On Mon, Aug 9, 2010 at 11:26, Jerome Velociter <[email protected]> wrote:
> Seems some content is missing. The summary refers to "XWiki JavaScript API" > and "XWiki API Reference" pages, but they do not appear in the body of the > mail. > > Anyone knows what could cause this ? > [Message clipped] View entire message<?ui=2&ik=62926b1305&view=lg&msg=12a44457dabbe100> The message is trunked. > > Jerome. > > > ----- Forwarded Message ----- > From: [email protected] > To: [email protected] > Sent: Friday, August 6, 2010 12:00:18 AM GMT +01:00 Amsterdam / Berlin / > Bern / Rome / Stockholm / Vienna > Subject: [xwiki-notifications] XWiki updates, 9 documents have been > modified since 2010/08/05 00:00 > > > > > Contents > > > • dev > • Community > • Release Plans > • Release Plans Archives > • IRC > • IRC Archive for channel #xwiki > • platform > • DevGuide > • XWiki API Reference > • XWiki JavaScript API > • xwiki > • XWiki > • ChristophDewes > • JarbasJunior > • guenter > • pmarzouk > Hello Developers, > > This message is sent by XWiki. Here are the documents in your watchlist > that have been modified since the last notification: > dev > > Community > > Release Plans > Community.ReleasePlans > > > On 2010/08/05 13:49, the document has been modified by Thomas Mortagne > > > > > * [[API doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]] > ([[core>> > http://maven.xwiki.org/releases/com/xpn/xwiki/platform/xwiki-core/]] > [[rendering>> > http://maven.xwiki.org/releases/org/xwiki/platform/xwiki-core-rendering-api/]]) > doc>>http://platform.xwiki.org/xwiki/bin/view/DevGuide/API]] > |= Release notes |= Update download page |= News on OW2 |= News on > xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= > Wikimatrix |= ANN Mail > = 2.3.2 = > (% style="width: 100%;" %) > |=(% colspan="3" %)Update translations > |= CORE |= XE |= WYSIWYG > | x| x| x > (% style="width: 100%;" %) > |=Module |= Version |= Jira |= Maven |= OW2 > | xwiki-core | 2.3.2| x| x| - > | xwiki-plugin-skinx| 1.13.1| x| x| - > | xwiki-platform-web | 2.3.2| x| x| - > | xwiki-product-enterprise | 2.3.2| x| x|x\\ > | xwiki-product-enterprise-manager| 2.3.2| x| x|x > (% style="width: 100%;" %) > |= Release notes |= Update download page |= News on OW2 |= News on > xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= > Wikimatrix |= ANN Mail > |x|x| x|x| x|x| x|x|x > author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne > Release Plans Archives > Community.ReleasePlansArchives > > > On 2010/08/05 13:49, the document has been modified by Thomas Mortagne > > > > > = 2.3.2 = > > (% style="width: 100%;" %) > |=(% colspan="3" %)Update translations > |= CORE |= XE |= WYSIWYG > | x| x| x > > (% style="width: 100%;" %) > |=Module |= Version |= Jira |= Maven |= OW2 > | xwiki-core | 2.3.2| x| x| - > | xwiki-plugin-skinx| 1.13.1| x| x| - > | xwiki-platform-web | 2.3.2| x| x| - > | xwiki-product-enterprise | 2.3.2| x| x|x\\ > | xwiki-product-enterprise-manager| 2.3.2| x| x|x > > (% style="width: 100%;" %) > |= Release notes |= Update download page |= News on OW2 |= News on > xwiki.org |= API doc (core rendering) |= Wikipedia |= Freshmeat |= > Wikimatrix |= ANN Mail > |x|x| x|x| x|x| x|x|x > > parent: Scheduler.ReleasePlans > ReleasePlans > author: xwiki:XWiki.Sergiu > xwiki:XWiki.ThomasMortagne > IRC > > IRC Archive for channel #xwiki > IRC.xwikiArchive20100805 > > > Between 2010/08/05 01:24 and 2010/08/05 21:48, the document has been > modified 3 times, by 1 user: Sergiu Dumitriu > > > > > #includeForm("IRC.IRCArchiveClassSheet") > IRC.IRCArchiveClass > channel: > > > #xwiki > content: > > > abusenius left at 01:24 (Quit: Konversation terminated! > sdumitriu left at 02:23 (Ping timeout: 240 seconds > tsziklay left at 03:12 (Quit: ChatZilla 0.9.86 [Firefox > 3.6.8/20100722155716] > boscop_ joined #xwiki at 03:53 > boscop left at 03:56 (Ping timeout: 265 seconds > MartinCleaver left at 04:35 (Quit: MartinCleaver > venkatesh joined #xwiki at 05:49 > kibahop joined #xwiki at 08:27 > LadySerena left at 08:36 (Quit: Time to sharpen my claws! > asrfel joined #xwiki at 08:41 > sdumitriu joined #xwiki at 08:52 > Enygma` joined #xwiki at 08:52 > mflorea joined #xwiki at 08:56 > lucaa joined #xwiki at 08:56 > florinciu joined #xwiki at 09:05 > tmortagne joined #xwiki at 09:06 > tmortagne left #xwiki at 09:06 > mflorea left at 09:21 (Quit: Leaving. > tmortagne joined #xwiki at 09:23 > mflorea joined #xwiki at 09:24 > vmassol joined #xwiki at 09:32 > mflorea - (09:36): guys, how can I delete a translation of a wiki page? > tmortagne left at 09:36 (Quit: Leaving. > sdumitriu - (09:37): mflorea: Add ?language=xz in the /delete/ URL > tmortagne joined #xwiki at 09:38 > mflorea - (09:38): let me try > sdumitriu - (09:38): Works only if that’s not the default language of the > document > ztane - (09:48): how do I get the password reset dialog working on a > private wiki? :) > vmassol left at 09:50 (Quit: Leaving. > KermitTheFragger joined #xwiki at 09:54 > tmortagne - (09:54): sounds like a long proposal :) > mangroovie joined #xwiki at 09:54 > ztane - (09:56): hmm maybe should go for ldap > sdumitriu - (09:56): ztane: Private = forbid unauthenticated view? > ztane - (09:57): yes > ztane - (09:58): enterprise extranet wiki :)) > cjdelisle - (09:59): It has been a long time coming. Oddly enough there > aren’t a real lot of services provided. > ztane - (09:59): do not want anything to leak out to nonauthorized, except > the password reset form > jvdrean joined #xwiki at 10:04 > sdumitriu - (10:11): ztane: Sorry, that’s not possible yet > sdumitriu - (10:12): Preventing unauthenticated access really prevents it > abusenius joined #xwiki at 10:21 > vmassol joined #xwiki at 10:23 > cjdelisle - (10:28): abusenius: Any thing else you need in xwiki-crypto? > (working on the proposal) > abusenius - (10:32): hm, no, just the methods for storing/loading > certs/keys that we might want put elsewhere > abusenius - (10:32): *to put > cjdelisle - (10:33): Yea, IMO load/store is not really in the scope of > crypto. > abusenius - (10:35): should I move it to signedscripts? thats the only > place it’s used atm > cjdelisle - (10:36): *distraction: IPv6 is a joke, 19.0.0.0 - > 19.255.255.255 is Ford Motor Company ip space, it is not even announced to > the backbone routers. > cjdelisle - (10:36): What car company doesn’t need 16,000 unused ips? > abusenius - (10:36): *IPv4? > cjdelisle - (10:37): IP6 is a joke because like 40% of ip4 numbers are > routed, 3% respond to pings. > abusenius - (10:37): it’s a good investment, they will be able to sell it > for a lot of money quite soon :) > cjdelisle - (10:37): Not if arin/ripe catch you. > abusenius - (10:37): well, it’s just that nobody uses them > abusenius - (10:38): well, thats another question > cjdelisle - (10:38): Well not nobody, some halliburton space suddenly > started getting announced from eastern europe. > cjdelisle - (10:38): spam spam spam spam > cjdelisle - (10:41): Halliburton 34.0.0.0 - 34.255.255.255 (to their credit > they announce a couple hundred ips in that range and run their site in it.) > abusenius - (10:42): I’Ve read somewhere that one of the problems is that > they used to give just 2 types of ip ranges, 255.255.255.0 for "small" > companies and 255.0.0.0 for "big" companies :) > cjdelisle - (10:45): that 255.255.255.0 is called a /24 because 24 of the > 32 bits are defined. 255.0.0.0 is a /8, nobody can get a /8 anymore, they > gave them out in like 1991. > cjdelisle - (10:46): You guys can still get a /24 for like 150€ but arin > won’t sell anything smaller than a /20. > cjdelisle - (10:48): The problem is provide independent space means you > announce your (tiny little) range to all of the backbone routers and the > global routing tables get so huge they need bigger routers. > cjdelisle - (10:50): What’s easiest for the backbone is if 192 routes to > usa, 64 routes to chicago, 32 routes to some isp and 25 routes to the > specific computer. Except 192 range is not like that, 192.64.32.1 might be a > computer in chicago and 192.64.33.1 might be in estonia. > sburjan joined #xwiki at 10:52 > cjdelisle - (10:57): humpf... decryption succeeded with wrong password. I > think it decrypted to garbage but I have to check... > abusenius - (10:57): we might want to check if the output == input > cjdelisle - (11:00): yup, repeating the test in loop 0-1000 > cjdelisle - (11:01): if the output is the same length, I think the padding > scheme doesn’t notice anything is wrong. > cjdelisle - (11:01): indeed, I already have a bad decryption. > abusenius - (11:03): in theory, a wrong password might decrypt to any > meaningful text, but the probability is very very low > cjdelisle - (11:04): hmm, actually the key would have to be as long as the > original text to decrypt to anything. > cjdelisle - (11:05): I remember someone talking about an algorithm which > would decrypt to various things based on the password given. > cjdelisle - (11:05): It would be pretty obvious to a cryptographer though > that there was more to it though. > abusenius - (11:06): well, if the key is as long as the text, then you can > decrypt to any text of the same length > abusenius - (11:07): if the key is shorter, the number of possible > decryptions is much smaller > cjdelisle - (11:07): But it brings up an interesting topic, if you xor > "illegal data" against random and publish the random on one server and the > output on another, which server gets the takedown notice? > abusenius - (11:07): but one of them might still be meaningful > cjdelisle - (11:08): It’s essentially impossible to determine random from > something xor’d against random. > cjdelisle - (11:09): 4 collisions. > abusenius - (11:09): well, you can easily invent any content you want :) > abusenius - (11:09): what yre you encrypting? > cjdelisle - (11:10): I just rigged the test to repeat trying to decrypt > with the wrong password and dump any time it collides. > Enygma` left at 11:10 (Ping timeout: 276 seconds > cjdelisle - (11:10): decryptWithWrongPasswordTest() * 1000 > abusenius - (11:11): so "collision" = successfull decryption to garbage? > cjdelisle - (11:11): yup. > cjdelisle - (11:11): done. 4/1000 tries. > abusenius - (11:11): the only way decryption algorithm can distinguish > "meaningful" text from garbage is the padding > kibahop left #xwiki at 11:12 > cjdelisle - (11:12): IMO it should output garbage every time it fails. > Imagine trying to password guess that :D > abusenius - (11:12): so if the garbage by chance contains one byte of > correct padding, it will succeed > abusenius - (11:12): well, you can check for printable character for > example > cjdelisle - (11:12): yup, check for invalid utf8 > cjdelisle - (11:13): imagine encrypting an mp3, basically any text is valid > in an mp3 > cjdelisle - (11:13): or mpeg4 > abusenius - (11:13): there is a header you can trry to match > abusenius - (11:14): frames etc. > abusenius - (11:14): but it is harder > abusenius - (11:14): thats one of the reasons people first compress, then > encrypt :) > cjdelisle - (11:16): Yea, it would be tough trying to beat this algorithm > though, it took like 5 minutes for 2000 cycles of scrypt, I could make it > take longer with config too. > cjdelisle - (11:27): proposal sent. > mangroovie left at 11:29 (Ping timeout: 252 seconds > cjdelisle - (11:41): I don’t see the user manager in the sandbox, is it > written? (http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule) > abusenius - (11:42): it is very new imo, probably not yet > cjdelisle - (11:45): The proposed interface looks like it can only be > implemented using some sort of String USER_CLASS = "XWiki.XWikiUsers"; > cjdelisle - (11:47): Maybe I should propose a best practice that we never > make the core depend on the content of the database. AKA hardcoding document > names. > abusenius - (11:51): which interface? > cjdelisle - (11:53): defined here > http://dev.xwiki.org/xwiki/bin/view/Design/UsersModule > mangroovie joined #xwiki at 11:53 > venkatesh left at 11:53 (Ping timeout: 265 seconds > abusenius - (11:54): ah, ok > abusenius - (11:56): maybe, I "never ever" rule is quite unrealistic though > abusenius - (11:56): s/I/a/ > cjdelisle - (11:58): Well that’s how all best practices are, sometimes you > are just plain painted into a corner. > cjdelisle - (11:58): I usually end up throwing away code when that happens. > abusenius - (12:01): moved cert storage methods out of crypto, about to > commit > cjdelisle - (12:01): there was storage in crypto? > cjdelisle - (12:02): I don’t see it... > abusenius - (12:03): well, user document utils were misused for that > abusenius - (12:04): I mean listinf fingerprints etc. > abusenius - (12:04): *listing > venkatesh joined #xwiki at 12:04 > cjdelisle - (12:04): Oh, I haven’t looked there in a while. thanks ;) > cjdelisle - (12:04): k I think I know how you can validate a cert. > cjdelisle - (12:05): Take the webid and do a http get on it, you’ll get the > foafssl stuff. > cjdelisle - (12:06): We can also set it up so you get a list of signed > permissions granted to the user. > abusenius - (12:07): yea, we could do that > cjdelisle - (12:07): parse those permissions, extract cert from signature, > recurse. > cjdelisle - (12:08): It will be awesome but slooooooow. > cjdelisle - (12:09): hmm, maybe not if the user pages get cached. > abusenius - (12:09): the recursion would not be very deep > abusenius - (12:09): unless we overdo it :) > venkatna joined #xwiki at 12:10 > abusenius - (12:10): it should be something like admin -> user permission > -> cert > cjdelisle - (12:10): What’s awesome about it is I can be on one wiki and > give you permission on another, you can then give permissions to people on > my wiki. > venkatesh left at 12:10 (Ping timeout: 248 seconds > abusenius - (12:11): not that everybody was waiting to do that all their > life, but yea, would be possible :) > cjdelisle - (12:12): I don’t expect anyone beating a path to the door for > it but I can see in the future there might be applications. > cjdelisle - (12:13): If I grant admin authority to an admin of another > wiki, all of their wiki’s users get defacto permissions on mine. > cjdelisle - (12:15): the escaping test makes a nice DoS engine. > abusenius - (12:16): :) > cjdelisle - (12:17): Have you seen Websecurity? > abusenius - (12:18): not sure what you mean > abusenius - (12:18): afk for lunch > cjdelisle - (12:19): http://www.websecurify.com/ > cjdelisle - (12:19): I’ll go find something to eat too. > florinciu1 joined #xwiki at 12:39 > florinciu left at 12:44 (Ping timeout: 276 seconds > florinciu1 left at 12:46 (Read error: Connection reset by peer > florinciu joined #xwiki at 12:47 > sylviarusu joined #xwiki at 12:56 > florinciu left at 13:05 (Ping timeout: 240 seconds > florinciu joined #xwiki at 13:08 > tmortagne - (13:10): cjdelisle: i’m not sure i understand what you mean in > XWIKI-5390 > cjdelisle - (13:10): > http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/package-summary.html > cjdelisle - (13:11): all still version 1.7 > tmortagne - (13:12): cjdelisle: there is a hudson project for it already, > that’s http://hudson.xwiki.org/job/xwiki-platform-core-site-job/ but it > has been disabled some time ago because we had issue with javadoc plugin > think > tmortagne - (13:12): s/think/I think/ > cjdelisle - (13:13): I see, I can try to see if I can get it working again. > tmortagne - (13:13): yep > cjdelisle - (13:13): It’s pretty important because that’s the only place to > get javadoc for XWikiDocument etc. > tmortagne - (13:14): cjdelisle: well there is m2Eclipse automatically > downloading javadoc/source too ;) > tmortagne - (13:14): which is very usefull > tmortagne - (13:15): but it’s only for released projects > cjdelisle - (13:15): When I wrote the DevGuide.Scripting I had to reference > some javadoc so I chose that. > cjdelisle - (13:15): Because it’s hosted. > cjdelisle - (13:16): If I can get this working then I see no reason to keep > uploading .zip files to xwiki.org so that will close another issue. > cjdelisle - (13:16): Make any sense? > tmortagne - (13:17): cjdelisle: it’s not the same thing > tmortagne - (13:17): this job deploy trunk jaavadoc > tmortagne - (13:17): in xwiki.org we provide specific releases javadoc > cjdelisle - (13:17): hmm. good point. Maybe we can have hudson build from > branches? > tmortagne - (13:17): what should be done in xwiki.org is having something > more dynamic that get the proper javadoc from maven.xwiki.org files > instead of having to attach > tmortagne - (13:18): i want to add this since a long time in zip plugin but > never had the time > cjdelisle - (13:18): in the zip plugin? > tmortagne - (13:19): the xwiki plugin which is used to view the javadoc > inside the zip file attached to the page > tmortagne - (13:19): > http://platform.xwiki.org/xwiki/bin/download/DevGuide/API/xwiki-core-rendering-api-2.3.2-javadoc.jar/index.html > cjdelisle - (13:19): make it able to load a page hosted somewhere else? > cjdelisle - (13:19): s/load a page/read a zip/ > tmortagne - (13:20): yes make it able to work with a zip from anywhere and > not only an attached file > cjdelisle - (13:20): hmm, as long as it can’t be exploited to... say open > really big zips somewhere? > abusenius - (13:21): re websecurity, no, haven’t seen it before > cjdelisle - (13:22): I was talking to a guy who mentioned if you can > convince a bot to download a file, feed it a linux .iso > tmortagne - (13:23): cjdelisle: you can always indicate a maximum size > abusenius - (13:23): we should try some tools like websecurity on xwiki at > some point, but not now (would be too disappointing ^^) > florinciu left at 13:23 (Ping timeout: 258 seconds > cjdelisle - (13:23): abusenius: I see a bunch of FATAL: not escaping single > quote. > cjdelisle - (13:23): I don’t think even escapetoo.xml escapes single > quotes. > tmortagne - (13:24): checking something: i think there is something abut > javadoc in nexus actually > abusenius - (13:24): it does > abusenius - (13:24): getXMLEncoded doesn’t > cjdelisle - (13:24): That’s right :) > abusenius - (13:24): afaik > abusenius - (13:24): it is technically correct to not escape single quotes > in URL > abusenius - (13:25): but not secure, because a href=’bla’ is also correct > cjdelisle - (13:25): no getXMLEncoded escapes ’ to and it becomes ’ which > breaks everything > abusenius - (13:25): ah, right > tmortagne - (13:25): cjdelisle: > http://nexus.xwiki.org/nexus/service/local/repositories/releases/archive/com/xpn/xwiki/platform/xwiki-core/2.4/xwiki-core-2.4-javadoc.jar/!/index.html<http://nexus.xwiki.org/nexus/service/local/repositories/releases/archive/com/xpn/xwiki/platform/xwiki-core/2.4/xwiki-core-2.4-javadoc.jar/%21/index.html> > tmortagne - (13:25): tadaa > cjdelisle - (13:25): cool. I wish it said something like /latest/ > tmortagne - (13:26): maybe there is something > tmortagne - (13:27): i will at least modify the API page to go there and > stop attaching files > abusenius - (13:27): is it possible to link javadocs for *all* components > on DevGuide/API ? > abusenius - (13:28): currently it only lists core > tmortagne - (13:28): abusenius: and rendering ;) > tmortagne - (13:28): but yes it should be more that theses two > tmortagne - (13:28): should be at least important components > abusenius - (13:28): yea, but you need to do voodoo magic to find other > docs :) > cjdelisle - (13:29): That was a nice thing about maven.xwiki.org was > everything was linked together. > tmortagne - (13:31): cjdelisle: you mean maven.xwiki.org/site ? > cjdelisle - (13:31): yup > cjdelisle - (13:32): *idea* What if we added the svn location to the class > javadoc comment in each class, then it will make a link in each javadoc > pointing to the source. > cjdelisle - (13:32): Maybe svn config will do the trick. > abusenius - (13:33): wasn’t there a configuration option for javadoc for > that? > tmortagne - (13:34): cjdelisle: there is probably some maven javadoc plugin > configuration we could use for it > cjdelisle - (13:34): I don’t know that the javadoc would know where the > files are hosted in svn, it sure would be nice though to have a docjar style > [source] button > abusenius - (13:35): (but maybe I saw it in doxygen, not sure) > cjdelisle - (13:36): I really like this format everything is linked from > there. > http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/index.html?com/xpn/xwiki/api/package-summary.html > abusenius - (13:38): > http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/javadoc.html#linksource? > cjdelisle - (13:39): abusenius: I see three tests in error: > Blog/Publisher.xml Panels/CreatePanel.xml templates/createinline.vm Do you > want to do something to them before putting the tests in the tree? > abusenius - (13:40): let me see > cjdelisle - (13:40): Creates an HTML version of each source file (with line > numbers) argh.. hate line numbers. > abusenius - (13:41): well, better than nothing > abusenius - (13:43): I could put those tests in error onto ignore list > cjdelisle - (13:43): also I like the idea of pointing to the actual svn > server. > abusenius - (13:43): 2 of them fail because the xredirect is properly > escaped, but my test string isn’t a URL > abusenius - (13:43): 1 fails with 409, no idea why > abusenius - (13:44): there are allready a dozen or so ignored tests in > error > cjdelisle - (13:46): Hmm, you really ought to have commit access so you can > work on this once it’s in the tree, unfortunately it’s tough to get a quorum > on anything right now. > florinciu joined #xwiki at 13:46 > venkatna left at 13:47 (Quit: Leaving > abusenius - (13:48): can it be (sym)linked to sandbox? > cjdelisle - (13:50): I don’t know what svn does with symlinks. > abusenius - (13:51): I think on all decent operating systems it works fine > :) > cjdelisle - (13:51): Websecurity is a pretty good DoS cannon, when I ran it > locally, my wiki eventually just ceased up and refused to serve anything. > abusenius - (13:52): checkout on windows would create a copy of the > directory > tmortagne - (13:53): i doubt svn will support sym links anyway > tmortagne - (13:53): especially svn 1.4 > abusenius - (13:53): ok, if the svn server is 1.4 then we can forget it > abusenius - (13:54): why is it 1.4 btw? it’s like stone age... > tmortagne - (13:55): i agree > tmortagne - (13:55): i’m aking for an upgrade since ages > cjdelisle - (13:55): blah, hudson ceased up in wysiwyg test. Lets see if I > can kill the build... > cjdelisle - (13:56): yay I did something. > cjdelisle - (13:58): last time the javadoc build ran out of swap space (so > it says). I’ll try running it and see what happens this time. > vmassol left at 13:58 (Quit: Leaving. > sburjan - (14:08): cjdelisle, : was the implementation hard ? I mean .. > understanding that technical paper and then implementing > cjdelisle - (14:08): re scrypt? > sburjan - (14:08): We had to implement DES and AES from specs like > these..and it was HORRIBLE > sburjan - (14:08): yes > cjdelisle - (14:08): It wasn’t too bad because there was a reference > implementation in c > sburjan - (14:09): oh, so you didn;t wrote if from scratch > cjdelisle - (14:09): It definitly is not AES. > sburjan - (14:09): it’s stronger than AES, right > sburjan - (14:09): AES is totally hard (at least for me) > cjdelisle - (14:09): It does something different. > sburjan - (14:09): yeah, I know > cjdelisle - (14:10): The point is that there is no way to go from the > password to the key without using x amount of ram for y cpu cycles of time. > cjdelisle - (14:10): Fortunately it uses PBKCS2 which I could rip from > bouncycastle. > sburjan - (14:10): but basically this is a much more complex hash function, > right ? > cjdelisle - (14:11): yup. > sburjan - (14:11): md5 is birthday paradox vulnerable > sburjan - (14:11): I guess this isn;t :) > cjdelisle - (14:11): It uses PBKCS2, and it uses salsa20 > cjdelisle - (14:11): ahh, PBKCS2(Sha-256) :) > cjdelisle - (14:12): yea md5 is bad. > sburjan - (14:12): oh :)) > sburjan - (14:12): md5 is obsolete > sburjan - (14:12): intresting > sburjan - (14:12): I never understood properly the algebra behind crypto > systems > sburjan - (14:13): although i wanted to :) > cjdelisle - (14:13): This isn’t really crypto. > cjdelisle - (14:13): It’s just designed to take a long time. > cjdelisle - (14:13): So it generates an absurd amount of data. Then it > takes an int from 4 bytes of a hash output and gets the data at the location > of that int. > cjdelisle - (14:14): The idea is you can’t safely throw away any of that > data because you might need it. > sburjan - (14:14): I see > sburjan - (14:14): so this happens for all the new passwords ? > sburjan - (14:14): new user accounts, etc ? > sburjan - (14:15): I nea this happens for every password > cjdelisle - (14:15): So it keeps seeding the hash with pieces of the big > block of data, then it takes the output and feeds it to PBKDF2 again. > sburjan - (14:15): *mean > cjdelisle - (14:16): No it it’s just a service at the moment, once I > convince everyone to include it in the tree, then we can think about using > it for the user accounts. > sburjan - (14:16): so what do you hash with these service more exactly ? > cjdelisle - (14:16): Passwords. > sburjan - (14:16): so only user passwords. or are there another type of > passwords ? > sburjan - (14:17): that are used in xwiki > cjdelisle - (14:17): It is intended to be useable for the user accounts, I > just want to put the code there before we even talk about implementing it > for user passwords. > cjdelisle - (14:17): Sure, any password can be handles by this. > sburjan - (14:17): I see > cjdelisle - (14:17): s/handles/handled/ > abusenius - (14:17): btw, XWIKI-70 is the oldest bug (i.e. not feature > request or task) atm > sburjan - (14:18): so it is collision free ? or you made it like this in > order to take as far as possible advante of collisions > Enygma` joined #xwiki at 14:18 > cjdelisle - (14:18): It is as collision resistant as pbkdf2(sha256) > cjdelisle - (14:19): because the password is included in the final hash. > sburjan - (14:19): yeah, but the time to find another string that hashes > the same... requires much more time due to y ram and x cpu cycles, right ? > cjdelisle - (14:20): Well the main attack vector is password guessing with > word lists. > cjdelisle - (14:20): so it’s not really a collision but the real password > that is most likely to be found. > sburjan - (14:20): hmmm > sburjan - (14:21): dictionary attack ? :) > cjdelisle - (14:21): This makes it difficult because it occupies 1MB of ram > for about 100milliseconds. > sburjan - (14:21): i see > cjdelisle - (14:21): These numbers are configurable. > sburjan - (14:21): but the actual auth mechanism is comparing the hash from > db with the hash(typed password), right ? > cjdelisle - (14:21): The default scrypt takes 200MB for 5 seconds. > sburjan - (14:22): like md5 is still used > cjdelisle - (14:22): It’s a little more complicated than that, but that’s > the idea. > sburjan - (14:22): I see > cjdelisle - (14:22): You have a PasswordVerificationFunction which is > Serializable and includes all of the information to recreate the same output > given the same password. > cjdelisle - (14:23): that is the salt, the memory cost number, and the > processor cost number. > sburjan - (14:23): yeah.. > sburjan - (14:23): intresting > cjdelisle - (14:24): So you load the code from the database, deserialize, > and feed it the password to validate. > cjdelisle - (14:24): If we decide in the future to change the function, all > we need to do is create a new function and start using it for all new > passwords. > sburjan - (14:24): so each password is serialized in an object that is > stored in the db ? > cjdelisle - (14:25): the ourtput from hashing the password is a byte[] in > the object yes. > sburjan - (14:25): I see > sburjan - (14:25): pretty cool > cjdelisle - (14:26): > http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-crypto/src/main/java/org/xwiki/crypto/passwd/internal/ScryptMemoryHardKeyDerivationFunction.java > sburjan - (14:26): and what is the memory and cpu cost going in the > ecuation? > sburjan - (14:26): when "hashing" the inputed password in order to compare > it from the serialized object ? > cjdelisle - (14:27): Configurable, but I have it set to 1Mb for 100ms by > default. > sburjan - (14:28): yeas, but what operation is slowed down intensionally > with the ram and CPU thing ? > cjdelisle - (14:28): indeed, you can’t have everything :) > boscop_ is now known as boscop ([email protected] > sburjan - (14:30): no no .. where is the slow down come in place ? > sburjan - (14:30): this this slows down .. you wanted this.. cpu cycles, > etc > cjdelisle - (14:31): ? > sburjan - (14:32): you force the system to work in time. to be limited by > ram and CPU > sburjan - (14:32): not to take advance of the full computational powers of > a possible attacker > cjdelisle - (14:32): If the system is under heavy load when the user > registers, then their crypted password will be weaker. > cjdelisle - (14:33): decrypting the password will always take the same > amount of cpu cycles. > sburjan - (14:33): oh > sburjan - (14:33): so decrypting is the operation that takes advantage of > the intentional slowness > sburjan - (14:33): got it > cjdelisle - (14:34): When crypting the password, It does a test run to get > the desired number of cycles from the desired time to crypt. > cjdelisle - (14:34): It’s not all that accurate but within 100% according > to the tests. > sburjan - (14:35): I see > cjdelisle - (14:35): I noticed it usually takes a little more time than it > is asked to take. > sburjan - (14:36): and isnt there a disk if someone tries a dictionary > attack to block the server (DDOS) due to heavy platform load in order to > decrypt the passwd ? > sburjan - (14:36): *risk, not disk > cjdelisle - (14:37): Well if you’re trying to ddos the server then you can > use infinite loops etc. if you are trying to guess the password, then you > want a graphics processor. > cjdelisle - (14:37): Anyway if you have a botnet (DDoS) then you can get > thousands of windows boxes to try passwords locally. > cjdelisle - (14:39): However I think you can cease up an xwiki installation > just by trying to log in with a million threads right now. > cjdelisle - (14:41): bbiab... > tmortagne left at 14:43 (Read error: Connection reset by peer > tmortagne joined #xwiki at 14:43 > sburjan - (14:46): wait, you lost me :) > sburjan - (14:47): the decrypt function is GPU dependant ? > MartinCleaver joined #xwiki at 14:57 > abusenius - (14:59): sburjan: he is talking about using GPGPU to speedup > breaking hashes > sburjan - (15:01): so it uses graphics card to break hashes ? > abusenius - (15:01): the bad guys use them > sburjan - (15:01): I;m a little bit confused > sburjan - (15:01): yeah, the bad guys > abusenius - (15:01): yes, 1000 threads are better than 4 > sburjan - (15:02): a gpu has 1000 threads ? > abusenius - (15:02): new ones yes > sburjan - (15:02): I see > abusenius - (15:02): light-weight threads > sburjan - (15:02): and the other thing I didn’t understand > sburjan - (15:02): Anyway if you have a botnet (DDoS) then you can get > thousands of windows boxes to try passwords locally. > sburjan - (15:03): but how do you get locally the serialized objects that > contain the passwdz ? > abusenius - (15:03): well, assuming you have DB dump or something > sburjan - (15:03): but for that you already need privileges > abusenius - (15:03): sure > abusenius - (15:04): the idea is, if the attacker can get access to the > server, he still can’t find out your password > abusenius - (15:05): otherwise you might as well just sleep(10) on the > server side > abusenius - (15:06): having a password in cleartext is bad, because people > reuse them for example > cjdelisle - (15:06): privileges lol. All you need for database dumps is > bobby tables. > cjdelisle - (15:06): we’re better than some but never trust the db. > cjdelisle - (15:07): Actually, the password hashes are right in the > XWikiUsers object. > sburjan - (15:07): bobby tables ? > cjdelisle - (15:08): http://xkcd.com/327/ > cjdelisle - (15:09): It’s a dumb joke but it has sort of turned into a > meme. > sburjan - (15:09): yea :)) > sburjan - (15:09): but we’re still vulnerable to sql injection ? > cjdelisle - (15:10): hmmmmmmm yes. > mflorea left at 15:11 (Quit: Leaving. > lucaa left at 15:13 (Quit: Leaving. > cjdelisle - (15:13): We’re looking into a way to use encryption to make it > so sql injection is pointless. > sburjan - (15:14): parameterization doesnt work in our case ? > cjdelisle - (15:14): If everything used it then it would work. I’m talking > about cases where there is a registered user and he has access to > searchDocuments etc. > sburjan - (15:15): and making them be used everywhere is hard ? > cjdelisle - (15:16): Well even if they are used everywhere all the > adversary has to do is register and write their own vulnerable queries. > cjdelisle - (15:19): We have been talking about having a root "superadmin" > certificate stored in a file on the hard disk. That cert signs the admin’s > permissions and the admin signs the user permissions. > cjdelisle - (15:20): you can dump (or alter) the database but all you get > is certificates and password encrypted private keys > cjdelisle - (15:20): change a cert, break the cert chain, change a key, > then it doesn’t match the cert. > cjdelisle - (15:38): oh sburjan Cryptography (at least public key RSA) > works because it’s fast to raise something to the 65537th power and slow to > get the 65537th root. > cjdelisle - (15:39): that’s the "one way trap function" > sylviarusu left at 15:40 (Quit: Leaving. > sburjan - (15:43): I see > sburjan - (15:43): I started to read more about sql injection > sburjan - (15:43): too bad that htere isn;t a "training" site :) > sburjan - (15:43): so I can actually see it work > abusenius - (15:44): try xwiki.org ^^ > cjdelisle - (15:45): lol > sburjan - (15:45): i’m sure it’s not vulnerable :)) > sburjan - (15:45): you guys fixed it > sburjan - (15:45): :D > sburjan - (15:45): at least the most vital places > cjdelisle - (15:45): actually yea, you’d just end up spamming zipe’s logs > with your attempts. > cjdelisle - (15:45): *xipe > cjdelisle - (15:46): Do you have a local installation on your computer? > sburjan - (15:46): of XWiki ? > cjdelisle - (15:46): yea. > sburjan - (15:46): of course > sburjan - (15:46): I’m writing automatic tests, so i have to test them :P > cjdelisle - (15:47): Well you can play with that. Try using websecurity > against it, just run it over night and see what you get > abusenius - (15:47): sburjan, there are training apps actually, > http://insecurewebapp.sourceforge.net/main/index.html > sburjan - (15:48): hmmm > sburjan - (15:48): I’ll take a look > cjdelisle - (15:49): > http://labs.oracle.com/projects/crypto/HowECCWorks-USLetter.pdf > cjdelisle - (15:50): McEllice is a bit more interesting because it can’t be > parallelized (quantum computer proof) but it’s also a lot more complicated. > sburjan - (15:50): lots of math :) > sburjan - (15:50): so this is what your srypto implementation use ? > cjdelisle - (15:51): it doesn’t use any public key (not for password > derivation.) > sburjan - (15:52): cjdelisle, : do you have some masters in computer > security ? :) > sburjan - (15:52): I know abusenius has > cjdelisle - (15:52): xwiki-crypto does have a public key component, it just > uses rsa. > cjdelisle - (15:52): haha masters in what? > sburjan - (15:52): information security :) > sburjan - (15:53): computer security > cjdelisle - (15:53): I took like 2 semesters of programming in college. > abusenius - (15:53): there are no special security degrees afaik > sburjan - (15:54): abusenius, : There are masters in all the europe on > Information/Computer Security > abusenius - (15:54): not in my university :) one can just specialize on > that > cjdelisle - (15:54): My professors were all ex-nsa, one recommended I apply > there. > sburjan - (15:54): they teach you the algebra behind the cryptosystems > abusenius - (15:54): it is still called "computer science" > sburjan - (15:55): things like chinese remainder theorem > cjdelisle - (15:55): Yea, I read about it a little, I’m sure I’ll learn it > sooner or later. > abusenius - (15:56): we got this in the introduction lecture to crypto > sburjan - (15:56): abusenius, : but your internship is in Security here at > X, right ? > abusenius - (15:56): yes > cjdelisle - (15:57): hey, I have a masters in breakeology. > sburjan - (15:57): so you learned the security stuff all by yourself ? > abusenius - (15:57): me? > sburjan - (15:57): yes, you abusenius :) > cjdelisle - (15:57): breakeology, when you learn by breaking stuff. > sburjan - (15:57): breakeology is like .. sociology, antropology ? :)) > sburjan - (15:58): so you do have a masters in that :D > abusenius - (15:58): no, I’ve learned everything I could find, but I also > took all lectures on crypto/security we have > abusenius - (15:58): if you’re interested in something, it happens > naturally :) > sburjan - (15:59): true > sburjan - (15:59): but that math is pretty hard :)) > sburjan - (15:59): all the modulo stuff > sburjan - (15:59): remainders, etc > cjdelisle - (15:59): I have 5 pdfs in my system tray. > sburjan - (15:59): about ? > sburjan - (16:00): security ? > cjdelisle - (16:00): How to get ips, DDoS defense, anycast, conficker, and > ecc. > sburjan - (16:00): they should make a book on crypto. Computer Security for > retards. and they should dedicate it to me :)) > sburjan - (16:01): Well known idiot’s guide is too high level .. I need > something lower > abusenius - (16:01): :D > cjdelisle - (16:01): hah, I noticed that the math all just looks hard with > the weird symbols, read the implementation if you want to understand. > cjdelisle - (16:01): Look at this: http://cr.yp.to/salsa20.html > abusenius - (16:02): I find probability theory harder, groups are not that > bad > cjdelisle - (16:02): salsa20 is a full cipher implementation in 22 lines. > that is why Bernstein is full of win. > cjdelisle - (16:03): no stupid s-boxes, no obfuscation. it’s either secure > or it’s not and that doesn’t really depend on how hard it is to understand. > abusenius - (16:04): thats just because it doesn’t include the > implementation of the hash function ;) > cjdelisle - (16:04): yea well it’s actually a cipher. Converting it to a > hash which is collision resistant and such is a bigger task. > cjdelisle - (16:05): but that function placed well in the eurocrypt > contest. > abusenius - (16:09): in any case, understanding what you can do (and what > not) with some type of encryption is more important than implementation > details > cjdelisle - (16:10): Yea, the devil really is in the details. > cjdelisle - (16:12): I remember reading that people were surprised when > joanna rutkowska showed that a computer with full disk encryption can still > be attacked by putting malware in the mbr. > abusenius - (16:12): less related question, how can I change log4j settings > of xwiki instance I use for escaping-tests/ > abusenius - (16:12): ? > abusenius - (16:13): it seems to use debug logging level > cjdelisle - (16:14): take a look at start-wiki and start-wiki-debug.sh > there might be something there about it. > abusenius - (16:15): hm, not really > cjdelisle - (16:16): I don’t know, you could google log4j "-D" > cjdelisle - (16:17): I’m sure there is a -Dsomething which will change it. > abusenius - (16:18): googling... > mflorea joined #xwiki at 16:20 > sburjan - (16:21): in java a char is 2 bytes, right ? so a 64 bytes string > is actually a 32 char string ? > cjdelisle - (16:22): yes a char is two bytes :/ > sburjan - (16:23): in the link you gave me , it says that it takes a 64 > bytes strin. about salsa20 > cjdelisle - (16:23): String has a few other components which occupy some > space but you’re pretty much correct. > sburjan - (16:23): but if the input string is less than 64 bytes/32 chars ? > it’s getting padded ? > cjdelisle - (16:24): Well the function will run on much larger pieces of > data by breaking them up, and yes it pads at the end. > cjdelisle - (16:26): The neat thing about salsa is it’s auto seeking. You > give it a key and say block 1000, then you input 1000 along with the key and > salt, and it generates some output which you can use to decrypt the data. > cjdelisle - (16:27): salsa20 doesn’t actually decrypt your data, it > generates psudorandom which you then xor against your data. > lucaa joined #xwiki at 16:28 > sburjan - (16:28): hmmm > sburjan - (16:28): so it can be decrypted > sburjan - (16:29): afaik md5 is one way hash > sburjan - (16:29): alsa is reversible ? > cjdelisle - (16:29): yea. > cjdelisle - (16:29): Imagine you take a key and md5 it. > sburjan - (16:29): oh... big diffrence > cjdelisle - (16:30): Actually imagine you take a key, append a number (0) > then md5 it. > cjdelisle - (16:30): then you take your plain text and xor it against the > output from md5. > sburjan - (16:31): this is how you decrypt it ? > > _______________________________________________ > notifications mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/notifications > > _______________________________________________ > devs mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/devs > > _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
