Archive for 2009

New website and api for hashr

Finally I just got some time to update the hashr website.

I decided to give it some color and some usability improvements. The resulting hash now shows up in a read-only text box, so that when you choose long hash algorithms like Whirlpool the hash doesn’t break the website design.

Also related to this change is the copy button. I know, I hate Flash too, but unfortunately, because of security issues like clipboard-jacking, there’s no cross-browser compatible way to place text in the user’s clipboard unless you use Flash and the user clicks on it.

Anyway, the button is there to make it easy to copy the hash. But you can still do it the usual way.

Apart from the interface changes, hashr now also has a stats page. This page for now only shows a chart of the top 10 most used hashing algorithms in the website and api and the total generated hashes. But it will have more charts in the future.

And finally I rewrote the api and made it public with some documentation. It now supports xml, json and text responses.

The Firefox extension is still using the old api, but soon I’ll upload to Mozilla Addons a new version using the new one.

Codebits project – Got Gigs?

Got Gigs?

In the last 3 days I’ve been at Sapo Codebits. It was the first time I attended the event and I can only say that I’ll do my best to be at the next one. Three days of absolute awesomeness.

The programming contest was sort of an endurance test. Thirty-two hours awake, most of them coding like mad (with some PES2009, lots of pizza and Red Bull in between).

And the final output of the contest was an iPhone app called Got Gigs?. The project consists not only of an iPhone app, but also of a web app that fetches concerts for a given country/city from the Last.fm api, and a public api that serves them from our database in various formats, including JSON, XML, etc.

The iPhone app was built using PhoneGap. This open source tool lets you build apps for mobile devices like iPhone, BlackBerry, Android, etc. using HTML and JavaScript. The concept is nice, but the lack of decent documentation and examples makes it a harder challenge than it seems at first. But with some persistence and lack of sleep we came up with an almost complete app:

Featured | Soon | All Concerts | My Bands | Settings

The presentation didn’t run quite well. First I got nervous when I opened the MacBook Pro on stage and found out that I had less than 20 minutes of battery left. This laptop normally goes to sleep at the 10-minute mark.

I had 90 seconds to present the project, but it seemed more like 10 seconds to me. I didn’t even have the chance to explain half of the app’s features. That’s what you get for being a noob at presenting projects in public. But well, lesson learned.

Anyway, this project won’t stop here. We will continue developing it into a final product. The name will be different and it will target only musical events in Portugal. So if you’re interested in this web app / iPhone app, check this blog for more updates.

Overall this experience was very enlightening and definitely worth repeating. Next year will be better ;)

Using git with dropbox

This is just another way to give some use to your dropbox account. Although I use git in this article, you can pretty much do it with any other SCM tool.

First of all you obviously need a Dropbox account. If you don’t have one already, go register for one and get 2 GB of free online storage.

Now that you have an account, create a folder in your Dropbox and, in the web interface, share the folder with some friends if you wish to do so.

All is ready now to start creating the repo. For this post I’m assuming you already have a local git repository of a project called my_killer_app and that you are working on a Unix-based operating system like OS X or Linux.

Open up a terminal, and change directory to your project folder:

cd ~/Sites/my_killer_app

The next step is to clone your existing local repo into the shared dropbox folder:

git clone --bare . ~/Dropbox/shared_folder/my_killer_app.git

The --bare option tells git not to include a working copy of the project files. Only the files needed to track the versioning are cloned (mainly those present in the .git/ folder).

Now you have sort of a remote repository. Although it’s on your machine, it’s remote to everyone else sharing the folder. But to make things work we need to add this “remote” location and give it an alias:

git remote add my_killer_app ~/Dropbox/shared_folder/my_killer_app.git

There! It’s done. Now you can push your changes to the repository. And pull the changes on another machine with your dropbox account. Also people sharing the folder will be able to do the same.

Just for the sake of completeness, here’s how you would make changes and commit them to the “remote” server:

You made changes to the code, now it’s time to add and commit:

git commit -a -m "another commit example"

Nice! Now let’s push them to the “remote” server:

git push my_killer_app master

Piece of cake.

And here’s what a different user sharing the folder would do to collaborate on your project:

Clone the repository:

git clone ~/Dropbox/shared_folder/my_killer_app.git

Add the alias to remote repository:

git remote add my_killer_app ~/Dropbox/shared_folder/my_killer_app.git

And that’s it! Now it’s pull, commit, push. If you need more info on git usage you can check this manual.
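The whole procedure above (bare clone into the shared folder, remote alias, commit, push, and a collaborator’s clone), as an added example that is not part of the original post. A temporary directory stands in for ~/Dropbox/shared_folder so the script runs offline; the project name my_killer_app and the remote alias are the ones from the post, and the commit identity is a placeholder.

```shell
#!/bin/sh
# Added example: the bare-repository-in-a-shared-folder workflow, run end to end.
# A temporary directory stands in for ~/Dropbox/shared_folder (assumption).
set -e

# Fixed placeholder identity so the commits work on a machine with no git user config.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

dropbox_git_demo() {
    work=$(mktemp -d)
    shared="$work/Dropbox/shared_folder"      # stand-in for the synced folder
    proj="$work/my_killer_app"
    mkdir -p "$shared" "$proj"

    # 1. A local project with one commit (the post assumes this already exists).
    git -C "$proj" -c init.defaultBranch=master init -q
    echo "hello" > "$proj/README"
    git -C "$proj" add README
    git -C "$proj" commit -q -m "initial commit"

    # 2. git clone --bare: copies only the .git contents, no working files.
    git clone -q --bare "$proj" "$shared/my_killer_app.git"

    # 3. Register that path as a remote, then commit and push as in the post.
    git -C "$proj" remote add my_killer_app "$shared/my_killer_app.git"
    echo "more" >> "$proj/README"
    git -C "$proj" commit -q -a -m "another commit example"
    git -C "$proj" push -q my_killer_app master

    # 4. A collaborator who shares the folder clones from the same path.
    git clone -q "$shared/my_killer_app.git" "$work/collaborator"

    # Output: the number of commits the collaborator received (2).
    git -C "$work/collaborator" rev-list --count HEAD
    rm -rf "$work"
}

if [ "${1:-}" = "run" ]; then
    dropbox_git_demo
fi
```

Run it with `sh demo.sh run`. One caveat worth keeping in mind with a synced folder rather than a temp dir: everyone with access to the folder can rewrite the repository’s history, and two people pushing at the same time can leave the bare repository with conflicted copies inside its objects directory, so treat the shared folder as a convenience, not as a trusted server.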

Playing with Twitter Stream API and Text-to-Speech

There’s a new Twitter API in town: The Twitter Stream API. But before you get all excited building a new twitter stream client, it’s important for you to know that this is in alpha version for now.

Since I wanted to test this new API and didn’t know how to, I decided to do something silly. I wondered what it would be like to have someone read me, in real time, all the tweets about a given keyword. This is the part where the Mac OS X built-in text-to-speech comes in.

The result was a PHP script that called the OS X "say" command to read the realtime Twitter stream.

The code is very simple:

<?php
$username = 'TWITTER_USER';
$password = 'TWITTER_PASSWORD';
$keyword = 'twitter';

// The stream endpoint uses HTTP basic auth; the credentials travel in the URL.
$fp = fopen("http://$username:$password@stream.twitter.com/1/statuses/filter.json?track=" . urlencode($keyword), 'r');
if ($fp === false) {
	die("Could not connect to the Twitter stream\n");
}

while (($data = fgets($fp)) !== false)
{
	// The stream also sends blank keep-alive lines; skip anything that isn't a status.
	$res = json_decode(trim($data), true);
	if (!is_array($res) || !isset($res['text'], $res['user']['screen_name'])) {
		continue;
	}

	$user = $res['user']['screen_name'];
	$tweet = $res['text'];

	echo "$user says: $tweet\n";
	// Escape shell metacharacters before handing the tweet text to the say command.
	exec(escapeshellcmd("say $user says: $tweet"));
}

fclose($fp);
?>

Note the escapeshellcmd function, which saves you from being owned in case someone “accidentally” tweets something like ";rm -rf ~/".

You can just run this script in terminal, but first change the username and password to match your twitter account, and keyword to something you want to search.

Now you can annoy everyone at your workplace, with a voice reading out loud all your (not so) interesting tweets.

Macports and PHP 5.3

I recently noticed that, after updating to PHP 5.3 on MacPorts, the php-cli (command line executable) was giving me some warnings that made no sense, because I had all the mentioned libraries installed:

PHP Warning:  Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in Unknown on line 0
PHP Warning:  Directive 'magic_quotes_gpc' is deprecated in PHP 5.3 and greater in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './gd.so' - dlopen(./gd.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mbstring.so' - dlopen(./mbstring.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mcrypt.so' - dlopen(./mcrypt.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mysql.so' - dlopen(./mysql.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mysqli.so' - dlopen(./mysqli.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './pdo_mysql.so' - dlopen(./pdo_mysql.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './zip.so' - dlopen(./zip.so, 9): image not found in Unknown on line 0

This seems to be a very common problem after the update. It occurs because most of the configurations in /opt/local/etc/php.ini are now obsolete with PHP 5.3.

So if your update went well, you should have two sample php.ini files in the mentioned folder, one for production and the other for development. To fix this problem just rename your current php.ini file to something else, and then rename one of the samples to php.ini. Restart Apache and voilà: the PHP CLI is back with no warnings and all the installed libraries available.
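The same fix as a small shell function, added here as an example that is not part of the original post. It keeps the old php.ini as a backup instead of overwriting it (your custom settings are still in there) and refuses to run if the sample file is missing or a backup already exists. The directory is a parameter so it can be tried on a scratch directory; on MacPorts it would be /opt/local/etc (the folder from the post). The sample file names php.ini-production and php.ini-development and the backup name php.ini.pre-5.3 are assumptions; restarting Apache is left to you.

```shell
#!/bin/sh
# Added example: back up the current php.ini and replace it with one of the
# PHP 5.3 samples. Directory and sample names are parameters/assumptions.
set -e

reset_php_ini() {
    dir=$1
    flavour=${2:-production}        # "production" or "development"
    sample="$dir/php.ini-$flavour"  # assumed sample file name
    backup="$dir/php.ini.pre-5.3"   # assumed backup name

    if [ ! -f "$sample" ]; then
        echo "error: no sample $sample; did the PHP 5.3 update finish?" >&2
        return 1
    fi
    if [ -e "$backup" ]; then
        echo "error: $backup already exists, refusing to overwrite it" >&2
        return 1
    fi
    # Keep the old file around: it still holds any custom settings you made.
    if [ -f "$dir/php.ini" ]; then
        mv "$dir/php.ini" "$backup"
    fi
    cp "$sample" "$dir/php.ini"
    echo "$dir/php.ini now comes from $sample (old file saved as $backup)"
}

# Usage on MacPorts (path from the post): reset_php_ini /opt/local/etc production
if [ "${1:-}" ]; then
    reset_php_ini "$1" "${2:-production}"
fi
```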

Updating hashr to work on Firefox 3.5

I got an email today from a hashr user complaining that the add-on was not working on Firefox 3.5. I had noticed it a few days ago, but completely forgot about it.

I’m currently updating the add-on to 3.5, improving the user interface and maybe adding some new features. But for now, if you wish to use the extension with Firefox 3.5, you can use a little hack that works with no problems.

Just locate your Firefox profile folder, and then open the extensions folder inside it. There will be one folder with the word “hashr” in the name. Open it and edit the file install.rdf.

Inside the file locate the following lines:

<em:minVersion>1.5</em:minVersion>
<em:maxVersion>3.0.*</em:maxVersion>

And change it to:

<em:minVersion>1.5</em:minVersion>
<em:maxVersion>3.5.*</em:maxVersion>

Save the file and restart Firefox. It should now be working perfectly. If not, check the add-ons manager to see if it’s disabled.

Edit: Mozilla has finally approved the new version of hashr, so this hack is no longer needed. You can find the addon here: https://addons.mozilla.org/en-US/firefox/addon/8539.

Change ls terminal colors in OS X Leopard

If you use the terminal in OS X a lot, you have probably noticed that the ls command has no colors. You can activate the colors by adding the following to your ~/.profile:

alias ls='ls -G'

Or, even better, add the following to your ~/.profile:

export CLICOLOR=1

Now you just need to restart your terminal, and you have all nice and shiny ls output.

The problem is that if you use a dark background, like any other sane person, the dark blue used for directory names is simply impossible to read.

To change that color you just need to add another line in your ~/.profile file:

export LSCOLORS=gxfxcxdxbxegedabagacad

What’s with the DNA chain? Well, it’s just some crazy way to configure the ls output colors. You can find the color corresponding to each character in the ls man page. To keep it simple, that combo turns the directory names cyan, so that they become readable on top of dark backgrounds.
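To see what each character in that string actually means, here is an added example (not from the original post): a POSIX shell function that decodes any LSCOLORS value into its eleven foreground/background pairs, in the order the ls(1) man page lists them. The slot and color names are my own wording of the man page table; the function also rejects strings that are not exactly 22 characters, which is the usual mistake when editing the value by hand.

```shell
#!/bin/sh
# Added example: decode an LSCOLORS string (BSD/OS X ls) into readable fg/bg pairs.

# Map one LSCOLORS character to a color name (table from the ls man page).
color_name() {
    case "$1" in
        a) echo black ;;        b) echo red ;;          c) echo green ;;
        d) echo brown ;;        e) echo blue ;;         f) echo magenta ;;
        g) echo cyan ;;         h) echo "light grey" ;;
        A) echo "bold black" ;; B) echo "bold red" ;;   C) echo "bold green" ;;
        D) echo "bold brown" ;; E) echo "bold blue" ;;  F) echo "bold magenta" ;;
        G) echo "bold cyan" ;;  H) echo "bold light grey" ;;
        x) echo default ;;
        *) echo "invalid($1)" ;;
    esac
}

# The eleven attribute slots, in the order ls(1) documents them.
LSCOLORS_SLOTS="directory symlink socket pipe executable block-special char-special \
setuid-executable setgid-executable sticky-other-writable-dir other-writable-dir"

# Print one "slot: fg=... bg=..." line per pair; fail on a malformed string.
lscolors_decode() {
    s=$1
    if [ "${#s}" -ne 22 ]; then
        echo "error: LSCOLORS must be exactly 22 characters (got ${#s})" >&2
        return 1
    fi
    i=1
    for slot in $LSCOLORS_SLOTS; do
        fg=$(printf '%s' "$s" | cut -c "$i")
        bg=$(printf '%s' "$s" | cut -c "$((i + 1))")
        printf '%s: fg=%s bg=%s\n' "$slot" "$(color_name "$fg")" "$(color_name "$bg")"
        i=$((i + 2))
    done
}

# Usage: decode the value from the post, or whatever is in the environment.
if [ "${1:-}" ]; then
    lscolors_decode "$1"
fi
```

Running `sh lscolors.sh gxfxcxdxbxegedabagacad` prints `directory: fg=cyan bg=default` as the first line, while the default value `exfxcxdxbxegedabagacad` gives `directory: fg=blue bg=default`; the only difference between the two strings is that first character.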

Apple keyboard

apple usb keyboard

After some weeks flirting with the Apple keyboard, today I finally bought it. I’m writing this post with it. And I can only say that this is the best keyboard one can have. It’s very slim and the typing is smooth; it’s actually pretty much the same as the new MacBook keyboard.

I bought it to use at work, mainly because working endless hours on a laptop can injure your back, and an external keyboard allows me to vary my posture when sitting in front of the MacBook. Another reason is that in summer, having my hands resting on a MacBook Pro turns out to be a hot and sweaty experience.

I opted for the USB version because I don’t really like batteries at all, and I wouldn’t be very tolerant of random Bluetooth disconnects. Although the keyboard’s USB cable is short, Apple was kind enough to include an extension for those who need a longer cable.

apple keyboard usb extension

Here’s the Apple keyboard side by side with my old Revoltec Lightboard, so you can get an idea of the size of this thing:

The apple keyboard vs revoltec lightboard

Just to end this post, as you can see in the first picture, I bought this keyboard at TB Store in Colombo. I definitely recommend this store for buying Apple stuff. Great customer service, nice and unusual bags for your purchases and bonus key chain lanyards.

Avoiding unnecessary risks with your Google account

Almost everybody nowadays has a Gmail/Google account. We use it for our email service, to read our feeds, store our bookmarks, edit our documents, and whatnot. This demands that we constantly log in to these services with our Google account user and password. The most “paranoid” users never check the “keep me logged in” checkbox, while the majority just check it and don’t even bother anymore.

If you “worship” your Google account, and the idea of losing it sounds catastrophic to you because your whole life is in it, you might just keep on reading this post.

What’s the problem?

The web is mostly an unsafe place, and browsing “random” web sites while logged in to your Google account can be a Russian roulette experience, because with some recent techniques like clickjacking, an attacker can set up a web page with malicious code that uses your logged-in Google account session to perform actions on your behalf. And if you don’t believe this, you can try it yourself in the following example.

You can try this using a dummy Gmail account if you feel insecure about it.

Log in to your dummy Gmail account, open a new tab and go to this website. Now click the “send” button on the page, and go check your dummy Gmail account’s sent messages folder. You will see that you have just sent an email without even noticing (well, you did notice if you checked the status bar, but it was too late anyway).

The way to achieve a hack like this is not very complex. Quoting the author:

You get a copy of the generated HTML code of the target webpage, then you simply hide everything, except for the button you want to overlay.. you could draw other things using absolute positioning, but this is enough for most scenarios.

You can checkout the “ghost page” here: http://www.sirdarckcat.net/dad.html

This attack has its pros and its cons.. the most important pro is that it’s the best way of doing cross-browser exploits.. since you don’t depend on the sizes, margins, overflow rules etc.. that different browsers use.

Possible solutions?

The best way to protect against these attacks, while it may not be the ideal solution, is simply to reduce the time you spend logged in on the browser. Actually, you can even use these services with no logged-in session on the browser.

The answer is simple: don’t use these services’ web interfaces on your personal computer. For Gmail, use a POP or IMAP client of your choice; for everything else, use Prism. Prism lets you run web applications in a desktop/standalone mode. This way you have all your sessions encapsulated, in a kind of sandbox, leaving you free to use the browser in a more relaxed manner.

Why do I say “on your personal computer”? Because it’s on your daily use machine that you are more tempted to save login forms and such, leaving you vulnerable to the type of attacks I described. On other machines you are less tempted to do that, because it’s not your machine, or it’s a public computer, and you spend much less time on it.

While I’ve been talking about Google accounts and Gmail throughout this post, every other service may be vulnerable to this type of attack too, though Google services are generally more secure than the rest.

What can web developers do?

Not much, really. For web developers, the way to prevent your site from being opened in an iframe is the piece of code known as “the Framekiller”. This is a JavaScript snippet to include in your HTML pages:

<script type="text/javascript">
// If this document is not the top-level window, it has been framed: replace the framing page with this one.
if (top !== self) top.location.replace(self.location.href);
</script>

This works with the obvious javascript/client side limitations, so it shouldn’t be regarded as a reliable approach, but it definitely helps.

More on the subject

If you wish to know more about other similar techniques, you can check these links below:

CSS Attacks

Clickjacking

TwitterPHP 0.5 released and lessons learned…

This Friday I released a new version of the TwitterPHP library. In this version I’ve done some code optimization, removed some files and switched to Doxygen for class documentation.

First, all methods were returning a SimpleXML object, which is a mistake in terms of flexibility. I’ve changed them all to just return an XML string. Now it’s up to the user (programmer) to choose how to access/parse the XML.

Second, TwitterPHP is a class, so you can instantiate it several times, for, let’s say, accessing multiple accounts. At least you should be able to do that, but since I was reading the Twitter username and password from a configuration file (naive, I know), multiple instances could only use the same account. Now the problem is solved by simply adding the username and password as arguments of the constructor method and removing the configuration file.

Third and last, I switched from PHPDocumentor to Doxygen. This was mainly because I found out that Doxygen is much more flexible: I can use it with any other project in any other language. And the resulting documentation is faster and cleaner than PHPDocumentor’s.

So you can take a look at the new version of TwitterPHP here and the documentation generated by Doxygen here.

In future releases I’m planning to add OAuth support and implement more Twitter API actions.