Softcore software development
It's all about the cycles

AES and CBC


If you ever want to use a crypto library in Python, you’ll be sad to note that there isn’t one built into Python’s impressive repertoire of modules. In fact, you’ll most likely hit PyCrypto on your Google search to find one. There is some dirty work you’ll have to do if you want to use symmetric cryptography with this library, and one of the hard/easy parts is knowing the difference between ECB and CBC.

Here, we start initializing the AES object using CBC mode:

>>> from Crypto.Cipher import AES
>>> aes = AES.new('some key here', AES.MODE_CBC, 'INIT_VECTOR')
Traceback (most recent call last):
File "<console>", line 1, in <module>
ValueError: IV must be 16 bytes long

Oops. You’ll have to make your initialization vector 16 bytes long. Also, your key has to be 16, 24, or 32 bytes long. Let’s do something better:

>>> aes = AES.new('J2-+sfd%932mIt:{', AES.MODE_CBC, 'wir&/>H54mgd9a";')

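Ah! Much better. Even if it was me smashing my hand against the keyboard. (For anything real, generate the key and a fresh IV for each message with os.urandom() instead of typing them.) Now let’s encrypt/decrypt something important.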

>>> aes.encrypt('the answer to life the universe and everything is 42')
Traceback (most recent call last):
File "<console>", line 1, in <module>
ValueError: Input strings must be a multiple of 16 in length

You’ll have to do the dirty work, remember: pad the message out to a multiple of 16 bytes yourself.

>>> ciphertext = aes.encrypt('the answer to life the universe and everything is 42195479204957')
>>> ciphertext
'f0\xa9\xf9f&X)\x0e\x08=\x06\x97\xcbF\xddK\x1a\xa6i\x1d\x02"}\xd9\\\xaa\xb6\xd9J\xe3Q\x07\xaev\x012\xbf\rPN\xd2\xf9\xf7$\x93\xe0/\xcb\xae9\x91K\xd01\xab\xb7\xdb\reR\xff\xef\x1c'

Much better. Now let’s decrypt it:

>>> aes.decrypt(ciphertext)
'\xc8\xaf.\x97\x05\x80\n\xe9\xe6\xc4Ju\x04\xbe\xa1Nfe the universe and everything is 42195479204957'

Woah! That isn’t the whole message! So what’s going on?

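Remember that initialization vector you set in the beginning? That sets the stage for the first block. After that, each ciphertext block becomes the initialization vector for the next block, and so on. The aes object keeps track of this as it goes, so once you have encrypted with it, it is no longer holding the IV you started with: it is holding the last block it processed. When you then decrypt with the same object, the first block is decrypted against that leftover block instead of your original IV. That’s why the first 16 bytes are screwed up, while every later block, which only depends on the ciphertext block before it, comes out fine. This is a feature of CBC, but not ECB: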

>>> aes = AES.new('J2-+sfd%932mIt:{', AES.MODE_ECB, 'wir&/>H54mgd9a";')
>>> ciphertext = aes.encrypt('the answer to life the universe and everything is 42195479204957')
>>> aes.decrypt(ciphertext)
'the answer to life the universe and everything is 42195479204957'

And yes, this is a feature. Read the block cipher modes Wikipedia article for a better explanation. So what’s the answer? Simply call AES.new() again, with the same key and IV, before calling decrypt!
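The following is an added example, not code from the original post and not PyCrypto's implementation: a pure-Python model of a CBC object that keeps its chaining block between calls, which is the behaviour behind the garbled first block above. The 4-round Feistel function is a toy stand-in for AES and is not secure; `StatefulCBC`, `toy_block` and the other names are made up for this sketch, while the key, IV and message are the ones from the session above.

```python
import hashlib

BLOCK = 16
KEY = b'J2-+sfd%932mIt:{'   # key, IV and message are the ones from the post
IV = b'wir&/>H54mgd9a";'
MSG = b'the answer to life the universe and everything is 42195479204957'

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    # Toy 4-round Feistel stand-in for AES (NOT secure); decrypt reverses it.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, xor(l, f)
    return r + l if decrypt else l + r

class StatefulCBC:  # hypothetical model: one chaining slot shared by both calls
    def __init__(self, key, iv):
        self.key, self.chain = key, iv      # chain starts out as the IV

    def encrypt(self, data):                # data assumed a multiple of 16 bytes
        out = b""
        for i in range(0, len(data), BLOCK):
            # C_i = E(P_i xor C_{i-1}); the new block becomes the chain
            self.chain = toy_block(self.key, xor(data[i:i + BLOCK], self.chain))
            out += self.chain
        return out

    def decrypt(self, data):
        out = b""
        for i in range(0, len(data), BLOCK):
            block = data[i:i + BLOCK]
            # P_i = D(C_i) xor C_{i-1}; uses whatever self.chain holds right now
            out += xor(toy_block(self.key, block, True), self.chain)
            self.chain = block
        return out

def reuse_same_object():
    c = StatefulCBC(KEY, IV)
    return c.decrypt(c.encrypt(MSG))         # chain = last ciphertext block

def fresh_object():
    ct = StatefulCBC(KEY, IV).encrypt(MSG)
    return StatefulCBC(KEY, IV).decrypt(ct)  # chain = the original IV again

if __name__ == "__main__":
    print(reuse_same_object(), fresh_object(), sep="\n")
```

Only the first 16 bytes differ between the two results, because every later block is XORed with the ciphertext block before it and never with the IV.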


December 22nd, 2009

Tags: code, crypto, python




Freshly Baked Bread


I have two wishes for Santa Claus this year: stable software and freshly baked bread.

My first wish won’t be granted. So he is obligated to fulfill the second one for sure. And the second wish is becoming a non-trivial task.

Saskatchewan, where I currently live, lies in what is considered Canada’s breadbasket. We learned about it in school. They apparently grow a lot of wheat here. Wheat, as you may or may not know, is one of the critical ingredients in most breads.

So why is it that I can’t find a goddamn bakery that makes fresh goddamn bread in the middle of this goddamn breadfactory?

I went to four “bakeries”. Two didn’t sell bread at all, just pastries. One only sold a variety of toast. And the last one, which was only a 10 minute bus ride from my house, and recommended to me by a co-worker, closes at fucking 5pm (isn’t that when most people finish work and fresh bread is something on their mind?)

What the fuck.

When having a discussion with my co-workers about this, here is how they manage to get bread:

  1. Get a breadmaker and have your girlfriend make it for you
  2. Get your girlfriend, who works in a bakery, to get it for you when she leaves work

Either solution requires a girlfriend. Fuck this shit.


December 18th, 2009

Tags: bread, mission impossible, personal, regina, wtf




Minimizing the damage of malware


It happened a few days ago, and it was bound to happen sooner or later. My sister could no longer log into her account on her Windows XP machine. When you tried, it went to a black screen with only the mouse cursor shown. The common symptoms of a broken computer, like one caused by a virus infection.

Normally, this sort of thing would be a geek’s nightmare. One would have to spend time to fix it or reinstall Windows XP. There are supposedly tools to fix this (System Restore and such) but past experience has shown this rarely fixes the problem.

But I was prepared this time. When I first set up my sister’s machine, I made her a limited user. And it was one of the better decisions I made. I simply created her a new account, and everything worked and she was happy to have her computer back with AIM and MSN and iTunes (though not the music, though that can easily be copied over).

This has some pitfalls. I have to log in to do random stupid stuff like change the clock time, install new software, and update Firefox. But these hassles, even when combined, have paid for themselves by not having me sit in front of a broken computer.

Managing her account from Regina is gonna be hard though. And I don’t have much time to resolve this problem.


November 11th, 2009



Destination Regina


Yesterday, I accepted an offer to work at NetSecure Technologies, which is a company based in Regina doing Firefox extension and C# work (mainly the former. I never worked with the latter, and they are aware of that). This also means I have to relocate to a city which I know nothing about. In fact, I will likely be a typical snobby Torontonian for the year contract that it is for.

Unfortunately I will be leaving my current employer PPX. Good people. But I am excited about my new job responsibilities, and think it will be a better fit for me.


October 26th, 2009

Tags: microblog, personal, regina, toronto




Number of daily downloads slightly reduced on AMO


This was originally written early September. The patch was live late September. And 4 weeks of results later, this post. My apologies if I mixed past and present tense.

The number of add-on downloads was always an interesting figure to me. Over several months, one of my add-ons was getting over 100 downloads a week without any promotion. But my ADU remains almost constant every week. It may increase by a few, but compared to the number of downloads, it only seemed like I got an abnormally low number of conversions. Less than 15% of users who downloaded my add-on turned into an ADU.

This didn’t seem right, so for 0.7 release of Safe extension, I added some code that sent me some info whenever someone uninstalled from the Add-ons Manager.

According to the add-ons dashboard, I had 78 ADU users for version 0.7 (submitted 2009-08-14. Averaged over a period of 1 week.).

How many downloads since it was uploaded? About 659 (I likely uploaded it late evening, so it might be less than that). So about 11% of the users that downloaded the extension didn’t uninstall it. But how many users chose to uninstall it using the Add-ons manager?

Ten.

So what of the other 500+ users? How did they uninstall my extension? I wondered whether web crawlers were downloading my extension. 500 seems like an awfully big number. Maybe a broken crawler? Well, actually, it turned out that AMO’s robots.txt did not exclude robots from downloading extensions at all. And how often a crawler visits is determined by the provider. Google cache takes a snapshot around once every week for me.

I realized that these numbers won’t be accurate because there are more ways to uninstall an add-on, including new profile or deleting the add-ons folder from the profile. But these seem like rare cases. Certainly not responsible for such a misleading number.

I filed and fixed an earlier bug to have robots.txt exclude crawlers from the /downloads/ path of each of our localized versions of AMO.

After 4 weeks, my stats have leveled off and the number of downloads has dropped by about 10 a day. My add-on downloads dropped from >10 to about 3 a day. This won’t be considerable to popular add-ons (AdBlock Plus shows no difference, they are still getting 80,000 downloads a day). Looking at the statistics on AMO, total downloads have dropped over 100,000 a day since the stuff went live last month. Good stuff.


October 26th, 2009

Tags: bug, mozilla







Allowing mixing insecure and secure content

This is something that’s been floating in my head. Not sure how much this is worth advancing, or whether it is deeply flawed. Or whether it was considered at some point but not indexed by Google well enough.

Many sites do mix HTTP and HTTPS content. Sites that do this are no longer considered secure (Larry goes away, the lock has a warning symbol over it) for good reason: the insecure content cannot be trusted. It may have been tampered with. If the content was a JavaScript file, for instance, it could be very bad news.

But if we know that data from a secure source can’t be tampered with, could it vouch for content that isn’t secure? Let’s take an example of a fictitious webpage :


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js"></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" />
Credit card number : <input type="text" ...

Even though the site is served securely, some important information is sent insecurely. I am proposing that the secure content is able to pass along a hash (sha1, not md5) of the content that it expects. If the content in the insecure channel has the same hash value, then we can be reasonably assured that the data has not been tampered with during transport. Let’s see the code again:


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js" data-hash="sha1:12b36be3076d357b2d390b2df3f9b65cd55b93e1" ></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" data-hash="sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3" />
Credit card number : <input type="text" ...

The attribute starts with data- because I doubt something like this would be implemented outside of my head. But it seems to solve the problem of tampering with the data. If the hashes don’t match, the website is still broken. If they do match then we should be able to breathe easily.

Of course, in time people will figure out vulnerabilities. Hash collisions are a problem. But this is something that the web had to deal with before. Maybe a nice addition would be allowing multiple hash values, like:

<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" data-hash="sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3;md5:953c78ac57ca68bfe532eb50120c8aa1" />

Yeah. I know I said no md5 ;)
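One way the check behind the proposed data-hash attribute could work, as an added example that is not from the original post: it parses the `algo:hex` list, requires every listed digest to match the bytes fetched over HTTP, and fails closed on anything it cannot parse. The function names and the sample script bytes are constructed for illustration; only the attribute syntax and the two algorithm names come from the post.

```python
import hashlib
import hmac

ALGOS = {"sha1": hashlib.sha1, "md5": hashlib.md5}  # the two named in the post

def parse_data_hash(attr):
    """Parse 'sha1:<hex>;md5:<hex>' into [(algorithm, raw_digest), ...]."""
    pairs = []
    for entry in attr.split(";"):
        algo, sep, hexdigest = entry.strip().partition(":")
        algo = algo.lower()
        if not sep or algo not in ALGOS:
            raise ValueError("malformed or unsupported entry: %r" % entry)
        raw = bytes.fromhex(hexdigest)          # ValueError on non-hex input
        if len(raw) != ALGOS[algo]().digest_size:
            raise ValueError("wrong digest length for " + algo)
        pairs.append((algo, raw))
    return pairs

def content_matches(attr, body):
    """True only if every digest in the attribute matches the fetched bytes."""
    try:
        pairs = parse_data_hash(attr)
    except ValueError:
        return False                            # fail closed: do not load it
    ok = True
    for algo, expected in pairs:                # check all, no early exit
        ok &= hmac.compare_digest(ALGOS[algo](body).digest(), expected)
    return ok

# Constructed sample: stand-in bytes for the script fetched over plain HTTP.
SCRIPT = b"document.title = 'panda';\n"
ATTR = "sha1:%s;md5:%s" % (hashlib.sha1(SCRIPT).hexdigest(),
                           hashlib.md5(SCRIPT).hexdigest())

if __name__ == "__main__":
    print(content_matches(ATTR, SCRIPT))                   # untouched body
    print(content_matches(ATTR, SCRIPT + b"// injected"))  # modified in transit
```

Requiring all listed digests to agree is what makes the multi-hash form useful against collisions: a replacement body would have to collide under each algorithm at once.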


August 30th, 2009

Tags: crazy, security, Web




Statistical gathering for add-ons


Today I submitted version 0.7 of the safe add-on. This was not a version with additional features, but rather a version that collects stats from users who uninstall the add-on.

I mainly did this because I wanted to know more about why only a small percentage of users who downloaded my extension continued on using it. How long have they used the extension? What options have they enabled (if any)? Where are my users coming from? I stopped short of asking people to complete a feedback form, instead opting to just send data to my server. It’s relatively anonymous, except for the IP address which gets recorded.

Unfortunately, this doesn’t really give me useful statistics from people who stay with my add-on. Which is still useful. My best hope is that it’ll answer at least one of my questions that it was set out to answer.


August 9th, 2009

Tags: extension, safe, stats




Open source shoes

A few days ago, I went to buy a pair of new shoes. I decided that I would put effort this time into actually looking for vegan (or as they say, cruelty-free) shoes. Generally I am more lax about leather/pelts than most other vegetarians, but I still don’t like supporting the industry. So I decided to go and buy hemp shoes (FYI, Payless Shoes seems to have leather-free shoes, according to the TVA). I found this little place called Left Feet, which had hemp shoes that didn’t look like a hippy designed them.

The shop is small. Very small. With limited selection that caters to people who go out of their way to buy products that are typically made with leather. After I found a pair that I liked, I brought it home and saw a pamphlet at the bottom of the box (emphasis on their part, not mine).

Join the Blackspot Community

You’re now the owner of a pair of Blackspot shoes. It’s a purchase that could be unlike any you have made before. By buying Blackspots you’ve become a member of an international movement to regain control of our own minds and communities.

The open-source logo, hand-drawn on the side of your Blackspots, is a symbol of resistance against the kind of big-money hyperbranding that has been undermining civil society for decades. Earth-friendly, anti-sweatshop (made in Europe), cruelty-free, and pro-grassroots, the Blackspot model represents fundamental change.

The open-source logo they talked about looks like below. Despite the name the logo is white, not black. The black you do see is dirt. If you touch it, it feels sticky. Kinda like gum.

Blackspot Shoe

The reason why it’s called an open-source logo is because anyone can supposedly use it. It’s not a particularly great logo, and it likely didn’t go through over a dozen iterations.

On the plus side, they were very well priced for what they claim to do (organic hemp, biodegradable materials, made by unionized workers). I am happy with the purchase despite the smaller selection.


July 24th, 2009

Tags: "open source", activism, personal, shoes




Google Maps and geolocation


I was first made aware of the fact that maps.google.com now uses geolocation by sdwilsh, which is new in Firefox 3.5. But when I loaded maps, I was surprised to see that it didn’t work when I visited the site. And I was using something even more recent than Firefox 3.5, Minefield. Surely, it has geolocation, so what is going on?

The reason maps doesn’t support Minefield is because of *drumrolls* … browser sniffing. Developers… no wait… GOOGLE web developers, I thought we moved on?

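Here is the actual bit of code, unminified and tidied up:

function isBrowserGeolocationSupported(){
    // Firefox: accepted only if the UA string says "Firefox" AND the API exists
    if (window.navigator &&
        navigator.userAgent.search("Firefox") != -1 &&
        navigator.geolocation)
        return true;
    // Chrome: decided purely by the major version in the UA string (>= 2)
    if (window.navigator &&
        navigator.userAgent.search("Chrome") != -1)
        return Number(String(/Chrome\/[0-9]+/.exec(navigator.userAgent)).substr(7))>=2;
    var gearsFactory=null;
    // ... (the excerpt ends here; the rest of the function is not shown)
}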

The hell? Ok, so I understand they do a bit of browser sniffing because it looks like Chrome had an old/broken implementation of geolocation. But I wish there was a more graceful way of doing this (maybe something like navigator.geolocation.version < 1). One that didn't break every application that may implement geolocation that isn't named Firefox. Because, those exist too.


July 10th, 2009

Tags: browser compatibility, google chrome, Web




Copyright © 2010 Softcore software development All Rights Reserved