distro machine (with multi-download protection)

Well, it seems my last devblog pissed *someone* off! :lol:

It's been on my mind for a while, to add this facility to the distro machine; but after some fool, a couple of days ago, downloaded three thousand copies of my ffmpeg front-end, I decided to move it up the list. Hey, ffe is sweet, but not THAT sweet!

I had noticed that on occasion, folk would download the same file two or more times. I guess this is because the distro machine, unlike many web download facilities, sends the correct mime types and attachment headers, and the download is most likely being dumped straight into their download folder, automatically, as it should be. So automatically, in fact, that they don't even realize it has happened.

The distro machine will now thoughtfully inform users that they have already downloaded that file, and ask them to check their downloads folder. A back button and a mail link is provided, in case the user feels there has been an error.

I figured other distro machine users might not have a T3 and unlimited bandwidth*, so this will prevent some halfwit from eating up your monthly allowance.

Latest ßeta download available in the usual place.

;o) Cor

references:
That's right, halfwit! corz.org has a T3 line and unlimited bandwidth allowance, whereas you have a shitty ADSL connexion. Knock Yourself Out, Dude!



You blew it!

Or should I say, "u fUxD Up!". I'm talking to all you so-called "hackerz" (aka. h4x0rZ) out there. Note I don't say "hackers", a group one should feel a swell of pride to be among. No, I mean those script-kiddies who trawl around the internet; teen vandals, looking for some place to dump their meaningless, pre-made web-hacks. You suck, the lot of you. And you still haven't managed to "hack" the org!

When I was a kid, I mean your age, thirteen or so, we didn't have supercomputers and php, or any of that. We had, at best, an Apple ][, or maybe a BBC Micro, BASIC and assembler, and access to the school's (oh man! soo slow) modems. If you wanted to peek inside restricted stuff, you had to know your shit, which you simply don't.

Do you remember waaaay back, oh, over a year ago, I did a blog about how I was shoring up a couple of security "holes" in the site, and how there was one more hole that I knew about, but was gonna leave as-is, for now. Of course, I didn't say exactly what it was, which spoils all the fun. Oh, you don't read the devblog. Serves you right, then! Research, Boy!

The M.O. of these script-kiddies is to scan for available "common known vulnerabilities", or else just hit them all in the hope one might exist. These kinds of vulnerabilities are highly unlikely to occur here at corz.org, because I wrote the back-end myself, and it's anything but common.

However, most of the source is available for download, and even for pretty syntax-highlighted viewing online. I've made it as easy as possible for any reasonably intelligent person to find and exploit potential vulnerabilities; my logic being that this is the best way to get your code secure - users will complain, you see; send security notices. Only one so far, but still, that's the value of releasing your code - peer testing. But I'm straying..

Usually, it's semi-automated hits, looking for Microsoft IIS or FrontPage security flaws. Considering I don't run FrontPage (*eew*), and this is a Linux server, these individuals are clearly fools of the lowest order. vti what? :roll: However, occasionally, a script-kiddie rises, just slightly, above the pack, and arrives here via some google search for a "potentially insecure web app", a much more logical approach. The usual target is, of course, upload.php.

Now, me being a clever bastard, I'm not going to have the most sought after possibly-vulnerable script as my gaping security hole, am I?!?

Yup. And for years, too. Okay, the upload area contains nothing but other uploads, but judging by the thousands of attempts to hack into there, I KNOW you wanted to see those files, but couldn't. I really thought someone might figure it out. Nope.

Hiding things in plain sight often works well, because most people don't actually look. Even though the highlighted source for upload.php is right there for viewing and downloading, still you missed it. You uploaded hundreds of index.php, quite a few index.html*, and all the rest of it, even though it's clear by glancing at the code of upload.php, that these things get a .txt extension added to them, and no way are they gonna parse as php!

I have a massive collection of interesting php $hell scripts, too, many in highly fascinating Eastern European languages. All converted to something.php.txt, and also never parsed by the server. Even if your scripts hadn't been neutered by the .txt extension, you couldn't get access to the private/ folder to run them. :lol: I remember failed hacks of my youth, and I feel for you. :lol:

Today, I realized that I need the upload script for something more important than improving my php shell scripts collection, and decided to finally fix the security hole; I've basically given up waiting for one of you h4x0rZ to get a working brain.

So, now you're fucked. You had your chance, and you blew it. And once you've wiped all that cum off your sleeve, you can kick yourself while I tell you what you had to do to "hack the site", or at least get to all my golden uploads, was..

upload an .htaccess file

Easy when you know how! ;)

;o) Cor

references:
This is always fun.. I used to keep a copy of the distro machine inside the upload area, set to secure mode (for no reason, other than to taunt script-kiddies), and of course, they would try to get in with a password. However, if you set your directory indexes to parse index.html before index.php, and someone uploads an index.html, something interesting happens..

index.html gets transformed to index.html.txt (by the upload script), Apache performs its indexing magic on the directory request, and index.html.txt becomes the default index for that directory! Loading the directory, then, gets the source for index.html.txt in the browser. So now they don't even have a crack at the password! You sometimes need to tweak your apache options to get it to work. If your upload area is important, and has an index of its own, this could easily be seen as a vulnerability, and you will want to specify an index file. More .htaccess details at the usual place.

** of course, I'm saying nothing about the REAL hacker, who came in, switched the .htaccess, grabbed all the files, including my distro machine, with current site admin password, then replaced the .htaccess with one remarkably similar to the original, leaving practically no trace of his activity. I don't mention it, because it probably never happened.
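The fix for the hole above, and for the index.html.txt trick in the references, boils down to one filename rule plus a few server settings. This is an added example, not corz.org's upload.php; it assumes the original script only appended .txt to names with a recognised script extension, so a dotfile like .htaccess (no extension at all) kept its name, and that the upload directory path shown in the Apache comment is hypothetical.

```php
<?php
// Added example, not corz.org's upload.php. Assumption: the original script
// appended ".txt" only to names with a recognised script extension, so a
// dotfile like ".htaccess" (no extension) kept its name and Apache honoured
// it. This version applies one rule to every upload, whatever it is called.
declare(strict_types=1);

// Extensions served under their own name; anything else is stored as .txt.
const ALLOWED_EXT = ['txt', 'png', 'jpg', 'gif', 'zip', 'gz'];

// Returns the name to store the file under, or null if it must be refused.
function safe_upload_name(string $original): ?string
{
    // Drop any path the client sent (../, C:\..., and so on).
    $name = basename(str_replace('\\', '/', $original));
    // Dotfiles (.htaccess, .htpasswd, .user.ini) are refused, not renamed.
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // Conservative character set; everything else collapses to "_".
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', $name);
    $parts = explode('.', $name);
    $ext = count($parts) > 1 ? strtolower(array_pop($parts)) : '';
    // Inner dots become underscores so mod_mime never sees a ".php" segment
    // in the middle of a name (shell.php.jpg -> shell_php.jpg).
    $stem = trim(implode('_', $parts), '._') ?: 'upload';
    if (in_array($ext, ALLOWED_EXT, true)) {
        return "$stem.$ext";
    }
    // Unknown or script extension: keep it visible, but as plain text.
    return $ext === '' ? "$stem.txt" : "{$stem}_{$ext}.txt";
}

// Belt and braces on the Apache side. This goes in httpd.conf, not in a
// .htaccess file, because the point is that .htaccess files in this
// directory must be ignored ("/srv/www/uploads" is an assumed path):
//   <Directory "/srv/www/uploads">
//       # uploaded .htaccess files are inert
//       AllowOverride None
//       # index.html.txt is never negotiated in place of index.html
//       Options -MultiViews
//       # the directory's own index wins, whatever gets uploaded
//       DirectoryIndex index.php
//       # mod_php: nothing in here is ever executed
//       php_admin_flag engine off
//   </Directory>

foreach (['.htaccess', 'index.php', 'shell.php.jpg', '../.htpasswd', 'README'] as $n) {
    printf("%-15s -> %s\n", $n, safe_upload_name($n) ?? 'refused');
}
```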



Inbox Threads..

An idea for a Thunderbird add-on came to me today. I was going to call it "Threads", or perhaps "Inbox Threads"; not that I plan on writing any such thing; hoping instead to persuade someone else that it is a Very Good Idea, and leave it at that.

However, it seems it's not my idea; not that one can own ideas; rather, it seems someone else has not only thought of it, but implemented it, though sadly not on Thunderbird. A quick Google brought up this..

http://wiki.mozilla.org/Thunderbird:Collected_User_Requests

The item is entitled "Search over all folders", and describes some of what Opera M2 Mail can do, which is, in fact, a lot more than what I'm after.

What I want, is simply to have my inbox linked to my Sent box, so that I can view both sides of a conversation, threaded, in one place; i.e. my inbox; the outgoing mails from my Sent box forming "ghost" entries in the tree.

It would be very, very nifty, and handy, of course.
I know this, because I already have it.

*Splutter* WHAT?

Yes, I know I said that Thunderbird doesn't have this, but it is, in fact, quite simple to achieve a similar, even better effect with any old inbox. I'd wager your current email client can do it right now. It's called..

Automatic bcc!


I enabled this on a Thunderbird mail account a couple of years ago for some particular test, and when I realized how handy it was, I left it enabled. bcc, as you will probably know, means "Blind Carbon Copy", and enables you to cc messages to someone without anyone else (either the original To: or cc: recipients) knowing about it. Bcc gets used inside organizations during covert political manoeuvrings, and now has another use!

This yet-to-be-written plugin will also allow you to make a multiple selection encompassing the entire thread (regardless of the sent mail's physical existence in a separate folder) and drop the whole lot into another folder, job done.

I'm not certain if Opera Mail can do this, because I've not seen it, but my current Thunderbird setup certainly does, and I regularly archive whole conversations this way; my Sent folder isn't opened from one month to the next, unused.

Those bcc's automatically form the sent half of my email archive, and always land exactly where they are supposed to; inside the threaded conversation, and at least structurally, everything makes sense.

Now, I hear you saying, "Haha! cor! You obviously don't realize that you can place a copy of outgoing mails in whatever folder you want, even the inbox!". Ahh, but I do. It's a trick that you can pull off in quite a few mail clients. But there is one crucial difference between all these other approaches, and mine..

With my system, I get to know if the mail was ACTUALLY SENT!*

By the way, if you write plugins for Thunderbird/Firefox, mail me; I've got loads of plugin ideas I'd rather not code.

for now..

;o) Cor

references:
1. In other words, it's not merely an indication that the mail left my system, or my own network; but that it got through the MTA and out the other side. Only the final hops are unknown². If there was trouble on the way, and one gets lost, the other could describe why. Or as I'm going to get to like saying, "two mails are better than one".

2. Whether or not it lands in front of someone's eyes, and when, is entirely someone else's business, and I won't go there. That's why if you ever get a mail from corz.org that asks for a receipt notification, it's a fake.