Jerome.
----- Forwarded Message -----
From: notifications(a)xwiki.org
To: notifications(a)xwiki.org
Sent: Friday, August 6, 2010 12:00:18 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: [xwiki-notifications] XWiki updates, 9 documents have been modified since 2010/08/05 00:00
Contents
• dev
• Community
• Release Plans
• Release Plans Archives
• IRC
• IRC Archive for channel #xwiki
• platform
• DevGuide
• XWiki API Reference
• XWiki JavaScript API
• xwiki
• XWiki
• ChristophDewes
• JarbasJunior
• guenter
• pmarzouk
Hello Developers,
This message is sent by XWiki. Here are the documents in your watchlist that have been modified since the last notification:
dev
Community
Release Plans
Community.ReleasePlans
On 2010/08/05 13:49, the document has been modified by Thomas Mortagne
* [[API doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]] ([[core>>http://maven.xwiki.org/releases/com/xpn/xwiki/platform/xwiki-core/]] [[rendering>>http://maven.xwiki.org/releases/org/xwiki/platform/xwiki-core-rendering-api…)
doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]]
|= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail
= 2.3.2 =
(% style="width: 100%;" %)
|=(% colspan="3" %)Update translations
|= CORE |= XE |= WYSIWYG
| x| x| x
(% style="width: 100%;" %)
|=Module |= Version |= Jira |= Maven |= OW2
| xwiki-core | 2.3.2| x| x| -
| xwiki-plugin-skinx| 1.13.1| x| x| -
| xwiki-platform-web | 2.3.2| x| x| -
| xwiki-product-enterprise | 2.3.2| x| x|x\\
| xwiki-product-enterprise-manager| 2.3.2| x| x|x
(% style="width: 100%;" %)
|= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail
|x|x| x|x| x|x| x|x|x
author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne
Release Plans Archives
Community.ReleasePlansArchives
On 2010/08/05 13:49, the document has been modified by Thomas Mortagne
= 2.3.2 =
(% style="width: 100%;" %)
|=(% colspan="3" %)Update translations
|= CORE |= XE |= WYSIWYG
| x| x| x
(% style="width: 100%;" %)
|=Module |= Version |= Jira |= Maven |= OW2
| xwiki-core | 2.3.2| x| x| -
| xwiki-plugin-skinx| 1.13.1| x| x| -
| xwiki-platform-web | 2.3.2| x| x| -
| xwiki-product-enterprise | 2.3.2| x| x|x\\
| xwiki-product-enterprise-manager| 2.3.2| x| x|x
(% style="width: 100%;" %)
|= Release notes |= Update download page |= News on OW2 |= News on xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= Wikimatrix |= ANN Mail
|x|x| x|x| x|x| x|x|x
parent: Scheduler.ReleasePlans > ReleasePlans
author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne
IRC
IRC Archive for channel #xwiki
IRC.xwikiArchive20100805
Between 2010/08/05 01:24 and 2010/08/05 21:48, the document has been modified 3 times, by 1 user: Sergiu Dumitriu
#includeForm("IRC.IRCArchiveClassSheet")
IRC.IRCArchiveClass
channel:
#xwiki
content:
abusenius left at 01:24 (Quit: Konversation terminated!
sdumitriu left at 02:23 (Ping timeout: 240 seconds
tsziklay left at 03:12 (Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]
boscop_ joined #xwiki at 03:53
boscop left at 03:56 (Ping timeout: 265 seconds
MartinCleaver left at 04:35 (Quit: MartinCleaver
venkatesh joined #xwiki at 05:49
kibahop joined #xwiki at 08:27
LadySerena left at 08:36 (Quit: Time to sharpen my claws!
asrfel joined #xwiki at 08:41
sdumitriu joined #xwiki at 08:52
Enygma` joined #xwiki at 08:52
mflorea joined #xwiki at 08:56
lucaa joined #xwiki at 08:56
florinciu joined #xwiki at 09:05
tmortagne joined #xwiki at 09:06
tmortagne left #xwiki at 09:06
mflorea left at 09:21 (Quit: Leaving.
tmortagne joined #xwiki at 09:23
mflorea joined #xwiki at 09:24
vmassol joined #xwiki at 09:32
mflorea - (09:36): guys, how can I delete a translation of a wiki page?
tmortagne left at 09:36 (Quit: Leaving.
sdumitriu - (09:37): mflorea: Add ?language=xz in the /delete/ URL
tmortagne joined #xwiki at 09:38
mflorea - (09:38): let me try
sdumitriu - (09:38): Works only if that’s not the default language of the document
ztane - (09:48): how do I get the password reset dialog working on a private wiki? :)
vmassol left at 09:50 (Quit: Leaving.
KermitTheFragger joined #xwiki at 09:54
tmortagne - (09:54): sounds like a long proposal :)
mangroovie joined #xwiki at 09:54
ztane - (09:56): hmm maybe should go for ldap
sdumitriu - (09:56): ztane: Private = forbid unauthenticated view?
ztane - (09:57): yes
ztane - (09:58): enterprise extranet wiki :))
cjdelisle - (09:59): It has been a long time coming. Oddly enough there aren’t a real lot of services provided.
ztane - (09:59): do not want anything to leak out to nonauthorized, except the password reset form
jvdrean joined #xwiki at 10:04
sdumitriu - (10:11): ztane: Sorry, that’s not possible yet
sdumitriu - (10:12): Preventing unauthenticated access really prevents it
abusenius joined #xwiki at 10:21
vmassol joined #xwiki at 10:23
cjdelisle - (10:28): abusenius: Any thing else you need in xwiki-crypto? (working on the proposal)
abusenius - (10:32): hm, no, just the methods for storing/loading certs/keys that we might want put elsewhere
abusenius - (10:32): *to put
cjdelisle - (10:33): Yea, IMO load/store is not really in the scope of crypto.
abusenius - (10:35): should I move it to signedscripts? that’s the only place it’s used atm
cjdelisle - (10:36): *distraction: IPv6 is a joke, 19.0.0.0 - 19.255.255.255 is Ford Motor Company ip space, it is not even announced to the backbone routers.
cjdelisle - (10:36): What car company doesn’t need 16,000 unused ips?
abusenius - (10:36): *IPv4?
cjdelisle - (10:37): IP6 is a joke because like 40% of ip4 numbers are routed, 3% respond to pings.
abusenius - (10:37): it’s a good investment, they will be able to sell it for a lot of money quite soon :)
cjdelisle - (10:37): Not if arin/ripe catch you.
abusenius - (10:37): well, it’s just that nobody uses them
abusenius - (10:38): well, that’s another question
cjdelisle - (10:38): Well not nobody, some halliburton space suddenly started getting announced from eastern europe.
cjdelisle - (10:38): spam spam spam spam
cjdelisle - (10:41): Halliburton 34.0.0.0 - 34.255.255.255 (to their credit they announce a couple hundred ips in that range and run their site in it.)
abusenius - (10:42): I’ve read somewhere that one of the problems is that they used to give just 2 types of ip ranges, 255.255.255.0 for "small" companies and 255.0.0.0 for "big" companies :)
cjdelisle - (10:45): that 255.255.255.0 is called a /24 because 24 of the 32 bits are defined. 255.0.0.0 is a /8, nobody can get a /8 anymore, they gave them out in like 1991.
cjdelisle - (10:46): You guys can still get a /24 for like 150€ but arin won’t sell anything smaller than a /20.
cjdelisle - (10:48): The problem is provide independent space means you announce your (tiny little) range to all of the backbone routers and the global routing tables get so huge they need bigger routers.
cjdelisle - (10:50): What’s easiest for the backbone is if 192 routes to usa, 64 routes to chicago, 32 routes to some isp and 25 routes to the specific computer. Except 192 range is not like that, 192.64.32.1 might be a computer in chicago and 192.64.33.1 might be in estonia.
sburjan joined #xwiki at 10:52
cjdelisle - (10:57): humpf... decryption succeeded with wrong password. I think it decrypted to garbage but I have to check...
abusenius - (10:57): we might want to check if the output == input
cjdelisle - (11:00): yup, repeating the test in loop 0-1000
cjdelisle - (11:01): if the output is the same length, I think the padding scheme doesn’t notice anything is wrong.
cjdelisle - (11:01): indeed, I already have a bad decryption.
abusenius - (11:03): in theory, a wrong password might decrypt to any meaningful text, but the probability is very very low
cjdelisle - (11:04): hmm, actually the key would have to be as long as the original text to decrypt to anything.
cjdelisle - (11:05): I remember someone talking about an algorithm which would decrypt to various things based on the password given.
cjdelisle - (11:05): It would be pretty obvious to a cryptographer though that there was more to it though.
abusenius - (11:06): well, if the key is as long as the text, then you can decrypt to any text of the same length
abusenius - (11:07): if the key is shorter, the number of possible decryptions is much smaller
cjdelisle - (11:07): But it brings up an interesting topic, if you xor "illegal data" against random and publish the random on one server and the output on another, which server gets the takedown notice?
abusenius - (11:07): but one of them might still be meaningful
cjdelisle - (11:08): It’s essentially impossible to determine random from something xor’d against random.
cjdelisle - (11:09): 4 collisions.
abusenius - (11:09): well, you can easily invent any content you want :)
abusenius - (11:09): what are you encrypting?
cjdelisle - (11:10): I just rigged the test to repeat trying to decrypt with the wrong password and dump any time it collides.
Enygma` left at 11:10 (Ping timeout: 276 seconds
cjdelisle - (11:10): decryptWithWrongPasswordTest() * 1000
abusenius - (11:11): so "collision" = successful decryption to garbage?
cjdelisle - (11:11): yup.
cjdelisle - (11:11): done. 4/1000 tries.
abusenius - (11:11): the only way decryption algorithm can distinguish "meaningful" text from garbage is the padding
kibahop left #xwiki at 11:12
cjdelisle - (11:12): IMO it should output garbage every time it fails. Imagine trying to password guess that :D
abusenius - (11:12): so if the garbage by chance contains one byte of correct padding, it will succeed
abusenius - (11:12): well, you can check for printable character for example
cjdelisle - (11:12): yup, check for invalid utf8
cjdelisle - (11:13): imagine encrypting an mp3, basically any text is valid in an mp3
cjdelisle - (11:13): or mpeg4
abusenius - (11:13): there is a header you can try to match
abusenius - (11:14): frames etc.
abusenius - (11:14): but it is harder
abusenius - (11:14): that’s one of the reasons people first compress, then encrypt :)
cjdelisle - (11:16): Yea, it would be tough trying to beat this algorithm though, it took like 5 minutes for 2000 cycles of scrypt, I could make it take longer with config too.
cjdelisle - (11:27): proposal sent.
mangroovie left at 11:29 (Ping timeout: 252 seconds
cjdelisle - (11:41): I don’t see the user manager in the sandbox, is it written? (http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule)
abusenius - (11:42): it is very new imo, probably not yet
cjdelisle - (11:45): The proposed interface looks like it can only be implemented using some sort of String USER_CLASS = "XWiki.XWikiUsers";
cjdelisle - (11:47): Maybe I should propose a best practice that we never make the core depend on the content of the database. AKA hardcoding document names.
abusenius - (11:51): which interface?
cjdelisle - (11:53): defined here http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule
mangroovie joined #xwiki at 11:53
venkatesh left at 11:53 (Ping timeout: 265 seconds
abusenius - (11:54): ah, ok
abusenius - (11:56): maybe, I "never ever" rule is quite unrealistic though
abusenius - (11:56): s/I/a/
cjdelisle - (11:58): Well that’s how all best practices are, sometimes you are just plain painted into a corner.
cjdelisle - (11:58): I usually end up throwing away code when that happens.
abusenius - (12:01): moved cert storage methods out of crypto, about to commit
cjdelisle - (12:01): there was storage in crypto?
cjdelisle - (12:02): I don’t see it...
abusenius - (12:03): well, user document utils were misused for that
abusenius - (12:04): I mean listinf fingerprints etc.
abusenius - (12:04): *listing
venkatesh joined #xwiki at 12:04
cjdelisle - (12:04): Oh, I haven’t looked there in a while. thanks ;)
cjdelisle - (12:04): k I think I know how you can validate a cert.
cjdelisle - (12:05): Take the webid and do a http get on it, you’ll get the foafssl stuff.
cjdelisle - (12:06): We can also set it up so you get a list of signed permissions granted to the user.
abusenius - (12:07): yea, we could do that
cjdelisle - (12:07): parse those permissions, extract cert from signature, recurse.
cjdelisle - (12:08): It will be awesome but slooooooow.
cjdelisle - (12:09): hmm, maybe not if the user pages get cached.
abusenius - (12:09): the recursion would not be very deep
abusenius - (12:09): unless we overdo it :)
venkatna joined #xwiki at 12:10
abusenius - (12:10): it should be something like admin -> user permission -> cert
cjdelisle - (12:10): What’s awesome about it is I can be on one wiki and give you permission on another, you can then give permissions to people on my wiki.
venkatesh left at 12:10 (Ping timeout: 248 seconds
abusenius - (12:11): not that everybody was waiting to do that all their life, but yea, would be possible :)
cjdelisle - (12:12): I don’t expect anyone beating a path to the door for it but I can see in the future there might be applications.
cjdelisle - (12:13): If I grant admin authority to an admin of another wiki, all of their wiki’s users get defacto permissions on mine.
cjdelisle - (12:15): the escaping test makes a nice DoS engine.
abusenius - (12:16): :)
cjdelisle - (12:17): Have you seen Websecurity?
abusenius - (12:18): not sure what you mean
abusenius - (12:18): afk for lunch
cjdelisle - (12:19): http://www.websecurify.com/
cjdelisle - (12:19): I’ll go find something to eat too.
florinciu1 joined #xwiki at 12:39
florinciu left at 12:44 (Ping timeout: 276 seconds
florinciu1 left at 12:46 (Read error: Connection reset by peer
florinciu joined #xwiki at 12:47
sylviarusu joined #xwiki at 12:56
florinciu left at 13:05 (Ping timeout: 240 seconds
florinciu joined #xwiki at 13:08
tmortagne - (13:10): cjdelisle: i’m not sure i understand what you mean in XWIKI-5390
cjdelisle - (13:10): http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
cjdelisle - (13:11): all still version 1.7
tmortagne - (13:12): cjdelisle: there is a hudson project for it already, it has been disabled some time ago because we had issue with javadoc plugin think
tmortagne - (13:12): s/think/I think/
cjdelisle - (13:13): I see, I can try to see if I can get it working again.
tmortagne - (13:13): yep
cjdelisle - (13:13): It’s pretty important because that’s the only place to get javadoc for XWikiDocument etc.
tmortagne - (13:14): cjdelisle: well there is m2Eclipse automatically downloading javadoc/source too ;)
tmortagne - (13:14): which is very useful
tmortagne - (13:15): but it’s only for released projects
cjdelisle - (13:15): When I wrote the DevGuide.Scripting I had to reference some javadoc so I chose that.
cjdelisle - (13:15): Because it’s hosted.
cjdelisle - (13:16): If I can get this working then I see no reason to keep uploading .zip files to xwiki.org so that will close another issue.
cjdelisle - (13:16): Make any sense?
tmortagne - (13:17): cjdelisle: it’s not the same thing
tmortagne - (13:17): this job deploy trunk javadoc
tmortagne - (13:17): in xwiki.org we provide specific releases javadoc
cjdelisle - (13:17): hmm. good point. Maybe we can have hudson build from branches?
tmortagne - (13:17): what should be done in xwiki.org is having something more dynamic that get the proper javadoc from maven.xwiki.org files instead of having to attach
tmortagne - (13:18): i want to add this since a long time in zip plugin but never had the time
cjdelisle - (13:18): in the zip plugin?
tmortagne - (13:19): the xwiki plugin which is used to view the javadoc inside the zip file attached to the page
tmortagne - (13:19): http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-render…
cjdelisle - (13:19): make it able to load a page hosted somewhere else?
cjdelisle - (13:19): s/load a page/read a zip/
tmortagne - (13:20): yes make it able to work with a zip from anywhere and not only an attached file
cjdelisle - (13:20): hmm, as long as it can’t be exploited to... say open really big zips somewhere?
abusenius - (13:21): re websecurity, no, haven’t seen it before
cjdelisle - (13:22): I was talking to a guy who mentioned if you can convince a bot to download a file, feed it a linux .iso
tmortagne - (13:23): cjdelisle: you can always indicate a maximum size
abusenius - (13:23): we should try some tools like websecurity on xwiki at some point, but not now (would be too disappointing ^^)
florinciu left at 13:23 (Ping timeout: 258 seconds
cjdelisle - (13:23): abusenius: I see a bunch of FATAL: not escaping single quote.
cjdelisle - (13:23): I don’t think even escapetoo.xml escapes single quotes.
tmortagne - (13:24): checking something: i think there is something about javadoc in nexus actually
abusenius - (13:24): it does
abusenius - (13:24): getXMLEncoded doesn’t
cjdelisle - (13:24): That’s right :)
abusenius - (13:24): afaik
abusenius - (13:24): it is technically correct to not escape single quotes in URL
abusenius - (13:25): but not secure, because a href=’bla’ is also correct
cjdelisle - (13:25): no getXMLEncoded escapes ’ to and it becomes ’ which breaks everything
abusenius - (13:25): ah, right
tmortagne - (13:25): cjdelisle: http://nexus.xwiki.org/nexus/service/local/repositories/releases/archive/co…
tmortagne - (13:25): tadaa
cjdelisle - (13:25): cool. I wish it said something like /latest/
tmortagne - (13:26): maybe there is something
tmortagne - (13:27): i will at least modify the API page to go there and stop attaching files
abusenius - (13:27): is it possible to link javadocs for *all* components on DevGuide/API ?
abusenius - (13:28): currently it only lists core
tmortagne - (13:28): abusenius: and rendering ;)
tmortagne - (13:28): but yes it should be more than these two
tmortagne - (13:28): should be at least important components
abusenius - (13:28): yea, but you need to do voodoo magic to find other docs :)
cjdelisle - (13:29): That was a nice thing about maven.xwiki.org was everything was linked together.
tmortagne - (13:31): cjdelisle: you mean maven.xwiki.org/site ?
cjdelisle - (13:31): yup
cjdelisle - (13:32): *idea* What if we added the svn location to the class javadoc comment in each class, then it will make a link in each javadoc pointing to the source.
cjdelisle - (13:32): Maybe svn config will do the trick.
abusenius - (13:33): wasn’t there a configuration option for javadoc for that?
tmortagne - (13:34): cjdelisle: there is probably some maven javadoc plugin configuration we could use for it
cjdelisle - (13:34): I don’t know that the javadoc would know where the files are hosted in svn, it sure would be nice though to have a docjar style [source] button
abusenius - (13:35): (but maybe I saw it in doxygen, not sure)
cjdelisle - (13:36): I really like this format everything is linked from there. http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/index.html…
abusenius - (13:38): http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/javadoc.html#…
cjdelisle - (13:39): abusenius: I see three tests in error: Blog/Publisher.xml Panels/CreatePanel.xml templates/createinline.vm Do you want to do something to them before putting the tests in the tree?
abusenius - (13:40): let me see
cjdelisle - (13:40): Creates an HTML version of each source file (with line numbers) argh.. hate line numbers.
abusenius - (13:41): well, better than nothing
abusenius - (13:43): I could put those tests in error onto ignore list
cjdelisle - (13:43): also I like the idea of pointing to the actual svn server.
abusenius - (13:43): 2 of them fail because the xredirect is properly escaped, but my test string isn’t a URL
abusenius - (13:43): 1 fails with 409, no idea why
abusenius - (13:44): there are already a dozen or so ignored tests in error
cjdelisle - (13:46): Hmm, you really ought to have commit access so you can work on this once it’s in the tree, unfortunately it’s tough to get a quorum on anything right now.
florinciu joined #xwiki at 13:46
venkatna left at 13:47 (Quit: Leaving
abusenius - (13:48): can it be (sym)linked to sandbox?
cjdelisle - (13:50): I don’t know what svn does with symlinks.
abusenius - (13:51): I think on all decent operating systems it works fine :)
cjdelisle - (13:51): Websecurity is a pretty good DoS cannon, when I ran it locally, my wiki eventually just ceased up and refused to serve anything.
abusenius - (13:52): checkout on windows would create a copy of the directory
tmortagne - (13:53): i doubt svn will support sym links anyway
tmortagne - (13:53): especially svn 1.4
abusenius - (13:53): ok, if the svn server is 1.4 then we can forget it
abusenius - (13:54): why is it 1.4 btw? it’s like stone age...
tmortagne - (13:55): i agree
tmortagne - (13:55): i’m asking for an upgrade since ages
cjdelisle - (13:55): blah, hudson ceased up in wysiwyg test. Lets see if I can kill the build...
cjdelisle - (13:56): yay I did something.
cjdelisle - (13:58): last time the javadoc build ran out of swap space (so it says). I’ll try running it and see what happens this time.
vmassol left at 13:58 (Quit: Leaving.
sburjan - (14:08): cjdelisle, : was the implementation hard ? I mean .. understanding that technical paper and then implementing
cjdelisle - (14:08): re scrypt?
sburjan - (14:08): We had to implement DES and AES from specs like these..and it was HORRIBLE
sburjan - (14:08): yes
cjdelisle - (14:08): It wasn’t too bad because there was a reference implementation in c
sburjan - (14:09): oh, so you didn’t write it from scratch
cjdelisle - (14:09): It definitely is not AES.
sburjan - (14:09): it’s stronger than AES, right
sburjan - (14:09): AES is totally hard (at least for me)
cjdelisle - (14:09): It does something different.
sburjan - (14:09): yeah, I know
cjdelisle - (14:10): The point is that there is no way to go from the password to the key without using x amount of ram for y cpu cycles of time.
cjdelisle - (14:10): Fortunately it uses PBKCS2 which I could rip from bouncycastle.
sburjan - (14:10): but basically this is a much more complex hash function, right ?
cjdelisle - (14:11): yup.
sburjan - (14:11): md5 is birthday paradox vulnerable
sburjan - (14:11): I guess this isn’t :)
cjdelisle - (14:11): It uses PBKCS2, and it uses salsa20
cjdelisle - (14:11): ahh, PBKCS2(Sha-256) :)
cjdelisle - (14:12): yea md5 is bad.
sburjan - (14:12): oh :))
sburjan - (14:12): md5 is obsolete
sburjan - (14:12): interesting
sburjan - (14:12): I never understood properly the algebra behind crypto systems
sburjan - (14:13): although i wanted to :)
cjdelisle - (14:13): This isn’t really crypto.
cjdelisle - (14:13): It’s just designed to take a long time.
cjdelisle - (14:13): So it generates an absurd amount of data. Then it takes an int from 4 bytes of a hash output and gets the data at the location of that int.
cjdelisle - (14:14): The idea is you can’t safely throw away any of that data because you might need it.
sburjan - (14:14): I see
sburjan - (14:14): so this happens for all the new passwords ?
sburjan - (14:14): new user accounts, etc ?
sburjan - (14:15): I nea this happens for every password
cjdelisle - (14:15): So it keeps seeding the hash with pieces of the big block of data, then it takes the output and feeds it to PBKDF2 again.
sburjan - (14:15): *mean
cjdelisle - (14:16): No it it’s just a service at the moment, once I convince everyone to include it in the tree, then we can think about using it for the user accounts.
sburjan - (14:16): so what do you hash with these service more exactly ?
cjdelisle - (14:16): Passwords.
sburjan - (14:16): so only user passwords. or are there another type of passwords ?
sburjan - (14:17): that are used in xwiki
cjdelisle - (14:17): It is intended to be useable for the user accounts, I just want to put the code there before we even talk about implementing it for user passwords.
cjdelisle - (14:17): Sure, any password can be handles by this.
sburjan - (14:17): I see
cjdelisle - (14:17): s/handles/handled/
abusenius - (14:17): btw, XWIKI-70 is the oldest bug (i.e. not feature request or task) atm
sburjan - (14:18): so it is collision free ? or you made it like this in order to take as far as possible advantage of collisions
Enygma` joined #xwiki at 14:18
cjdelisle - (14:18): It is as collision resistant as pbkdf2(sha256)
cjdelisle - (14:19): because the password is included in the final hash.
sburjan - (14:19): yeah, but the time to find another string that hashes the same... requires much more time due to y ram and x cpu cycles, right ?
cjdelisle - (14:20): Well the main attack vector is password guessing with word lists.
cjdelisle - (14:20): so it’s not really a collision but the real password that is most likely to be found.
sburjan - (14:20): hmmm
sburjan - (14:21): dictionary attack ? :)
cjdelisle - (14:21): This makes it difficult because it occupies 1MB of ram for about 100milliseconds.
sburjan - (14:21): i see
cjdelisle - (14:21): These numbers are configurable.
sburjan - (14:21): but the actual auth mechanism is comparing the hash from db with the hash(typed password), right ?
cjdelisle - (14:21): The default scrypt takes 200MB for 5 seconds.
sburjan - (14:22): like md5 is still used
cjdelisle - (14:22): It’s a little more complicated than that, but that’s the idea.
sburjan - (14:22): I see
cjdelisle - (14:22): You have a PasswordVerificationFunction which is Serializable and includes all of the information to recreate the same output given the same password.
cjdelisle - (14:23): that is the salt, the memory cost number, and the processor cost number.
sburjan - (14:23): yeah..
sburjan - (14:23): interesting
cjdelisle - (14:24): So you load the code from the database, deserialize, and feed it the password to validate.
cjdelisle - (14:24): If we decide in the future to change the function, all we need to do is create a new function and start using it for all new passwords.
sburjan - (14:24): so each password is serialized in an object that is stored in the db ?
cjdelisle - (14:25): the output from hashing the password is a byte[] in the object yes.
sburjan - (14:25): I see
sburjan - (14:25): pretty cool
cjdelisle - (14:26): http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/ja…
sburjan - (14:26): and what is the memory and cpu cost going in the equation?
sburjan - (14:26): when "hashing" the inputted password in order to compare it from the serialized object ?
cjdelisle - (14:27): Configurable, but I have it set to 1Mb for 100ms by default.
sburjan - (14:28): yes, but what operation is slowed down intentionally with the ram and CPU thing ?
cjdelisle - (14:28): indeed, you can’t have everything :)
boscop_ is now known as boscop (~boscop(a)g227154161.adsl.alicedsl.de
sburjan - (14:30): no no .. where is the slow down come in place ?
sburjan - (14:30): this this slows down .. you wanted this.. cpu cycles, etc
cjdelisle - (14:31): ?
sburjan - (14:32): you force the system to work in time. to be limited by ram and CPU
sburjan - (14:32): not to take advance of the full computational powers of a possible attacker
cjdelisle - (14:32): If the system is under heavy load when the user registers, then their crypted password will be weaker.
cjdelisle - (14:33): decrypting the password will always take the same amount of cpu cycles.
sburjan - (14:33): oh
sburjan - (14:33): so decrypting is the operation that takes advantage of the intentional slowness
sburjan - (14:33): got it
cjdelisle - (14:34): When crypting the password, It does a test run to get the desired number of cycles from the desired time to crypt.
cjdelisle - (14:34): It’s not all that accurate but within 100% according to the tests.
sburjan - (14:35): I see
cjdelisle - (14:35): I noticed it usually takes a little more time than it is asked to take.
sburjan - (14:36): and isnt there a disk if someone tries a dictionary attack to block the server (DDOS) due to heavy platform load in order to decrypt the passwd ?
sburjan - (14:36): *risk, not disk
cjdelisle - (14:37): Well if you’re trying to ddos the server then you can use infinite loops etc. if you are trying to guess the password, then you want a graphics processor.
cjdelisle - (14:37): Anyway if you have a botnet (DDoS) then you can get thousands of windows boxes to try passwords locally.
cjdelisle - (14:39): However I think you can cease up an xwiki installation just by trying to log in with a million threads right now.
cjdelisle - (14:41): bbiab...
tmortagne left at 14:43 (Read error: Connection reset by peer
tmortagne joined #xwiki at 14:43
sburjan - (14:46): wait, you lost me :)
sburjan - (14:47): the decrypt function is GPU dependent ?
MartinCleaver joined #xwiki at 14:57
abusenius - (14:59): sburjan: he is talking about using GPGPU to speedup breaking hashes
sburjan - (15:01): so it uses graphics card to break hashes ?
abusenius - (15:01): the bad guys use them
sburjan - (15:01): I’m a little bit confused
sburjan - (15:01): yeah, the bad guys
abusenius - (15:01): yes, 1000 threads are better than 4
sburjan - (15:02): a gpu has 1000 threads ?
abusenius - (15:02): new ones yes
sburjan - (15:02): I see
abusenius - (15:02): light-weight threads
sburjan - (15:02): and the other thing I didn’t understand
sburjan - (15:02): Anyway if you have a botnet (DDoS) then you can get thousands of windows boxes to try passwords locally.
sburjan - (15:03): but how do you get locally the serialized objects that contain the passwdz ?
abusenius - (15:03): well, assuming you have DB dump or something
sburjan - (15:03): but for that you already need privileges
abusenius - (15:03): sure
abusenius - (15:04): the idea is, if the attacker can get access to the server, he still can’t find out your password
abusenius - (15:05): otherwise you might as well just sleep(10) on the server side
abusenius - (15:06): having a password in cleartext is bad, because people reuse them for example
cjdelisle - (15:06): privileges lol. All you need for database dumps is bobby tables.
cjdelisle - (15:06): we’re better than some but never trust the db.
cjdelisle - (15:07): Actually, the password hashes are right in the XWikiUsers object.
sburjan - (15:07): bobby tables ?
cjdelisle - (15:08): http://xkcd.com/327/
cjdelisle - (15:09): It’s a dumb joke but it has sort of turned into a meme.
sburjan - (15:09): yea :))
sburjan - (15:09): but we’re still vulnerable to sql injection ?
cjdelisle - (15:10): hmmmmmmm yes.
mflorea left at 15:11 (Quit: Leaving.
lucaa left at 15:13 (Quit: Leaving.
cjdelisle - (15:13): We’re looking into a way to use encryption to make it so sql injection is pointless.
sburjan - (15:14): parameterization doesn’t work in our case ?
cjdelisle - (15:14): If everything used it then it would work. I’m talking about cases where there is a registered user and he has access to searchDocuments etc.
sburjan - (15:15): and making them be used everywhere is hard ?
cjdelisle - (15:16): Well even if they are used everywhere all the adversary has to do is register and write their own vulnerable queries.
cjdelisle - (15:19): We have been talking about having a root "superadmin" certificate stored in a file on the hard disk. That cert signs the admin’s permissions and the admin signs the user permissions.
cjdelisle - (15:20): you can dump (or alter) the database but all you get is certificates and password encrypted private keys
cjdelisle - (15:20): change a cert, break the cert chain, change a key, then it doesn’t match the cert.
cjdelisle - (15:38): oh sburjan Cryptography (at least public key RSA) works because it’s fast to raise something to the 65537th power and slow to get the 65537th root.
cjdelisle - (15:39): that’s the "one way trap function"
sylviarusu left at 15:40 (Quit: Leaving.
sburjan - (15:43): I see
sburjan - (15:43): I started to read more about sql injection
sburjan - (15:43): too bad that there isn’t a "training" site :)
sburjan - (15:43): so I can actually see it work
abusenius - (15:44): try xwiki.org ^^
cjdelisle - (15:45): lol
sburjan - (15:45): i’m sure it’s not vulnerable :))
sburjan - (15:45): you guys fixed it
sburjan - (15:45): :D
sburjan - (15:45): at least the most vital places
cjdelisle - (15:45): actually yea, you’d just end up spamming zipe’s logs with your attempts.
cjdelisle - (15:45): *xipe
cjdelisle - (15:46): Do you have a local installation on your computer?
sburjan - (15:46): of XWiki ?
cjdelisle - (15:46): yea.
sburjan - (15:46): of course
sburjan - (15:46): I’m writing automatic tests, so i have to test them :P
cjdelisle - (15:47): Well you can play with that. Try using websecurity against it, just run it over night and see what you get
abusenius - (15:47): sburjan, there are training apps actually, http://insecurewebapp.sourceforge.net/main/index.html
sburjan - (15:48): hmmm
sburjan - (15:48): I’ll take a look
cjdelisle - (15:49): http://labs.oracle.com/projects/crypto/HowECCWorks-USLetter.pdf
cjdelisle - (15:50): McEliece is a bit more interesting because it can’t be parallelized (quantum computer proof) but it’s also a lot more complicated.
sburjan - (15:50): lots of math :)
sburjan - (15:50): so this is what your crypto implementation uses ?
cjdelisle - (15:51): it doesn’t use any public key (not for password derivation.)
sburjan - (15:52): cjdelisle, : do you have some masters in computer security ? :)
sburjan - (15:52): I know abusenius has
cjdelisle - (15:52): xwiki-crypto does have a public key component, it just uses rsa.
cjdelisle - (15:52): haha masters in what?
sburjan - (15:52): information security :)
sburjan - (15:53): computer security
cjdelisle - (15:53): I took like 2 semesters of programming in college.
abusenius - (15:53): there are no special security degrees afaik
sburjan - (15:54): abusenius, : There are masters in all the Europe on Information/Computer Security
abusenius - (15:54): not in my university :) one can just specialize on that
cjdelisle - (15:54): My professors were all ex-nsa, one recommended I apply there.
sburjan - (15:54): they teach you the algebra behind the cryptosystems
abusenius - (15:54): it is still called "computer science"
sburjan - (15:55): things like Chinese remainder theorem
cjdelisle - (15:55): Yea, I read about it a little, I’m sure I’ll learn it sooner or later.
abusenius - (15:56): we got this in the introduction lecture to crypto
sburjan - (15:56): abusenius, : but your internship is in Security here at X, right ?
abusenius - (15:56): yes
cjdelisle - (15:57): hey, I have a masters in breakeology.
sburjan - (15:57): so you learned the security stuff all by yourself ?
abusenius - (15:57): me?
sburjan - (15:57): yes, you abusenius :)
cjdelisle - (15:57): breakeology, when you learn by breaking stuff.
sburjan - (15:57): breakeology is like .. sociology, anthropology ? :))
sburjan - (15:58): so you do have a masters in that :D
abusenius - (15:58): no, I’ve learned everything I could find, but I also took all lectures on crypto/security we have
abusenius - (15:58): if you’re interested in something, it happens naturally :)
sburjan - (15:59): true
sburjan - (15:59): but that math is pretty hard :))
sburjan - (15:59): all the modulo stuff
sburjan - (15:59): remainders, etc
cjdelisle - (15:59): I have 5 pdfs in my system tray.
sburjan - (15:59): about ?
sburjan - (16:00): security ?
cjdelisle - (16:00): How to get ips, DDoS defense, anycast, conficker, and ecc.
sburjan - (16:00): they should make a book on crypto. Computer Security for retards. and they should dedicate it to me :))
sburjan - (16:01): Well known idiot’s guide is too high level .. I need something lower
abusenius - (16:01): :D
cjdelisle - (16:01): hah, I noticed that the math all just looks hard with the weird symbols, read the implementation if you want to understand.
cjdelisle - (16:01): Look at this: http://cr.yp.to/salsa20.html
abusenius - (16:02): I find probability theory harder, groups are not that bad
cjdelisle - (16:02): salsa20 is a full cipher implementation in 22 lines. that is why Bernstein is full of win.
cjdelisle - (16:03): no stupid s-boxes, no obfuscation. it’s either secure or it’s not and that doesn’t really depend on how hard it is to understand.
abusenius - (16:04): that’s just because it doesn’t include the implementation of the hash function ;)
cjdelisle - (16:04): yea well it’s actually a cipher. Converting it to a hash which is collision resistant and such is a bigger task.
cjdelisle - (16:05): but that function placed well in the eurocrypt contest.
abusenius - (16:09): in any case, understanding what you can do (and what not) with some type of encryption is more important than implementation details
cjdelisle - (16:10): Yea, the devil really is in the details.
cjdelisle - (16:12): I remember reading that people were surprised when Joanna Rutkowska showed that a computer with full disk encryption can still be attacked by putting malware in the mbr.
abusenius - (16:12): less related question, how can I change log4j settings of xwiki instance I use for escaping-tests/
abusenius - (16:12): ?
abusenius - (16:13): it seems to use debug logging level
cjdelisle - (16:14): take a look at start-wiki and start-wiki-debug.sh there might be something there about it.
abusenius - (16:15): hm, not really
cjdelisle - (16:16): I don’t know, you could google log4j "-D"
cjdelisle - (16:17): I’m sure there is a -Dsomething which will change it.
abusenius - (16:18): googling...
mflorea joined #xwiki at 16:20
sburjan - (16:21): in java a char is 2 bytes, right ? so a 64 bytes string is actually a 32 char string ?
cjdelisle - (16:22): yes a char is two bytes :/
sburjan - (16:23): in the link you gave me , it says that it takes a 64 bytes string. about salsa20
cjdelisle - (16:23): String has a few other components which occupy some space but you’re pretty much correct.
sburjan - (16:23): but if the input string is less than 64 bytes/32 chars ? it’s getting padded ?
cjdelisle - (16:24): Well the function will run on much larger pieces of data by breaking them up, and yes it pads at the end.
cjdelisle - (16:26): The neat thing about salsa is it’s auto seeking. You give it a key and say block 1000, then you input 1000 along with the key and salt, and it generates some output which you can use to decrypt the data.
cjdelisle - (16:27): salsa20 doesn’t actually decrypt your data, it generates pseudorandom which you then xor against your data.
lucaa joined #xwiki at 16:28
sburjan - (16:28): hmmm
sburjan - (16:28): so it can be decrypted
sburjan - (16:29): afaik md5 is one way hash
sburjan - (16:29): salsa is reversible ?
cjdelisle - (16:29): yea.
cjdelisle - (16:29): Imagine you take a key and md5 it.
sburjan - (16:29): oh... big difference
cjdelisle - (16:30): Actually imagine you take a key, append a number (0) then md5 it.
cjdelisle - (16:30): then you take your plain text and xor it against the output from md5.
sburjan - (16:31): this is how you decrypt it ?
_______________________________________________
notifications mailing list
notifications(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/notifications
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs