Wednesday, 7 November 2007

I've moved...

I've recently moved my blog to a new location. The new address is:

http://blog.unauthorised.org.nz/

Things are a tad messy at the moment but that's the new look for 2008.

Monday, 29 October 2007

Forgotten password - It's a security risk!

The 'Forgotten password' function on websites is not a feature. It is a security risk!

The worst of all are the ones that can email you your current password. Take a moment to consider what that requires. The password cannot have been hashed, because a hash cannot be turned back into the password, so the passwords must be stored on the server in plain text. If the server is compromised, every user's password is directly available to the attacker. Storing the passwords encrypted is not much better: the server has to hold the key in order to decrypt them, so whoever owns the server also owns the key. If you're a software developer, always, always store password hashes (salted, using a deliberately slow hash) and not the passwords themselves, unless you specifically need the password in its plain-text form.

Sites that allow users to reset their password by answering a security question are also bad. The problem with this approach is that the questions are often so simple that your neighbours could probably figure out the answers. Take for example 'What is your pet's name?' or 'What is your mother's maiden name?' Just think how many people actually know the answer to that question and could potentially hijack your account. Think Paris Hilton. While some sites allow users to disable the function by leaving the security questions empty, most sites make them mandatory. In this case, you can still "disable" the function by entering a long random string as the answer (and keeping it somewhere safe, since it is now effectively a second password).

Security and usability don't mix here. Every additional way to recover or change your password is an additional way to hijack your account. Is it worth the risk just so forgotten-password situations are easier to resolve? I admit I've had to use the 'Forgotten password' function a few times before, but it pays to be aware of the risk. Please check out my next blog post on password management tips. I wonder when that'll be.
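The two points above, hashed-only storage and a reset mechanism that doesn't rely on mailing the password back or on a guessable question, as an added example that is not code from the original post. It stores a salted PBKDF2 hash instead of the password, and handles 'Forgotten password' with a single-use, expiring random token of which only a hash is kept server-side. The function names, the iteration count, the token lifetime and the in-memory USERS dictionary are assumptions for illustration.

```python
# Added example, not from the original post. Names, constants and the
# in-memory "database" are assumptions for illustration only.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000        # deliberately slow; tune for your hardware
RESET_TOKEN_LIFETIME = 15 * 60     # seconds a reset link stays valid

# Constructed in-memory store standing in for a users table.
USERS = {}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest). The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def register(username, password):
    salt, iterations, digest = hash_password(password)
    USERS[username] = {"salt": salt, "iterations": iterations,
                       "digest": digest, "reset": None}


def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so an unknown user is not faster to probe
        # than a wrong password.
        hash_password(password)
        return False
    _, _, digest = hash_password(password, user["salt"], user["iterations"])
    return hmac.compare_digest(digest, user["digest"])


def issue_reset_token(username, now=None):
    """Create a single-use reset token. Only its hash is kept server-side,
    so a leaked database does not hand out usable reset links."""
    user = USERS.get(username)
    if user is None:
        return None          # the web layer should answer identically either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset"] = {
        "digest": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + RESET_TOKEN_LIFETIME,
    }
    return token             # the only copy; this goes into the e-mailed link


def redeem_reset_token(username, token, new_password, now=None):
    """Set a new password if the token matches and has not expired or been used."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = user["reset"]
    if now > pending["expires"]:
        user["reset"] = None                 # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["digest"]):
        return False
    user["reset"] = None                     # single use
    user["salt"], user["iterations"], user["digest"] = hash_password(new_password)
    return True
```

Nothing in USERS can be turned back into a password or a valid reset link, which is the whole point: a copy of the database is worth much less to an attacker than it would be with plain-text passwords or stored security answers.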

Friday, 21 September 2007

Mozilla about:config

Need to edit your Mozilla browser's preference settings? Try entering about:config in the location bar. You'll find settings that you didn't even know existed.

It's not flash, but it gets the job done, and it saves you having to hunt through numerous screens, especially if you already know what you're looking for.

For a reference of what the settings are, please visit:
MozillaZine About:config entries


It is by no means a complete reference but it is a good place to start.

Saturday, 21 July 2007

Google Video Player File

Ever come across a Google Video Player (.GVP) file? You're bound to sooner or later, with the amount of digital video content on the net.

GVP is not a new video format. Rather, it's simply a plain text file that contains metadata about the actual video file. Take for instance the following:

# download the free Google Video Player from http://video.google.com/
gvp_version:1.1
url:http://vp.video.google.com/videodownload?version=0&secureurl=ugAAAH_1H8Yu95EJtMuzFT6-X9Oaw1AQYKoyH9Pzbi0LnopJ2uFDOMIQ0ELLeWQe0SzIHN44NrpacmK3Q9OEswjpSJzC1RDc6DxZcL3NRLLcFESJLjErtD-iZXXYDenDBkGpvDXG7Xut9SFmBC8RUqGmLqosWMwS20c04qw55N_BTjeU9d0p93rbjGkOF0GLaNd_yhaN8cBFLkg8NPL82ikRp83CfS16JTeVIS3Ab4x9E_H6VnqIiy-5KSBN-0TGiyF9kQ&sigh=21pimKCTGJiC5qXu2nKy1F5YMTk&begin=0&len=3008680&docid=5464925144369700635
docid:5464925144369700635
duration:3008680
title:Discovery_Channel_-_The_History_Of_Hacking_Documentary.avi
description:the history of hacking

That is the content of an actual GVP file. As you can see, it specifies the url, title, description and length of the video, plus a docid. Note that the url value contains colons of its own, so anything that parses the file has to split each line on the first colon only. If you open the url in a browser or any download manager, you'll be able to save the actual video file to your computer.
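A parser for the format shown above, as an added example that is not part of the original post. The format is inferred from that one sample (comment lines starting with '#', then one key:value pair per line), so the field meanings and the sanity checks are assumptions. The checks matter because a .gvp file from an untrusted source is just a URL that the player will go and fetch; before handing it to a downloader it is worth confirming the scheme and host are what you expect and that the docid and len in the URL agree with the docid and duration fields. The SAMPLE_GVP text is a constructed copy of the file above with the long secureurl and sigh values shortened.

```python
# Added example, not from the original post. The format is inferred from
# the single sample on the page; the allowed-host list is an assumption.
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the sample above; secureurl and sigh shortened.
SAMPLE_GVP = """# download the free Google Video Player from http://video.google.com/
gvp_version:1.1
url:http://vp.video.google.com/videodownload?version=0&secureurl=ugAAAH_1H8Yu95EJtMuzFT6&sigh=21pimKCTGJiC5qXu2nKy1F5YMTk&begin=0&len=3008680&docid=5464925144369700635
docid:5464925144369700635
duration:3008680
title:Discovery_Channel_-_The_History_Of_Hacking_Documentary.avi
description:the history of hacking
"""


def parse_gvp(text):
    """Return the key:value fields of a GVP file as a dict."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the FIRST colon only: the url value contains 'http:'.
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected key:value, got {raw!r}")
        fields[key.strip()] = value.strip()
    return fields


def check_gvp(fields, allowed_hosts=("vp.video.google.com",)):
    """Sanity checks before passing the url to a downloader.
    Returns a list of problems; an empty list means the file looked consistent."""
    problems = []
    parts = urlsplit(fields.get("url", ""))
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if parts.hostname not in allowed_hosts:
        problems.append(f"unexpected host {parts.hostname!r}")
    query = parse_qs(parts.query)
    # In the sample, docid and len in the url duplicate the docid and
    # duration fields; a mismatch suggests a hand-edited or corrupt file.
    if query.get("docid", [None])[0] != fields.get("docid"):
        problems.append("docid field does not match url docid")
    if query.get("len", [None])[0] != fields.get("duration"):
        problems.append("duration field does not match url len")
    if not fields.get("gvp_version", "").startswith("1."):
        problems.append("unknown gvp_version")
    return problems


if __name__ == "__main__":
    parsed = parse_gvp(SAMPLE_GVP)
    print(parsed["title"], parsed["duration"])
    print("problems:", check_gvp(parsed) or "none")
```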

Saturday, 30 June 2007

503 Bad Sequence, polite people say HELO first

If an email you send ever bounces with a 503 error, it doesn't mean that you should add 'HELO Bob' to the start of your message and resend it. 503 is the SMTP reply 'Bad sequence of commands': the sending mail server issued a command before the one the protocol requires first, typically MAIL FROM before it had said HELO or EHLO. In other words, your mail server (or whatever is relaying for it) is misbehaving, and the latter part of the message is simply the receiving mail server trying to be cute.

For those of you who are not aware of how mail servers work, here is a brief explanation of how they communicate. Before your mail server can relay your email, it first has to introduce itself by saying HELO. For the more trendy servers, EHLO works too (and gets back a list of the extensions the server supports). If you're bored, scream NOOP, NOOP and the other server will merrily reply OK, OK. (Having said that, I don't guarantee that prolonged NOOPing won't upset the other server, prompting it to sever all connections with you.) If you're ever in need of assistance, just ask for HELP and you'll get an appropriate response, or a 502 if the server doesn't implement it.
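The exchange described above, as an added example that is not part of the original post: a toy server-side SMTP state machine that shows exactly where a 503 comes from. It enforces the HELO/EHLO, MAIL, RCPT, DATA order of RFC 2821 and accepts NOOP, HELP and QUIT at any time. The class name, the hostname and the reply texts are assumptions; real servers word their replies differently.

```python
# Added example, not from the original post. A toy SMTP server state
# machine; hostname and reply wording are assumptions for illustration.
class ToySmtpServer:
    def __init__(self, hostname="mx.example.net"):
        self.hostname = hostname
        self.greeted = False        # set once the client has said HELO/EHLO
        self.sender = None          # from MAIL FROM
        self.recipients = []        # from RCPT TO
        self.in_data = False        # True between DATA and the lone '.'

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the server reply for one client line (None while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.sender, self.recipients = None, []
                return "250 OK: message accepted"
            return None             # message body: no reply until the '.'
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self.sender, self.recipients = None, []   # HELO resets the transaction
            return f"250 {self.hostname} Hello"
        if verb == "NOOP":
            return "250 OK"
        if verb == "HELP":
            return "214 Commands: HELO EHLO MAIL RCPT DATA NOOP HELP QUIT"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        # Everything from here on requires the client to have introduced itself.
        if not self.greeted:
            return "503 Bad sequence of commands, polite people say HELO first"
        if verb == "MAIL":
            if self.sender is not None:
                return "503 Bad sequence of commands: MAIL already given"
            self.sender = arg
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence of commands: need MAIL first"
            self.recipients.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands: need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command not recognised"


def run_session(client_lines):
    """Feed a scripted client through the toy server; return the transcript
    as (who, text) pairs, 'C' for client and 'S' for server."""
    server = ToySmtpServer()
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


if __name__ == "__main__":
    # Constructed sessions: an impolite client, then a polite one.
    for session in (["MAIL FROM:<bob@example.org>", "QUIT"],
                    ["HELO client.example.org", "MAIL FROM:<bob@example.org>",
                     "RCPT TO:<alice@example.net>", "DATA", "Subject: hi", "",
                     "hello", ".", "QUIT"]):
        for who, text in run_session(session):
            print(f"{who}: {text}")
        print()
```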

That's the humorous world of digital communication for ya! If you seriously want to learn more about how mail servers communicate (or if you're looking for a cure for insomnia), then have a read through the following.

RFC2821 - Simple Mail Transfer Protocol (since obsoleted by RFC 5321, which keeps the same command sequence and reply codes)
 

Thursday, 31 May 2007

Letters to God

Kids certainly do write the most interesting letters. Here is a bunch of Letters to God. Enjoy!

Tuesday, 29 May 2007

Always @ Work

I didn't realise that I was always @ work. Not until a friend of mine asked me if I was at work on a Saturday for no apparent reason---or so I thought. On the upside, my manager probably thought I was really dedicated.

Windows Live Messenger 8.1, which was released early this year, included a new feature: roaming Display Picture and Personal Message. This means that your display picture and personal message are stored on Windows Live servers, and will always be the same regardless of which machine you're signing in from.

This sounds good as it means you only have to set your display picture once and it will be available everywhere else. However, I like my personal message to be different depending on which machine I'm signing in from. This allows me to have an '@ Work' message on my work PC, and a more personal message on my home PC, without having to constantly switch between the two. For a while, I thought those days were gone. Luckily, the feature can be turned off. The option can be found under File > Options... > General > Sign In. Uncheck "Use the same display picture and personal message wherever I sign in" and everything should be sweet again.

Thursday, 24 May 2007

prototype.js

Prototype is a JavaScript Framework that aims to ease the development of dynamic web applications.

Featuring a unique, easy-to-use toolkit for class-driven development and the nicest Ajax library around, Prototype is quickly becoming the codebase of choice for web application developers everywhere.
I was working on a web application at work when a colleague of mine introduced me to Prototype. Boy, is this great or what! Prototype version 1.5.0 is approximately 70KB in size. Quite reasonable considering the size of web pages nowadays.

I find the CSS selector functions, such as getElementsByClassName and getElementsBySelector, to be really useful. I used to think of CSS as an excellent way of separating a document's content from its presentation. Now I've learned that CSS classes can also be used as tags for the various elements in a page. This makes some tasks a whole heap simpler, especially with the CSS selector functions.

Prototype also has a nice Ajax library. It abstracts the browser specific implementations and provides a simple interface to code against. I'm looking forward to trying this out. I've been borrowing AJAX books from the library for the past few months but never seem to have the time to read them.

To learn more about Prototype, visit the official website at http://www.prototypejs.org/.


Tuesday, 15 May 2007

Microsoft Home Use Program

I've recently discovered through work that Microsoft offers a Home Use Program (HUP) for some of its software products. The HUP offers the employees of Microsoft Volume Licensing Software Assurance customers the opportunity to purchase a licensed copy of the Microsoft product for a flat price of $20. That's 20 NZD for New Zealand users, and covers the postage and handling fees.

I don't normally pay for software I use. However, considering it's only 20 NZD, I thought I might as well get one. I purchased a copy of Microsoft Office Enterprise 2007. I had always been meaning to give Office 2007 a try. It took Microsoft approximately two weeks to process the order and ship the DVD from Singapore.

As with most things Microsoft, there is a catch. The HUP license is intimately tied to your employment and your employer's Software Assurance coverage. The license ends:

  1. when your employer's coverage ends;
  2. upon termination of your employment;
  3. if you are no longer a user of the licensed software at work; or
  4. if you install and use any other version of the software under the HUP.
Even so, I still think it's worth it. At the very least, it saves me the hassle of finding a copy of Microsoft Office elsewhere.

If you work for an organisation that uses Microsoft products, it may be worthwhile checking with your IT department to see if you're eligible to participate in the HUP.

Friday, 20 April 2007

Security Alert: Windows Animated Cursor Flaw

This isn't the most timely security alert, but just in case you haven't already heard: exploits for this vulnerability have been observed in the wild.

A flaw was discovered late last year in the way Windows handles animated cursor (.ANI) files. Because Windows loads cursors automatically, simply viewing a web page or an HTML email that references a crafted .ANI file is enough to trigger it. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

For more information, please see Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902).
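A content check for the malformed .ANI files this alert is about, as an added example that is not part of the original post or of the Microsoft bulletin. An ANI file is a RIFF container with form type ACON; its 'anih' chunk carries a fixed 36-byte header. The MS07-017 cursor bug was triggered by an anih chunk whose declared length exceeded those 36 bytes (the in-the-wild samples carried a second, oversized anih chunk after a well-formed first one), so the walker below descends the RIFF chunk tree and flags any anih chunk whose declared size is not 36. This is a detection heuristic of the kind contemporary IDS and antivirus signatures used, not a check of whether your Windows build is patched; for that, go and check that KB925902 is installed. The two sample files are constructed in-memory, and the function names are assumptions.

```python
# Added example, not from the original post. Flags anih chunks whose
# declared size is not the 36-byte ANIHEADER; sample files are constructed.
import struct

ANIHEADER_SIZE = 36


def _chunks(data, offset, end):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF chunk
    in data[offset:end]. Stops at the first truncated chunk header."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        yield fourcc, size, offset + 8
        offset += 8 + size + (size & 1)    # RIFF chunks are padded to even length


def find_bad_anih(data):
    """Return [(chunk_offset, declared_size), ...] for every anih chunk whose
    declared size is not 36 bytes. Returns [] for non-ANI input."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return []
    findings = []
    stack = [(12, len(data))]              # (start, end) ranges still to walk
    while stack:
        start, end = stack.pop()
        for fourcc, size, payload in _chunks(data, start, end):
            if fourcc == b"LIST":
                # A LIST payload is a 4-byte form type followed by sub-chunks.
                stack.append((payload + 4, min(payload + size, end)))
            elif fourcc == b"anih" and size != ANIHEADER_SIZE:
                findings.append((payload - 8, size))
    return findings


# --- constructed sample files -------------------------------------------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags
_GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 1, 1)

# Well-formed: one 36-byte anih and a frame list with one (dummy) icon chunk.
GOOD_ANI = _riff([
    _chunk(b"anih", _GOOD_HEADER),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 22)),
])

# Malformed: a valid first anih followed by a second one claiming 200 bytes.
BAD_ANI = _riff([
    _chunk(b"anih", _GOOD_HEADER),
    _chunk(b"anih", b"A" * 200),
])


if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, find_bad_anih(sample) or "clean")
```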

If you have Windows automatic update enabled, then this patch should have already been applied. Otherwise, the patch for Windows XP SP2 is available from:
KB925902 - Updates for Windows XP

Now, chop chop! Go check that you do indeed have the update applied.