Debian

I was charged with implementing a tunnel with RObust Header Compression (ROHC). My boss asked me which server I wanted to do the job on. Naturally, I said Ubuntu. He said, OK, I’ll give you Debian. I said to myself it shouldn’t be a hassle; Ubuntu and Debian are the same, since Ubuntu is derived from it. But to my surprise, Debian seems to be a completely different operating system.

sudo

First surprise: Debian doesn’t come with sudo. On my VPS, on which I had only the root account, I installed sudo and created another user instead of using root directly.

# apt-get install sudo
# adduser nayar
# adduser nayar sudo
# su nayar
$ sudo blah blah...

When I installed Debian in my VirtualBox, it asked for a password for root and another password for the user. If I remember well, Ubuntu doesn’t ask for a password for root. Do you think it’s a security issue for the root user to have a password? My gut says so. Not proven.

Certificate Authority (CA) with OpenSSL

I was following a tutorial which says to run the following command:

/etc/ssl/misc/CA.pl -newca
/usr/lib/ssl/misc/CA.pl -newca

apt-get install

The following command yields the same results on Ubuntu as well as on Debian. They’re classics.

# apt-get install gcc cmake build-essential git

But for other stuff, you gotta hunt real hard to find out which package provides library or module x. Why are there these differences? grrrrr

Anyway, these differences are making me learn a lot, but they delay my work.

Composer

It’s awesome, isn’t it? For those who don’t know it, “Composer is a tool for dependency management in PHP”. For example, if you are going to use the Slim Framework with the Twig templating system, just create a file named ‘composer.json’ in your working folder with the following contents:


{
  "require": {
    "slim/slim": "2.*",
    "twig/twig": "1.*"
  }
}

Then run the following command:

$ composer install

It will download them into a folder named vendor. Include the following line in your PHP script:

require 'vendor/autoload.php';

All libraries just work like magic 😀

Apparently Composer has some sort of repository where people upload their code. I didn’t want to sign up on their website to put my library there. I’m sort of a control freak. I wanted to host my code on GitHub and still let people include my library in the Composer magic. Yes! Composer supports downloading from GitHub.

{
  "repositories": [
    {
      "url": "https://github.com/Nayar/mera-framework-php",
      "type": "git"
    }
  ],
  "require": {
    "slim/slim": "2.*",
    "twig/twig": "1.*",
    "meraframeworkphp": "*"
  }
}

However, I was getting this error when I was initializing the Composer repositories.

Loading composer repositories with package information
Reading composer.json of meraframeworkphp (master)
Installing dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

Problem 1
- The requested package meraframeworkphp could not be found in any version, there may be a typo in the package name.

Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your minimum-stability setting
see for more details.

Read for further common problems.

Composer uses Git tags to find the version of a repository. I ran the following in my library’s Git repository, and then it worked like a charm:

$ git tag -a v1.0.0 -m 'First release'
$ git push origin v1.0.0

First Name vs Given Name in Designing REST API

I have been reading the book RESTful Web APIs by Leonard Richardson & Mike Amundsen. One section that is worth blogging about is the discussion on First Name vs Given Name.

Traditionally, lots of the forms we have filled in during our lives contained “First Name”, “Middle Name” and “Last Name”. As a database designer, I’d have 3 fields for it too. But what are “First Name” and “Last Name”?

Richardson and Amundsen in their book titled “RESTful Web APIs” state that:

“For instance, “first name” is not an accurate term. It’s an artifact of Western culture, in which we put a person’s given name first. In some other cultures, the family name comes first. The current president of China is named Xi Jinping. His “first name” is Jinping. That’s why givenname is a better semantic descriptor than firstname.”

I always write my name as Nayar Joolfoo (Nayar being given name and Joolfoo my surname).

If ever I were to write my surname first, I’d write it like this: JOOLFOO Nayar, which makes it pretty clear which is my given name and which is my surname.

Secure Gate or Secure Safe?

Nadim, Ish and I were having a little talk about how to store passwords in databases.

Traditionally, a user’s password is hashed using an algorithm such as MD5 or SHA-1, and then the hash is stored in the database. Since hashing is a one-way function, there is no function such as MD5-reversed into which you pass the hash and get the original password back. However, using rainbow tables an attacker can try to find the original password.

Another issue with this is that if an attacker gains access to the database and two people use the same password, their hashes will be the same.

Salting passwords helps defeat existing pre-computed rainbow tables. Nadim and I were discussing whether each user should have a different salt, and whether the salt should also be stored in the database.

I think the most secure way would be to have one common salt for all users plus one salt per user, and then run the hashing algorithm to get the hash to be stored in the database. The common salt should be stored in a text file, so that an attacker who has the database cannot get the common salt unless he also has access to the server’s file system.
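To make the scheme above concrete, here is an added example (mine, not code from the post or from Nadim and Ish) of the two-salt design: a random per-user salt stored next to the hash, plus a common salt that never enters the database. It swaps the post’s MD5/SHA-1 for PBKDF2-HMAC-SHA256, a deliberately slow iterated hash, and compares hashes in constant time. The COMMON_SALT constant is a constructed placeholder standing in for the text file the post describes; the unsalted_hash function is only there to show why two identical passwords collide under the traditional scheme.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder for the "common salt" the post keeps in a text file
# outside the database. A real deployment reads it from that file; it is
# hard-coded here only so the example runs stand-alone.
COMMON_SALT = b"example-common-salt-not-a-real-secret"

# PBKDF2 work factor; raise it as hardware gets faster.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The traditional scheme from the post: bare MD5 of the password.

    Two users who pick the same password get the same hash, which is the
    weakness the per-user salt removes.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, common_salt: bytes = COMMON_SALT,
                user_salt: Optional[bytes] = None) -> dict:
    """Hash a password with a fresh per-user salt plus the common salt.

    Only the per-user salt, the iteration count and the hash go into the
    database row. The common salt is mixed into the PBKDF2 salt but is
    never stored with the row.
    """
    if user_salt is None:
        user_salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), user_salt + common_salt, ITERATIONS)
    return {"salt": user_salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict, common_salt: bytes = COMMON_SALT) -> bool:
    """Recompute the hash from the stored row and compare in constant time.

    Without the common salt from the file system, the stored row alone is not
    enough to check a guess, which is the point of keeping it outside the DB.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]) + common_salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = make_record("correct horse")
    bob = make_record("correct horse")
    print("unsalted hashes equal:", unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    print("salted hashes equal:  ", alice["hash"] == bob["hash"])
    print("alice verifies:       ", verify("correct horse", alice))
    print("wrong password:       ", verify("wrong", alice))
    print("db row without file salt:", verify("correct horse", alice, common_salt=b""))
```

Running the script shows the two salted rows differ even though the passwords match, that the right password verifies and a wrong one does not, and that a copy of the database row alone, without the common salt from the file, fails verification.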

Enter Ish Sookun
Ish was of the opinion that if your system is secure enough, there is no need to secure and encrypt the database.

If the database has been configured to accept connections only from the IP of the web server, all files have been chmodded correctly, only the needed PHP libraries are installed, and all unused ports are blocked correctly, it doesn’t matter whether passwords are stored even in plain text.

He says: what’s the point of having a secure safe which cannot be broken if your front gate is open, your doors are open and you have no camera in your house? Eventually, the ones who steal your safe will use grinders to open it!

At the other extreme, if you have the most secure gate, it doesn’t matter if you walk around naked inside and leave your money scattered everywhere on the floor, since no one can get past your gate.

Conclusion
I don’t think all companies have the funds to hire a System Administrator of the caliber of Ish Sookun. Even if they all did, there is only one Ish.

Security should be multi-layered, IMO, because we never know when the main gate might be breached.

There was a time when the Great Wall of China could be used for defence. But since drones and satellites were invented, all walls are basically useless nowadays.