Saturday, November 13, 2010

How to get 64-bit Firefox 4b7 for Mac today


Firefox 4b7 has been released for quite some time already, but so far you can't find the 64-bit Mac OS X version in any obvious places. And no.. the usual Mac OS X version you get from Mozilla is a 32-bit binary.

But there's a way to get it...

First, you need to download an older beta, which is publicly available as a 64-bit binary:
ftp://ftp.mozilla.org/pub/firefox/releases/4.0b6/mac64/en-US/Firefox%204.0%20Beta%206.dmg

Install it.

Then, you update it. Help -> Check for Updates...

It will magically update itself to 4.0b7, 64-bit. The update logic in Firefox goes to a weird server called aus2.mozilla.org which doesn't give you any trivial public file listing - so you have to rely on the update process to help you there.

Edit: From FF4b8 and up, the Mac .dmg is already a 64-bit binary by default.

Saturday, October 23, 2010

How much faster is your iPhone's CPU compared with your computer?

Had this strange idea while working in SSE Labs office today.. it's by no means accurate or representative of anything other than OpenSSL performance - it doesn't even use multiple cores - but it gives you some idea of the magnitudes we're talking about.

The test is done by the command
$ openssl speed rsa

It's very easy. Every UNIX computer with OpenSSL can do it.

iPhone 3GS:
Martin-Kous-iPhone:~ root# openssl speed rsa
To get the most accurate results, try to run this
program when this computer is idle.
Doing 512 bit private rsa's for 10s: 1997 512 bit private RSA's in 9.78s
Doing 512 bit public rsa's for 10s: 22561 512 bit public RSA's in 9.80s
Doing 1024 bit private rsa's for 10s: 378 1024 bit private RSA's in 9.81s
Doing 1024 bit public rsa's for 10s: 7353 1024 bit public RSA's in 9.54s
Doing 2048 bit private rsa's for 10s: 62 2048 bit private RSA's in 9.83s
Doing 2048 bit public rsa's for 10s: 2200 2048 bit public RSA's in 9.81s
Doing 4096 bit private rsa's for 10s: 10 4096 bit private RSA's in 10.68s
Doing 4096 bit public rsa's for 10s: 617 4096 bit public RSA's in 9.75s
OpenSSL 0.9.8k 25 Mar 2009
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: arm-apple-darwin9-gcc -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -D__DARWIN_UNIX03 -O3 -fomit-frame-pointer -fno-common
available timing options: TIMEB USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
                  sign    verify    sign/s verify/s
rsa  512 bits 0.004897s 0.000434s    204.2   2302.1
rsa 1024 bits 0.025952s 0.001297s     38.5    770.8
rsa 2048 bits 0.158548s 0.004459s      6.3    224.3
rsa 4096 bits 1.068000s 0.015802s      0.9     63.3


2007 MacBook Pro:
Martin-Kous-MacBook-Pro:Downloads martinkou$ openssl speed rsa
Doing 512 bit private rsa's for 10s: 25711 512 bit private RSA's in 9.92s
Doing 512 bit public rsa's for 10s: 316964 512 bit public RSA's in 9.93s
Doing 1024 bit private rsa's for 10s: 5190 1024 bit private RSA's in 9.90s
Doing 1024 bit public rsa's for 10s: 93072 1024 bit public RSA's in 8.72s
Doing 2048 bit private rsa's for 10s: 833 2048 bit private RSA's in 9.58s
Doing 2048 bit public rsa's for 10s: 30686 2048 bit public RSA's in 9.75s
Doing 4096 bit private rsa's for 10s: 133 4096 bit private RSA's in 9.88s
Doing 4096 bit public rsa's for 10s: 9285 4096 bit public RSA's in 9.91s
OpenSSL 1.0.0a 1 Jun 2010
built on: Sat Oct 2 20:39:58 PDT 2010
options:bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: /usr/bin/gcc-4.2 -fPIC -fno-common -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000386s 0.000031s   2591.8  31919.8
rsa 1024 bits 0.001908s 0.000094s    524.2  10673.4
rsa 2048 bits 0.011501s 0.000318s     87.0   3147.3
rsa 4096 bits 0.074286s 0.001067s     13.5    936.9


Xeon X3450 Server:
martinkou@hydrogen:~$ openssl speed rsa
Doing 512 bit private rsa's for 10s: 102939 512 bit private RSA's in 10.00s
Doing 512 bit public rsa's for 10s: 1143301 512 bit public RSA's in 10.00s
Doing 1024 bit private rsa's for 10s: 21075 1024 bit private RSA's in 10.00s
Doing 1024 bit public rsa's for 10s: 398744 1024 bit public RSA's in 10.00s
Doing 2048 bit private rsa's for 10s: 3418 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 115004 2048 bit public RSA's in 10.00s
Doing 4096 bit private rsa's for 10s: 487 4096 bit private RSA's in 10.02s
Doing 4096 bit public rsa's for 10s: 30813 4096 bit public RSA's in 10.00s
OpenSSL 0.9.8k 25 Mar 2009
built on: Thu Aug 12 13:29:53 UTC 2010
options:bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000097s 0.000009s  10293.9 114330.1
rsa 1024 bits 0.000474s 0.000025s   2107.5  39874.4
rsa 2048 bits 0.002929s 0.000087s    341.5  11500.4
rsa 4096 bits 0.020575s 0.000325s     48.6   3081.3


So the average iPhone is roughly 10 to 40x slower than your desktop computer, if we don't include the 1 or 11 other CPU cores in your desktop. If that is included as well.. your desktop computer is easily 100x faster than your iPhone.
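If you want to do this comparison for more than three machines, it is easier to let a script read the summary table that `openssl speed rsa` prints than to eyeball it. The following is an added example, not code from the original post: a small parser for that table and a function that computes the per-key-size speedup between two runs. The two sample tables are copied from the iPhone 3GS and 2007 MacBook Pro output above; the function and variable names are this example's own.

```python
"""Parse the summary table printed by `openssl speed rsa` and compare two runs.
Added example (not from the original post); sample tables copied from the post."""
import re

# One summary row looks like: "rsa 1024 bits 0.025952s 0.001297s 38.5 770.8"
# (columns: key size, sign time, verify time, sign/s, verify/s).
RSA_LINE = re.compile(
    r"^rsa\s+(\d+)\s+bits\s+([\d.]+)s\s+([\d.]+)s\s+([\d.]+)\s+([\d.]+)\s*$"
)

IPHONE_3GS = """\
                  sign    verify    sign/s verify/s
rsa  512 bits 0.004897s 0.000434s    204.2   2302.1
rsa 1024 bits 0.025952s 0.001297s     38.5    770.8
rsa 2048 bits 0.158548s 0.004459s      6.3    224.3
rsa 4096 bits 1.068000s 0.015802s      0.9     63.3
"""

MACBOOK_PRO_2007 = """\
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000386s 0.000031s   2591.8  31919.8
rsa 1024 bits 0.001908s 0.000094s    524.2  10673.4
rsa 2048 bits 0.011501s 0.000318s     87.0   3147.3
rsa 4096 bits 0.074286s 0.001067s     13.5    936.9
"""


def parse_speed_output(text):
    """Map key size in bits -> dict of the four numeric columns.
    Lines that are not summary rows (the "Doing ... rsa's" progress lines,
    build options, and so on) are skipped, so the whole command output can be fed in."""
    results = {}
    for line in text.splitlines():
        m = RSA_LINE.match(line.strip())
        if m:
            results[int(m.group(1))] = {
                "sign_s": float(m.group(2)),
                "verify_s": float(m.group(3)),
                "sign_per_s": float(m.group(4)),
                "verify_per_s": float(m.group(5)),
            }
    return results


def speedup(fast, slow, field="sign_per_s"):
    """Per key size, how many times more operations per second `fast` does
    than `slow`, rounded to one decimal. Only sizes present in both runs count."""
    return {
        bits: round(fast[bits][field] / slow[bits][field], 1)
        for bits in sorted(fast)
        if bits in slow
    }


def seconds_per_op(results, bits, field="sign_s"):
    """Accessor for the raw per-operation time; e.g. one 4096-bit private-key
    operation on the 3GS takes just over a second, which is what makes large
    keys painful on a 2010 phone."""
    return results[bits][field]


if __name__ == "__main__":
    phone = parse_speed_output(IPHONE_3GS)
    laptop = parse_speed_output(MACBOOK_PRO_2007)
    for bits, ratio in speedup(laptop, phone).items():
        print(f"RSA-{bits} sign:   laptop is {ratio}x the phone")
    for bits, ratio in speedup(laptop, phone, "verify_per_s").items():
        print(f"RSA-{bits} verify: laptop is {ratio}x the phone")
```

Feed the script the full output of `openssl speed rsa` from each box and it picks out the summary rows itself. Note that the ratio is per core, exactly as the post says: `openssl speed` without `-multi` runs single-threaded, so a multi-core machine is a further multiple on top of what this prints.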

Wednesday, September 1, 2010

Really short way to generate a secure password in Python

Needed something like that today, was going to write a character table and mix it up with a pseudo-random number generator (i.e. the normal approach), but a thought struck me...
# Python 2: str.encode("base64") returns the base64 text followed by "\n".
# 8 random bytes encode to 11 characters plus one "=" pad and the newline,
# so [0:-2] strips exactly "=\n" and leaves an 11-character password backed
# by 64 bits of entropy.
import os
new_password = os.urandom(8).encode("base64")[0:-2]

Done! QED! FIN!

The only minor problem: It doesn't generate pronounceable passwords, but the passwords I use aren't pronounceable anyways.
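The one-liner is Python 2 only, since `bytes` has no `"base64"` codec in Python 3. Here is an added example (not from the original post) of the same construction in Python 3, together with the two things worth checking about any such one-liner: how many characters you actually get and how many bits of entropy are behind them. Function names and the `nbytes` parameter are this example's own.

```python
"""Python 3 version of os.urandom(8).encode("base64")[0:-2], plus length and
entropy checks. Added example, not code from the original post."""
import base64
import os
import secrets
import string

# Characters a standard-alphabet base64 password can contain once padding is stripped.
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/")


def urandom_password(nbytes=8):
    """Python 3 equivalent of the post's one-liner. rstrip("=") removes however
    many pad characters the byte count produces, so unlike [0:-2] it is also
    correct for byte counts that yield two pads (e.g. 7 or 10 bytes)."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def urlsafe_password(nbytes=8):
    """Same construction via the stdlib helper (Python 3.6+). It uses '-' and
    '_' instead of '+' and '/', so the result can be pasted into URLs and
    shell commands without quoting."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits(nbytes):
    """Entropy is fixed by the random bytes, not by the printed length:
    8 bytes give 64 bits whatever encoding you print them in."""
    return 8 * nbytes


def base64_length(nbytes):
    """Printed length after stripping padding: 4 characters per 3 bytes, and a
    final partial group of 1 or 2 bytes contributes 2 or 3 characters."""
    full, rest = divmod(nbytes, 3)
    return 4 * full + {0: 0, 1: 2, 2: 3}[rest]


if __name__ == "__main__":
    for n in (8, 16):
        print(f"{n} bytes -> {base64_length(n)} chars, {entropy_bits(n)} bits:",
              urandom_password(n), urlsafe_password(n))
```

Two practical notes. The original `[0:-2]` slice is right only because 8 bytes produce exactly one `=`; with 7 or 10 bytes it would leave a stray `=` in the password. And 64 bits is plenty against online guessing but thin against an offline attack on a leaked hash, so for anything stored server-side bump `nbytes` to 16.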

Sunday, August 22, 2010

Foursquare considered harmful - DON'T USE [Updated w/ 4sq's reply]

Update [2010-08-31]: foursquare has released their v1.9.2 update on App Store today which should fix the problem.

Update: I posted this on Aug 21st morning and foursquare replied to my blog post with a statement on their HTTPS authentication system rollout that night, so they're working on fixing the issue right now. That's actually a very awesomely fast response. Looking forward to their next update.

Yet Another Update: It has come to my attention from reader fdqps that Gowalla for iPhone is having the same problem. I've run the same test on Gowalla, and unfortunately, I can confirm they're having the same problem as well. So, also stop using Gowalla until they've rolled out an update for this problem.

One More Update: Gowalla has responded this morning that they're rolling out a client update in the near future that'll fix the security problem. Again, very fast response.

Original blog post below:

If you care to intercept the messages your Foursquare app sends out from your iPhone.. you'll see something very unpleasant.

The above screenshot was taken from Wireshark listening in on a gateway Wifi NIC to my iPhone. Take a good look at the "Authorization: Basic" line in the above screenshot - Foursquare sends my account's username and password in plaintext over HTTP, without any encryption. They send it every time you open that Foursquare app. If anybody has access to any routers between you and foursquare, or foursquare's DNS happens to be hijacked by anybody anywhere up your DNS chain.. or someone is setting up a public wifi intercepting foursquare HTTP requests, and you joined it... you're screwed.

Yes, I said they send it every time.

I wasn't aware of the problem until I saw the Gaming foursquare with 9 lines of Perl article from Slashdot this morning. Plenty of people are trying to shorten that 9 lines of Perl on Slashdot.. but the big problem I noticed from the source code was... Why the hell can I send my login/password in plaintext and login to foursquare, at all?!!

So, in conclusion, don't use foursquare until they've fixed their security hole. If it's on your mobile phone, remove it right now. Facebook Places is at least decent enough to do the login part via HTTPS.

Update: I see quite a few people on Hacker News are having a hard time believing it. You can reproduce this screen with your own Wireshark and any Wifi access point. I used MacBook Pro's Internet Sharing to do it. Here's how you can reproduce it:

  1. Plug your MBP to wired ethernet - you have one of these in your home, right?
  2. Open an ad-hoc network in your MBP, and share Internet access via that ad-hoc network.
  3. Connect your iPhone to your MBP's ad-hoc network, now it should be able to access the Internet via your MBP.
  4. Install and fire up Wireshark in your MBP - make sure to read the instructions or otherwise it can't capture packets.
  5. Get Wireshark to capture packets on the ad-hoc Wifi interface.
  6. Filter out the HTTP packets going to *.foursquare.com by adding the filter 'http.host contains "foursquare"'
  7. Fire up Foursquare on your iPhone, login if you haven't already
  8. Boom, you've just sent your password in plain text, over the Internet.
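The Wireshark filter in step 6 and the "Authorization: Basic" line in the screenshot are the whole check; the same check can be run in code over captured requests, which is handy when auditing your own app's traffic for credentials sent without TLS. The following is an added example, not from the original post: the request is constructed for this example with a made-up host and made-up credentials, and the finding it produces deliberately carries the username and the password's length but never the password itself.

```python
"""Flag HTTP Basic credentials sent over plain HTTP in captured requests.
Added example, not from the original post; the sample request is constructed."""
import base64
import re

# Constructed sample request: host and credentials are invented for this example.
SAMPLE_REQUEST = (
    b"GET /v1/checkins HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"User-Agent: ExampleApp/1.0 (iPhone)\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"alice@example.com:hunter2")
    + b"\r\nAccept: */*\r\n\r\n"
)

# Header names are case-insensitive; lines end in CRLF, which \s* absorbs.
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+(\S+)\s*$", re.I | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)", re.I | re.M)


def find_plaintext_basic_auth(raw_request, host_filter=None, tls=False):
    """Return a finding dict if `raw_request` carries HTTP Basic credentials
    without TLS, else None.  `host_filter` mirrors the post's Wireshark filter
    (http.host contains "...").  Pass tls=True for requests taken from a
    decrypted TLS session: Basic inside TLS is the normal case and is not
    reported.  The password is never copied into the finding, only its length."""
    if tls:
        return None
    host_m = HOST_RE.search(raw_request)
    host = host_m.group(1).decode("ascii", "replace") if host_m else None
    if host_filter and (host is None or host_filter not in host):
        return None
    auth_m = AUTH_RE.search(raw_request)
    if not auth_m:
        return None
    try:
        decoded = base64.b64decode(auth_m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"host": host, "username": None, "password_length": None,
                "note": "Basic header present but not valid base64"}
    username, _, password = decoded.partition(b":")
    return {
        "host": host,
        "username": username.decode("utf-8", "replace"),
        "password_length": len(password),
    }


def scan_requests(requests, **kwargs):
    """Run the check over many captured requests and keep only the findings."""
    return [f for f in (find_plaintext_basic_auth(r, **kwargs) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan_requests([SAMPLE_REQUEST]):
        print(f"plaintext Basic auth to {finding['host']} as {finding['username']} "
              f"(password of {finding['password_length']} chars)")
```

If a request from your own app shows up here, the fix is the one foursquare shipped: move the login to HTTPS, and preferably stop sending the password on every request at all by exchanging it once for a token.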

Update 2: A commenter, kidsat, on Hacker News found Foursquare for Android is doing the same thing. So if it's on your Android phone, remove it too - wait for them to fix the security bug before you go back to using it.

Thursday, April 1, 2010

List of hidden commands in UNIXKCD


Shouldn't be complete, I have other things to do today anyways... but here it goes:

pwd
lpr
hello joshua
xyzzy
date
hello
xkcd
su
fuck
whoami
nano
top
moo
ping
find
more
your gay
hi
echo
bash
ssh
uname
finger
emacs
vi
vim
asl
goto
find kitten
buy stuff
:(){ :|:& };: (for those who haven't been into the dark side of programming, this is a classical fork bomb)
apt-get
irc
curl
latest
sudo
shutdown
poweroff
logout
cheat
clear
dir
exit
go
goto
halp
help
light
locate
look
man
poweroff
quit
reboot
reddit
restart
rm
make me a sandwich
make love
go [west | east | north | ...]
i read the source code

Many of the commands have variations. Like, you can ask sudo to do different things.