Category Archives: General

Monitor Directory for Changes

Here’s a simple script that I set up for my development WSGI server so that it reloads itself once changes in the source code are detected:

#!/bin/bash
# Usage: ./monitor.sh <directory> "<command to run on change>"

while true; do
    # Hash the modification times of everything under the directory,
    # wait a second, hash again and compare the two digests.
    A=$(find "$1" -printf '%t' | md5sum)
    sleep 1
    B=$(find "$1" -printf '%t' | md5sum)
    if [ "$A" != "$B" ]; then
        echo "Detected change, doing: $2"
        eval "$2"
    fi
done

It’s very simple (a poor man’s replacement for inotify) and doesn’t do anything complicated. Usage: ./monitor.sh application "my-reload-services.sh". You can filter out unwanted files such as *.swp by consulting the find man page.

What do you use to monitor for changes? How can the above script be improved?
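One answer to the "how can it be improved" question, as an added example that is not the post's script: the same polling idea in Python, but hashing (relative path, mtime) pairs so that new, deleted and renamed files are noticed as well, pruning editor swap files and .git as the post suggests, and running the reload command without a shell. The ignore patterns and the sample tree in the usage are assumptions for illustration.

```python
# Added example (not the post's script): polling directory watcher that hashes
# (path, mtime) pairs so creates, deletes and renames are detected too.
import fnmatch
import hashlib
import os
import subprocess
import time

# Assumption: patterns a development tree usually wants ignored
IGNORE_GLOBS = ("*.swp", "*.pyc", ".git")


def _ignored(name):
    return any(fnmatch.fnmatch(name, pat) for pat in IGNORE_GLOBS)


def snapshot(root):
    """Hex digest over every (relative path, mtime_ns) under root, ignores applied.

    The digest changes when any file is created, deleted, renamed or modified.
    """
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        # prune ignored directories in place so os.walk does not descend into them
        dirnames[:] = sorted(d for d in dirnames if not _ignored(d))
        for name in sorted(filenames):
            if _ignored(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                mtime = os.stat(full).st_mtime_ns
            except FileNotFoundError:
                continue  # vanished between listing and stat; next poll catches it
            rel = os.path.relpath(full, root)
            h.update(f"{rel}\0{mtime}\n".encode())
    return h.hexdigest()


def watch(root, command, interval=1.0, max_polls=None):
    """Poll root every `interval` seconds and run `command` (argv list) on change.

    max_polls bounds the loop (useful for tests); None means run forever.
    Returns how many times the command was run.
    """
    runs = 0
    previous = snapshot(root)
    polls = 0
    while max_polls is None or polls < max_polls:
        time.sleep(interval)
        polls += 1
        current = snapshot(root)
        if current != previous:
            print("Detected change, doing:", " ".join(command))
            subprocess.run(command, check=False)  # no shell, no eval
            runs += 1
            previous = current
    return runs


if __name__ == "__main__":
    import sys
    # e.g. python watch.py application ./my-reload-services.sh
    watch(sys.argv[1], sys.argv[2:])
```

Passing the reload command as an argv list instead of a string to eval means a path containing spaces or shell metacharacters cannot change what gets executed.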



Don’t Post Images of Your Credit Card Online

Yes, people actually do that, and an account I’ve been following, @NeedADebitCard, aggregates credit card photos on Twitter. Not all images are relevant but many are. Credit card fraud is a serious issue as it is; the connectivity of the World Wide Web and the technology that allows us to be “social”, which makes many people act irresponsibly, only aggravates it.

And some people actually think there’s nothing bad in posting parts of the card. Yet the same people have no understanding of which parts are safe to display and which are not. General rule – don’t show your credit card at all, especially online for the general public to view. I have wiped out the critical information in my version of the image so as to stop the propagation of this nonsense. The cardholder posted the image in the clear. Size is taken from the original.

This was a recent image shared via Instagram and Twitter. The person’s peers left 20+ “aww”-type comments, and nobody pointed out that it might have been a bad idea. A sane person on Twitter did so, and the cardholder responded with confidence that it was not a problem since not all the information was available. Now, see what you get when you don’t understand the technology you use every day?

The cardholder’s screenname contained her name, so the missing name on the left side is not missing any more. The first four digits are a BIN, a Bank Identification Number (or IIN, Issuer Identification Number). We know the issuer – Capital One, it’s a MasterCard Platinum. A quick search through the many BIN lists available online yielded the first 6 digits of the card – 517805, with the last two digits confirming a match; plus, upon closer inspection you can see digits two and three of the BIN in black under the silver numbers, a 7 and an 8 (look under the finger on the left).

After pointing out the bits of “concealed” information that I’ve managed to find out in under 5 minutes, the cardholder took down the image.

Quite excellent. Even if, say, the last 4 digits were somehow concealed, Luhn’s algorithm would decrease the search space quite a bit, leaving a handful of valid numbers (probably; whoever does the math gets some kudos). We’re missing the CVV, but we have the rest – issue and expiry date, photo of the card, photo of the person, and a whole bunch of other photos of the person online (identity fraud, anyone?). And the CVV is not an issue at many CNP (card-not-present) points of sale.

Is posting images of your credit card online bad? Without doubt. And teach your children to be highly responsible when using modern technology, and think twice, no matter how confident they are.

Be safe.
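The math the post invites, as an added example that is not part of the original: Luhn’s algorithm as a validator, the check-digit derivation, and a count of how many completions of a number with its last digits hidden still pass the check. Because the check digit is fully determined by the other digits, hiding n trailing digits leaves 10^(n-1) valid completions, so the checksum removes exactly one digit of uncertainty and nothing more; it is an error-detecting code, not a secret. The digit strings below are constructed placeholders (the classic 7992739871-3 test value and a run of zeros), not real card numbers.

```python
# Added example (not from the post): Luhn checksum and what masking digits buys you.
def luhn_valid(number):
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    if not number or not number.isdigit():
        return False
    total = 0
    # walk from the rightmost digit; every second digit from the right is doubled
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """The single digit that, appended to partial, makes it Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("unreachable: exactly one check digit always exists")


def luhn_completions(prefix, hidden):
    """Count the ways the `hidden` trailing digits can be filled so the whole
    number passes Luhn. Returns only the count, which is always 10**(hidden-1)."""
    return sum(1 for n in range(10 ** hidden)
               if luhn_valid(prefix + str(n).zfill(hidden)))


if __name__ == "__main__":
    # constructed placeholder values, not real card numbers
    print(luhn_valid("79927398713"), luhn_check_digit("7992739871"))
    print(luhn_completions("000000000000", 4))
```

The same validator is what a leak-detection filter would run over outbound text to flag strings that look like card numbers; here it just shows how little protection hiding the check-digit region provides.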



Merging Raw Source Trees With git

Today I had the “pleasure” to manually merge two versions of the same application that was maintained in two different instances by three different programmers without any version control whatsoever.

The versions were quite different, with directory names changed (for no apparent reason) and all sorts of other funky stuff. Manual merging seemed like the only way to go, and I chose git branches as my merging headquarters.

Continue reading



Timing Attacks in Web Applications

When code is executed by a machine it takes some time to do so. Execution time ranges from nanoseconds to months and years and even more (think brute-forcing). Web applications construct output producing, in most cases, very short delays (think of the time it takes to show Google search results after typing in the query). Depending on what output is requested, how it is requested and what the input is, web applications vary their execution time.


In this article we’re going to exploit some of the open-source content management systems available, using delays in their execution under differing conditions to evoke distinct differences in execution time, which allow us, as attackers, to draw some useful conclusions.

Continue reading
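The mechanism behind such timing differences, as an added example that is not from the article: a token comparison that returns at the first mismatching byte runs longer the more leading bytes a guess gets right, so an observer measuring response time learns something about the secret. The standard library's hmac.compare_digest runs in time that depends only on the length. The token is a constructed sample and the timing helper only illustrates the effect on one machine; it is not a measurement from any real application.

```python
# Added example (not from the article): early-exit compare vs constant-time compare.
import hmac
import time

# constructed sample secret, not a real token
SECRET_TOKEN = b"constructed-example-token-0123456789"


def naive_equal(a, b):
    """Early-exit comparison: loop length depends on where the first mismatch is."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a, b):
    """Time depends only on the lengths, not on the contents."""
    return hmac.compare_digest(a, b)


def matching_prefix_len(guess, secret=SECRET_TOKEN):
    """How many leading bytes of guess agree with secret: what naive_equal leaks."""
    n = 0
    for x, y in zip(guess, secret):
        if x != y:
            break
        n += 1
    return n


def time_compare(fn, guess, secret=SECRET_TOKEN, rounds=5000):
    """Median seconds per call of fn(secret, guess) over five batches."""
    samples = []
    for _ in range(5):
        start = time.perf_counter()
        for _ in range(rounds):
            fn(secret, guess)
        samples.append((time.perf_counter() - start) / rounds)
    samples.sort()
    return samples[len(samples) // 2]


def leak_demo():
    """Return (naive_ratio, ct_ratio): time for a guess wrong only in its last byte
    divided by time for a guess wrong in its first byte. A ratio well above 1
    means the comparison leaks how much of the prefix was right."""
    wrong_first = b"X" + SECRET_TOKEN[1:]
    wrong_last = SECRET_TOKEN[:-1] + b"X"
    naive_ratio = (time_compare(naive_equal, wrong_last)
                   / time_compare(naive_equal, wrong_first))
    ct_ratio = (time_compare(constant_time_equal, wrong_last)
                / time_compare(constant_time_equal, wrong_first))
    return naive_ratio, ct_ratio


if __name__ == "__main__":
    print("naive ratio %.1f, constant-time ratio %.1f" % leak_demo())
```

Over a network the per-byte difference is tiny, but it is stable, and repeated measurements average the jitter away; the defensive rule is simply to never compare secrets with an early-exit routine.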



Cross-server deployment with servermattic

About a week ago I did a post on Tiny Projects Inspired by WordPress. Readers who actually visited the Code.WordPress Trac would have noticed a tool called servermattic, which is described modestly as “install files and applications to many servers according to their role“.

What is servermattic?

servermattic is a template configuration that allows for deployment of code and configurations across multiple servers – write once, deploy on many machines, update as much as you want with revisions.

Continue reading



ack-grep vs. grep

Following Daniel Bachhuber’s talk The Zen of WordPress Development, I’ve started to explore this magical ack tool, a replacement for the native grep.

ack vs. grep

ack can be downloaded from the official and quite modest website called BetterThanGrep.com. ack is also available in all sorts of software repositories, and can be named ack-grep instead (due to a naming conflict).

ack is written in Perl, while grep is written in C. So why the heck does ack appear to be faster? Here are some tests with the latest WordPress package.

Continue reading



Ready-to-paste HTML-escaped Code in Vim

I’ve seen countless websites that paste code and do not escape the <, > and & characters, resulting in broken HTML and missing code. I have been using online HTML entity encoders when pasting code, but today I decided to write a little Vimscript for my Vim.

Escape HTML Entities in VIM

Continue reading



Bitfun: Popcount, Sideways sum, Hamming weight

Bitcount, popcount, sideway sum, Hamming weight

I was going through some simple coding puzzles yesterday night and became fascinated by this seemingly interesting function:

int CountBits(unsigned int x) {
  /* Each mask keeps every other field of 1, 2, 4, 8 and 16 bits */
  static unsigned int mask[] = {
    0x55555555,
    0x33333333,
    0x0F0F0F0F,
    0x00FF00FF,
    0x0000FFFF
  };

  int i;
  int shift; /* Number of positions to shift to the right */
  /* Each pass adds adjacent fields together; after the fifth pass x is the count */
  for (i = 0, shift = 1; i < 5; i++, shift *= 2)
    x = (x & mask[i]) + ((x >> shift) & mask[i]);
  return x;
}

Continue reading
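What the five passes actually do, as an added example that is not the post's code: the same parallel (SWAR) bit count in Python, generalised to any power-of-two word width, with the masks derived rather than hard-coded and every intermediate word returned so the folding can be followed step by step. A Kernighan-style loop is included as an independent check. The 64-bit default is an assumption for illustration; with word_bits=32 the masks are exactly the five in the C function above.

```python
# Added example (not the post's code): SWAR popcount with visible intermediate steps.
WORD_BITS = 64


def swar_masks(word_bits=WORD_BITS):
    """Masks for each fold: 0x5555..., 0x3333..., 0x0F0F..., ... up to half the word."""
    masks = []
    shift = 1
    while shift < word_bits:
        # `shift` one bits followed by `shift` zero bits, repeated across the word
        unit = (1 << shift) - 1
        mask = 0
        for pos in range(0, word_bits, 2 * shift):
            mask |= unit << pos
        masks.append(mask)
        shift *= 2
    return masks


def count_bits_steps(x, word_bits=WORD_BITS):
    """Intermediate words after each fold; the last entry is the popcount.

    After pass k every field of width 2**k bits holds the number of set bits
    that were originally inside that field.
    """
    x &= (1 << word_bits) - 1
    steps = []
    shift = 1
    for mask in swar_masks(word_bits):
        x = (x & mask) + ((x >> shift) & mask)
        steps.append(x)
        shift *= 2
    return steps


def count_bits(x, word_bits=WORD_BITS):
    """Population count via the folding passes above."""
    return count_bits_steps(x, word_bits)[-1]


def count_bits_kernighan(x):
    """Independent check: clearing the lowest set bit once per set bit."""
    n = 0
    while x:
        x &= x - 1
        n += 1
    return n


if __name__ == "__main__":
    for step in count_bits_steps(0b1011, 32):
        print(f"{step:032b}")
    print(count_bits(0b1011, 32), count_bits_kernighan(0b1011))
```

For 0b1011 with 32-bit words the first pass yields 0b0110: the two-bit field for bits 0-1 now holds 2 and the field for bits 2-3 holds 1, and the second pass adds those into 3, after which the wider passes carry the same value along.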



Surviving An Internet Blackout

When The Internet Goes Down

On the 12th of February an Anonymous member posted the following pastebin: Operation Global Blackout. In case the pastebin disappears, here’s the plaintext: Operation Global Blackout Anonymous.

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black.

Continue reading