Prt.Sc Nation

prt.sc videcast

Prt.Sc has released the first episode of a Diggnation-like videocast. I watched it today, and apart from the home-made feel of the production, I liked the content and predict some very interesting content in the future.

I’m very pleased to see such initiatives growing in the Portuguese web. Cheers to Vitor Domingos and Armando Alves for this.

This videocast is only available in Portuguese. Watch it here!

Clickjacking - The new threat?

I’ve been away from the blog for some time, thanks to some freelance projects and university projects, so this is almost old news.

Clickjacking is the new buzzword on the web. What is it? It’s supposed to be a new vulnerability that mainly affects websites. It hasn’t been completely disclosed yet, since vendors (Microsoft, Mozilla, Adobe, etc.) have asked for some time before disclosure. Patching every website on the web is definitely an impossible mission, so browsers will be patched in order to solve this possible threat.

You can check here and here for details about clickjacking on RSnake’s blog; he is one of the two researchers who found this.

Update: Here’s the proof of concept video of clickjacking and webcam hijacking in Adobe Flash.

Update 2: A nice post from gnucitizen about this.

Why the “remember me” option is not always a good idea…

Everyone knows that almost every login form on a website has a “remember me” option, which stores a cookie in your browser that allows you to access the site without entering the username and password. Although this might be very convenient, it makes a common threat on the web much easier to pull off. I’m talking about CSRF (Cross-Site Request Forgery).

I write this post inspired by Jeff Atwood’s article about CSRF. I highly recommend reading it as an introduction to my post, along with every other article by Jeff.

So, many people use the “remember me” option in sites like Gmail, etc. Let’s imagine a simple case. You are using a forum, and you *don’t* check the “remember me” option. You leave the forum open in a tab while browsing other sites in other tabs. In this case, you are temporarily vulnerable to CSRF, as long as the session in the forum remains active and the forum doesn’t have any anti-CSRF measures. Now, if you check the “remember me” option, you will be vulnerable even with the forum tab closed, because your authentication cookie remains in the browser, valid and… forever (at least until you clear the cookies or log out). That means if you visit a website that has a form or a link that executes some sort of POST or some other action in the forum, it will be executed as your user.

In my example, maybe a forum isn’t really something worth being paranoid about regarding CSRF or other types of attacks, or maybe it is; it’s up to you to judge that. But a web-based email or online shopping website definitely is.

So it’s really important for web developers to take this issue into consideration when developing web applications, even knowing that it will only fix one hole in a net (the HTTP protocol wasn’t designed for this). You can find some measures to protect your website against CSRF in Jeff’s article. Users should also be aware of these threats when using web sites or applications that hold sensitive and personal content, because relying on every web developer’s security expertise is putting themselves at risk.
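To make the forum scenario concrete, here is an added example (not code from the original post) that simulates the server side: a persistent “remember me” session, a handler that trusts the cookie alone, and a hardened handler that also demands a per-session anti-CSRF token that only a page served by the forum itself can know. The store, handler names and form fields are all constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session record
SESSIONS = {}

def login(user, remember_me=False):
    """Issue a session cookie. 'remember me' only makes the cookie long-lived;
    it does not change how the handlers below trust it."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),  # rendered into the forum's own forms
        "persistent": remember_me,
    }
    return cookie

def post_vulnerable(cookie, form):
    """Trusts the cookie alone: whoever makes the browser send it acts as the user."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    return 200, f"posted as {session['user']}: {form['body']}"

def post_hardened(cookie, form):
    """Also requires the session's token, compared in constant time."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or wrong CSRF token"
    return 200, f"posted as {session['user']}: {form['body']}"

def simulate():
    """Return the status codes each handler gives to a same-site and a cross-site form."""
    cookie = login("alice", remember_me=True)
    # A form on the forum itself: the page carried the token, so the browser submits it.
    own_form = {"body": "hello", "csrf_token": SESSIONS[cookie]["csrf_token"]}
    # A form on some other site: the browser still attaches alice's cookie,
    # but that site never saw her token, so the field is absent.
    foreign_form = {"body": "not written by alice"}
    return {
        "vulnerable_foreign": post_vulnerable(cookie, foreign_form)[0],
        "hardened_foreign": post_hardened(cookie, foreign_form)[0],
        "hardened_own": post_hardened(cookie, own_form)[0],
    }
```

The tab being open or closed makes no difference to either handler; only the second one stops the cross-site submission.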

hashr 0.2 for Firefox

hashr logo

I’ve released the second version of the hashr extension for Firefox. This version is a major code fix, since the previous version, 0.1, had global variables and functions declared in a way that could conflict with other extensions or sites.

This problem in the code was detected by a sandbox reviewer at the Mozilla add-ons site. Because of this problem, the extension is still held in the sandbox. Now it’s fixed: the functions and variables live in their own namespace, avoiding conflicts. So it will probably be out of the sandbox soon :)

Users of hashr should update quickly. You can update from the hashr homepage, or from the Mozilla add-ons site (requires login while in the sandbox).

I’ve also received by e-mail some suggestions to implement or change things in hashr. They aren’t forgotten; it’s just too soon to release them.

How to add some style to your Ubuntu

Usually I don’t like to waste time tweaking the looks of Ubuntu. But this time I found a theme from Intrepid Ibex that was being tested and planned to be the default theme in 8.10 (not anymore).

I have always looked for a dark theme for Ubuntu, but the ones I found always had a little detail that would look ugly in some application. This one seems to be perfect. Here’s a screenshot:

ubuntu dark theme

To get this theme you just need to add the following line to your /etc/apt/sources.list file:

deb http://ppa.launchpad.net/kwwii/ubuntu hardy main

Now update aptitude and you will have new packages to install. After installing those packages, just go to the theme selector and select the newly installed theme. The theme also includes some Vista-like sounds.

Script to detect and run gksudo or kdesudo in Linux

If you are developing a Linux GUI application that requires root privileges, and you want it to be runnable in both the KDE and Gnome desktop environments, this script solves the problem by detecting which of the graphical sudo commands is installed on the system and then running your application with the available one:

#!/bin/bash

# searches $PATH for an executable with the given name;
# returns 0 (success) if found, 1 otherwise, so it can be used directly in "if"
findCmd () {
     temp=1
     auxIFS="$IFS"
     IFS=:
     for d in $PATH; do
          case $d in '') d=. ;; esac     # an empty PATH entry means the current directory
          if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
               temp=0                    # found: success exit status
               break
          fi
     done
     IFS="$auxIFS"

     return $temp
}

# now let's run the found command (note: no spaces around "=" in a shell assignment)
_sudo=
if findCmd gksudo; then
     _sudo=gksudo
elif findCmd kdesudo; then
     _sudo=kdesudo
else
     _sudo=sudo                          # fall back to plain sudo on a terminal
fi

"$_sudo" yourApp   # change "yourApp" to your app's command

This way you can support running privileged applications on both desktop environments. There are other ways to do this, but this is a quick and dirty one.

Update: As João Craveiro mentioned in a comment, this might not work as expected when both desktop environments are installed.

How to deal with SSH brute-force attacks

Anyone who has an SSH server running on the default port (22) knows that every day, hundreds or sometimes thousands of break-in attempts are written to the logs. Some are from fully automated bots, others from possible human attackers, scanning one target at a time.

How is this done? It’s pretty simple. It’s just a program that tries the user root, or a dictionary of possible usernames, against a dictionary of possible passwords. If your password is in that dictionary, it’s game over for you.

There are many ways to protect against this, like blacklisting an IP address after a defined number of failed attempts. But you can always try to have some fun with it. This article is kind of old, but it’s worth taking a look.

By changing the source code of the OpenSSH server, adding a sleep(10) instruction in the authentication code, you can make anyone desperate trying to break into your box.

Check it here.
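The blacklisting approach mentioned above, as an added example that is not part of the original post: it reads sshd log lines, extracts the source of every failed password attempt, and flags any address that crosses a threshold of failures inside a sliding time window. The log lines, year, threshold and window are constructed for illustration; the output is a list to feed a firewall rule, not the rule itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (documentation IP ranges, not real hosts)
SAMPLE_LOG = """\
Oct  5 03:12:01 box sshd[2131]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct  5 03:12:03 box sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Oct  5 03:12:05 box sshd[2140]: Failed password for root from 203.0.113.7 port 51140 ssh2
Oct  5 03:12:09 box sshd[2151]: Accepted publickey for alice from 198.51.100.2 port 40022 ssh2
Oct  5 03:15:00 box sshd[2160]: Failed password for alice from 198.51.100.2 port 40030 ssh2
Oct  5 03:40:00 box sshd[2170]: Failed password for alice from 198.51.100.2 port 40031 ssh2
"""

# Matches both "Failed password for root ..." and "... for invalid user admin ..."
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_failures(text):
    """Yield (timestamp, username, source_ip) for every failed password attempt."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; 2008 is a constructed placeholder
            ts = datetime.strptime("2008 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_bruteforcers(text, threshold=3, window_seconds=600):
    """Return {ip: time} for sources with >= threshold failures inside any window_seconds span.
    A typo-prone legitimate user (few failures, far apart) stays below the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # first moment this source crossed the threshold
    return flagged

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {when:%H:%M:%S})")
```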

Mac in Portuguese train stations?

I just came from the train to work, and I saw something very unusual. In one of the train stations (Queluz/Belas), one of the information screens had a Mac blue screen of death (I don’t really know the official name of the error screen in OS X; if you know, feel free to leave a comment).

Unfortunately I don’t have pictures of it because the light wasn’t enough to get a clear shot.

Update: I forgot to mention that the thing that’s supposed to be unusual is not the kernel panic itself, but the fact that Portuguese train stations are using Macs.

OpenDNS

openDNS

Since the day the DNS security flaw was disclosed and my ISP (Sapo ADSL) applied the patches, I started to notice that DNS resolution got very slow. I checked the support page from Sapo, and no changes had been made. The same two DNS servers were being used, and ironically, after pinging the second, I realized that it was “dead”. I also tried to call support to ask them wtf was going on with their DNS servers, but the operator didn’t seem to be very comfortable with the term DNS, so I just gave up. Time to change.

I’d heard about OpenDNS, a free worldwide DNS service, fast, reliable and secure. I had to check it out. I just configured my router to use the new DNS IP addresses, rebooted it and voilà. Browsing speed was back, better than ever.

So now, after about 2 months of use, I can only recommend it. You can even register to access some more detailed options, like content filtering and stuff like that. And when you surf to a URL that doesn’t exist, instead of getting the normal browser message that the website is down, you are redirected to a suggestions page by OpenDNS.

Here’s everything you need: these two IP addresses in your router / internet connection settings:

Primary server: 208.67.222.222
Alternative server: 208.67.220.220

Chrome - The Google browser

Just when things were starting to get exciting in Mozilla Firefox, Google shows up with an internet browser that seems to be a great improvement over current browsers.

chrome

So here it is, Chrome running on my computer. I booted up Vista on purpose just to try Chrome out, and I don’t regret it. I just can’t wait for the Mac and Linux versions!

The best thing about this new browser is the interface, pure simplicity the Google way. And this is nothing compared to the way the browser deals with tabs. Each tab is one process, with its own address space, which theoretically leads to great stability and no memory leaks (Firefox’s biggest problem, now improved in version 3).

And to leave you drooling all over your keyboard, Google released a 39-page comic book explaining every aspect behind Chrome. Check it here.

So this browser seems to be the best of both worlds. It’s based on WebKit, just like Safari, and I liked Safari because of its fast rendering. And it’s open source, just like Firefox. The one thing that’s missing for now is support for extended functionality (extensions / plugins) and Linux and Mac versions (coming soon). Well… they could also change the icon, because it’s ugly in my opinion.

Enough talk. Try it here!