Dear mathowie, your plans? April 11, 2006 7:39 PM Subscribe
What is your project/plan of features on mefi matt?
[mi]
[mi]
I want my pony back. Really. The Jabber server.
And the ability to watch a given thread (outside of my comments...maybe as an RSS feed). Etc.
I'm not trying to be nosyish...I just wanna know what you're trying to implement. Is it based on what you find easy?
With GUI/software development, they always talk about ease vs. ability to deliver.
Is there some sort of list you're following?
I like testing Mefi's new features and making sure they work, etc.
Nah, I just want the jabber server back.
posted by filmgeek at 7:41 PM on April 11, 2006
And the ability to watch a given thread (outside of my comments...maybe as an RSS feed). Etc.
I'm not trying to be nosyish...I just wanna know what you're trying to implement. Is it based on what you find easy?
With GUI/software development, they always talk about ease vs. ability to deliver.
Is there some sort of list you're following?
I like testing Mefi's new features and making sure they work, etc.
Nah, I just want the jabber server back.
posted by filmgeek at 7:41 PM on April 11, 2006
I seem to recall Matt unequivocally stating that jabber wasn't coming back because of server gremlins it introduced. But I may have dreamed that.
posted by stavrosthewonderchicken at 7:47 PM on April 11, 2006
posted by stavrosthewonderchicken at 7:47 PM on April 11, 2006
I went and checked - at least one person offered to host it on their server.
posted by filmgeek at 7:49 PM on April 11, 2006
posted by filmgeek at 7:49 PM on April 11, 2006
Serving it from another machine doesn't really work since the logins interacted with the database directly. So sorry, but no jabber server using the software I tried out earlier. I may consider it at a future date.
I'm currently working on the MeFi Projects site and I have to migrate to a new database server this week. After that, I will go back to work on the favorites system.
posted by mathowie (staff) at 7:56 PM on April 11, 2006
I'm currently working on the MeFi Projects site and I have to migrate to a new database server this week. After that, I will go back to work on the favorites system.
posted by mathowie (staff) at 7:56 PM on April 11, 2006
Serving it from another machine doesn't really work since the logins interacted with the database directly. So sorry, but no jabber server using the software I tried out earlier. I may consider it at a future date.
I can see a couple easy technical solutions to this (basically having the server post to the remote server with IP/login of leaving/return users). You could argue that this exposes the IPs of Jabber users, but this would happen anyway if they're being hosted off-site.
If somebody wants to host a Jabber server, they just should. I don't see this coming back onto the Metafilter plate any time soon.
posted by onalark at 8:37 PM on April 11, 2006
Was the interaction just login and "joe is online" on the userpage?
Another person could host it. Mathowie could hash the current passwords with a jabber-specific salt and hand it out for those wanting to provide a jabber host. It'd be fairly safe to hand that around providing you used something like SHA-512.
There are bookmarklet implementations of SHA512 so that the user would never be directly providing their password to these 3rd party jabber machines. For non-techies the mefiuser page could show them their jabber password.
So far as mefi userpage "joe is online" type info, you could either not do that, or have some web service interface for these jabber services posting notifications to mefi. Not sure whether this part would cause strain on mefi but at least now it's the only part that could cause any db strain.
posted by holloway at 8:46 PM on April 11, 2006
Another person could host it. Mathowie could hash the current passwords with a jabber-specific salt and hand it out for those wanting to provide a jabber host. It'd be fairly safe to hand that around providing you used something like SHA-512.
There are bookmarklet implementations of SHA512 so that the user would never be directly providing their password to these 3rd party jabber machines. For non-techies the mefiuser page could show them their jabber password.
So far as mefi userpage "joe is online" type info, you could either not do that, or have some web service interface for these jabber services posting notifications to mefi. Not sure whether this part would cause strain on mefi but at least now it's the only part that could cause any db strain.
posted by holloway at 8:46 PM on April 11, 2006
SA has an system called authdb. You create an authdb account by changing your userpage to include a string and that proves you're that user.
With the authdb login you can access several 3rd party sites, eg, a Jabber Server. It does mean more than 1 mefi password but it wouldn't require any effort on the part of matt.
posted by holloway at 8:56 PM on April 11, 2006
With the authdb login you can access several 3rd party sites, eg, a Jabber Server. It does mean more than 1 mefi password but it wouldn't require any effort on the part of matt.
posted by holloway at 8:56 PM on April 11, 2006
What is a jabber-specific salt? The salt must be different for every user. But even with salt, a dictionary attack should be pretty easy. A VIA mini-itx system can compute SHA-256 for all [0-9a-z]{6} in 5 minutes.
posted by ryanrs at 12:34 AM on April 12, 2006
posted by ryanrs at 12:34 AM on April 12, 2006
Assuming the normal increase in time required for additional bits, if you can do all 6-character SHA-256 passwords in 5 minutes, you should be able to do all 6-character SHA-512 passwords in 1.10 * 10^72 years.
The universe will have mostly cooled by then, so if you do finally crack that password file, there's probably not much you'll be able to do with it. :)
And you'll have to stand there, all alone at the end of the universe, shaking your fist at those horrible people who used SEVEN character passwords.
posted by Malor at 3:39 AM on April 12, 2006
The universe will have mostly cooled by then, so if you do finally crack that password file, there's probably not much you'll be able to do with it. :)
And you'll have to stand there, all alone at the end of the universe, shaking your fist at those horrible people who used SEVEN character passwords.
posted by Malor at 3:39 AM on April 12, 2006
I'm glad we got this sorted, thanks guys.
posted by NinjaTadpole at 4:14 AM on April 12, 2006
posted by NinjaTadpole at 4:14 AM on April 12, 2006
Well a salt, for Jabber, combined with existing passwords which is hashed.
A dictionary attack is quite possible... you're handing a list out that can be attacked (it's like the scenario where mefi gets hacked and someone grabs the list of passwords, only now you're trusting that to someone else).
What a jabber-specific salt gets you is how it makes it more difficult to get all the salts. Eg, store hash(originalPassword + userSalt) in the database and upon login/logout apply an additional applicationSalt at the application layer. It's just obfuscation but if they don't find it means they have to do a lot more than 36^6 hashes.
posted by holloway at 4:16 AM on April 12, 2006
A dictionary attack is quite possible... you're handing a list out that can be attacked (it's like the scenario where mefi gets hacked and someone grabs the list of passwords, only now you're trusting that to someone else).
What a jabber-specific salt gets you is how it makes it more difficult to get all the salts. Eg, store hash(originalPassword + userSalt) in the database and upon login/logout apply an additional applicationSalt at the application layer. It's just obfuscation but if they don't find it means they have to do a lot more than 36^6 hashes.
posted by holloway at 4:16 AM on April 12, 2006
Damnit crunchland... we're not supposed to be solving problems. This is a tech jerkoff thread. I'm so mad at you.
posted by holloway at 5:08 AM on April 12, 2006
posted by holloway at 5:08 AM on April 12, 2006
Malor, regardless of which hash algorithm you use, the search space is still 36^6. In other words, you are dealing with a 31 bit key. If you want a longer key you must force users to pick longer, stronger passwords. Also, SHA-256 is only 30% slower than SHA-1 on VIA crypto hardware. Crypto hash algorithms are designed to be very fast and easily implemented in hardware.
holloway, is that applicationSalt the same for every user? If it's a per-user secret, then it's just a longer, uglier password to memorize. If it's a global secret, then it's not very secret at all. Please don't assume the attacker is stupid and careless ('cause I'm not).
: This is a tech jerkoff thread.
Actually, this is a couple of jokers pretending they understand crypto. Maybe that's what you meant.
posted by ryanrs at 5:41 AM on April 12, 2006
holloway, is that applicationSalt the same for every user? If it's a per-user secret, then it's just a longer, uglier password to memorize. If it's a global secret, then it's not very secret at all. Please don't assume the attacker is stupid and careless ('cause I'm not).
: This is a tech jerkoff thread.
Actually, this is a couple of jokers pretending they understand crypto. Maybe that's what you meant.
posted by ryanrs at 5:41 AM on April 12, 2006
If this is where we're tying up our My Little Ponies, I have one that's all sparklypoo pink and bubble gum scented.
I'd really love a member note box. Over on Deviant Art and greatest journal, users can leave a message for another in a inbox right there on the site, without having to share e-mails or whatever. Then when you log in, there's a check by your login that lets you know you have a message waiting.
I get that you don't want to host hidden conversations. But it would be handy to share links, or clear up the answer to a question without derailing threads. And it would solve the problem of people not checking their e-mail or having no e-mail listed.
Maybe if you put a character cap on the notes, you could avoid long discussions.
posted by FunkyHelix at 9:19 AM on April 12, 2006
I'd really love a member note box. Over on Deviant Art and greatest journal, users can leave a message for another in a inbox right there on the site, without having to share e-mails or whatever. Then when you log in, there's a check by your login that lets you know you have a message waiting.
I get that you don't want to host hidden conversations. But it would be handy to share links, or clear up the answer to a question without derailing threads. And it would solve the problem of people not checking their e-mail or having no e-mail listed.
Maybe if you put a character cap on the notes, you could avoid long discussions.
posted by FunkyHelix at 9:19 AM on April 12, 2006
just to help ryanrs get final release:
salt is per-site. the idea isn't to slow down an attack on a single site/password file, but to make sure that no-one can construct a single, universal dictionary that works for every password file in the world.
while you're right about the hash space, increasing a password by one letter does give you an extra factor of 2^n where n is the number of bits in a character. now for a typical luser and an intelligent attacker n is much less than 7, but even so, a few extra characters are enough to get you away from "trivial to crack".
posted by andrew cooke at 10:06 AM on April 12, 2006
salt is per-site. the idea isn't to slow down an attack on a single site/password file, but to make sure that no-one can construct a single, universal dictionary that works for every password file in the world.
while you're right about the hash space, increasing a password by one letter does give you an extra factor of 2^n where n is the number of bits in a character. now for a typical luser and an intelligent attacker n is much less than 7, but even so, a few extra characters are enough to get you away from "trivial to crack".
posted by andrew cooke at 10:06 AM on April 12, 2006
Assuming the normal increase in time required for additional bits, if you can do all 6-character SHA-256 passwords in 5 minutes, you should be able to do all 6-character SHA-512 passwords in 1.10 * 10^72 years.
Huh? I assume this might be true if you had a salt, but if you don't have a salt the time increase will be linear because cracking one password doesn't make cracking another password any easier. Each password attempt is independent, you just try hashing each and every one.
I think it's something you just said without thinking about it at all.
posted by delmoi at 10:24 AM on April 12, 2006
Huh? I assume this might be true if you had a salt, but if you don't have a salt the time increase will be linear because cracking one password doesn't make cracking another password any easier. Each password attempt is independent, you just try hashing each and every one.
I think it's something you just said without thinking about it at all.
posted by delmoi at 10:24 AM on April 12, 2006
What is needed is a script on MeFi's server that, given a username and a password hashed with a salt specific to the caller, validates a user and returns either "Yea" or "Nay." Developers would have to contact Matt for a salt specific to their application. For extra security this could be restricted to specific known caller IPs. Jabber server being open-source, it should be pretty simple to adapt it to work with this authentication method, if that's not already modularized.
The Jabber machine could then have a script that returns an image indicating a user's Jabber status, and the profile page on MeFi could embed an IMG tag linking to this script (only for display to logged-in users, presumably).
Pretty simple, really, but Matt has many other things on his plate right now which are more useful. Matt, if you ever get interested in this again, I'm still willing to host.
posted by kindall at 10:59 AM on April 12, 2006
The Jabber machine could then have a script that returns an image indicating a user's Jabber status, and the profile page on MeFi could embed an IMG tag linking to this script (only for display to logged-in users, presumably).
Pretty simple, really, but Matt has many other things on his plate right now which are more useful. Matt, if you ever get interested in this again, I'm still willing to host.
posted by kindall at 10:59 AM on April 12, 2006
kindall's got it :)
But after some talks to mathowie about this kind of stuff I'm really confused as to what he plans around here. I suggested a plan for metafilter but after some initial interest he didn't seem to want to do it any time soon. Ah well, no point pushing it.
posted by holloway at 2:58 PM on April 12, 2006
But after some talks to mathowie about this kind of stuff I'm really confused as to what he plans around here. I suggested a plan for metafilter but after some initial interest he didn't seem to want to do it any time soon. Ah well, no point pushing it.
posted by holloway at 2:58 PM on April 12, 2006
Well, realistically,
We all want the community to be better, cooler, nearter, etc.
One of the rules of dealing with people - is tha if you le them know about a planned delay....they're more patient.
I quite liked the jabber server, on the idea, that if someone wanted to be available to other MEFI users, they could. VS. the idea of just an IM address.
posted by filmgeek at 9:11 PM on April 12, 2006
We all want the community to be better, cooler, nearter, etc.
One of the rules of dealing with people - is tha if you le them know about a planned delay....they're more patient.
I quite liked the jabber server, on the idea, that if someone wanted to be available to other MEFI users, they could. VS. the idea of just an IM address.
posted by filmgeek at 9:11 PM on April 12, 2006
You are not logged in, either login or create an account to post comments
posted by LarryC at 7:41 PM on April 11, 2006