tag:blog.innerewut.de,2010:mephisto/comments Mephisto Drax 2009-09-16T16:37:05Z Barry tag:blog.innerewut.de,2009-09-08:824:825 2009-09-12T02:23:33Z 2009-09-12T02:23:33Z <p>You can also tell <span class="caps">SSH</span> to allow users to modify their environment variables. I’m using Enterprise Ruby on one server under /opt, so I set this to yes in /etc/ssh/sshd_config:</p> <p>PermitUserEnvironment yes</p> <p>and set up the <span class="caps">PATH</span> value I wanted in</p> <pre><code>~/.ssh/environment</code></pre> mehmoomoo tag:blog.innerewut.de,2009-09-03:817:823 2009-09-04T13:23:23Z 2009-09-04T13:23:23Z <p>Garren, you do things according to widely known best practices not because they are always correct but because of consistency and its risk reducing behaviour. Also, 4k storage limitation is bad for many applications.</p> <p>There is by the way no need for argumentum ad hominem.</p> Matt Jones tag:blog.innerewut.de,2009-09-03:817:822 2009-09-03T22:08:41Z 2009-09-03T22:08:41Z <p>The Java people that interpret this as meaning “Rails is insecure” most likely then go back to building <span class="caps">SQL</span> by concatenating query parameters without escaping. Because Java is always secure, right?</p> <p>And session editing by brute-forcing <span class="caps">HMAC</span>-SHA1, while possible in theory, is likely to take ridiculous amounts of time. For example, the much faster <span class="caps">HMAC</span>-MD5 can be scanned at about 4 million hashes/second on a dual 3.2GHz Xeon box (from the MDCrack homepage). So to force a 30 character hex key like Rails generates by default, a quick calculation (16^{30 / 4000000) yields roughly 10}30 seconds, or 10^22 <span class="caps">YEARS</span>. Sure, with two billion Xeons in a cluster, you might finish sometime before the heat death of the universe. But I’d hardly class that as “insecure”.</p> Garren tag:blog.innerewut.de,2009-09-03:817:821 2009-09-03T20:56:36Z 2009-09-03T20:56:36Z <p>“I was honestly baffled to read those couple slides, considering posting them to thedailywtf.com ….”</p> <p>The real wtf is this statement. Cookie session storage isn’t designed to be secure. It’s designed to be convenient, lightweight and very developer friendly. If you, as a developer, are putting together an application that requires actual security and you’re using cookie session storage, well, unlike mehmoomoo, you should know better.</p> Jonathan tag:blog.innerewut.de,2009-09-03:817:820 2009-09-03T19:20:33Z 2009-09-03T19:20:33Z <p>The default session store thing is true in that way that an attacker can read what is in his session. He cannot modify or create content. If you do not like this (and I do), changing it is very easy. It is just one line of configuration.</p> <p>That said, most apps can live fine with it as they just have the user_id in the session. If you have valuable content in it you are prone to session replay attacks.</p> Jim Garvin tag:blog.innerewut.de,2009-09-03:817:819 2009-09-03T19:16:56Z 2009-09-03T19:16:56Z <p>Thanks for getting this out there. The US Government is masterful at wasting tax dollars, and this is a really good example of how they’ve elevated it to an art form. Rewriting applications from ruby to java? <span class="caps">BAH</span>!</p> mehmoomoo tag:blog.innerewut.de,2009-09-03:817:818 2009-09-03T18:59:24Z 2009-09-03T18:59:24Z <p>Well that thing with the cookie session storage is not good. It’s more or less common wisdom to only store the key to session into the cookies, and keep the actual session data elsewhere. I was honestly baffled to read those couple slides, considering posting them to thedailywtf.com ….</p> <p>The rest are as you said: Similar to what the others are doing as well, and manageable reasonably.</p> Phreakaholic tag:blog.innerewut.de,2009-08-21:815:816 2009-08-24T18:04:03Z 2009-08-24T18:04:03Z <p>great tips, it’s pretty useful for me. thanks.</p> Sebastian tag:blog.innerewut.de,2008-11-03:795:804 2008-11-24T15:50:11Z 2008-11-24T15:50:11Z <p>Very usefull post! THanks!</p> Tim tag:blog.innerewut.de,2008-11-03:795:803 2008-11-21T16:51:41Z 2008-11-21T16:51:41Z <p>It looks very nice the new ui, i just had a small problem, it didn’t start at all, because of a problem in exception_notifiable plugin and the view-path (Unprocessed view path found: “…/vendor/plugins/smerf/app/views”. Set your view paths with #append_view_path, #prepend_view_path, or #view_paths=)</p> <p>I just kicked it out, since i don’t need it for webistrano…</p> <p>very nice work.</p> Jonathan tag:blog.innerewut.de,2008-11-03:795:802 2008-11-17T15:34:24Z 2008-11-17T15:34:24Z <p>this link should work: http://labs.peritor.com/webistrano/raw-attachment/wiki/Download/webistrano-1.4.zip</p> Elektronik tag:blog.innerewut.de,2008-11-03:795:801 2008-11-16T23:01:26Z 2008-11-16T23:01:26Z <p>Hallo, es scheint so als ob der Mirror zum Download down ist. Zumindest bekomme ich weder einen 404 noch antwortet der Server auf einen Ping.</p> <p>Bitte prüfen.</p> Denis tag:blog.innerewut.de,2008-11-03:795:797 2008-11-06T15:47:36Z 2008-11-06T15:47:36Z <p>very nice improvement, thanks for sharing it, this project is a must have :)</p> cthornhill tag:blog.innerewut.de,2008-07-08:775:778 2008-07-16T17:49:55Z 2008-07-16T17:49:55Z <p>Jonathan,</p> <p>Thanks – after two hours of misdirection and confusion, I found your post and got back up in 5 min. This is a really nasty sort of error, and I hope the authors are fixing it fast. Many people are having a rough time if they are updating Ruby and Rails (from all the other posts I see). I am also in the middle of going from Mac 10.4 to 10.5 (I was delayed due to projects that prevented me updating in the middle). Thanks for the clear insight and easy fix.</p> Sam Florist, Jr tag:blog.innerewut.de,2008-06-16:760:767 2008-06-24T01:48:56Z 2008-06-24T01:48:56Z <p>Yes, MS has similar feature.</p>