Monday, April 18, 2016

My REST API web service for WiFi access points

I've built https://www.wifi123456.xyz. It's a REST API web service that lets you retrieve and submit information about WiFi access points and their passwords. It's built in Haskell and uses PostgreSQL.

At the moment it's in alpha.

Saturday, April 9, 2016

My idea for creating strong passwords which can't be lost and are easily accessible.

Memorizing a long password isn't trivial, and changing one is difficult too. My idea is this: instead of memorizing a long, complicated password, what if we calculated a hash of a piece of text that is always available somewhere?

Say we have a favourite (or not necessarily favourite) book, movie or song. It can be in English, Chinese or Spanish regardless of our native language, so long as we're comfortable understanding it. We take one phrase from that book, movie or song and calculate SHA-3 of it. And Bob's your uncle, that's our password.

Note that we don't have to remember the whole phrase or phrases. We only need to remember which hash algorithm we applied and where that piece of text is located: the name of the book or song, or whatever it may be. Then, when we need to restore the password, we go to the Internet or wherever the text is stored, for example on our USB flash drive, take it, calculate the hash of it, and the password is restored.

To make it more secure, we could:
  - Take a few sequential phrases and mix them, or take them non-sequentially.
  - Add noise, for example "@" at the beginning and "#" at the end; that completely changes the hash, and hence the password.
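The scheme above carried out in code, as an added example that is not part of the original post. It assumes Python's hashlib (SHA-3 is available from Python 3.6) and uses constructed sample phrases standing in for lines of a book.

```python
import hashlib

# Added example, not the post's own code: derive a password from a phrase that
# can always be looked up again, following the scheme described above.
# The sample phrases below are constructed, standing in for lines of a book.

def derive_password(phrase, prefix="", suffix="", algorithm="sha3_256"):
    """Hex digest of prefix + phrase + suffix under the chosen hashlib algorithm.

    The "noise" is mixed in before hashing, so changing even one character of
    it, or of the phrase, yields a completely different digest.
    """
    h = hashlib.new(algorithm)
    h.update((prefix + phrase + suffix).encode("utf-8"))
    return h.hexdigest()


def derive_from_phrases(phrases, order, **kwargs):
    """Combine several phrases in a chosen order (sequential or not), joined by
    single spaces, and derive the password from the combined text."""
    combined = " ".join(phrases[i] for i in order)
    return derive_password(combined, **kwargs)


if __name__ == "__main__":
    lines = ["the quick brown fox", "jumps over", "the lazy dog"]
    print("one phrase      :", derive_password(lines[0]))
    print("with noise      :", derive_password(lines[0], prefix="@", suffix="#"))
    print("three, reordered:", derive_from_phrases(lines, [2, 0, 1], prefix="@", suffix="#"))
```

The digest adds no entropy of its own: the secret is the choice of text, the order and the noise, so a phrase and transformation that are easy to guess give a password that is easy to guess.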

FAQ

How is it better than memorizing a long password?
In this approach we don't have to memorize the whole string that is the password. We merely have to memorize where to get that piece of text and how to calculate the password from it. The bottom line is, even though we don't remember our password exactly, we can always calculate or restore it.

How can one calculate a hash of a piece of text?
In the terminal or in any programming language.

Will the password have to be calculated a few times each day manually?
Yes. But that can be automated.

At the moment this idea is rather raw and needs improvement.

Thursday, April 7, 2016

Multi-line strings in Haskell

When we have a very long string in Haskell, how can we break it across multiple lines without calling any function to concatenate it back? It turns out that Haskell has special syntax for that, the "string gap": a backslash at the end of one line and at the beginning of the next:

    longLine :: String
    longLine = "long_line1___\
               \long_line2___\
               \long_line3"

    main :: IO ()
    main = print longLine

    -- => "long_line1___long_line2___long_line3"

Sublime Text 3 doesn't highlight it properly. Nonetheless, it's valid and compiles.

Wednesday, March 30, 2016

Passing secrets in a URL is vulnerable

Today I saw a website with a REST API and an example of a request to it:

    curl "https://api.website.com/v1/entity/123?key=YOUR-API-KEY"

Note that it's a client-to-server REST API request, and there are no cookies being sent.

It reminded me of the dozens of websites with a REST API designed the same way that I've seen so far, where they pass the secret, the API key, in the URL. The protocol can be HTTP or HTTPS, but there's no difference. No matter how you slice it, the secret is sent in plain text and thus can be intercepted by a man-in-the-middle or seen in the logs on a server. And that's a vulnerability.

To fix this, the API key has to be passed in a request header.

UPDATE:

Actually, over HTTPS the path and query string after the domain name are not transmitted in the clear. The TLS handshake uses only the domain part of the URL; after that all the traffic, including the request path, is encrypted. However, depending on the web server's implementation and configuration, that part of the URL might or might not appear in the logs. Depending on the server's settings, even the POST data might be logged (Apache's mod_dumpio, for instance: httpd.apache.org/docs/current/mod/mod_dumpio.html).

Also, it can still appear in other places, such as browser history.
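A defender's check for the logging problem described above, as an added example that is not part of the original post: it scans access-log entries for credentials sent as query-string parameters and redacts them. It assumes the common "combined" log format (quoted request line); the SECRET_PARAMS list and the sample entries are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example, not the post's own code: detect and redact API keys that were
# sent as query-string parameters and therefore landed in an access log.
# SECRET_PARAMS and the sample log entries below are constructed assumptions.

SECRET_PARAMS = {"key", "api_key", "apikey", "token", "access_token", "secret"}

# The quoted request line of a "combined"-format entry: "GET /path?x=y HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def secret_params(target):
    """Return {name: value} for credential-carrying parameters in a request target."""
    query = urlsplit(target).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_PARAMS}

def redact_target(target):
    """Replace the value of every secret-carrying parameter with REDACTED."""
    parts = urlsplit(target)
    query = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def redact_log_line(line):
    """Rewrite the request line of one log entry; the rest of the entry is kept."""
    return REQUEST_LINE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["proto"]}"', line)

def scan_log(lines):
    """Yield (line_number, [leaked parameter names]) for entries exposing a secret."""
    for number, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and secret_params(m["target"]):
            yield number, sorted(secret_params(m["target"]))

SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2016:10:00:01 +0000] "GET /v1/entity/123?key=YOUR-API-KEY HTTP/1.1" 200 512',
    '203.0.113.6 - - [30/Mar/2016:10:00:02 +0000] "GET /v1/entity/123 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: secret in query string ({', '.join(names)})")
        print("   ", redact_log_line(SAMPLE_LOG[number - 1]))
```

A key sent in a header such as Authorization never reaches the request line, so the same log would contain nothing to redact.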

Thursday, March 24, 2016

The dependencies in JavaScript projects have played a trick on the developers using them.

Many JavaScript and Ruby developers have the habit of pulling in a dependency that is one line of code long instead of writing that line themselves. But one must remember that a dependency makes you dependent. Here's my previous article on the matter: http://www.alexmaslakov.com/2016/02/that-application-is-wise-which-has-less.html

And here you go:

http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/

Note that some of the dependencies in npm literally had one line of code.

Thursday, March 17, 2016

Dual-booting with 2 Linux distributions: Ubuntu and Arch and a separate partition for Home

On my laptop I have two Linux OSes, Ubuntu and Arch, and a separate partition for the home directory, which is convenient for sharing files between them. It's recommended, however, not to share the home directory completely, because even the same applications from the two OSes can clobber each other's files, such as configuration files. Thus I've given a different name to my default user in Arch. That way, in Ubuntu I have the user alex and in Arch I have the user arch. Here's what my home partition looks like:

    /home (/dev/sda5)
      /alex
      /arch

Each of them has its own Documents, Downloads, etc. directories. That's not wise, and I'm going to change it by linking those directories together so there won't be redundant copies:

    ln -s /home/alex/Documents /home/arch/Documents 
    ln -s /home/alex/Downloads /home/arch/Downloads 

And to no avail. The error occurred because the 2nd arguments, the directories under arch, were real and existed. It's impossible to link two real directories, because the whole idea of the ln command is to create a link from a virtual directory to a real one, and here both directories were real. Let's fix that:

    rm -rf /home/arch/Documents
    rm -rf /home/arch/Downloads

Now we can go back to square one and create the sym links all over again:
    ln -s /home/alex/Documents /home/arch/Documents
    ln -s /home/alex/Downloads /home/arch/Downloads

The same way we can create the links for the Music, Videos, .ssh and other directories.
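The same procedure as a function, as an added example that is not the post's own commands: it replaces the second user's directory with a symlink to the first user's, and when the directory already exists (the case that made ln fail above) it moves the contents across rather than deleting them with rm -rf. The temporary tree built in demo() is constructed; the user names alex and arch are taken from the post.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Added example, not the post's own commands: make the second user's directory a
# symlink to the first user's, merging anything it already holds instead of
# removing it with rm -rf. The temporary tree built in demo() is constructed.

def share_directory(src, dst):
    """Turn dst into a symlink to src; returns 'linked', 'merged' or 'already-linked'."""
    src, dst = Path(src), Path(dst)
    if not src.is_dir():
        raise FileNotFoundError(f"{src} is not a directory")
    if dst.is_symlink():
        if dst.resolve() == src.resolve():
            return "already-linked"
        raise FileExistsError(f"{dst} already points elsewhere")
    merged = False
    if dst.is_dir():
        # The case the post ran into: 'ln -s' cannot replace an existing
        # directory. Move its contents into src (refusing to clobber), then drop it.
        for entry in dst.iterdir():
            if (src / entry.name).exists():
                raise FileExistsError(f"{src / entry.name} exists; merge it by hand")
            shutil.move(str(entry), str(src / entry.name))
        dst.rmdir()
        merged = True
    elif dst.exists():
        raise FileExistsError(f"{dst} exists and is not a directory")
    os.symlink(src, dst)
    return "merged" if merged else "linked"

def demo(names=("Documents", "Downloads")):
    """Run the procedure twice in a throwaway copy of /home/alex and /home/arch."""
    root = Path(tempfile.mkdtemp())
    alex, arch = root / "alex", root / "arch"
    for name in names:
        (alex / name).mkdir(parents=True)
    (arch / "Documents").mkdir(parents=True)           # pre-existing real directory
    (arch / "Documents" / "note.txt").write_text("kept")
    first = {n: share_directory(alex / n, arch / n) for n in names}
    second = {n: share_directory(alex / n, arch / n) for n in names}
    return {"first": first, "second": second,
            "is_link": (arch / "Documents").is_symlink(),
            "note": (arch / "Documents" / "note.txt").read_text()}
```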