
jorgenmodin.net - Blog

Proof of work to prevent DOS and DDOS attacks of web pages

If an attacker had to expend a bit of work to access a web page, then it would get prohibitively expensive to DoS such a site. I suggested this at a lunch with programmers today, and one of them - Rene - suggested that one could use a TLS certificate with a short key, and the client would need to use JavaScript to brute force it to access the web site for which the certificate is required. One would need to have a stash of these certificates ready though. I wonder how computationally expensive they would be to manufacture.

I had thought more about just having some kind of mathematical trap door where it should be easy to check that work has been expended, such as giving the client a product of primes and it needs to tell which primes were used in order to access a page. This verification of work should be done very cheaply at the edge of your server's system.

Hashcash seems to have triggered ideas in the direction of proof of work to mitigate DOS attacks: (A paper in ps format).

I wonder if one could make an implementation such as any new visitor gets a cookie. The cookie is set to the product of a number of primes, and the browser sets another cookie for the same domain, with the answer. At the next request the cookies are read server-side and a new cookie is presented as challenge. The server keeps track of what challenges it has served out and invalidates any request giving the answer to an already solved challenge. All of this should be done as early as possible in the processing of a request.

Furthermore, the system should only be enabled when a DoS attack is detected.
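The cookie scheme sketched above, as an added example (not code from this blog): the server issues the product of two primes as the challenge, the client factors it, and the server checks the answer with one MAC, one modulo and one set lookup. The HMAC tag, the 60-second lifetime, the 20-bit primes and all function names are assumptions made here; the tag lets the server remember only redeemed challenges rather than every challenge it hands out.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret shared by edge nodes
PRIME_BITS = 20                       # assumption: toy difficulty for the demo
MAX_AGE = 60                          # assumption: challenge lifetime, seconds
_solved = set()                       # (n, issued) pairs already redeemed

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if all(c % d for d in range(3, int(c ** 0.5) + 1, 2)):
            return c

def _tag(n, issued):
    return hmac.new(SERVER_KEY, f"{n}:{issued}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Server: value for the challenge cookie, 'n:issued:mac'."""
    issued = int(time.time() if now is None else now)
    n = _random_prime(PRIME_BITS) * _random_prime(PRIME_BITS)
    return f"{n}:{issued}:{_tag(n, issued)}"

def solve(challenge):
    """Client: trial division, the work a visitor has to spend."""
    n = int(challenge.split(":")[0])
    p = 3
    while n % p:
        p += 2
    return p

def verify(challenge, answer, now=None):
    """Server: one MAC, one modulo and one set lookup per request."""
    now = time.time() if now is None else now
    try:
        n_s, issued_s, mac = challenge.split(":")
        n, issued, p = int(n_s), int(issued_s), int(answer)
    except (ValueError, TypeError, AttributeError):
        return False
    if not hmac.compare_digest(mac.encode(), _tag(n, issued).encode()):
        return False                  # not a challenge this server issued
    if now - issued > MAX_AGE or (n, issued) in _solved:
        return False                  # expired or already redeemed
    if not (1 < p < n and n % p == 0):
        return False                  # trivial or wrong factor
    _solved.add((n, issued))          # parsed values, so "0123" cannot replay "123"
    return True
```

Entries in `_solved` older than `MAX_AGE` can be dropped, since `verify` rejects those challenges as expired anyway.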

The page "Final post on Javascript crypto | root labs rdist" points out that an attacker may use something other than JavaScript on a normal computer to mount an attack (faster languages, other hardware). He attributes this insight to the paper below, I think, but it does not have the same author as given by the link:

Pricing via Processing or Combatting Junk Mail - Abstract

This paper also talks about favoring memory bound instead of CPU bound problems to thwart custom hardware I suppose, as is also the idea behind scrypt (given the right parameters, which apparently was not the case for Litecoin et al).

Oct 30, 2014 12:25

SSH keys for two accounts on GitHub

You cannot use the same SSH key for two accounts on GitHub. So you need two separate keys. This is how I did it, roughly following the guide Multiple SSH keys for different github accounts.

Let's assume that you have created a second account on GitHub with the username "secondaccount" and the e-mail address "secondaccount@example.com".

You need to create a new set of SSH keys. Do that with:

ssh-keygen -t rsa -C "secondaccount@example.com"

Where the e-mail address is the one you use for your second GitHub account. ssh-keygen will ask you for the name of the file in which to store the key. Tack on the user name, "_secondaccount", so it becomes "id_rsa_secondaccount".

Then you need to edit the ~/.ssh/config file. If it is not there, create it. Put the following into it:

#secondaccount account
Host github.com-secondaccount
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_secondaccount

This makes SSH use the private key "id_rsa_secondaccount" for connections to the host alias "github.com-secondaccount". The key file and the alias share the same ending after the dash sign (they could have different endings, but in my experience naming everything the same where possible saves a lot of searching).

Then when checking out a repository from the second account, tack on "-secondaccount" to the Internet host, so if it looks like this initially:

git@github.com:secondaccount/my-git-repos.git

It will then look like this:

git@github.com-secondaccount:secondaccount/my-git-repos.git

Lastly, enter the repository and issue the following two commands:

git config user.name "secondaccount"

git config user.email "secondaccount@example.com"

You should now be able to push to your second account from that repository.

Your first account should continue to work as normal. At least mine does.

 

 

 

Oct 28, 2014 08:40

Python: Don't use class attributes as default values for object attributes

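This bit me today. Whether using class attributes as default values for object attributes works or not depends on the data type used, so it is best to stay away from the habit. If you are using a list, for example, its value will be shared among objects, because append() mutates the one list stored on the class, whereas += on a string creates a new string and binds it to the instance. Example code: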

class Foo:
    messages = []  # one list object, stored on the class and shared by all instances

    def append_message(self, m):
        # mutates the class-level list in place
        self.messages.append(m)


class Bletch:
    messages = ""  # immutable default

    def append_message(self, m):
        # += builds a new string and binds it on the instance
        self.messages += m

foo = Foo()
foo.append_message('foo')
bar = Foo()
bar.append_message('bar')
baz = Foo()
baz.append_message('baz')
print(baz.messages)
# prints ['foo', 'bar', 'baz']


foo = Bletch()
foo.append_message('foo')
bar = Bletch()
bar.append_message('bar')
baz = Bletch()
baz.append_message('baz')
print(baz.messages)
# prints baz
print(foo.messages)
# prints foo

 

 

Oct 27, 2014 04:27

Getting a networked printer hanging off an Ubuntu server to print

Notes to self:

In this case, a new PPD had to be used (on the client machine), since the old one magically and suddenly stopped working. Very non obvious and a reminder that Linux is still the land where you sometimes are faced with complexity that makes it similar to IT consultancy work just to print something.

The printer is a HP LaserJet M1522n MFP hooked up to an old laptop that functions as a printer server, with the printer shared on the network; I changed (on the client machine not the Linux server since that one printed fine) to a driver with a different suffix somewhere at the end of it all (the full name that is).

Sep 12, 2014 03:10

Styling CSS with attributes instead of classes

Seems to make a lot of sense. It introduces a level of indirection where you can target styling changes to an attribute in a specific context. You can't do that with a CSS class. That is, you can't say that a class should be styled differently in a specific context, but you can say that an element having a certain attribute should be styled differently in a specific context.

It seems to clean up CSS quite a bit.


 

By creating a new Attribute Module am-Button, we can separate out the styles that are common to all buttons, to those that make a button large, to those that round a button's corners. Not only can we then freely combine these variations (e.g. am-Button='large rounded'), we can also target the attribute itself for any contextual overrides:


Read more: Link - Introducing AM - Attribute Modules for CSS - Glen Maddern: Internet Pro

Sep 05, 2014 03:50

"Send through gmail" is gone for new e-mail aliases

Having aliases handled through gmail is very convenient, but there is a change now, where you need to supply an SMTP server for each alias you register. This complicates things quite a bit. I now have to get hold of an SMTP server for a mail alias ASAP.

If you try to specify Gmail's own SMTP server, Gmail will check that server as a part of the form validation process, and Google will classify its own check as a hacking attempt targeting your account. At least that's what happened when I tried, so it's probably better to use another SMTP server.

It seems like previously registered aliases still work and do not suffer from this. Be careful if you edit them though....

 

Now, Google has removed the option to send through their servers and we must specify the SMTP settings for our hosting provider’s server in order to send email as this address. Google has helpfully entered a best-guess of what the servername might be, but you’ll still have to check with your regular hosting provider to get the proper setup information.


Read more: Link - Gmail “Send As” Setup has Changed – BSD Systems

Sep 04, 2014 08:35

Interesting take on philosophy as a history of cognitive science

This book, as far as I remember, since it was a long time since I read it, can be read as a history of philosophy, if you treat philosophy as theories on cognition. Which you often can.

 

The Mind's New Science: A History of the Cognitive Revolution


Read more: Link - Amazon.com: The Mind's New Science: A History of the Cognitive Revolution (9780465046355): Howard E. Gardner: Books

Aug 28, 2014 06:29

Picture in picture (pip) video with ffmpeg

The following command line worked on Ubuntu 13.10. However it does not work with the avconv/ffmpeg shipped with Ubuntu. Instead a static build was used from this site:

http://ffmpeg.gusari.org/static/

 ~/bin/ffmpeg -i inlay.mkv -i background.mp4 -filter_complex "[0]scale=iw/5:ih/5 [pip]; [1][pip] overlay=main_w-overlay_w-10:main_h-overlay_h-10" PIP_video.mp4

This part:

[0]scale=iw/5:ih/5

...seems to control the size of the inlay, so a bigger divisor yields a smaller inlay. It may be that the [pip] following the part tags file 0 as a pip thingy.

 

This part:

overlay=main_w-overlay_w-10:main_h-overlay_h-10

...seems to control where the inlay is placed, with coordinates being x,y with the origin in the top left of the background (main) video. "main_w", "main_h", "overlay_w" and "overlay_h" seem to be variables available denoting the width and height of each video.

It may be that the "[1][pip]" preceding it first refers to the background video (being indexed as 1, that is the second video in a 0-based system), and the "[pip]" somehow carries over from the preceding part and then references the video there. "pip" may have some pippy meaning or it is just a tag.

 

 

 
 
In a recent time I had a task to make a picture in picture effect of two videos using ffmpeg. In this blog I am going to share the details of how to make a PIP effect using ffmpeg and also configuring some of its factors.


Read more: Link - PICTURE IN PICTURE effect using FFMPEG

Aug 21, 2014 08:20

How could one automatically sync two audio recordings?

Let's say I want to do a video presentation, where I want to record the audio that I want to use, onto a separate device, separated from the video camera.

I have now tested Allison Deal's Video sync (also linked under "Update II" in the question) and it seems to do the job.

In the root of its git directory there is a file called "alignment_by_row_channels.py". If you comment out the test code at the end of that file, it can take two mp4 videos and print the time offset between the audio in the two videos.

I tested it with a Canon HF200 video camera and an LG G2 android phone, with talk and finger snaps and very low volume on the video camera. I then manually analyzed the sound tracks with audacity.

The alignment_by_row_channels.py script indicated an offset between the two tracks of 15.1893 seconds. My manual analysis by looking at waveforms gave 15.181 seconds (audacity does not output less than millisecond resolution, at least not by default).

The difference is only 8.3 milliseconds or thereabouts which seems to indicate that "alignment_by_row_channels.py" does the job.

(Beware that the git repo is hefty, probably due to deleted big objects)

One way of doing that is to record the audio also with the camera, and then use your eyes and ears to sync the audio up using Audacity. How to do that is described here:

How to Sync Video and Separately Recorded Audio, Using Only Open-Source Software

Update: I have found this python application with matching Android clapboard that could do the trick. It seems to work by syncing to a special sound recorded both in the video file and in the external audio file.

Update II: And here is another one in python, that is meant to be used to sync up YouTube videos recorded at the same concert.

Aug 19, 2014 08:05

A protected address book for Android - how to make one

Many apps that get installed on an Android tablet or phone take a keen interest in the system address book. It is a place where Google can check your Facebook contacts and vice versa, and where Microsoft (in the shape of Skype) and many smaller companies also can take a stab at analyzing your social network.

There have been attempts at protecting the system address book from prying eyes, but as far as I know there are no simple up-to-date solutions.

So the obvious solution ought to be instead to create an app that is your address book, your real address book with its own database and hence with your contacts stored away from the system address book.

Someone ought to make such an app, and it cannot be that hard to do. Let's call it the Protected Address Book. It should be open source of course or we are back in the morass.

Initiating communication from the Protected Address Book

Many communication apps surely rely on the system address book for pulling contact information out, but it ought to be possible to initiate communication from the Protected Address Book, similar to a share button (or indeed use that one). In order to get around idiosyncrasies of different apps, a plug-in system could be in place to get the right behavior from Gmail, Telegram, WhatsApp, Facebook, Skype and other apps.

Anyone up for getting the Protected Address Book rolling?

Aug 19, 2014 07:10