00:00.56 | optikal | bbiab.. heading home |
00:01.03 | beandog | Do you work at Linux Networx? |
00:01.20 | macnewbold | oh, were you talking to me? no, I don't work there |
00:02.15 | macnewbold | we do have some members who work there though, which is how we got to use the building |
00:02.23 | wps | _had_ |
00:02.41 | wps | he moved |
00:02.44 | macnewbold | doh |
00:02.49 | macnewbold | so how are we still doing it there? |
00:03.03 | wps | two other employees like us though and were willing to support us |
00:03.10 | macnewbold | oh, good :) |
00:04.59 | tierra|w | I better head out from Bountiful... not sure what traffic is going to be like... |
00:06.39 | beandog | so where do we go once we reach the building anyway |
00:06.42 | beandog | are there gonna be signs? |
00:06.46 | beandog | "donuts this way" |
00:07.16 | wps | the room is right on the outside wall of the building and has large windows |
00:07.24 | wps | you can see everyone when you pull up |
00:07.55 | beandog | ok coo |
00:16.28 | macnewbold | okay, last chance for a quick vote: all in favor of donuts, say "aye" |
00:17.27 | dataw0lf | aye. |
00:17.45 | wps | aye |
00:18.15 | fungus | aye |
00:18.44 | macnewbold | looks like the ayes have it |
00:18.54 | macnewbold | how many do we need, wps? |
00:19.09 | wps | it's a really hard call, as we never know how many are coming |
00:19.10 | macnewbold | two dozen enough, you think? |
00:19.22 | wps | yes |
00:19.25 | macnewbold | k |
00:19.46 | macnewbold | hopefully the five of us in my car won't make too many disappear before we arrive :) |
00:20.59 | macnewbold | k, dataw0lf rides in the back, and the donuts ride in the front |
00:20.59 | macnewbold | hehe |
00:20.59 | dataw0lf | hehe |
00:25.04 | *** part/#uphpu fungus (~fungus@firebat.aros.net) |
00:27.08 | beandog | aye |
00:27.25 | beandog | If I had more than $2 in my bank acct, I'd bring some myself. |
01:06.13 | *** join/#uphpu optikal (~optikal@c-24-10-198-60.client.comcast.net) |
02:00.23 | *** join/#uphpu usynic (~synic@c-67-172-242-219.client.comcast.net) [NETSPLIT VICTIM] |
02:04.48 | *** join/#uphpu wps (~wps@66.239.25.55.ptr.us.xo.net) |
02:04.51 | *** mode/#uphpu [+o wps] by ChanServ |
02:17.16 | *** topic/#uphpu by wps -> Meeting underway... you're missing the donuts |
04:26.12 | *** join/#uphpu tierra|h (tierra@c-67-166-119-150.client.comcast.net) |
04:49.20 | dataw0lf | Nice meeting gentlemen. |
04:49.28 | dataw0lf | Excellent presentation macnewbold. |
04:49.33 | dataw0lf | Now, time to watch the Shining. |
04:53.07 | *** join/#uphpu spiderbiter (~spiderbit@38.119.177.194) |
04:54.23 | tierra|h | that was a good presentation |
04:55.55 | spiderbiter | yeah |
05:00.04 | *** join/#uphpu wps (~wps@208.186.134.102) |
05:00.14 | *** mode/#uphpu [+o wps] by ChanServ |
05:00.46 | *** topic/#uphpu by wps -> Utah PHP Users Group | uphpu.org |
05:04.21 | spiderbiter | wps, warm up to regexp any tonight? |
05:04.32 | wps | actually yes, a little |
05:05.06 | tierra|h | *eat |
05:05.29 | spiderbiter | I've always been impressed by them, but a perpetual beginner none the less |
05:06.48 | spiderbiter | they get kinda fun when you get the hang |
05:22.59 | usynic | I guess macnewbold is still gone? |
05:23.07 | usynic | anyone know what he found out about the md5 stuff? |
05:26.34 | wps | I am not sure what the gentleman was trying to describe or what he had read/heard/used, but... |
05:26.55 | wps | there is no way that you decrypt an MD5 like he was trying to describe |
05:27.04 | wps | if there was, we would know about it |
05:27.26 | wps | I am not saying that it is impossible, but simply that it isn't right now |
05:27.35 | dataw0lf | I assure you that there isn't one right now. |
05:27.48 | dataw0lf | not public nor on.. the other side... *duh duh duuuh* |
05:28.07 | wps | MD5 is used everywhere and would be dropped in a heartbeat if it was not secure |
05:28.20 | usynic | I'd still be interested to read/hear what he thinks he saw |
05:28.30 | wps | I would as well, usynic |
05:28.46 | usynic | *shrug* |
05:28.51 | wps | I am willing to bet that he was either misinformed or was not expressing himself clearly |
05:28.55 | dataw0lf | I'm sure he read something. |
05:29.02 | dataw0lf | but I don't think he was describing it correctly. |
05:29.23 | wps | yeah |
05:30.04 | wps | sounds like both of you were there... who is who? |
05:30.26 | usynic | I was sitting in the back row with the camo shirt. |
05:32.05 | wps | cool |
05:32.10 | wps | glad you were able to make it to the meeting |
05:32.35 | spiderbiter | It was a good meeting |
05:32.47 | wps | indeed |
05:32.47 | spiderbiter | even the basics are good to review sometimes |
05:32.56 | wps | yeah |
05:33.38 | usynic | who are you spiderbiter ? |
05:34.22 | spiderbiter | I was the punk making most of the comments |
05:34.55 | usynic | heh, not sure which punk that was |
05:34.59 | spiderbiter | about regexp and windows not being posix |
05:35.16 | usynic | ah |
05:35.24 | spiderbiter | (Although I admit I don't know what the real def of POSIX is) |
05:35.38 | wps | he was in the middle... on the right side of the aisle... on the same row as me (I think) |
05:35.46 | spiderbiter | yeah |
05:37.58 | dataw0lf | hm. |
05:38.03 | dataw0lf | the only one I met was macnewbold. |
05:39.18 | usynic | night. |
05:39.23 | spiderbiter | later |
05:39.32 | dataw0lf | g'night |
05:41.02 | dataw0lf | wps: oh, sorry, I was the guy with the tan hat. |
05:41.13 | dataw0lf | you know, the sexy guy sitting in the back. |
05:42.12 | spiderbiter | I don't know about anyone else, but that don't help me any ;-) |
05:43.24 | dataw0lf | oh, sorry. |
05:43.29 | dataw0lf | the really, really sexy guy in the back. |
05:44.35 | dataw0lf | http://www.linuxsecurity.com/content/view/117941/65/ |
05:46.45 | spiderbiter | is this the alternative to locking down your wireless network? |
05:47.06 | spiderbiter | or is wireless that unsecure? |
05:47.18 | dataw0lf | yeah, wireless is pretty insecure. |
05:47.23 | dataw0lf | even with precautionary measures. |
05:48.35 | dataw0lf | with almost any type of new / semi new technology, exploits > security for some while. |
05:48.42 | dataw0lf | and that's certainly the case with wireless. |
05:48.55 | spiderbiter | paint seems to be a pretty silly solution |
05:49.07 | dataw0lf | Yeah, that's pretty funny. |
05:50.05 | spiderbiter | I don't worry about my wifi too much |
05:50.13 | spiderbiter | just mac filters, I think |
05:50.36 | dataw0lf | yeah, most people don't. |
05:51.08 | dataw0lf | basic security measures will keep wardrivers at bay for personal wifi. |
05:51.24 | spiderbiter | I tried WEP, but it exposed incompatibilities in my hardware |
05:51.54 | dataw0lf | huh. |
05:51.57 | dataw0lf | what wifi card you got? |
05:52.20 | spiderbiter | a cheap dlink from long ago |
05:52.26 | dataw0lf | ah. |
05:52.34 | dataw0lf | I hate linksys. |
05:52.36 | dataw0lf | wmp54g etc |
05:52.46 | spiderbiter | then I got an Orinoco, but I think I broke it |
05:53.04 | dataw0lf | I have an orinoco on my laptop but I'm having major issues getting it working right now. |
05:53.53 | *** join/#uphpu xilch|h (~xilch@c-67-166-119-0.client.comcast.net) |
05:54.20 | dataw0lf | howdy ho xilch. |
05:54.42 | spiderbiter | does anyone make any good "I play well with others" WIFI hardware? |
05:55.08 | spiderbiter | at consumer grade prices |
05:55.58 | spiderbiter | I have DLink and LinkSys routers |
05:56.25 | dataw0lf | I've heard good things about NetWaves. |
05:56.28 | tierra|h | this was the recent news with MD5, but it had nothing to do with what that guy was mentioning |
05:56.29 | tierra|h | http://developers.slashdot.org/article.pl?sid=04/12/07/2019244&tid=93&tid=172&tid=8 |
05:57.03 | dataw0lf | yeah, I've read that. |
05:57.39 | tierra|h | he might have been talking about this: http://passcracking.com/ |
05:58.32 | tierra|h | ~28.3 Gb (rar compressed) |
05:58.34 | tierra|h | .... |
05:59.16 | dataw0lf | that isn't news though, that was on Slashdot like a year ago or something. |
06:00.01 | tierra|h | yeah |
06:00.28 | tierra|h | and it's _very_ limited |
06:01.19 | dataw0lf | I bet zero_0 downloaded it. |
06:03.30 | xilch|h | dataw0lf: I downloaded it |
06:03.43 | xilch|h | dataw0lf: and I'm hacking you with it right now |
06:04.19 | xilch|h | dataw0lf: did you notice that screen I put up on your box that looks like your desktop? |
06:04.43 | xilch|h | I'm mad l337 - not anyone could do that |
06:04.47 | dataw0lf | hey, I'll give you the first three characters of my encrypted root password, just to help you out. |
06:04.49 | dataw0lf | you ready? |
06:04.51 | dataw0lf | $ |
06:04.52 | dataw0lf | 1 |
06:04.54 | dataw0lf | $ |
06:04.57 | dataw0lf | oOo |
06:05.04 | dataw0lf | bet you couldn't have guessed that |
06:05.17 | xilch|h | I thought it was |
06:05.18 | xilch|h | G |
06:05.19 | xilch|h | O |
06:05.20 | xilch|h | D |
06:05.57 | dataw0lf | no, that's my middle name. |
06:06.01 | xilch|h | lol |
06:08.03 | dataw0lf | damn, the Shining is scary. |
06:08.33 | xilch|h | dataw0lf is a dull boy |
06:08.50 | dataw0lf | yeah, until Sunday when Roxie gets back from Oregon. |
06:09.08 | xilch|h | all jerk and no lay makes xilch a dull boy |
06:09.53 | xilch|h | for some reason, one of my favorite parts is when he is bouncing the tennis ball |
06:10.00 | dataw0lf | just got past it |
06:10.35 | dataw0lf | I wish Kubrick could've stuck to the book a bit more though. |
14:24.04 | *** join/#uphpu wps (~wps@208.186.134.102) |
14:24.14 | *** mode/#uphpu [+o wps] by ChanServ |
15:05.24 | *** join/#uphpu optikal_ (~optikal@67-40-118-81.slkc.uswest.net) |
15:16.41 | *** join/#uphpu drewbono (~andrew@67.137.25.66) |
15:20.21 | *** join/#uphpu wps (~wade@166.70.209.92) |
15:20.25 | *** mode/#uphpu [+o wps] by ChanServ |
15:23.17 | optikal_ | morning |
15:23.29 | optikal_ | doh, looks like i left myself online at home last night -- heh |
15:37.32 | *** join/#uphpu bigdog_ut (~bigdog_ut@166.70.34.182) |
15:37.32 | *** mode/#uphpu [+o bigdog_ut] by ChanServ |
15:38.55 | bigdog_ut | mornin' all |
15:40.57 | macnewbold | mornin |
15:41.30 | wps | Zzzzzz... Zzzzzz... |
15:47.23 | optikal_ | morning |
15:49.22 | macnewbold | So is everyone still here who was wondering about the md5 thing? |
15:49.42 | macnewbold | You were right, it is www.passcracking.com |
15:49.49 | optikal_ | aaah |
15:49.52 | wps | we had a little discussion about it last night after the meeting |
15:49.54 | optikal_ | I was wondering about that |
15:50.06 | optikal_ | Never heard the after-discussion, I had to take off right after we ended. |
15:50.40 | macnewbold | they've got 64GB of data in order to crack passwords up to 14 chars in length in just a few minutes |
15:50.46 | macnewbold | _however_, here's the catch: |
15:50.53 | macnewbold | it only works on _unsalted_ passwords |
15:51.06 | macnewbold | which means windows only, cause windows made a very poor security decision |
15:51.35 | macnewbold | all unix boxen AFAIK use salt on their passwords |
15:51.42 | optikal_ | yeah |
15:51.46 | optikal_ | heh |
15:52.00 | optikal_ | I knew 1) Was a heck of a catch or 2) The homeboy was mis-informed |
15:52.09 | macnewbold | basically, salt is a random char or two, so that the same password may have one of 256 or 65,000 different hashes |
15:52.12 | macnewbold | depending on the salt |
15:52.59 | macnewbold | In order to do salted passwords with 1 byte of salt, they'd need 64GB*256 = 16,000GB = 16TB |
15:53.02 | macnewbold | all on one box |
15:53.17 | macnewbold | and it would spend so much time reading from disk that it would probably get impractical |
15:53.31 | optikal_ | yeah |
15:53.40 | optikal_ | crazy |
15:53.49 | optikal_ | good infos tho, thanks for the initiative |
15:53.54 | macnewbold | if you've got 2 bytes of salt, it's not 16TB, it's 4096TB |
15:54.26 | macnewbold | The only type of password file they talk about cracking is LanManager files |
15:54.31 | wps | so you were right, mac? the way that they are doing it is just by having a massive database of options and running through looking for a match? |
15:55.03 | macnewbold | more or less... the precompute part of the results of the cracking |
15:55.16 | macnewbold | if there's no salt in the hash, then you can do that and be successful |
15:55.25 | macnewbold | that was already well known, which is why they add salt |
15:56.01 | optikal_ | yah. salt adds flavah. |
15:56.06 | macnewbold | s'right |
15:56.32 | wps | because the gentleman last night was saying that there was no comparing done... no database or records... that it "just did it" |
15:56.34 | macnewbold | the huge limitation is that anybody with a brain won't be storing passwords without salt. Apparently LanManager doesn't have a brain. |
15:56.46 | wps | what is LanManager? |
15:57.06 | macnewbold | yeah, he didn't read the whole page. Even the abstract of the paper they published on the algorithm gave away all the details. |
15:57.21 | macnewbold | LanManager is or was an old networking protocol, IIRC |
15:57.21 | bigdog_ut | but are we still talking md5 hashes or passwords? |
15:57.23 | macnewbold | ~lanmanager |
15:57.37 | *** join/#uphpu mindjuju (~mindjuju@63.226.104.67) |
15:57.49 | bigdog_ut | dataw0lf, you around? |
15:57.55 | macnewbold | bigdog_ut: you give them an md5 hash (unsalted) and they'll give you back a password in a few seconds or minutes, with a really high (over 99%) success rate for passwords up to 14 chars |
15:58.17 | macnewbold | but here's the catch: nobody uses unsalted passwords |
15:58.17 | macnewbold | so it's practically useless |
15:58.24 | bigdog_ut | or unsalted md5 sums? |
15:58.50 | wps | so if it is practically useless... why do you think these people have spent so much time on it? |
15:59.24 | mindjuju | sorry, joining the conversation late, what is the difference between salted and unsalted md5 hash? and when you md5(str); is that generating a salted or unsalted hash? |
15:59.27 | macnewbold | md5 sum, md5 hash, I use them interchangeably. What's the difference you're talking about? |
15:59.40 | macnewbold | mindjuju: every md5() I know of uses salt |
16:00.09 | macnewbold | they add one or two random bytes at the beginning, so that same pass with different salt gets different hash |
16:00.23 | macnewbold | so you can't do what they're doing: precompute hashes, and just look up the hash they give you :) |
16:01.04 | macnewbold | without salt, if I use the same password on two accounts, they'll get the same hash, and you'd immediately be able to tell that they use the same password |
16:01.22 | wps | so what do you think the goal of that project is then, Mac? |
16:01.41 | macnewbold | If they wanted to redo all their precomputation for a particular salt value, they'd be able to do the same thing for any hash that used that salt. |
16:01.48 | wps | are they just dumb enough that they don't realize that it doesn't work? or do they have some other goal in mind? |
16:02.54 | bigdog_ut | i think it is the math behind they are interested in |
16:03.04 | bigdog_ut | if they have the money for that type of system |
16:03.04 | optikal_ | Assuming from the name of the domain... hehe |
16:03.21 | wps | so... if I run MD5() on a Microsoft Windows server, it is not salted? but if I run it on any other system, it is salted? |
16:03.52 | macnewbold | wps: it works on dumb password files only |
16:04.02 | macnewbold | but there still are a few things that use such files |
16:04.07 | macnewbold | like LanManager, apparently |
16:04.07 | optikal_ | yeah. any new day language that does md5, salts |
16:04.26 | macnewbold | salt is a principle that's been around for decades |
16:04.35 | macnewbold | why lanmanager didn't use any is beyond me... |
16:05.01 | optikal_ | yah. that site isnt even worth remembering, it'll never come to use in my upcoming days. |
16:05.01 | bigdog_ut | i dont salt...i just pepper |
16:05.03 | macnewbold | this is an attack that they knew would be possible even before they invented MD5 |
16:05.08 | optikal_ | mm.. pepper. |
16:05.14 | macnewbold | they're not worried about it because it's so impractical |
16:06.02 | macnewbold | if you assume a character set of 90 chars (alphanumeric=62, plus various punctuation marks) |
16:06.03 | optikal_ | Thanks again for last night.. sharpened up my RE and Regex a bit. =) |
16:06.51 | macnewbold | there are 531 Billion possible passwords |
16:07.35 | mindjuju | yeah, mac, good lesson last night, learned a lot about strings |
16:08.10 | macnewbold | but with 2 bytes of salt, those 531 billion passwords have 34,800 Trillion (24 quadrillion?) possible hashes |
16:08.37 | macnewbold | that's just a 6-char password. not even _up_ to 6 chars |
16:08.53 | macnewbold | and the 7 char passwords date have 90 times as many options |
16:09.48 | macnewbold | even 1 char passwords with 2 bytes of salt have 6 million possible hashes |
16:10.11 | wps | here's a question: how would one obtain the hash of someone's password? |
16:10.12 | macnewbold | 2 char password: 530 million hashes |
16:10.39 | macnewbold | wps: in unix/linux, they usually keep the hashes in a password file only accessible to root |
16:10.39 | optikal_ | access to the database |
16:10.39 | optikal_ | or the pwd file |
16:10.48 | wps | right, so how would a hacker get it? |
16:10.51 | macnewbold | so in practice, it means you hack the database or the password file, by getting root access |
16:11.07 | macnewbold | or for a database, less than root may be sufficient, like the www user |
16:11.26 | optikal_ | wps: find a security hole/leak to overflow as root.. but there are hundreds of other possibilities |
16:11.28 | macnewbold | but if you broke into the box, you don't need passwords anymore :) |
16:11.43 | wps | that's kind of what I was thinking :) |
16:11.46 | optikal_ | most "hackers" dont mess around with cracking passwords |
16:12.19 | optikal_ | Any real admin has at least a 10+ character alphanumeric, case sensitive password... and that can get pretty interesting. |
16:12.24 | macnewbold | yeah, about all you can get with a cracked password is to log in to their account somewhere else that uses the same password |
16:12.32 | macnewbold | which is pretty common |
16:12.44 | macnewbold | and with log files on the box you hack, you can see where they log in from |
16:13.05 | macnewbold | once you've got user access, you just need to know about some exploit in the OS or software they run, and you'll get root |
16:13.12 | macnewbold | then you've got more password hashes :) |
16:14.30 | macnewbold | btw, wps, I've got my slides updated with the stuff I forgot to put in for last night, and added a couple of slides (one on the modifiers for parens, for non-capturing and lookaheads, and one at the end going over the examples we finished with) |
16:14.37 | macnewbold | how should I post them on the site? |
16:14.59 | macnewbold | later today I'll have a text and/or html version(s) of the slides too |
16:15.17 | macnewbold | has dave sent the audio recording over yet? |
16:15.18 | wps | there currently is not a way for anyone to upload to the site (no FTP server running, for security reasons) |
16:15.31 | wps | he said he'd have it to me in a couple of days |
16:16.14 | macnewbold | cool |
16:16.24 | wps | so, the easiest thing would be for you to either toss it on a server for me to download from or to email it (preferring the preferring as I don't like attachments) |
16:17.35 | wps | man, that didn't make sense |
16:17.42 | macnewbold | I got what you mean |
16:17.46 | macnewbold | and I wasn't even going to tease you about it |
16:17.50 | wps | so, the easiest thing would be for you to either toss it on a server for me to download from or to email it (preferring the former as I don't like attachments) |
16:18.37 | macnewbold | yeah |
16:18.40 | macnewbold | I can do that |
16:20.59 | optikal_ | Why run through unsecure FTP anyways? SCP is the ticket |
16:20.59 | macnewbold | amen |
16:20.59 | macnewbold | even sftp is nice though |
16:20.59 | optikal_ | yeah of course |
16:21.11 | wps | that's what I said... that I don't even have FTP installed on the server (for security) |
16:21.18 | macnewbold | yeah, keep it that way :) |
16:21.23 | wps | SSH or SCP is the only way to access the box |
16:21.24 | wps | yup |
16:21.31 | wps | FTP is junk |
16:21.48 | wps | well... not necessarily junk... it is fast |
16:21.53 | macnewbold | so's scp |
16:22.00 | optikal_ | aah. I thought you were saying FTP is not installed, and that it arises a problem getting files on the server.. Im thinkin "hmm.. okay" |
16:22.01 | optikal_ | heh |
16:22.20 | wps | scp is my best friend |
16:22.34 | wps | well, second best friend (my wife is first) |
16:23.00 | wps | scp and a key on the remote server and you are in file transfer bliss |
16:23.38 | wps | I love being able to scp between two remote machines |
16:23.56 | optikal_ | yeah |
16:24.02 | macnewbold | doh... the ppt version I uploaded this morning ended up being the .ppt.lnk file on my desktop instead of the real .ppt, cause I was in such a hurry |
16:27.39 | wps | sorry I forgot to announce the bit about the publication coordinator at the meeting last night, mac |
16:28.07 | wps | Someone did finally contact me this morning expressing interest in however. |
16:28.17 | wps | he was looking for more information |
16:28.22 | wps | I forwarded my response to the group |
16:28.55 | mindjuju | yeah, that was me, I was really looking for info on the irc channel when i found that |
16:29.15 | wps | oh, hey mindjuju |
16:29.19 | wps | hadn't noticed you in here, sorry |
16:29.37 | mindjuju | no worries, i just sorta sneaked in, then worked while i reviewed the comments |
16:29.44 | mindjuju | sorta jumping in and out of conversation |
16:31.12 | synic | macnewbold, morning, and good job last night. |
16:31.23 | mindjuju | well, i do have journalism experience and it would be a good opportunity to get to meet more people in the group. Were ya'll thinking PDF based or web based publication? |
16:31.36 | macnewbold | thanks, synic, and good morning to you too :) |
16:32.26 | macnewbold | I think we'd been thinking web based, but PDF sounds like a good idea too... generate some hardcopy now and then to spread around, etc. |
16:34.41 | mindjuju | web based would be cool; keep the decor of the website but give it a newspaper feel |
16:34.58 | mindjuju | we could then print that to PDF and go with it, or make small mods and issue PDF |
16:35.09 | synic | so, php5's md5 doesn't use a salt - unless you use the mcrypt functions |
16:35.38 | wps | yeah, the website is already all set up for the articles. We just need authors. |
16:35.50 | wps | PHP5's md5 doesn't use salt? |
16:36.02 | synic | nope |
16:36.53 | mindjuju | oh, i see |
16:43.27 | macnewbold | ah, here's the magic: |
16:43.33 | macnewbold | www.php.net/crypt |
16:43.58 | macnewbold | if you're doing a password, use crypt with the MD5 or 3DES option (since DES is weak) |
16:44.13 | macnewbold | to make the initial hash, let it choose random salt |
16:44.35 | macnewbold | (md5 uses 12 chars of salt by default!) |
16:45.24 | synic | ah, just like the C one |
16:46.08 | macnewbold | to check the password, you tell it the salt you're checking against and you can tell if they match |
16:46.30 | wps | because blowfishes are cute |
16:46.41 | synic | a little pointy, but yeah, cute :) |
16:46.48 | macnewbold | so who wants to write a short article for the web site on when to use md5, when to use crypt, and how to do secure passwords with crypt? |
16:47.09 | synic | I could do that |
16:47.18 | optikal_ | hehe |
16:47.34 | wps | excellent idea, mac |
16:48.21 | macnewbold | security wouldn't make a bad presentation, either |
16:48.35 | synic | any interest in the mcrypt or mhash functions as well? |
16:48.42 | synic | like encrypting files with blowfish or whatever |
16:48.46 | macnewbold | sure, why not |
16:48.58 | macnewbold | you could even do it in separate articles if you want |
16:49.17 | macnewbold | bigdog_ut: I was thinking about some possible stuff to present on, and was talking with fungus on the way home... |
16:49.47 | synic | so - bigdog_ut was there last night, even though he said he might not be, wasn't he? |
16:49.49 | wps | (mac's care is really humid) |
16:50.06 | wps | correction: (mac's car is really humid) |
16:50.52 | macnewbold | we could do something about all the cool things you can do if you set up a php script as an 404 error handling page with your apache |
16:51.02 | wps | (he passes the time on long trips by talking to the fungus) |
16:51.26 | macnewbold | for a minute I thought you were trying to suggest the windows in my car were steamed up or something... ewww |
16:51.38 | synic | macnewbold, hehe. I was wondering if that's how they do the php.net/str_replace type stuff. |
16:51.46 | macnewbold | yep |
16:51.51 | wps | nah... just laughing at how funny it sounded |
16:51.52 | macnewbold | the source is open if you want to check it out |
16:52.02 | wps | "I was talking to fungus on the way home" |
16:52.02 | macnewbold | there's a cvs repo on the web with all the stuff for the php.net site |
16:52.04 | wps | funny nick |
16:52.15 | wps | yeah, thanks for the tip last night macnewbold |
16:52.24 | macnewbold | ah, I get it... so humid my car grows fungus... |
16:52.27 | macnewbold | and I talk to it |
16:52.32 | wps | that "php.net/<function>" trick is awesome! |
16:52.38 | macnewbold | yes! It rocks |
16:52.50 | macnewbold | and you can do a ton with it on your own sites |
16:53.00 | wps | SO much quicker than waiting for the page to load and then typing in the search field |
16:53.18 | macnewbold | oh yeah... _way_ better |
16:54.40 | macnewbold | I've got some sites that use error scripts to generate and return (cacheable) GD images on the fly, filled with pretty antialiased TTF-rendered text that was the name of the file they were looking for |
16:55.51 | wps | we're doing it on our site |
16:55.59 | wps | example lookup: http://utahrealestate.com/2309423 |
16:56.21 | wps | and one that is successful: http://utahrealestate.com/463608 |
16:56.56 | *** join/#uphpu drewbono (~andrew@67.137.25.66) |
17:05.04 | *** join/#uphpu fungus (~fungus@firebat.aros.net) |
17:26.03 | *** join/#uphpu alphahawk (~alphahawk@70.56.105.158) |
17:31.26 | alphahawk | Question for you guys. Has anyone ever done a system that acts as a print server through the web. i.e. I upload a file to the server and then the server prints it. |
17:32.29 | synic | we do something similar... maybe not exactly what you need. |
17:33.42 | synic | our company is an online greeting card company. You pick a card online, fill out what you want it to say, upload a picture if you want, choose your font, and click go |
17:34.05 | synic | everything is stored on the webserver, and at about 6:00 AM our print machine downloads everything |
17:34.24 | synic | images are continually downloaded 24/7 |
17:34.58 | synic | we then have a guy run the print jobs. This could be automated, but being that they are greeting cards, he's there to make sure everything turns out ok |
17:35.25 | alphahawk | what I am trying to do is if customer at a hotel supports wants to print a document then he uploads the file to the server and the server prints it |
17:36.02 | synic | hrmm, what type of file? |
17:36.21 | alphahawk | thats the issue is I want to support multiple file types. |
17:36.47 | synic | I wonder if there's a way to script openoffice to do it |
17:36.49 | alphahawk | but I have decided I am going to keep it to the major ones like .doc, .xls, .pdf, etc... |
17:37.16 | bigdog_ut | what type of print server os are you using? |
17:37.20 | alphahawk | that was what i was going to try. that or if someone has a script that creates a pdf file out of it |
17:37.56 | alphahawk | bigdog_ut: pretty flexible on that. My main choice right now is slackware linux but if need to use ms I will |
17:39.21 | alphahawk | probably the biggest requirement is to be able to do it as an automated script so that theoretically the hotel clerk never has to open the file. |
17:39.42 | synic | http://scripting.openoffice.org/ |
17:40.17 | bigdog_ut | alphahawk, look at tools for cups...there might be some scripts for accessing it that way |
17:40.34 | synic | yeah, but then there's still the problem of opening the different filetypes |
17:40.34 | bigdog_ut | i know they have a web admin interface that perhaps you could mimic |
17:41.03 | bigdog_ut | you need to convert the files after they are uploaded |
17:41.09 | alphahawk | I can mimic the interfaces and run commands problem is opening the files like synic said |
17:41.29 | alphahawk | that is the question is how to convert the files I have not found a good way to do the conversions |
17:41.31 | bigdog_ut | opening for what? |
17:41.44 | bigdog_ut | you might have to shell out and send to printer |
17:42.03 | bigdog_ut | you still might need to shell out and do the conversions |
17:42.25 | bigdog_ut | imgs you might be able to do in php |
17:42.41 | bigdog_ut | but a lot of the text ones you might have to shell out |
17:42.56 | bigdog_ut | that is how we did our fax server |
17:43.27 | bigdog_ut | but we went from any file type to pdf/tiff |
17:45.21 | alphahawk | bigdog_ut: going pdf/tiff would work fine. Question is how do you do the conversions |
17:45.36 | bigdog_ut | command line tools |
17:45.51 | alphahawk | sorry when I said opening I meant converting |
17:46.06 | alphahawk | command line tools built into linux or windows? |
17:48.06 | alphahawk | bigdog_ut: were the command line tools built into linux or windows? |
17:49.18 | bigdog_ut | linux |
17:49.25 | optikal_ | alphahawk: dataw0lf made as mall encapsulation class for the PDFLib library.. it may help, http://www.dataw0lf.org/code/snippets/cPDFlib.phps |
17:49.35 | optikal_ | err "a small" |
17:51.38 | alphahawk | thanks optikal_ |
17:51.49 | mindjuju | i just found this info about converting docs in OO to pdf |
17:51.50 | mindjuju | http://www.oooforum.org/forum/viewtopic.php?t=3772 |
17:51.55 | optikal_ | np. not sure if it will help, i have yet to deal a lot with pdfs |
17:51.58 | mindjuju | hope it helps |
17:52.16 | alphahawk | bigdog_ut can you tell me what to google for to get more info on those command line tools? or were they custom tools |
17:54.57 | alphahawk | mindjuju: that helps a lot actually |
17:55.19 | mindjuju | great! I just noticed though that it is for MS and not linux |
17:55.26 | mindjuju | but it is commandline |
17:55.35 | mindjuju | win some lose some! :) |
17:55.46 | alphahawk | no command line is exactly what I need |
17:56.07 | alphahawk | would be better if php built in but didn't expect to find anything for that |
18:15.25 | bigdog_ut | alphahawk, depends on which why you are going |
18:15.43 | bigdog_ut | s/why/way/ |
18:16.34 | bigdog_ut | there is the wvware that is for ms docs |
18:16.48 | bigdog_ut | check them out on sf |
18:17.02 | bigdog_ut | that does word docs to other formats |
18:17.16 | bigdog_ut | like wvPDF converts word docs to pdf files |
18:17.34 | bigdog_ut | images you want to convert to something like tiff images |
18:17.51 | bigdog_ut | but cups should handle most of the formats |
18:23.26 | alphahawk | ya I can do images fine that is an easy one actually its the word docs and stuff like that |
18:26.35 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
19:01.47 | *** join/#uphpu tierra|w (~tierra@dsl093-225-126.slc1.dsl.speakeasy.net) |
19:28.32 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
19:42.37 | dataw0lf | Ok... *sigh* I'm updating to PHP 5. |
19:43.29 | synic | what fer? |
19:44.34 | optikal_ | hehe |
19:45.13 | dataw0lf | cuz I found some good deb packages for PHP 5 and the newest Postgres |
19:45.19 | dataw0lf | ok, maybe not. |
19:50.34 | optikal_ | ? |
19:50.58 | dataw0lf | dependency issues and I'm not keen enough on installing PHP 5 to fix it. |
19:51.01 | dataw0lf | ie, too lazy. |
19:53.04 | dataw0lf | like father, step-father, the son is drowning in the flooooood. |
19:55.55 | alphahawk | hey dataw0lf question for you. I was given a link to a phpclass you had done. its cPDFlib.phps question is does it convert word documents to pdf? |
19:58.00 | optikal_ | hehe |
19:58.42 | dataw0lf | alphahawk: oh, no. It's primarily for pulling SQL records out and creating a pretty PDF from them. |
19:59.14 | dataw0lf | alphahawk: theoretically, you could use that class to convert sxw docs to PDF, but not word documents as far as I know. |
19:59.23 | wps | thanks for the article, synic! |
19:59.27 | synic | wps, np |
19:59.34 | synic | wps, hope it makes sense :) |
20:09.57 | alphahawk | dataw0lf: okay thanks thats what I needed to know |
20:10.12 | dataw0lf | np |
20:12.26 | *** join/#uphpu optikal- (~optikal@c-24-10-198-60.client.comcast.net) |
20:16.28 | bigdog_ut | alphahawk, you can use the wv cli tools to do conversions on word docs |
20:16.35 | bigdog_ut | synic, good article |
20:16.50 | synic | thanks |
20:19.08 | bigdog_ut | macnewbold, you around? |
20:19.23 | macnewbold | yeah |
20:21.06 | bigdog_ut | was it you that put a link up in irc a couple weeks back on why not to write your own security type functions? |
20:21.19 | bigdog_ut | it was a link to a security guy's blog on home grown security functions |
20:21.34 | bigdog_ut | it was a killer article, i would love to put it up on uphpu |
20:21.34 | macnewbold | hm... no, I don't think so. |
20:21.40 | bigdog_ut | anyone recall that? |
20:21.49 | macnewbold | but I've got IRC logs, so if you know a string I should grep for, I'll look for it |
20:22.05 | bigdog_ut | grab the urls and i will look |
20:22.12 | macnewbold | synic: I'm with bigdog_ut - nice article! you posted that really quick |
20:23.42 | optikal_ | Typo.. ."This articles provides" |
20:23.45 | macnewbold | here's one |
20:23.47 | macnewbold | http://www.linuxsecurity.com/content/view/117941/65/ |
20:23.47 | *** join/#uphpu beandog (~sdibb@403238C8.ptr.dia.nextlink.net) |
20:25.43 | macnewbold | lemme know if I should keep looking, bigdog_ut - I checked Jan and Dec., and that's the only one that sticks out, other than something about an apache vuln. |
20:26.17 | mindjuju | well that's a curious article about the anti-wardriving paint on that link you provided |
20:27.24 | dataw0lf | yeah, I posted it last night, that's not the one. |
20:28.09 | optikal_ | synic: yeah, great article man. ^5 |
20:32.49 | dataw0lf | synic: terrible article. |
20:33.16 | optikal_ | hah |
20:33.32 | bigdog_ut | macnewbold, no that is not the one |
20:33.40 | bigdog_ut | perhaps you were not on |
20:34.01 | macnewbold | maybe not |
20:34.08 | macnewbold | jbot has logs |
20:34.12 | bigdog_ut | but it was a personal blog i remember that |
20:34.25 | bigdog_ut | let me check it |
20:34.31 | beandog | anyone a mailing list guru? |
20:34.45 | bigdog_ut | wps is |
20:34.53 | beandog | wps? |
20:34.54 | bigdog_ut | what is the url to jbot |
20:35.00 | macnewbold | but I don't remember the url for the logs |
20:35.03 | wps | to the archives? |
20:35.06 | macnewbold | yeah |
20:35.07 | bigdog_ut | yeah |
20:35.09 | beandog | Nah, wade wouldnt like what Im planning to do. ;) |
20:35.11 | wps | ~uphpu archives |
20:35.12 | jbot | uphpu archives are http://ibot.rikers.org/uphpu/ |
20:35.26 | bigdog_ut | let me check |
20:35.34 | beandog | oh wow thats cool |
20:36.56 | *** join/#uphpu mindjuju_ (~mindjuju@63.226.104.67) |
20:40.10 | bigdog_ut | that archive did not go back that far |
20:40.37 | dataw0lf | Hrm, I guess I could post my logs on my site for you to look through if yah want. |
20:40.38 | bigdog_ut | i would love to have all the archives |
20:41.05 | macnewbold | bigdog_ut: the gzips below go clear back to last june |
20:41.41 | bigdog_ut | oh |
20:41.54 | bigdog_ut | that would be nice to have on the site that are searchable |
20:41.56 | *** join/#uphpu xilch (~xilch@66.239.17.228.ptr.us.xo.net) |
20:42.24 | xilch | hey macnewbold - great presentation |
20:43.00 | macnewbold | thanks! |
20:43.08 | dataw0lf | I need to start following my New Year's resolutions |
20:43.13 | macnewbold | realname(xilch)==? |
20:43.19 | dataw0lf | macnewbold: yeah, excellent presentation |
20:43.28 | macnewbold | glad you enjoyed it |
20:44.07 | xilch | macnewbold: my name is Rick Davenport |
20:44.25 | macnewbold | where were you sitting? so I can put a face to the name/nick |
20:44.33 | dataw0lf | in the back with us. |
20:44.41 | dataw0lf | to the left of tierra. |
20:44.47 | xilch | I was in the back next to tiarra and adam/synic |
20:44.56 | xilch | er, tierra |
20:45.07 | dataw0lf | tiara is more appropriate. |
20:45.13 | xilch | lol yeah |
20:45.21 | xilch | we should get him one |
20:45.28 | dataw0lf | I'm sure he already has one. |
20:45.41 | xilch | another one then, that is pink |
20:46.01 | macnewbold | hehe |
20:46.01 | dataw0lf | We wouldn't be able to take it off if we gave him a pink tiara. |
20:46.15 | macnewbold | he'd look good in pink, I think :) |
20:46.34 | dataw0lf | here, I'll get his attention so he can see we're humiliating him. |
20:46.35 | dataw0lf | tierra|w: |
20:46.45 | dataw0lf | you're a flamer. |
20:47.40 | dataw0lf | this is ridiculous, what is Lil Jon doing in my music collection??? |
20:48.01 | beandog | Lil Jon? |
20:48.11 | dataw0lf | a rapper. |
20:48.17 | beandog | o |
20:48.34 | dataw0lf | 'Toooooo the windooooow, to the waaaaall' |
20:48.39 | tierra|w | ? |
20:48.55 | dataw0lf | tierra|w: read your backlog. |
20:49.22 | tierra|w | your lucky this is the UPHPU channel |
20:49.53 | dataw0lf | *you're |
20:50.23 | dataw0lf | here, I'll make fun of you on EFNet too. |
20:51.01 | optikal_ | heh |
20:59.44 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
21:07.14 | *** join/#uphpu Rajah (~mike@208.177.141.226.ptr.us.xo.net) |
21:15.24 | macnewbold | nice, 18 people now... we've gotten a lot more people to come join us in irc lately... |
21:15.38 | macnewbold | it wasn't long ago we only had 6 or 8 in here at a time, two of which were bots :) |
21:16.04 | optikal_ | haha |
21:17.45 | Rajah | wasn't there someone looking for php streaming software. |
21:17.55 | bigdog_ut | i think |
21:18.49 | Rajah | I had mentioned andromeda yesterday while reading Linux Journal I found this one... http://pancake.org/zina/ |
21:19.13 | Rajah | basically an open source version of andromeda |
21:19.23 | Rajah | There is one more if I can remember it I will post it |
21:19.49 | optikal_ | aah |
21:19.51 | optikal_ | I was interesting |
21:19.59 | optikal_ | s/interesting/interested |
21:20.26 | Rajah | ok I will go find the other one then as well. |
21:27.09 | optikal_ | awesome |
21:29.22 | alphahawk | Rajah I was looking at streaming software |
21:30.28 | optikal_ | thats who it was. i forgot heh |
21:30.32 | Rajah | Thought I might have a copy of the magazine here, but it must be at home I will try and remember tomorrow. |
21:30.40 | optikal_ | no worries |
21:30.44 | optikal_ | thanks for the link thus far. |
21:32.54 | *** join/#uphpu mindjuju (~mindjuju@63.226.104.67) |
21:38.26 | *** join/#uphpu mindjuju (~mindjuju@63.226.104.67) |
21:41.57 | alphahawk | optikal_ I am testing the icecast streaming software now |
21:42.06 | optikal_ | alphahawk: awesome, i' |
21:42.12 | optikal_ | i'd love to hear how it goes. |
21:43.29 | alphahawk | fyi the guys in the icecast channel are cranky |
21:46.58 | optikal_ | hehe |
22:15.32 | *** join/#uphpu xilch|w (~xilch@66.239.17.228.ptr.us.xo.net) |
22:32.26 | bigdog_ut | anyone outside uphpu is cranky |
22:34.45 | macnewbold | :) hehe... but never anyone inside |
22:34.48 | macnewbold | ~uphpu++ |
22:40.12 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
22:46.08 | bigdog_ut | common look @ how many we have now |
22:47.45 | *** join/#uphpu synic (~synic@66.239.17.228.ptr.us.xo.net) |
22:55.22 | macnewbold | synic: you should send out an email message to the list about your new article, to tell people that were at the meeting what we found out, etc. |
22:56.29 | synic | what exactly did we find out? I only read part of it. That the site has a large DB of words, which actually can crack an unsalted md5 hash up to 14 characters? |
23:00.12 | macnewbold | mostly I meant that we know md5 is still secure, as long as you use it right (i.e. crypt(), w/salt) if you're doing passwords, rather than using the md5() function |
23:00.56 | synic | you mean with password() ? |
23:00.59 | macnewbold | but basically, that passcracking.com site built a big db of precomputed stuff, and just have to go find the one that matches your password |
23:01.20 | macnewbold | no, I meant md5()... /me doesn't remember what password() does |
23:02.09 | synic | nope, it doesn't. |
23:03.06 | synic | mysql> select md5( 'bwent' ); |
23:03.06 | synic | +----------------------------------+ |
23:03.06 | synic | | md5( 'bwent' ) | |
23:03.06 | synic | +----------------------------------+ |
23:03.06 | synic | | 149911be96ebe2a393f2a4b07cc81a92 | |
23:03.07 | synic | +----------------------------------+ |
23:03.13 | synic | [synic@bwent ~]$ php -r "print md5('bwent');" |
23:03.13 | synic | 149911be96ebe2a393f2a4b07cc81a92 |
23:07.12 | macnewbold | well, at least they match :) that's a good sign |
23:08.02 | synic | hehe |
23:08.29 | tierra|w | actually, all my hashes are hashed a second time with an internal string (made from a hash of random characters)... while that string could be taken as well if the hashes were every compromised, it also means the person would have to come up with all new tables anyway making that site useless |
23:08.41 | tierra|w | s/every/ever |
23:09.10 | tierra|w | my own way of salting my hash browns |
23:10.11 | synic | mmm |
23:10.14 | synic | hash browns |
23:23.29 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
23:23.52 | bigdog_ut | they both use the system implementation of md5 though |
23:25.36 | dataw0lf | Yeah, I thought what was brought up was a problem inherent with the md5 encryption scheme in and of itself. |
23:25.46 | dataw0lf | which I haven't heard of. |
23:26.44 | bigdog_ut | but does unix impl of md5 use a salt internally? |
23:29.15 | dataw0lf | No. |
23:29.33 | macnewbold | new |
23:29.37 | macnewbold | I mean, yes |
23:29.45 | bigdog_ut | yes it does use salt in it? |
23:29.47 | macnewbold | although it uses the salt on passwords |
23:29.55 | macnewbold | not for the general md5 computation |
23:30.06 | synic | man crypt |
23:30.11 | dataw0lf | salts are just added for the benefit of more security. |
23:30.17 | bigdog_ut | yeah |
23:30.23 | dataw0lf | since a 'hacker' would have to bruteforce the salt as well. |
23:31.18 | macnewbold | if you ever look at a password file on linux/unix, etc, if it's using MD5, the password hashes will have something like $1$1ba81f83$<hash> |
23:31.36 | macnewbold | that's the code for "I'm an md5 hash, and here's my salt" |
23:31.47 | dataw0lf | sure, it uses salt for password encryption. |
23:31.58 | dataw0lf | but *nix systems don't default to a salt. |
23:32.18 | macnewbold | yeah, they do, for passwords. whether it's md5 or des or whatever |
23:32.37 | macnewbold | but a standard md5() call has not much to do with salt... it's just a hash |
23:32.43 | dataw0lf | that's what I'm saying. |
23:33.05 | dataw0lf | if you call md5 in a *nix system it won't magically add a salt for you. |
23:33.25 | macnewbold | right. I guess I've been talking about it wrong... salt is something you use with passwords and such, not something that is a part of the hashing strategy |
23:33.54 | macnewbold | salt's like an automatic way to add 12 random chars to any good or bad password, to make it much more secure |
23:35.12 | *** join/#uphpu drewbono (~andrew@byu176783wks.rn.byu.edu) |
23:36.38 | bigdog_ut | cause it is said in the email that linux uses salted md5 hashes? |
23:36.59 | macnewbold | yes, they do, in their password files |
23:37.11 | macnewbold | but a plain old md5 hash isn't salted (in any language) |
23:38.02 | bigdog_ut | but i think they use sha1 though for those right? |
23:40.03 | tierra|w | that's what I thought |
23:41.57 | bigdog_ut | what sucks is that site runs on m$ crap |
23:42.07 | bigdog_ut | -> passcracking.com |
23:46.11 | macnewbold | bigdog_ut: don't know whether they default to sha1 or md5, but it's salted, for sure. Check your password file: if the hashes start with $1$ it's md5, or $2$ is blowfish or sha1 or something. |
23:53.20 | *** join/#uphpu wps (~wps@byu074602wks.rn.byu.edu) |
23:53.25 | *** mode/#uphpu [+o wps] by ChanServ |
23:54.11 | *** join/#uphpu spiderbiter (~spiderbit@38.119.177.194) |