Patrick’s development blog

Encrypt chat conversations in Pidgin using pidgin-otr

Posted in Articles, Security by Patrick on March 17, 2009

Pidgin is an excellent instant messaging (“chat”) client. I’ve even replaced the MSN client on my Windows system with Pidgin. It’s open source and supports many different chat networks like MSN, ICQ…

There’s a plugin called pidgin-otr (Off-the-Record messaging) which allows you to encrypt your conversations (assuming the other party also has pidgin-otr installed). Regretfully, people never seem to care about encryption even if they get close to crazy if someone invades their privacy, quite the paradox… Well, that’s just another story which I’m not going to post here, as I’m just spreading the word about everything that’s good : )

The Off-the-Record messaging plugin uses a long-term key pair per account to authenticate you to the other party, and negotiates fresh session keys for every conversation, so a key that leaks later does not expose earlier conversations. It’s very easy to use: download the plugin, activate it in the Pidgin add-on menu and generate a key. In the conversation window, a button appears that makes it easy to toggle encryption on/off. The one step that is not automatic is verifying the other party’s key fingerprint (read it to each other over the phone or in person, or use the plugin’s shared-secret authentication). Until you have done that the conversation is only “unverified”: the traffic is encrypted, but someone sitting between you could be relaying both sides with keys of their own.

Download Pidgin from: http://www.pidgin.im/download/
Download Pidgin-otr from: http://www.cypherpunks.ca/otr/index.php#downloads

Encrypting mail in Thunderbird using GnuPG and Enigmail

Posted in Articles, Security by Patrick on March 17, 2009

Thunderbird is a mail user agent developed by Mozilla. GnuPG is an encryption program (free software) that implements the OpenPGP standard. OpenPGP is based on public-key cryptography: the public key is used to encrypt data (and to verify signatures), while the private key is used to decrypt it (and to make signatures).

The Thunderbird add-on Enigmail provides a front end to GnuPG, so mail can be encrypted, decrypted, signed and verified from inside Thunderbird. After installing Enigmail, generate a keypair. This creates a public and a private key for the current account. The public key is meant to be distributed so other people can send you encrypted mail; it is usually uploaded to a keyserver. The private key, however, must NOT be distributed: it is what decrypts the messages that were encrypted to your public key (and what signs your outgoing mail), so anyone who holds it can read your mail and impersonate you.

It’s possible to search for public keys on the keyservers, import them into your local keyring and configure Thunderbird to encrypt all messages by default (assuming the recipient’s public key is in your keyring). Keep in mind that anyone can upload a key under any name and address to a keyserver, so verify a key’s fingerprint with its owner through another channel before you trust it. Thunderbird, GnuPG and Enigmail are all very useful indeed : )

For more information about GnuPG and Enigmail:
http://www.gnupg.org/
http://enigmail.mozdev.org/home/index.php

become anonymous on the internet using Tor

Posted in Articles, Security by Patrick on July 23, 2008

Tor is a platform-independent program that protects you from traffic analysis, a form of surveillance of your network traffic that is a threat to your privacy. Tor is usually used to surf anonymously, but can also be used with, for example, instant-messaging applications.

How Tor works
When using Tor, your communication with the internet is routed through a chain of relays around the world that are run by volunteers. Each hop in the chain is encrypted, so no single relay sees both where the traffic comes from and where it is going; the site you visit sees the address of the last relay, not yours.

I recommend using the Firefox add-on Torbutton, which provides an easy way to enable/disable Tor in Firefox. This way, you don’t have to configure your browser by hand either.

Pitfalls with Tor
Watch out for cookies, Flash files, Java applets and similar browser plugins. Plugins like Flash and Java make their own network connections and bypass the browser’s proxy settings, so they can reveal your real IP address even if you use Tor; cookies set outside Tor can link your anonymous and non-anonymous browsing. Firefox add-ons like NoScript and Flashblock can prevent this. Be sure you don’t fall for things like this.

Even though Tor encrypts your traffic inside the Tor network and hides where it comes from, the last relay (the exit relay), which talks directly to the web server, can still read everything you send in the clear, passwords included. Don’t do things over Tor that can expose your identity, for example logging in to your webmail (if you truly want to be anonymous, that is). Using an encrypted protocol like HTTPS stops the exit relay from reading the content, though it still sees which server you are talking to.

Read more about potential pitfalls here: http://www.torproject.org/download.html.en#Warning

To sum it up
If you want to surf anonymously, this is a very useful program, as it also hides your IP address. But remember that browser plugins like Flash can still expose your IP. A lot of people believe that installing Tor will automagically make them anonymous. That’s wrong, however: you have to configure every application you want to use with Tor so that all of its traffic, DNS lookups included, actually goes through Tor. If you’re using Firefox, the Torbutton add-on does this automatically.

A good idea might be to install a portable browser that you use only when you want to be anonymous. Configure it so that it doesn’t accept cookies, install a Flash blocker, and block Java and other plugins that could expose your IP address. Only use services like webmail if the site uses SSL or another secure connection.

There is a portable version of Firefox called Firefoxportable.
Tor’s official website: http://www.torproject.org/

How to make a simple window in SDL

Posted in Articles, SDL / OpenGL by Patrick on June 25, 2008

Creating windows in SDL is dead easy and doesn’t involve as much code as the Win32 API does, for example. SDL is a popular library for game development and it’s cross-platform too, so it works on Linux as well.

Install SDL for Windows
1. Download the latest version of SDL from their site
2. Choose the file SDL-devel-1.2.13-VC8.zip
3. Move all include files from the .zip file you downloaded into the corresponding include folder of your IDE/compiler. Do the same with the files from the /lib folder.
4. To be able to run SDL apps while developing without copying the .dll next to every executable, you can put SDL.dll in the Windows folder. When you test your application on another computer you have to distribute the .dll with it anyway, so shipping it next to the executable is the cleaner habit; a DLL in a system directory is picked up by every program on the machine.
5. Add the SDL lib files into your linker options. In Visual C++ Express this is done by going into Project -> Project Properties -> Linker -> Input. Type the following into the Additional Dependencies field: SDL.lib SDLmain.lib

Install SDL for GNU/Linux
Use your package manager and install the development libraries for SDL. For Debian-based systems, I’ve posted an article about how to install SDL here.

Install SDL for Mac OS X
There are development libraries on SDL’s homepage for Mac OS X as well. There are so many different IDEs for Mac, though, that I’ll not go into that in this article. There are many great tutorials about this already.

Create a window in SDL

#include "SDL.h"
#include <stdio.h>

SDL_Surface *screen;   // the display surface: what is shown in the window

SDL_Event event;       // filled in by SDL_PollEvent for each pending event

int main(int argc, char *argv[]) {
    // initialize the video subsystem; SDL_GetError explains a failure
    if (SDL_Init(SDL_INIT_VIDEO) < 0) {
        fprintf(stderr, "SDL_Init failed: %s\n", SDL_GetError());
        return 1;
    }

    // 640x480 window, 16 bits per pixel, surface in system memory
    screen = SDL_SetVideoMode(640, 480, 16, SDL_SWSURFACE);
    if (screen == NULL) {
        fprintf(stderr, "SDL_SetVideoMode failed: %s\n", SDL_GetError());
        SDL_Quit();
        return 1;
    }

    SDL_WM_SetCaption("Simple Window", "Simple Window");

    bool done = false;

    // main loop: runs until the user closes the window
    while (!done) {
        // event loop: handle every event that is waiting
        while (SDL_PollEvent(&event)) {
            if (event.type == SDL_QUIT) {
                done = true;
            }
        }

        // fill the screen with black
        SDL_FillRect(screen, &screen->clip_rect, SDL_MapRGB(screen->format, 0, 0, 0));

        // make the updated display surface visible
        SDL_Flip(screen);
    }

    SDL_Quit();

    return 0;
}

First I include SDL and declare a surface called screen. This surface is going to represent the window; it’s called the display surface. A surface in SDL is a rectangular area of pixels. Surfaces are also used to represent images, text and pixels in general.

The main function in an SDL program must be declared as int main(int argc, char *argv[]) (or int main(int argc, char **argv), which is technically the same) in order to work. SDL’s header renames your main and SDLmain supplies the real entry point, which calls your main with exactly these arguments, so a main without them won’t build.

The initialization of the window is done by the following lines:

SDL_Init(SDL_INIT_VIDEO);
screen = SDL_SetVideoMode(640, 480, 16, SDL_SWSURFACE);

SDL_Init initializes SDL and should be called first. The second line sets the video mode to a specified width and height (640×480). The third parameter of SDL_SetVideoMode is the number of bits per pixel and the fourth parameter is a flag that specifies how the video mode is going to be created. Here’s a list of all the flags that can be used as the fourth parameter. Flags can be combined with each other (bitwise or).

Flags that can be used in SDL_SetVideoMode(..)
SDL_SWSURFACE – creates the video surface in system memory
SDL_HWSURFACE – creates the video surface in video memory
SDL_ASYNCBLIT – enables asynchronous updates of the display surface; usually slower on a single-CPU machine, may speed things up on multi-CPU systems
SDL_ANYFORMAT – if the requested bpp value cannot be used, SDL uses the video surface in whatever depth is available instead of emulating the requested one with a shadow surface
SDL_HWPALETTE – gives SDL exclusive palette access; without it you may not always get the exact colors you ask for
SDL_DOUBLEBUF – enables double buffering; must be used together with SDL_HWSURFACE, and SDL_Flip then swaps the buffers
SDL_FULLSCREEN – fullscreen mode will be used if possible
SDL_OPENGL – creates an OpenGL rendering context
SDL_OPENGLBLIT – same as above, but also allows normal blitting operations (blitting = copying surfaces) onto the surface; this flag is deprecated
SDL_RESIZABLE – makes the window resizable
SDL_NOFRAME – creates a window without a frame or titlebar if possible

Read more about SDL_SetVideoMode in the documentation.

————————————————

Set window title
The next line after SDL_SetVideoMode is the SDL_WM_SetCaption call. It sets the window title (the second argument is the icon title). This is optional, but simple enough that it would be a waste not to use it.

Main loop
The outer while loop runs as long as the boolean variable done is false; we set it to true when we want to close the program. This loop is often called the main loop. It’s in the main loop that all the processing is done, that is, drawing, moving things, updating the screen, etc. You can say this is where all the program code is supposed to be, except the initialization code.

Event loop
At the start of the main loop there is a second while loop. This is the event loop, where all events are processed. Events are messages that are sent to the program whenever the user does something, for example moves the mouse, clicks a button or closes the window. It’s up to us which events we want to handle. In this example, the only event that’s checked is SDL_QUIT. This event is sent to the program when the user clicks the close button in the top right corner of the window. If we left this event out, the close button wouldn’t work and we would have to kill the application in order to close it.

Fill the background color and update the screen
After the event loop there are two lines. The first one fills the display surface (screen) with black. The second one updates the screen; it has to be called at the end of the main loop to make the display surface visible (with SDL_DOUBLEBUF it swaps the buffers). Strictly speaking, neither the SDL_FillRect call nor the SDL_Flip call is necessary in this program, since we don’t draw anything and the background is black by default. But don’t forget to clear the background or draw a background image once you start drawing something on the screen.

centering a <div> using CSS

Posted in Articles, Webdesign by Patrick on February 14, 2008

Centering something in HTML/XHTML isn’t a matter of course anymore. That doesn’t mean it’s at all hard, but designers learn more and more about web standards nowadays and constantly struggle with web browsers that are a little deviant *cough* (Internet Explorer).

In the good old days, most people would probably attempt to center something using the <center> tag (I know this is the stone age). I’m not sure if it’s just that nobody cared back then, but nowadays it’s not part of the standard. In my opinion, designing websites consists mostly of creating ugly hacks so the website works fairly well with most browsers, which is quite sad.

Anyway, this is what I’ve found out about how to center divs using CSS.


#contents {
width: 400px;
margin-left: auto;
margin-right: auto;
}

<div id="contents">
Insert text/image/whatever here..
</div>

This would naturally be everything we need in order to center the <div>. Some browsers behave differently, though: older versions of Internet Explorer (in quirks mode) ignore the auto margins. That’s why we add text-align: center; to the body rule, which IE uses to center the block. This also centers the text inside the div, so we have to counter that by adding text-align: left; to the #contents rule.

Centering a div using CSS


body {
text-align: center;
}

#contents {
text-align: left;
width: 400px;
margin-left: auto;
margin-right: auto;
}

<div id="contents">
Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
</div>

The width property is there to give the box a fixed size; without it the div would stretch across the whole page and there would be nothing to center. Now the contents box is centered horizontally.

checking prime numbers

Posted in Articles, C++ by Patrick on February 12, 2008

It’s amazing how many functions I found on the internet while I was writing a prime checker function, and none of these functions worked, which was very surprising. I learned a few things at least. When checking whether a number n is prime, you only have to test whether it is divisible by any value up to the square root of n: if n = a × b with a ≤ b, then a ≤ √n, so any divisor larger than √n has a partner that is found earlier. Numbers below 2 are not prime, and 2 is the only even prime.

The first twenty primes are 2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71

And as you probably know, a prime number is a positive integer greater than 1 that is divisible only by 1 and itself. The following C++ program prints the prime numbers below 50.

IsPrime.cpp

#include <iostream>

// Trial division: a divisor larger than sqrt(n) always has a partner
// smaller than sqrt(n), so testing i while i*i <= n is enough. The bound
// is written as i <= n / i so that i*i cannot overflow an int.
bool isPrime(int n) {
    if (n <= 1) return false;      // 0, 1 and negative numbers are not prime
    if (n == 2) return true;       // 2 is the only even prime
    if (n % 2 == 0) return false;

    for (int i = 3; i <= n / i; i += 2) {
        if (n % i == 0) return false;
    }
    return true;
}

int main() {
    // prints the primes below 50 (not the first 50 primes)
    for (int i = 0; i < 50; i++) {
        if (isPrime(i)) std::cout << i << " ";
    }
    std::cout << std::endl;

    std::cin.get();   // keep the console window open until Enter is pressed
    return 0;
}

This function was made rather quickly, but I’m pretty sure it works since the 50 first prime numbers were correct.
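As an added example (Python, not the post’s C++ and not the author’s code), here is the same trial-division check with the square-root bound computed exactly with math.isqrt, cross-checked against an independent sieve, together with helpers that make the difference between “the primes below 50” and “the first 50 primes” explicit. The function names are mine.

```python
import math


def is_prime(n):
    """Trial division. Only divisors up to floor(sqrt(n)) need testing: if
    n = a * b with a <= b, then a * a <= n, so a <= sqrt(n). math.isqrt gives
    the exact integer root, avoiding float rounding near perfect squares."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2                  # 2 is the only even prime
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def primes_below(limit):
    """The primes p with p < limit (what the C++ program in the post prints)."""
    return [n for n in range(2, limit) if is_prime(n)]


def first_n_primes(count):
    """The first `count` primes, which is not the same as primes_below(count)."""
    out, n = [], 2
    while len(out) < count:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def sieve(limit):
    """Sieve of Eratosthenes; used here as an independent check of is_prime."""
    flags = bytearray([1]) * max(limit, 0)
    if limit > 0:
        flags[0] = 0
    if limit > 1:
        flags[1] = 0
    for p in range(2, math.isqrt(max(limit - 1, 0)) + 1):
        if flags[p]:
            # cross out every multiple of p starting at p*p
            flags[p * p::p] = bytes(len(range(p * p, limit, p)))
    return [i for i, f in enumerate(flags) if f]


if __name__ == "__main__":
    print("primes below 50:", primes_below(50))
    print("first 50 primes end with:", first_n_primes(50)[-5:])
    print("agrees with sieve up to 100000:", primes_below(100000) == sieve(100000))
```

Checking against the sieve is the kind of test the post says the functions found online would have failed; the perfect-square case (for example 46341 × 46341) is where an `i < sqrt(n) + 1` loop written with floating point can go wrong on large inputs.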

secure hashes in PHP using salt

Posted in Articles, Security by Patrick on February 12, 2008

This tutorial shows the principle of using a salt to protect your password hashes. It’s written in my scripting language of choice, PHP, but the principle is the same whatever server-side language you use. Before going on, I’ll explain some facts that are good to know before reading the article.

Brute force
Brute force is a guessing technique: the attacker generates candidate passwords (every combination of characters up to some length, or every word in a list), runs each one through the same hashing algorithm the site uses, and compares the result with the stored hash. When the two match, the candidate is the password.

One way hashing
A hash function turns a string into a fixed-size fingerprint from which the string cannot be recovered. This is often called “one way encryption”, but it is not encryption: there is no key and nothing to decrypt. The most used ones are md5 (128-bit fingerprint) and sha1 (160-bit fingerprint). You might ask how we can make use of something that cannot be reversed. It’s quite easy: we never decrypt, we hash what the user typed and compare the result with the stored hash. Note that md5 and sha1 were designed to be fast, which is exactly what a password cracker wants, and both have known collision weaknesses; a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high iteration count) is the better choice for storing passwords today.

Whenever you store information about a user in your database, you most likely store the passwords as md5 or sha1 hashes. If not, you really have to think over your security, big time. Still, even if you hash the passwords, they can be cracked using brute force, rainbow tables (precomputed hash tables) or dictionary attacks once the hashes have leaked to the cracker. Unfortunately it’s very uncommon for users to pick a smart password, so it’s no use relying on them.

This is where salt comes in. A salt is a string that is added to the password before hashing it, and stored next to the hash. It’s not any harder to do than regular hashing. What the salt buys you depends on how you pick it: a random salt that is different for every user means that no precomputed table matches your hashes and that two users with the same password get different hashes, so each account has to be attacked on its own.

The principle of using salt

// this is what it normally looks like when hashing a string using md5
$password = md5($password);

// using a salt, you instead concatenate a string to the password before hashing it
$password = md5($salt.$password);

If we assume $password contains a very weak password, for example “abcdef”, it would be very easy to brute force on its own, and its plain md5 is already in every rainbow table. The salt doesn’t need to be complicated; what matters is that it is unique per user. One thing a salt does not do is turn a weak password into a strong one. You must assume that a cracker who stole the hashes also stole the salts (they sit in the same table) and can read how you combine them (that is in your source code), and with the salt in hand each guess costs just one hash, as before. The salt takes away the cracker’s shortcuts (precomputation, and cracking all users at once); only the password strength and the slowness of the hash decide how long the remaining work takes.

A salt can be as complicated or simple as you want it. Here is the simplest possible example.

Creating a simple salt

$password = "banana";
$salt = "aB1cD2eF3G";
$password = md5($salt.$password);

This works as a minimal illustration, but note what it is: one fixed string for the whole site. The string that actually gets hashed is “aB1cD2eF3Gbanana”, which is not in any generic rainbow table, so that attack is gone, and the user’s habit of choosing a short lowercase password no longer hands the cracker a precomputed answer. But every user shares the salt, so two users who both chose “banana” get the same hash, and a cracker who learns the salt can build one table that cracks everybody. A per-user salt (a random value generated when the account is created and stored in a column next to the hash) fixes that. Whether you put the salt before or after the password doesn’t matter; md5($password.$salt) works the same way.

I have seen it’s very common to combine different hash functions as well: derive the “salt” from the password itself with sha1 and md5, and then hash the password plus that value with md5 once more. This looks strong, but it is not a salt at all: everything fed into the final md5 is computed from the password alone, so the result is just a slightly more expensive fixed function of the password, the same for every user who picks it.

$password = "banana";
$salt = sha1(md5($password));
$password = md5($password.$salt);

This is the same as hashing the password with its own double hash appended:

md5("f8bbff024e7d04d98a349ccb0984ad85d8ba86fabanana");

Brute forcing this does not mean brute forcing the long string “f8bbff024e7d04d98a349ccb0984ad85d8ba86fabanana”; the cracker never has to guess that string. They guess “banana”, compute md5, sha1 and md5 once each and compare, exactly as with an unsalted hash, only three times as slow. And because nothing in the construction varies per user, one precomputed table for it cracks every account at once. The “million years and a supercomputer” only apply to the user who chose a genuinely strong password.

How to crack salted hashes
The cracker needs two things: the stored salt and the way it is combined with the password. Neither should be assumed secret. The salt is in the database that just leaked, and the combination is in your source code, which leaks or is guessed just as often (for a “salt” derived from the password, like the one above, there is nothing to leak at all). With both in hand, the cracker adds the salt to each guess before hashing it. It’s hard to explain in words, so here is an example.

// the derived-salt process from above, this is the "algorithm"
$salt = md5($password);
$password = md5($salt.$password);

// we suppose $test_string is the string being tested
// since this is brute force it will be many different strings:
// "a", "b", "c", "d" .. "aa", "ab" ... etc

// if md5(md5("abc") . "abc") is equal to
// md5(md5($password) . $password) then
// "abc" is the password we are searching for

// note the strict comparison: PHP's == treats strings that look like
// numbers (e.g. "0e123...") as numbers, so two different hashes can
// compare equal; use === (or hash_equals() in PHP 5.6+)
if (md5(md5($test_string) . $test_string) === md5($salt.$password))
    echo $test_string; // this is the password

To put it simply: once the cracker knows the salt and the algorithm, which you should assume, a salted hash of a weak password falls almost as fast as an unsalted one. What a per-user salt still guarantees is that no precomputed table helps and that the work has to be repeated for every account. To make each guess expensive as well, use a hash designed for passwords (bcrypt, scrypt or PBKDF2 with a high iteration count) instead of a single md5. I’m pointing this out so the flaws are clear.
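The three constructions above (plain md5, one site-wide salt, and a “salt” derived from the password) all share the weakness this section describes, and a random per-user salt with a slow hash is the fix. Here is an added example that runs a small dictionary attack against each of them. It is written in Python rather than the post’s PHP and is not code from the post; the user table, the passwords, the cracker’s wordlist and all function names are constructed for the demonstration, and the PBKDF2 iteration count is kept deliberately low so it runs in well under a second.

```python
import hashlib
import hmac
import secrets

# Constructed demo data (not real accounts): four users, two share a password.
USERS = {"alice": "banana", "bob": "banana", "carol": "letmein", "dave": "abcdef"}
# A constructed cracker's wordlist; real ones hold millions of entries.
WORDLIST = ["password", "123456", "abcdef", "letmein", "banana", "qwerty"]


def unsalted(pw):
    """md5($password): the baseline the post starts from."""
    return hashlib.md5(pw.encode()).hexdigest()


def static_salted(pw, site_salt="aB1cD2eF3G"):
    """md5($salt.$password) with one fixed salt for the whole site."""
    return hashlib.md5((site_salt + pw).encode()).hexdigest()


def password_derived(pw):
    """md5($password . sha1(md5($password))): looks salted, but every input is
    computed from the password alone, so it is just a fixed function of it."""
    inner = hashlib.sha1(hashlib.md5(pw.encode()).hexdigest().encode()).hexdigest()
    return hashlib.md5((pw + inner).encode()).hexdigest()


def crack_with_table(stored, scheme):
    """Attack for any scheme without a per-user value: hash the wordlist ONCE,
    then look every stored hash up. Returns (found, number of hash operations),
    and the work does not grow with the number of users."""
    table = {scheme(word): word for word in WORDLIST}
    found = {user: table.get(h) for user, h in stored.items()}
    return found, len(WORDLIST)


# The fix: a random salt per user plus a deliberately slow key derivation.
ITERATIONS = 10_000  # kept low for the demo; production uses far more


def make_record(pw):
    """Returns (salt, digest). Both are stored; the salt is not a secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def verify(pw, record):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)   # constant-time comparison


def crack_per_user(records):
    """With a unique salt per user there is nothing to precompute: the whole
    wordlist has to be re-derived for each account. Returns (found, KDF calls)."""
    found, work = {}, 0
    for user, record in records.items():
        found[user] = None
        for word in WORDLIST:
            work += 1
            if verify(word, record):
                found[user] = word
                break
    return found, work


def demo():
    """Runs the attack against all four schemes; returns {scheme: (all cracked?, work)}."""
    results = {}
    for name, scheme in (("unsalted", unsalted),
                         ("static salt", static_salted),
                         ("derived salt", password_derived)):
        stored = {u: scheme(p) for u, p in USERS.items()}
        found, work = crack_with_table(stored, scheme)
        results[name] = (all(found[u] == p for u, p in USERS.items()), work)
    records = {u: make_record(p) for u, p in USERS.items()}
    found, work = crack_per_user(records)
    results["per-user salt + PBKDF2"] = (all(found[u] == p for u, p in USERS.items()), work)
    return results


if __name__ == "__main__":
    for name, (all_cracked, work) in demo().items():
        print(f"{name:24s} all cracked: {all_cracked}  work: {work} hash/KDF calls")
```

Running it, the first three schemes fall with six hash operations in total, however many users there are, because the cracker hashes the wordlist once and looks every user up; the per-user scheme costs a full wordlist pass per account (17 KDF calls for these four users), and each of those calls is thousands of md5-equivalents slower. The weak passwords still fall, which is why password strength matters on top of the salt.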

This is how webmasters can protect their users from evil crackers or annoying skiddies that have come across a cracking program. Not many webmasters secure their website and salt their password hashes, though; some even leave the passwords in clear text in the database. So I’ll let my next article be about how to create strong passwords, so the users themselves can protect their password/account better. Strong passwords should be an obvious thing, but sadly they aren’t.