www.stottmeister.com is dead

I buried my personal website tonight. It was too old, too static to be of good use to me anymore.

R.I.P. www.stottmeister.com 2005-2010:

www.stottmeister.com Screenshot dated 2010/03/17

From now on there is only this blog. All queries will be redirected to here.


Boards.ie Forums have been hacked – don’t panic!

Though I’m not Irish, it has come to my attention that one of the largest bulletin boards in Ireland, boards.ie, has been hacked today. The attackers gained access to parts of the database ” [..] which includes our members usernames, email addresses and obfuscated passwords [..] ”, as stated on the official landing page that replaced the usual forums today.

Boards.ie landing page after attack, screenshot taken on 2010-01-21 6:25 pm

The boards.ie team has reset all user passwords and advises all their users to change the password on every other site where they might have used it as well. In my opinion this is a good step, but not absolutely necessary, and I’ll tell you why: boards.ie uses an up-to-date version of the bulletin board software vBulletin, which uses the MD5 algorithm to “obfuscate” the users’ passwords. As written earlier, the MD5 algorithm is known to be insecure and should not be used to hash user passwords – unless it has been salted. Salting means that an additional “secret” (technically: an additional set of bits) is mixed into the string before it is hashed. This increases the so-called entropy of the hash sum, and that in turn makes it very hard to “crack” the hash using traditional methods like brute-forcing or rainbow tables. That means it is very hard for the boards.ie hackers to get access to other systems using the stolen user data. So relax and don’t panic! :)

Anyway, the boards.ie team did well to reset all the user passwords as an additional security mechanism. If you want to know more about cracking MD5 hash sums, I suggest you have a look at my more in-depth articles on this topic:

[UPDATE]
The boards.ie team states on Twitter (@boards_ie) that they will not send out new passwords but require users to set a new password when the site is back up:

We are not sending out new passwords. Once the site is back, you will be invited to change your password yourself.

I guess that’s fine as well.
[/UPDATE]

[UPDATE2]
@john_ruddy has made a good point. In his opinion it might be possible that the hackers will send e-mails to the users of boards.ie containing false instructions to set a new password or to enter other sensitive data. So please be aware of phishing attacks!
[/UPDATE2]
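As an added illustration (not code from this post or from vBulletin): a minimal salted-MD5 password store in Python that shows why a per-user salt defeats a precomputed lookup table such as a rainbow table. The salt-plus-password concatenation, the 8-byte salt and the tiny lookup table are assumptions for the example; vBulletin’s actual construction is not described on this page.

```python
import hashlib
import hmac
import os
from typing import Optional

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest' with MD5 over salt + password.
    Assumed generic scheme for illustration, not vBulletin's exact one."""
    if salt is None:
        salt = os.urandom(8)          # fresh random salt per user
    digest = md5_hex(salt + password.encode("utf-8"))
    return f"{salt.hex()}${digest}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = md5_hex(salt + password.encode("utf-8"))
    return hmac.compare_digest(candidate, digest)

# Constructed stand-in for a precomputed table of *unsalted* MD5 hashes.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
UNSALTED_TABLE = {md5_hex(p.encode("utf-8")): p for p in COMMON_PASSWORDS}

def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """Simulate a table lookup: returns the password if the digest is known."""
    return UNSALTED_TABLE.get(digest_hex)

def demo() -> dict:
    pw = "letmein"
    unsalted_digest = md5_hex(pw.encode("utf-8"))
    stored_a = hash_password(pw, salt=b"\x01" * 8)   # fixed salts so the
    stored_b = hash_password(pw, salt=b"\x02" * 8)   # result is reproducible
    return {
        # an unsalted hash of a common password is found immediately
        "unsalted_recovered": lookup_unsalted(unsalted_digest),
        # the same password, salted, does not appear in the table
        "salted_recovered": lookup_unsalted(stored_a.split("$", 1)[1]),
        # two users with the same password get different stored values
        "same_password_differs": stored_a != stored_b,
        "verify_ok": verify_password(pw, stored_a),
        "verify_wrong": verify_password("wrong", stored_a),
    }
```

The table lookup fails for the salted digest, but MD5 itself is still a fast hash, so each salted entry remains exposed to per-user brute force; the salt only removes the precomputation shortcut.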


The origins of Cross Site Scripting

Cross Site Scripting (XSS) celebrates its 10th birthday this December. Well, it is not exactly definable when the first XSS hack popped up, but at least the term originates in mid-December 1999. David Ross, security engineer at Microsoft, just shared this short anecdote and also wrote which terms were under discussion for the thing we now know as XSS:

Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting

I think I like “Fraudulent Scripting.” ;) Anyway, I absolutely agree with David’s conclusion to his post:

Let’s hope that ten years from now we’ll be celebrating the death, not the birth, of Cross-Site Scripting!

Exactly, Cross Site Scripting has to vanish. Keep your code clean, validate every input and adopt common security principles!


How to create test files of any length

Every now and then my coworkers and I are faced with clients who mention problems uploading files of a specific size to web content management systems (CMS). While we are trying to solve the problem, we need to test the upload ourselves. Now the file size differs with every inquiry, and we have to come up with files that exceed this size. What to do in this case? Browse the web for files of a specific length? Crawl through our media asset management system to fetch a file that fits? No, there’s a better solution: the file generation tools of the operating system!

Photo: “Files” (Creative Commons License, photo credit: Velo Steve)

Microsoft Windows, Linux and Mac OS come with standard tools that allow file generation and manipulation. This article tells you how to use them to generate files of any length.


Jurgen Appelo on agile project management and software development

Some of you readers may already know that I work as an interface between the business departments and the development teams. I act as the lead of these teams and communicate the functional requirements of the clients and the internal departments to the technical personnel such as developers, system engineers etc. Vice versa, I communicate the open questions of the technical teams to all other parties and enforce problem-solving remedies to keep the development on track. My function is called “Technical Project Manager.” In this role I constantly try to adopt new project management principles and further my knowledge of software development practices.

One common method you stumble upon when you’re faced with software project management is the agile management principle. Some of its well-known instances are Scrum (which I use) and Extreme Programming (which I don’t). But agile management is not just about a specific implementation, it’s about the way we work. Jurgen Appelo of NOOP.nl has condensed most of the agile paradigms, and how they might influence our work, into one well-done presentation. Here’s the video of his talk at the Agile Eastern Europe Conference in Kiev:
