Sound Card Third Victim in Amp’s Killing Rampage; Suspect Remains At Large

April 30th, 2008 by Dan Fuhry

Yep. Now I’ve lost the sound card too. Needless to say I think this Pioneer amp is too fast and too furious. So I’m gonna be removing it from my lineup. Now all I have to do is convince Logitech to send me another set of speakers, which I know I’ll get right this time.

There’s only one problem: I’m now stuck with the crappy AC ‘97 audio built into my motherboard and I lack a MIDI port, something that I use extensively. So I’m gonna be looking around for a half-decent sound card and probably a job to pay for it (and possibly *more* new speakers). Looks like fate has finally caught up with me.

Posted in X-540 speakers | No Comments »

216 days, 17 hours, and one big fat panic

April 29th, 2008 by Dan Fuhry

216 days and 17 hours. That is how long my server was up without interruption according to the uptime command as of this afternoon. Not bad for an area that gets power outages like crazy this time of year (it hasn’t happened in exactly that many days).

The important thing is that I beat Neal Gompa’s record, 200 days. We’ve been in friendly competition about it for quite a while now and I was quite excited when the uptime counter finally reached 200 days. There is a good and valid reason that it’s over now.

Last night I was fiddling around with NFS shares trying to make the Ubuntu live CD bootable with PXE. (I have no life. :P) Unfortunately I messed something up and got rpc.mountd to deny all mount requests, thus locking me out of 80% of my home directory from Nighthawk, and messing up my network boot system which uses Pelswick as a TFTP server. A reboot looked more and more imminent as I could not seem to get nfsd to unload (it’s built as a kernel module). Today in the late afternoon I took Bigmomma to runlevel 1 and gracefully stopped enough services to be able to peacefully umount /home, after which nfsd unloaded.

The problem came when I remounted /home and realized that I had been meaning to mount it with extended attribute (xattr) support enabled. I realized that I had not done this and once again umounted the device. When I did so, I got a big fat kernel panic, the first one I’ve seen in kernel 2.6.14.

So I let it sit there for a minute thinking about all that the server had been through during the last 216 days and decided that Bigmomma was about due for maintenance. So I turned the system off, pulled out the CD burner and 3.5″ floppy drive that were only used during the installation, blew 7 months’ worth of dust out of the case, replaced the cover, and booted her back up. She’s happily serving files and web pages again. :)

I did end up with a few “double free or corruption” messages from rpc.mountd so NFS isn’t quite perfect yet. It’s still a little unsteady even after recompiling the nfs-utils SRPM. Still working that part out.

Posted in Uncategorized | No Comments »

Logitech X-540 speakers: a bad experience, start to finish

April 28th, 2008 by Dan Fuhry

Well, whaddya know. I suppose that I’ll have to rewrite a little of my story but I think it will be better now that it’s more complete.

Basically what happened is I got two dead babies. One of ‘em was shipped from geeks.com and the other straight from Logitech. Both were completely dead on arrival. That’s the short version.

The long version is this: I ordered a new set of Logitech X-540 speakers from geeks.com for $115 including shipping. They were all that fit in my budget, and I figured they would be okay for the price. They came in and I got them all installed and they were working OK for an hour or two. I was adjusting some cables on my amp when it accidentally got switched to FM mode and started sending static to them - moderately loud static.

Now, mind you, this has happened to my old speakers, in fact they took tons more abuse than even that. But the fact that Logitech makes their DSP boards *that* cheap is just insidious. The speakers immediately stopped working, with strange noises being produced when turning the volume control and several other weird problems. IMHO for $115 these things should be able to withstand that. If I remember correctly they weren’t even turned up all that loud, which means absorbing that signal should not have been a problem.

Since the item got shipped manufacturer-direct, I contacted Logitech and they said that I had a defective set. Understandable. They also told me to go back to the seller since I had the item for less than 30 days. The resulting e-mail conversation was quite a funny one:

Support rep: “Please reply back to this email if you have purchase the X-540 speaker system for more than 30 days. The replacement unit will come from us if you have purchased the speaker system for more than 30 days. I look forward to your reply.”

Me: “According to my records I placed the order on April 12, 2008. I’ll e-mail back and re-open the support case on May 12 or so if I don’t have any luck with geeks.com. Thanks for getting back so fast last time, I really appreciate it!”

Support rep: “Thank you for taking the time to reply my email and elaborating further on your issue. Since 30 days has passed since you have purchased the X-540 speaker system, I would like to proceed with issuing a replacement unit for your defective X-540 speaker system. In order to proceed with this, please provide me with all the details below.”

Me: “Attached is a screenshot of the order history window showing the purchase in question. Again from my previous message, I placed the order on April 12, 2008. So a month has not in fact passed yet since my order. The retailer from which I purchased the set has not replied to my message that I sent a week ago as of today, so as far as I’m concerned Logitech is not obligated to send out a new set until approximately May 12 assuming the retailer chooses not to provide support. Thank you again for the support.”

Support rep’s boss two days later: “Your fulfillment has been shipped. The following products were included: 1 | X-540”

No tricks, no cheating, that’s what really happened. They said it would take 10 to 14 business days to process; it took 1. That was a good sign, +1 for Logitech’s customer support.

Now if only their products were half as good. The new set was dead on arrival - I got absolutely no sound out of it and saw that the power LED was dimmer than it should have been. What a mess. So I now have two completely unusable subwoofer units and 10 satellite speakers sitting in my basement waiting for me to learn their fate.

I hope Logitech takes this as a lesson. No doubt that they built good speakers - the construction is solid and setup is straightforward and simple. But there is a huge problem with the circuitry that drives those speakers, and that is that it’s just way too cheap. It can’t handle even a normal signal - one would have to turn the output volume on their PC down just to avoid overloading the circuitry. That’s a problem because most users will leave the software volume all the way up and control the audio volume with the physical knob on the control pod.

Either way, I’ve e-mailed both geeks.com and Logitech about this and am waiting for them to reply. Chances are that if one doesn’t do something then the other will, but the worst that could happen is me being out $115 and learning an important lesson: to avoid Logitech hardware at all costs.

Posted in X-540 speakers | No Comments »

Database accident, some stuff lost

April 19th, 2008 by Dan Fuhry

Due to a little problem with my MySQL management script I just did the unthinkable and accidentally dropped the database for this blog. Not pretty, but I gotta deal with it. The most recent post I made a few days ago is gone, but that’s it, the rest is in Google’s cache, and posts since October were just restored from a full database backup I made. (Yeah, I’m due for another one. Long overdue, really, considering the fact that I’ve been so good about keeping Germantown backed up. Silly me…)

So things are going to be a little hairy for a few days. I will have to manually restore a lot of posts, which will take time. Hang tight.

Posted in Uncategorized | No Comments »

200 days and counting

April 12th, 2008 by Dan Fuhry

I’m immensely proud to announce that Bigmomma has just hit her 200th day of local uptime. This is a huge milestone for me because I’m starting to feel like I’m getting a handle on server administration now, and keeping her up for this long shows that I’ve got her at a state where I think she is at a very reasonable level of stability and security. She’s been running kernel 2.6.14 on Fedora Core 4 for all this time, and so far the issues I’ve had have been either human error or really minor bugs.

This also means that the power service is fairly stable where I live. I don’t have the spare funds for a UPS at the moment (had to spend all my spare change on new speakers - more on that in a minute), so all I’ve got in terms of power protection is a $40 surge protector. I wouldn’t be surprised if a thunderstorm knocks her out sometime in the near future, but that’s OK because 200 days was Neal Gompa’s record, and we’ve been in neck-and-neck who’s-the-better-sysadmin competition for quite a while now.

So is it really healthy to have a system up for 200 days like this? The answer to that is I don’t know. I think that powering up a server can be intense on the components, specifically the disks, but I also have to wonder if it’s good to let a server take a breather once every few months. Right now I’ve got her load (both CPU and I/O) pretty low since she’s just serving a few web pages. The RAID array, nearly a year old by now, is holding up great and seems to actually be faster than the SCSI disk.

Oh yeah, my speakers gave out on me today. All of ‘em. The 2.1 set I had in the front has been dying for years and they’re finally just not consistently working, plus now my right rear speaker started to sound insanely distorted. Serves me right for being a cheapskate about it, I picked both rear speakers and the deck up for $5 at a garage sale. Someone gave me a Pioneer VSX-5000 amp (mfg. 1986), which I doubt will be compatible with the system I just ordered based on advice from Neal. It’s not the best solution I know, but it was all that would fit within my budget. (And no, I didn’t use money donated to Enano on the speakers. Planning to put that towards a HotScripts sponsored listing when the time is right.) Those will be arriving sometime next week I suppose, so until then I’m stuck on a pair of old computer speakers I pulled out, hackishly hooked into the amp with the bass turned up insanely high. The one thing I can’t figure out is surround on this amp. I can’t seem to figure out how to get a genuine 4-channel input working, something that I’m sure is there but hidden deep within the users’ manual, something that I didn’t get a copy of. Any ideas on how that could be done guys?

Posted in Uncategorized | No Comments »

Doing crypto research? Avoid the Touch

April 8th, 2008 by Dan Fuhry

I recently tried testing my Diffie-Hellman demonstration script on Lil’ Beastie and only now have I become aware of how awful the Javascript engine on there really is.

Mozilla was wrong. The Javascript engine is not 10 times slower - it’s about 50x slower. It took my iPod Touch 88.9 seconds to calculate the Diffie-Hellman public key and shared secret, while Pelswick did it in 1.8. And Safari… returned the wrong MD5 checksum. So it’s like me in 1st grade: slow, and when you finally do get it to cooperate, it gets the wrong answer.

Apple, listen to me. Get this right. If you’re wondering, I’m using Leemon Baird’s BigInt library for the complicated math stuff and my own home-baked code that’s basically a wrapper for BigInt that makes doing Diffie-Hellman math easier. It’s worked on every other platform I’ve tested it on, even IE 5.5. (The rest of Enano’s JS code fires a kill switch on IE <6.) And I’m appalled that you broke it that badly while porting WebKit, which of course is the core of Konqueror, a platform I thoroughly tested on. Since Javascript is an interpreted language I think it’s fair to say that it needs to work exactly the same on the AppleMobile platform as well as on the desktop. Any takers?

Posted in Uncategorized | No Comments »

Enano and CSRF

April 2nd, 2008 by Dan Fuhry

Enano was designed from the ground up for security from forged requests, XSS, and hacking attempts. CSRF, or Cross-Site Request Forgery, is a type of attack that involves tricking a user into submitting a form on a remote site and performing an action that could be considered dangerous - for example, changing a password - without confirmation. This brings up a few questions and I wanted to go through how Enano protects against such requests.

Enano has no specific specialized CSRF-foiling system like PunBB does. In fact, the string “CSRF” never even appears in the Enano source code. So how does it protect against this type of attack? That’s something that I’ve been considering for a long time. Remember that the high-privilege session key that is used when a password is changed or the administration panel is accessed is strictly enforced - because all administration pages use the same API, that API can check for the session key, which is *always* required to be on $_GET or $_POST - never in a cookie. Since the keys are only valid for 15 minutes (but with renewal and keep-alive), and an attacker would need a session key in order to POST DATA at all to the Admin namespace, I believe that this part of Enano is fairly secure against CSRF attacks.
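The check described above, sketched as an added example: this is not Enano's code, and it swaps Enano's ~300-byte encrypted key for a simpler HMAC-signed key. All function, field and parameter names (`issueKey`, `handleAdminRequest`, `auth`, `sid`) are hypothetical, and the requests are constructed samples.

```javascript
// Added illustration, not Enano's code; every name here is hypothetical.
const nodeCrypto = require('crypto');

const KEY_LIFETIME_MS = 15 * 60 * 1000;            // 15-minute validity from the post
const SERVER_SECRET = nodeCrypto.randomBytes(32);  // per-install secret (assumption)

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('hex');
}

// Key format (assumed): "<userId>.<expiryMs>.<hmac>"
function issueKey(userId, now) {
  const payload = `${userId}.${now + KEY_LIFETIME_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the user id for an authentic, unexpired key, otherwise null.
function verifyKey(key, now) {
  if (typeof key !== 'string') return null;
  const parts = key.split('.');
  if (parts.length !== 3 || !/^\d+$/.test(parts[1])) return null;
  const [userId, expiry, mac] = parts;
  const given = Buffer.from(mac);
  const expected = Buffer.from(sign(`${userId}.${expiry}`));
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  return Number(expiry) > now ? userId : null;
}

// The one choke point every admin action passes through. The key is read from
// the POST body or query string only; req.cookies is never consulted.
function handleAdminRequest(req, now) {
  const key = (req.post && req.post.auth) || (req.get && req.get.auth);
  const userId = verifyKey(key, now);
  if (userId === null) return { status: 403, renewedKey: null };
  // Renewal/keep-alive: an active session gets a fresh 15-minute key.
  return { status: 200, renewedKey: issueKey(userId, now) };
}

// Constructed sample data.
const T0 = 1207000000000;
const MIN = 60 * 1000;
const sampleKey = issueKey('42', T0);
const cookies = { sid: 'constructed-login-cookie' };

function demo() {
  const at = T0 + 5 * MIN;
  const legit = handleAdminRequest({ cookies, post: { auth: sampleKey } }, at);
  return {
    legit: legit.status,
    // Forged cross-site POST: the browser attaches cookies, but the body has no key.
    forged: handleAdminRequest({ cookies, post: {} }, at).status,
    // A key that only travels in a cookie is ignored as well.
    keyInCookie: handleAdminRequest({ cookies: { ...cookies, auth: sampleKey }, post: {} }, at).status,
    expired: handleAdminRequest({ cookies, post: { auth: sampleKey } }, T0 + 16 * MIN).status,
    renewed: handleAdminRequest({ cookies, get: { auth: legit.renewedKey } }, T0 + 19 * MIN).status,
    tampered: handleAdminRequest({ cookies, post: { auth: sampleKey.replace(/^42/, '1') } }, at).status,
  };
}
```

Only the requests that carry a valid key as a request parameter succeed; the login cookie alone never reaches an admin action.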

The potential issue comes when you get into everyday actions like saving a page and logging in or out. It is true that one could save a page with only a valid login cookie and a properly constructed JSON request. So there is a small amount of risk here. But remember that Enano logs all changes that are made to pages. If a page is deleted or otherwise changed through CSRF, the person that accidentally changed the page can restore it.

So what are the ups and downs of this? The advantage is that CSRF is almost always either reversible or results in the action being cancelled from a very low-level part of the Enano API. The carefully planned implementation saved Enano from this type of attack even though I didn’t even fully understand it when I implemented the current session management code. The downside, of course, is the ~300-byte encrypted session key you have to send on top of the URL. Can’t have everything, I guess.

Posted in Uncategorized | No Comments »

Welcome, Lil’ Beastie

March 30th, 2008 by Dan Fuhry

You should be able to tell by the title and my previous post that my iPod Touch, affectionately known as Lil’ Beastie, has arrived. That actually happened on Thursday - I’ve been pretty busy since, with Easter and all.

The iPod arrived with firmware version 1.1.2, something I didn’t expect but was willing to cope with. I had the unit for about an hour before I downgraded to 1.1.1, jailbroke it, and nearly bricked it three times before 1.1.3 finally installed. I think Black ‘n Blue’s warranty was voided quicker than that when I loaded DD-WRT, but it’s a close call.

I’m already starting to see the potential that decent mobile Internet browsing has. My latest FOSS project, which will undergo some more work before being submitted to the relevant script repository, is called Greyhound. It’s a remix of the WebControl script for AmaroK. Like the old one, it has a built-in web server, playlist browser, and basic playback and volume controls. However, my version is written in PHP (including the webserver itself!) and sports a clean and iPhone-friendly AJAX-based interface. It also has features like a seek slider and Smarty-based templates so it should be pretty expandable. Yes, the webserver is fully documented, emulates $_SERVER/$_GET/$_POST, and supports HTTP 1.1. It’s single-threaded meaning lots of images/JS/CSS will slow it down but for a simple web control interface it should be fine, and it performs only minimal processing on requests so as to be decently fast.

Jailbreaking the Touch is an essential step if you want to really take hold of its potential. Thanks to the huge gallery of applications available, I’ve turned my Touch into a piano, a wireless trackpad for any computer with a VNC server, and a whole host of other things. It’s a tremendous advantage because I have to give OpenOffice presentations a lot for work, and having the Touch as a remote far surpasses both the conventional USB remotes and specialized tools like the PowerPresenter RF, thanks to the WiFi support.

Above all that I’ve found that the iPod Touch really is good at what it does and that the normal activity of listening to music is streamlined enough, though volume buttons on the side of the unit are an improvement I’d like to see in the next revision. And I still can’t figure out what the little black patch on the upper left of the unit (when looking at it from the back) is for - Wi-Fi antenna maybe? Keeping the unit clean is also a challenge especially for me because my hands are almost always sweaty. It comes with a polishing cloth but I tried using a dry Kleenex to clean the thing and it did a better job than the included cloth. All in all though, it promises to be a decent media player and mobile companion device.

Posted in Uncategorized | No Comments »

iPod Touch - in the mail

March 18th, 2008 by Dan Fuhry

Thanks to an installer development job I just finished, I’ve been able to come up with the spare funds to order an iPod Touch. I know the anti-DRM people will slam me immediately for this decision, but I think that in the long run this was a good choice. For the record, I am a member of the Defective By Design campaign and have never purchased DRMed music, nor do I have any intention of doing so.

As a web developer I see huge potential in the Touch and its big sister, the iPhone. Creating a slick, finger-friendly interface using Javascript and XHR (call it AJAX if you want) sounds like a lot of fun to me, and I see how much potential could be offered in this area if some of the iPhone’s graphics API were available to Javascript - or if the “world’s fastest web browser” (which is a claim made by at least three of them now) can handle completely Javascript-based animations, something I’ve also done quite a bit of research and tinkering with. Either way, I do have plans to port much of Enano’s client-side code to iPhone/iPod Touch-friendly variants if the Touch doesn’t already do a passable job at rendering. I have an honest feeling that the relatively tiny “edit this page” button and Oxygen’s horizontally-biased layout will need some work before they are iPhone-ready.

Of course I need to continue my tradition of oddball names for computers and gadgets, and this puppy’s gonna be no exception. I plan to name the Touch “Lil’ Beastie” after BSD, the kernel that Darwin (and thus Mac OS X) is based on. The hostname will be lilbeastie.fuhry.local and if I can get Apache and (even less likely) MySQL to run, lilbeastie.enanocms.org.

I’ll make it clear, Apple, that I bought the Touch specifically for the purpose of jailbreaking it. I would not have bought it unless it were possible to jailbreak the thing and hack up/run my own apps for free. Yes I plan to play music on it. Yes I will probably use your crappy jukebox software to sync my photos and slides to it. Yes I will even load some movies onto it provided that VLC can rip them. (And to the MPAA, this is legal, as the DMCA permits circumvention of copy protection for the purpose of compatibility between dissimilar systems; and since I own the movies and DVD playing software/hardware isn’t available for my Touch, the system is considered dissimilar in a legal sense.)

One thing I’m hoping especially for is the ability to hook it up to a TV using the S-Video output on the Apple Universal Dock I got about a year ago for my second-gen Nano. It would be really awesome to replace my DVD player with a 4.2oz flash-based player even accounting for the obligatory drop in picture quality. Has anybody tried using the S-Video port with the Touch this way?

Posted in Uncategorized | No Comments »

HOWTO: Protect against hotlinking with Apache and a bad sense of humor

March 16th, 2008 by Dan Fuhry

So one of the people on my buddy list decided to hotlink to an image on my server. Now I honestly understand the urge to do that and in the past I would do it quite a lot. But this image was on Nighthawk which means behind my crappy DSL line. No wonder my Internet browsing slowed to a crawl! So here’s how I did it for those of you that have a similar problem.

This trick requires Apache and mod_rewrite. This is the code I used; place it in a .htaccess file:

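RewriteEngine on
# Requests with no Referer at all (direct visits, privacy proxies) are left alone
RewriteCond %{HTTP_REFERER} !^$
# Referers on our own domain or any subdomain are allowed; the host is anchored
# so that look-alike hosts and paths do not pass
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?enanocms\.org(/|$) [NC]
# Never redirect the substitute image itself, or the redirect would loop
RewriteCond %{REQUEST_FILENAME} !hotlink\.jpg$
RewriteRule \.(png|jpe?g|gif)$ /hotlink.jpg [R=301,NC]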

(replace “enanocms\.org” with your own domain)
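A way to check a referer pattern before deploying it, as an added example that is not part of the original post: the function models the three RewriteCond lines and the RewriteRule, then runs three constructed pattern variants (a doubled dot before the domain, no host anchoring, anchored) against constructed referers. The image path and the `example.net` hosts are placeholders.

```javascript
// Added illustration; patterns, referers and the image path are constructed.

// Returns true when the request would be redirected to /hotlink.jpg.
function wouldRedirect(ownSitePattern, referer, path) {
  if (referer === '') return false;                                 // RewriteCond !^$
  if (new RegExp(ownSitePattern, 'i').test(referer)) return false;  // own site, [NC]
  if (/hotlink\.jpg$/.test(path)) return false;                     // loop guard
  return /\.(png|jpe?g|gif)$/i.test(path);                          // RewriteRule, [NC]
}

const PATTERNS = {
  // Doubled dot: "(.+\.)?" already ends in a dot, so nothing real ever matches.
  strayDot: '^http://(.+\\.)?\\.enanocms\\.org',
  // Matches the domain anywhere after the scheme, including in other hosts and paths.
  unanchored: '^http://(.+\\.)?enanocms\\.org',
  // Host part only, terminated by "/" or end of string.
  anchored: '^https?://([^/]+\\.)?enanocms\\.org(/|$)',
};

const REFERERS = {
  ownBare: 'http://enanocms.org/News',
  ownSub: 'http://www.enanocms.org/',
  foreign: 'http://forum.example.net/thread/12',
  lookalikeHost: 'http://enanocms.org.example.net/page',
  lookalikePath: 'http://example.net/x.enanocms.org',
};

// Maps each sample referer to whether an image request would be redirected.
function evaluate(patternName) {
  const out = {};
  for (const [name, referer] of Object.entries(REFERERS)) {
    out[name] = wouldRedirect(PATTERNS[patternName], referer, '/images/logo.png');
  }
  return out;
}

// Referers that the pattern treats differently from the intended policy:
// own pages must not be redirected, everything else must be.
function misclassified(patternName) {
  const result = evaluate(patternName);
  return Object.keys(result).filter(
    (name) => result[name] !== !name.startsWith('own')
  );
}
```

Because the Referer header is supplied by the client and an empty one is always let through, rules like this save bandwidth but are not access control.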

Of course you need an image to substitute when hotlinking is detected. Preferably you should upload this to a service like ImageShack so as to decrease your bandwidth usage as much as possible. Here’s the image I went with:

Thank God for Seth MacFarlane and maybe George Lucas as well. (As far as licensing goes this is a parody as far as I’m concerned and it is low resolution so it falls under Fair Use.)

Posted in Uncategorized | No Comments »
