Older blog entries for Stevey (starting at number 94)

15 Mar 2003 (updated 15 Mar 2003 at 21:08 UTC) »

 My patched version of Advogato's code, mod_virgule, should be hitting Debian unstable shortly.

 Now I've got to finish the two articles I've been working on for the past week. One was on the type of articles that people would like to see posted here - but after reading this I think that's doomed.

 The more topical article is about website security. Over the past week or two I've been involved with diagnosing and reporting scripting vulnerabilities with several large sites, including Livejournal.

 Some of these sites have acknowledged the problem(s) and fixed them, others have been silent, or offered replies saying "yes we'll fix this soon. honest. But if we don't can you keep quiet anyway?"

 I don't think the piece will reveal anything shockingly new to CGI programmers, and the intended article will probably not be read by the appropriate audience anyway .. but I'd still feel good if I wrote it.

 The summery is probably "Javascript + cookies = bad"

 Oh and after reading the source to the site, here's a fun link:



 I've spent more time testing my Debian package of the Advogato code. So far it's looking good, barring bugs I'll upload it upon Monday.

 I've been thinking about posting another article, but I haven't quite got the courage. My last one appeared to get more criticism than anything - making me think that a lot of people had missed the point.

 I found it interesting that I got more email comments than posted comments - I wonder how common that is?

 (Essentially my article would be "What kind of articles would we like to see here?" explored. Comment in advance?)


 I've been hacking upon the LiveJournal code, and having a great time.

 One thing I dislike about this site is that if you're away for a week or more you lose track of whats happening with people - recentlog doesn't allow you to go backwards, and commenting upon journals directly isn't possible.

 Ideally you should be able to be told/mailed when your name is mentioned in the recentlog, that way you wouldn't miss "conversations" which occur....


 I have been an ex-smoker for 23 hours and 24 minutes.

 Wish me luck...


 After posting the recent patch for reminding users of their passwords I've been looking over the code a bit more.

 Generally I'm quite impressed by it, but I can't help thinking that the account creation for the site is wrong somehow.

  • Email addresses are never validated.
  • Plaintext passwords are stored in the database.

 These aren't huge concerns, but it's still troubling to see a prominent site using non-validated logins.

 In other news I've submitted an "intent to package" bug against Debian to package the code behind this site, and add it to Debian.

 Basic packages are available now, but the require testing and hammering before I upload..

Advogato Password Remailor

 OK so after a weeks holiday I'm bored, I wanted to spend a few hours hacking something interesting.

 Browsing through the Advogato site it suddenly struck me, I could download the code to the site, and implement the password reminder functionality that a lot of people would like.

 So I grabbed the latest CVS sources to mod_virgule, and started prodding.

 Installation was very straightforward, and understanding the code was fairly simple too - the only area I had confusion in was the XML stuff.

 Anyway.. it is done.

 I've added a new checkbox to the 'login' page, "I've forgotten my password", and code to lookup your email address, and mail you your password.

 How it works:

  1. Add an 'I forgot my password' checkbox to the login page.
  2. At login time look for this being set, if it is :
    • Make sure the account exists - or error.
    • Find the email address for the account - or error.
    • Find the password for the account - or erro.
    • Mail it to the user - or error.
    • Inform the user the mail has been sent.

 Comments are welcome, as is pointers to better ways to make the changes, and etc.

 I hope this atones for my past sins ;)

 Code is available:

Philips Webcam

 After the success at using the pwc drivers for my existing webcam I decided to base my next webcam purchase upon the list of models it supported.

 Looking through amazon to add a model to my wishlist I found the PCVC720 model which is supported either by the PWC drivers or the OV511 drivers. (Apparently there are two flavours of this model).

 So I added it to the list, and waited for my lovely friend to pay for it :)

 When it turned up I was pleased to see that it's the newer model, as supported by PWC.

 Unfortunately when I tried to use it I soon discovered that it was not supported. Oops.

 Not wanting to disapoint my lady friend who was expecting to see me up close and personal .. I looked over the source, and came up with the following patch to make it run.

 Minor change I know .. but I was pleased - I only got one kernel panic whilst making changes!

The things people say:

 I just received the following email:

From: "Claire "
To: Me
Subject: Serious GNUMP3d security vulnerability

Ha ha ha! Just kidding!

I crack me up.

 For a second reading the title I was worried, then I saw the message and I just about killed myself laughing.

 I guess I shouldn't but.. please

 I wonder if anybody else had received something like this before?

Brain Wave!

 I've just had one of those brainwave moments where you realise the solution to a problem - then kick yourself for not seeing it before.

 It's at moments like these where I feel a combination of pride and humbleness. Life is good.

The Problem

 For those that are interested - the problem and my cunning solution.

 I've been working on an MP3 server, which has been almost discussed to death here.

 Anyway there server presents an interface to the music assessible through a web browser, along with a preferences page.

 Many users want to be able to choose the bitrate of the songs they listen to via the preferences page - but I've always said "No that can't work".

 Essentially the problem is that the user may set preferences which will be stored as cookies, but when a playlist is generated the users MP3 player will make the requests for the songs, and not send cookie information - meaning that bitrates cannot be set.

 I just realised that I can do better than this; when the server is asked for a playlist it can alter what is sent to the user, such as:


 The MP3 player will request 'file.mp3-low' and at this point the server knows that "file.mp3" exists, so it can do the downsampling in "low" mode and send it to the player.

 Problem solved.


 Well my LiveJournal Valentine System has finished now.

 The stats are quite impressive - from Monday's start of one user I'd got 3742 at 12:01PM on Friday.

 Watching the users and matches grow was very rewarding, and I'm happy the that machine and network handled the load - despite my suboptimal code.

 I've now become much more interested in the spread of memes - after watching the site get named-checked in an ever-expanding circle of communities.

 I'm working on plotting a graph showing the spread of referrers back to the single start point - it's a little tricky to represent well, but I figure an unbalanced tree would be a good aproximation..


 I've had a LiveJournal account for the past few months, ever since I received an invite code from ciphergoth.

 After recently spotting a community dedicated to the posting of anonymous Valentine accouncements I was inspired to create a more automatic system.

 What I created is essentially a database based double-blind system.

 You nominate (up to) three LiveJournal users, and if any of those nominate you back you're both sent a nice "You have a Valentine match" email.

 This is the first time I've used the Perl DBI to interface with MySQL, previously I've used PHP.

 I have to say, though that it rocks - very simple to understand, and very easy to work with. Kudos to the Perl DBI people.

LiveJournal Valentine System

 So .. if you're a LiveJournal user give it a go:


 Things have been progressing nicely with the project, it's been recoded entirely in perl now, which has resulted in some speedups, and some slowdowns.

 Given than the server is usually Network/IO bound it's not had a massive effect, so I feel the decision to change was justified. (It runs under windows too now!)

 I discovered via a random email that the program/project had recieved a namecheck in the German Linux User magazine. Unfortunately I cannot find any mention of this upon the website, and I don't know anybody in Germany who could provide a synopsis of it's mention.

 It's almost time for a new release.. :)


 I love the 'apt-listchanges' package, and spent a while trying to see if there was a simple way to code something similar 'apt-warn-setuid'.

 The idea is that after a package is installed it would warn you if any setgid/setuid binaries had been installed.

 To be honest I'm not sure of the value, but it did strike me as an interesting thing to have for a day or two. I was too busy at work to do anything with the idea though..


 I setup Netsaint at work - to monitor all of our servers. (Yes I realise it's called Nagious now; but the Debian package is still named Netsaint).

 It's a lovely piece of software, but it can be a little bit intimidating to setup for the first time.

 One thing I'm having problems with is false warnings - especially with the ping test.

 Quite often I've received emails of the form:

Machine FOO is WARNING: Ping package loss 0.0% Time 17.0ms

 So .. no packet loss, and an acceptible ping time - why's that a warning? I'm confused by this at the moment; I'll have to read more of the, comprehensive, documentation I guess.

85 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!