Friday, February 5, 2016

Upgrading cabal of Haskell in Linux

When updating cabal, one might get this:

$ cabal update
$ cabal install cabal-install cabal
.......
Linking dist/build/cabal/cabal ...
Installing executable(s) in /home/alex/.cabal/bin
Installed cabal-install-1.22.8.0

$ cabal --version
cabal-install version 1.16.0.2
using version 1.16.0 of the Cabal library
Where is cabal we just installed gone? And the answer is that it's at /home/{your_user}/.cabal/bin And the old one is at /usr/bin/cabal How can we fix that? We should add the path to the newer version to PATH. As a rule, I do that via ~/.bashrc:

$ vim ~/.bashrc
And then

export PATH=/home/alex/.cabal/bin:$PATH
$ source ~/.bashrc
To ensure from now on the newer version of cabal will be used:

$ cabal --version
cabal-install version 1.22.8.0
using version 1.22.7.0 of the Cabal library 

Monday, February 1, 2016

Statics in Rust aren't that simple

1) Suppose we have this:

static MY_STATIC = 123;
fn main() {
  println!("MY_STATIC = {}", MY_STATIC);
}
That gives a compilation error: expected ':', found '=' The type of a static has to be defined, let's fix that:

static MY_STATIC: i32 = 123;
And it gives us:

// =>
MY_STATIC = 123
2) Let's create 2 static variables with the same name but in the different lexical scopes:

static MY_STATIC: i32 = 123;
fn main() {
  println!("MY_STATIC = {}", MY_STATIC);
  
  static MY_STATIC: i32 = 456;
  println!("MY_STATIC = {}", MY_STATIC);
}
And it compiles well and only a single warning implies that something is a little wrong:

warning: static item is never used: `MY_STATIC`, #[warn(dead_code)] on by default
static MY_STATIC: i32 = 123;

// =>
MY_STATIC = 456
MY_STATIC = 456
3) Let's add one more function and print the value of the global static variable in it:

static MY_STATIC: i32 = 123;
fn main() {
  println!("MY_STATIC = {}", MY_STATIC);
  
  static MY_STATIC: i32 = 456;
  println!("MY_STATIC = {}\n", MY_STATIC);
  func2();
}

fn func2() {
  println!("MY_STATIC = {}", MY_STATIC);
}

// =>
MY_STATIC = 456
MY_STATIC = 456
MY_STATIC = 123

Wednesday, January 27, 2016

Is stackoverflow.com still worth it spending your time answering the questions?

I think not because it's already too late to catch up with those who have been there since the beginning and, thus have the rating of hundred of thousands points. And also nowadays it's more difficult to give an answer to a question right off the bat simply because most of fundamental and simple questions have already been answered. 

The bottom line, I suggest that you spend on the matter only a small amount of time and think of it as a supplement for getting traffic for your blog or building your online profile for potential employers.

Thursday, December 3, 2015

Making a variable in a loop in javascript evaluate immediatelly

Suppose we have this code:

var td;
for (var i = 1; i < 10; i++) {
  td = document.getElementById('td_' + i);
  if (typeof window.addEventListener === 'function') {
    
    td.addEventListener('click', function() {

      // td is evaluated when the 'click' event occurs and 
      // by then "i" == 10
      console.log(td); 
    
    });

  }
}

console.log(td2) will print "td_10" each time. Why? Because the value of "td" doesn't get evaluated immediately. It's evaluated when the even "click" occurs. And it occurs somewhere after the loop when the variable "i" is equal to 10.

To make "td" evaluate right away, we need to pass it as an argument to a self-invoked function.

var td;
for (var i = 1; i < 10; i++) {
  td = document.getElementById('td_' + i);
  if (typeof window.addEventListener === 'function') {
    
    ///
    // self-invoked function
    (function (td2) {
      
      td.addEventListener('click', function() {
      
        // td2 (being equal to td) is evaluated right away. 
        // When the 'click' event occurs, "i" will have the value of 1 to 9
        console.log(td2); 
      
      });


    })(td);
    ///

  }
}

Tuesday, July 21, 2015

Timing attacks

What are the timing attacks?

The timing attacks are the ones that are applicable when it takes different time for an application to compare the provided secret with the original one. When does it take the different time? When comparison is performed symbol by symbol and stops once the current symbols in the provided secret is different from the current symbol in the original one.

def compare_secrets(secret_original, secret_provided):
  if len(secret_original) != len(secret_provided):
    return False

  for x in secret_original:
    for y in secret_provided:
      if x != y:
        return False

  return True


It takes one amount of time to compare the same passwords or strings, for the different ones it takes another, less, amount.

One can, however, argue that the time difference is so negligible so that it's impossible to exploit this vulnerability. Against all the odds, it is possible. My code had this vulnerability https://github.com/GildedHonour/rust-jwt/issues/1

How to exploit it?

Try to brute-force the password and measure the time it takes for the application to respond. When the current attempt takes less time than the previous one, it implies that the current password partially matches the original one. That is, the less time is takes, the larger amount of symbols match. By keeping brute-forcing the password and analyzing the response time, you can eventually find the password.

How to protect your code?

Don't break the process when the symbols are different. When it comes to performance, it's, indeed, not efficient. However, from the point of view of security this code is safe.


 def compare_secrets(secret_original, secret_provided):
  res = True
  for x in secret_original:
    for y in secret_provided:
      if x != y and res == True:
        res = False

  return res

Thursday, July 9, 2015

Deploying a Rails 4 application on Heroku.com with the assets on Amazon S3

I had a task to deploy a Rails 4 application to heroku.com and make it serve the assets from Amazon S3. After a couple of days trying to do that through trial and error I eventually made it work. Here's how to do that:

1) Precompile the assets locally

rake asset:precompile

What this command does is:

a) Combines them into the single css and js files
b) Copies them to public/assets
c) Creates public/assets/manifest-.json


2) Upload them to S3 manually. I suggest avoid using gems when possible. The less gem and dependencies you use, the better it is. This is because using gems makes our job even more difficult: not only do they require us to learn their interfaces, they may have errors in them.

For example, the latest version of the most popular gem asset_sync for synchronizing assets was in the state "tests failed" when I was working on the task.

And in general, in order to better understand what's going on under the hood, you have to avoid using high-level stuff.

To upload assets to S3 you can use an utility called s3cmd. I think that's the only way to do it and there's no way to do it via a browser.


cd public

s3cmd . s3://your-bucket-name

where the "." denotes your current directory being public.

Sunday, June 21, 2015

When working on a website or application, it's better not to waste your time trying to make it perfect. Instead you should focus on making it work first, creating a simple demo. And the faster you go, the better it is.

Only after the first demo is finished, you can massage it by refactoring the code,
dealing with the performance, etc. But not at beginning, otherwise you'll never finish it.