like to first discover why this USE flag is getting dropped… as setting it in make.conf is not an acceptable workaround IMHO, but it’s better than nothing.

I shall keep you all posted on my progress.

Ugh yeah… I’ve got a bee in my bonnet, and I’m having another winge.

I don’t know what the cause is, but for whatever reason, there’s been an increase in the number of people who, instead of properly typing words out, and at least attempting proper spelling and grammar (which I’ll admit, I don’t always get perfect myself), instead, insist on cheap shortcuts. Even on exams, there are people out there who would rather write “2″, “u” and “ur”, instead of spelling those words out properly.
For people who are from a non-English speaking background, yeah fair enough, they won’t know all the intricacies of the English language. But at least they try to get things right. The people I speak of, are those who have only ever known one language, English, have been taught (presumably) literacy skills at school, yet still insist on hard to read, cheap, dodgy shortcuts.
I’ve got a simple motto which I stick by:

If you want a question answered, and not mocked, make sure it can be read.

I don’t know about others… but I do get a lot of email, and I also have a lot of things to do in real life. I’ve got better things to do than to try and decipher a badly written email. Okay, there are some well-known acronyms such as “LOL”, those are fine. But dropping letters for the sake of it (laziness), is not on. On SMS messages, I can tollerate it to a point: you’re working on a telephone keypad, with limited space to write a message. On online games, I’ll tollerate it (to a lesser extent) as one has limited time to construct a message. I won’t, however, tollerate it on email messages, on chatroom protocols such as IRC, or on instant messenger systems, where one is presumably working on a decent-size keyboard and has ample time to write the message.
I mean, how long does it take to type “2″, vs typing “to”, “too” or “two”? How about “u” vs “you”? Are you really saving much time by dropping letters? I’d say no. Are you helping the reader understanding your message? Again, no. In fact, I’ve seen instances where someone has used “2″, and I’ve been left guessing which word they actually meant.

Grammar is an issue too… but less so. Probably the worst problem here, is people writing big long sentences with no breaks. Big blocks of text are hard to read too.

SI units are another point of confusion — more than once I’ve commented to someone about how quick their sub-Hz computer is, not everybody understands that SI units are case-sensitive. This is particularly important when asking networking-related questions… is “mbps”, MegaBytes per second, Megabits per second, Millibits per second?? Okay, B (bytes) vs b (bits) was never standardised, even though this is the common convention, but to be sure, perhaps MBytes or Mbits is better ;-).

Anyway… enough of my ranting… I’ve got it out of my system now. Just to say, next time you’re writing an email to one of us, please do us a favour, and write your message properly. Pretty please?

This has come as a shock, but it seems Steve Irwin, well known for his work in wildlife documentaries internationally as well as numerous other areas, is now deceased.

The this recording was grabbed from Triple M News just 10 minutes ago. There is a full article on the incident here along with a discussion here.  Those wishing to leave a tribute to his family should have a look here.

Yep… you heard right… someone on eBay is selling Pluto.

Quick… dive in now… this is your one in a lifetime opportunity to claim your own planet.

After a recent clean up of our solar system the IAU has realized we no longer need Pluto. We have 1 planet, Pluto for sale. This icy planet would look great on any mantel piece, or a perfect center piece for any room, a great conversation starter.