Starbucks

Today I went to the first Starbucks in Portugal. I have to admit that although the concept of the store is interesting (you can choose every little detail of your coffee-based drink, muffins, cookies, etc.), this Starbucks is very disappointing. First, it’s in a shopping mall (Alegro in Alfragide). That’s already bad enough to make someone skip it. But even worse, the place is small, very small. There are 10 tables at most, and I thought it would have wireless, like many other Starbucks. No sign of it.


So besides being something new to try, I don’t see any reason to come back to this Starbucks. I’ll wait for the one in Belém or a better place like Chiado. And wireless would be great, actually it would make the difference, because the coffee is no big deal.

alt.prt.sc

So after my accidental leak of the “not-supposed-to-be-public” episode #0 of the Prt.sc videocast, Vitor and Armando are back with the real first episode of the videocast, now named “alt.prt.sc”.

There are some noticeable production improvements. But an iPod version is still missing. Check it out here!

Mozilla Labs on tools for web development

From Mozilla Labs:

Today we’re announcing the formation of a new group that will focus on the research and development of developer tools for the open Web.

We believe that there’s tremendous opportunity for innovation in tools that increase developer productivity, enable compelling user experiences, and promote the use of open standards.

Read the full post here!

Prt.Sc Nation

prt.sc videocast

Prt.Sc has released the first episode of a Diggnation-like videocast. I watched it today and, home-made feel of the production aside, I liked the content and expect some very interesting content in the future.

I’m very pleased to see such initiatives growing on the Portuguese web. Cheers to Vitor Domingos and Armando Alves for this.

This videocast is only available in Portuguese. Watch it here!

Clickjacking - The new threat?

I’ve been away from the blog for some time, thanks to some freelance projects and university projects, so this is almost old news.

Clickjacking is the new buzzword on the web. What is it? It’s supposed to be a new vulnerability that mainly affects websites. It hasn’t been fully disclosed yet, since vendors (Microsoft, Mozilla, Adobe, etc.) have asked for some time before disclosure. Patching every website on the web is definitely an impossible mission, so browsers will be patched instead in order to address this possible threat.

You can check here and here for details about clickjacking on RSnake’s blog; he is one of the two researchers who found it.

Update: Here’s the proof-of-concept video of clickjacking and webcam hijacking in Adobe Flash.

Update 2: A nice post from gnucitizen about this.

Why the “remember me” option is not always a good idea…

Everyone knows that almost every login form on a website has a “remember me” option, which stores a cookie in your browser that lets you access the site without entering the username and password. Although this might be very convenient, it makes a common web threat much easier to pull off. I’m talking about CSRF (Cross-Site Request Forgery).

I write this post inspired by Jeff Atwood’s article about CSRF. I highly recommend reading it as an introduction to my post, along with every other article by Jeff.

So, many people use the “remember me” option on sites like Gmail. Let’s imagine a simple case. You are using a forum, and you *don’t* check the “remember me” option. You leave the forum open in a tab while browsing other sites in other tabs. In this case you are temporarily vulnerable to CSRF, for as long as the forum session remains active and if the forum has no anti-CSRF measures. Now, if you check the “remember me” option, you will be vulnerable even with the forum tab closed, because your authentication cookie remains in the browser, valid and… forever (at least until you clear the cookies or log out). That means that if you visit a website that has a form or a link that submits a POST or triggers some other action on the forum, it will be executed as your user.

In my example, maybe a forum isn’t really something worth being paranoid about when it comes to CSRF or other types of attacks, or maybe it is; it’s up to you to judge that. But a web-based email or online shopping website definitely is.

So it’s really important for web developers to take this issue into consideration when developing web applications, even knowing that it only patches one hole in a net (the HTTP protocol wasn’t designed with this in mind). You can find some measures to protect your website against CSRF in Jeff’s article. Users should also be aware of these threats when using websites or applications that hold sensitive and personal content, because relying on every web developer’s security expertise puts them at risk.
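To make the forum scenario above concrete, here is an added Python example (not code from the original post, and not Jeff’s article’s code) of a toy forum back end with the vulnerable “cookie is enough” POST handler beside a hardened one that requires a per-session anti-CSRF token in the form. The `Forum` class, its method names and the session layout are assumptions made for this illustration; the point it shows is that the browser attaches the remembered cookie to a forged request from another site, but that other site never sees the token, so the token check is what stops the forged post.

```python
import hmac
import secrets


class Forum:
    """Toy forum back end (constructed for this example; not real forum code).

    Sessions are identified only by a cookie, which is exactly what a
    "remember me" cookie gives an attacker: the browser attaches it to any
    request aimed at the forum, no matter which site triggered that request.
    """

    def __init__(self):
        self.sessions = {}   # cookie value -> {"user": ..., "csrf": ...}
        self.posts = []      # (user, body) pairs the forum accepted

    def login(self, user):
        """Issue a session cookie and a per-session anti-CSRF token."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return cookie

    def render_post_form(self, cookie):
        """HTML served to the logged-in user; the token rides in a hidden field.
        Another origin cannot read this page, so it cannot learn the token."""
        token = self.sessions[cookie]["csrf"]
        return ('<form method="POST" action="/post">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                '<textarea name="body"></textarea></form>')

    def post_vulnerable(self, cookie, form):
        """Before: trusts the cookie alone."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 401
        self.posts.append((sess["user"], form["body"]))
        return 200

    def post_protected(self, cookie, form):
        """After: the cookie must be accompanied by the session's own token."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 401
        supplied = form.get("csrf_token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403
        self.posts.append((sess["user"], form["body"]))
        return 200


def forged_request(handler_name):
    """Simulate a hidden auto-submitting form on some unrelated page.
    The victim is logged in (cookie present) but that page never saw the
    victim's token, so the forged form carries only a body.
    Returns (HTTP status, number of posts the forum accepted)."""
    forum = Forum()
    cookie = forum.login("alice")          # "remember me": cookie stays in the browser
    handler = getattr(forum, handler_name)
    status = handler(cookie, {"body": "posted without alice's consent"})
    return status, len(forum.posts)


def legitimate_request():
    """The real user submits the forum's own form, token included."""
    forum = Forum()
    cookie = forum.login("alice")
    html = forum.render_post_form(cookie)
    token = html.split('value="')[1].split('"')[0]   # what the browser sends back
    status = forum.post_protected(cookie, {"body": "hello", "csrf_token": token})
    return status, len(forum.posts)


if __name__ == "__main__":
    print("vulnerable handler, forged request:", forged_request("post_vulnerable"))
    print("protected handler, forged request: ", forged_request("post_protected"))
    print("protected handler, real request:   ", legitimate_request())
```

Run it and the vulnerable handler accepts the forged post with a 200 while the protected one rejects it with a 403, and only the request built from the forum’s own form gets through. The same idea scales to a real application: the token lives in the session, goes out in every state-changing form, and is compared on the way back. In browsers newer than this post, the cookie’s `SameSite` attribute adds a second layer by limiting when the browser attaches the cookie to cross-site requests at all.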

hashr 0.2 for Firefox

hashr logo

I’ve released the second version of the hashr extension for Firefox. This version is a major code fix, since the previous version, 0.1, had global variables and functions declared in a way that could cause conflicts with other extensions or sites.

This problem in the code was detected by a sandbox reviewer at the Mozilla add-ons site. Because of this problem, the extension is still held in the sandbox. Now that it’s fixed, the functions and variables live in their own namespace, avoiding conflicts. So it will probably be out of the sandbox soon :)

Users of hashr should update quickly. You can update from the hashr homepage or from the Mozilla add-ons site (requires login while in the sandbox).

I’ve also received some suggestions by e-mail to implement or change things in hashr. They aren’t forgotten; it’s just too soon to release them.

How to add some style to your Ubuntu

Usually I don’t like to waste time tweaking the looks of Ubuntu. But this time I found a theme that was being tested for Intrepid Ibex and planned to be the default theme in 8.10 (not anymore).

I have always looked for a dark theme for Ubuntu, but the ones I found always had some little detail that looked ugly in some application. This one seems to be perfect. Here’s a screenshot:

ubuntu dark theme

To get this theme you just need to add the following line to your /etc/apt/sources.list file:

deb http://ppa.launchpad.net/kwwii/ubuntu hardy main

Now refresh aptitude’s package lists and you will have new packages to install. After installing those packages, just go to the theme selector and pick the newly installed theme. The theme also includes some Vista-like sounds.

Script to detect and run gksudo or kdesudo in Linux

If you are developing a Linux GUI application that requires root privileges, and you want it to run under both the KDE and Gnome desktop environments, this script solves the problem by detecting which of the graphical sudo commands is installed on the system and then running your application with the available one:

#!/bin/bash

# Returns 0 (success) if the given command exists somewhere in $PATH,
# 1 otherwise, by walking the PATH entries one by one.
findCmd () {
     temp=1
     auxIFS="$IFS"
     IFS=:
     for d in $PATH; do
          case $d in '') d=. ;; esac
          if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
               temp=0        # found: return success
               break
          fi
     done
     IFS="$auxIFS"

     return $temp
}

# now pick the first graphical sudo front-end that is installed,
# falling back to plain sudo when neither is present
_sudo=""
if findCmd gksudo; then
     _sudo=gksudo
elif findCmd kdesudo; then
     _sudo=kdesudo
else
     _sudo=sudo
fi

"$_sudo" yourApp   # change "yourApp" to your app's command

This way you can support both desktop environments when running privileged applications. There are other ways to do this, but this is a quick and dirty one.

Update: As João Craveiro mentioned in a comment, this might not work when both desktop managers are installed.

How to deal with SSH brute-force attacks

Anyone who runs an SSH server on the default port (22) knows that every day hundreds, sometimes thousands, of break-in attempts show up in the logs. Some come from fully automated bots, others from possible human attackers scanning one target at a time.

How is this done? It’s pretty simple. It’s just a program that tries the root user, or a dictionary of possible usernames, against a dictionary of possible passwords. If your password is in that dictionary, it’s game over for you.

There are many ways to protect against this, like blacklisting an IP address after a defined number of failed attempts. But you can always try to have some fun with it. This article is kind of old, but it’s worth a look.

By changing the source code of the OpenSSH server and adding a sleep(10) call in the authentication code, you can drive anyone trying to break into your box to despair.

Check it here.
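As an added example (not from the original post or the linked article), here is a small Python detector that implements the blacklisting idea mentioned above: it parses sshd log lines in syslog format, counts failed password attempts per source address, and flags any address that reaches a threshold inside a sliding time window. The host name, process ids and addresses in `SAMPLE_AUTH_LOG` are constructed (the addresses come from the RFC 5737 documentation ranges); the line format follows what OpenSSH writes to auth.log on typical Linux distributions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an auth.log; not real traffic. One fast attacker
# (203.0.113.7), one slow one spacing attempts 30 minutes apart (192.0.2.44),
# and a legitimate user who mistypes once (198.51.100.23).
SAMPLE_AUTH_LOG = """\
Oct 12 01:00:00 box sshd[2100]: Failed password for root from 192.0.2.44 port 33001 ssh2
Oct 12 01:30:00 box sshd[2120]: Failed password for root from 192.0.2.44 port 33002 ssh2
Oct 12 02:00:00 box sshd[2140]: Failed password for root from 192.0.2.44 port 33003 ssh2
Oct 12 02:30:00 box sshd[2160]: Failed password for root from 192.0.2.44 port 33004 ssh2
Oct 12 03:00:00 box sshd[2180]: Failed password for root from 192.0.2.44 port 33005 ssh2
Oct 12 03:14:01 box sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:03 box sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 12 03:14:05 box sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Oct 12 03:14:07 box sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 12 03:14:09 box sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Oct 12 03:14:11 box sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Oct 12 03:20:40 box sshd[2250]: Failed password for bob from 198.51.100.23 port 40122 ssh2
Oct 12 03:20:52 box sshd[2250]: Accepted password for bob from 198.51.100.23 port 40122 ssh2
"""

# Matches only failed password attempts; "invalid user" marks names that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative deltas are all we need here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]


def failures_per_ip(log_text):
    """Total failed attempts per source address (the raw count, no windowing)."""
    counts = defaultdict(int)
    for _, ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def ips_to_block(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return source addresses that reached `threshold` failures inside any `window`.

    A sliding window is kept per address, so an attacker who spaces attempts
    further apart than the window is not flagged; widen the window to catch
    slow scans at the cost of more false positives on legitimate typos.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = set()
    for ts, ip, _ in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return sorted(blocked)


if __name__ == "__main__":
    print("failures per IP:", failures_per_ip(SAMPLE_AUTH_LOG))
    print("block (5 in 10 min):", ips_to_block(SAMPLE_AUTH_LOG))
    print("block (5 in 3 h):  ", ips_to_block(SAMPLE_AUTH_LOG, window=timedelta(hours=3)))
```

With the defaults only the fast attacker is flagged; the slow one shows up as soon as the window is widened to three hours, which is the trade-off any threshold-based blocker has to make. Feeding the returned list to the firewall is the part left out here; fail2ban does exactly this job, tailing the log and banning addresses after a number of failures within a configurable time, so in practice it is the tool to reach for rather than a hand-rolled script.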