Firefox Sync server hosting

The last few weeks have shown how sensitive and valuable personal information is. Companies like eBay, Spotify and AVAST have been hacked and had their customer databases stolen. Those facts motivated me to host my own Firefox Sync server instead of uploading my data to yet another big cloud company.

Firefox Sync is a solution to store and keep synchronized Firefox data such as bookmarks, history, passwords and preferences. Since Firefox 29, a new version of Sync is available (version 1.5). It uses the new Firefox Accounts as its authentication mechanism. The service definition and the separation between authentication, token and storage servers make it possible to swap in and plug new servers on the fly. So you can host your own Sync server without having to worry about authentication: it is provided by Mozilla's servers, which do not store your plaintext password or your encryption keys. You can check the source code of the authentication server on GitHub or the Sync protocol for more details.

The Sync server installation procedure is quite well described by Mozilla. It explains how to get, build, run and test a custom Sync server on the built-in server (a few git and make commands). Once everything works, you can point your Firefox browser at your own server and test with your account and data. For production use, you can bind it to your Apache or Nginx server through a WSGI or Gunicorn module (the built-in server is not intended to be used in a production context).

In conclusion, I run my own Sync server to store my personal data. The server is lightweight and my data takes less than 10 MB of storage. I enforced security by requiring a client certificate and filtering by IP, and I can review every access in the Apache logs. So even if Firefox accounts are leaked (and we should assume they will be), an attacker needs to know the location of the server, get a certificate and find a valid IP address before getting access to my Sync server. Given the interest of my data, the risk is very low.
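The "review every access in the Apache logs" step can be turned into a quick, repeatable check. The script below is an added example and is not part of the original post or of the Sync server project: it assumes Apache's combined log format and that the Sync storage API is served under the /1.5/ prefix, and the log lines and the allowed address are constructed samples. It reports every request to the storage API that did not come from an address on the allow-list, which is exactly the traffic an IP filter should have blocked.

```shell
#!/bin/sh
# Added example (not from the post): scan an Apache combined-format access log
# for the Sync vhost and report requests to the storage API from addresses
# outside an allow-list.
# Assumptions: "combined" log format; Sync 1.5 storage URLs start with /1.5/ .

# Constructed sample log lines (not real traffic). 192.0.2.10 is the only
# address expected to reach the server.
SAMPLE_LOG='192.0.2.10 - - [01/Jun/2014:10:00:01 +0200] "GET /1.5/12345/info/collections HTTP/1.1" 200 512 "-" "Firefox/29.0"
192.0.2.10 - - [01/Jun/2014:10:00:05 +0200] "POST /1.5/12345/storage/bookmarks HTTP/1.1" 200 1024 "-" "Firefox/29.0"
198.51.100.7 - - [01/Jun/2014:10:02:11 +0200] "GET /1.5/12345/info/collections HTTP/1.1" 403 199 "-" "curl/7.35.0"
203.0.113.44 - - [01/Jun/2014:10:03:40 +0200] "GET /1.5/12345/storage/passwords HTTP/1.1" 401 0 "-" "python-requests/2.2"
192.0.2.10 - - [01/Jun/2014:10:05:00 +0200] "GET /robots.txt HTTP/1.1" 404 0 "-" "Firefox/29.0"'

# unexpected_sync_clients "IP1 IP2 ..."  < access_log
# Prints one line per request whose path starts with /1.5/ and whose client
# address is not in the space-separated allow-list:  <ip> <status> <method> <path>
# In combined format: $1 = client address, $6 = "METHOD, $7 = path, $9 = status.
unexpected_sync_clients() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $7 ~ /^\/1\.5\// && !($1 in ok) { print $1, $9, $6, $7 }
  ' | tr -d '"'
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | unexpected_sync_clients "192.0.2.10"
```

Run it against the real log with `unexpected_sync_clients "192.0.2.10" < /var/log/apache2/sync_access.log`. Any hit means either the IP filter is misconfigured or someone has found the server; the status column tells you whether the client certificate and authentication layers still held (403/401) or whether the request actually succeeded.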

I encourage you to host your own data as often as possible. Nowadays, it is the real value of people. So take care of it, and thanks to Mozilla for allowing us to do so (hey Google, what about Chrome?).

Bonus: Testing server and account synchronization

Security conferences by AFUP

Early in the week, I attended the security conferences led by the AFUP about software security. The main goal of those conferences was to make developers aware of the real dangers of security breaches. The first talk was given by OWASP, a non-profit organization focused on improving software security. Its key points were:

  • If your application hasn't been attacked yet, it will be,
  • If you are aware of the most critical security risks and choose to handle them, you can prevent the bigger part of coming attacks,
  • You can handle security risks easily with their documentation and tools, which are freely available.

The second talk was given by an AFUP member, Christophe Villeneuve, the creator of the elephpant. The talk focused on how to secure your PHP applications. It took the most common security risks described earlier and explained how to prevent them in PHP. He dealt with subjects like escaping database queries, sanitizing user input and risky language-specific features (PHP_SELF, globals, …).

The third and last talk was given by a security engineer from Mozilla presenting the security features added to Firefox OS. She explained the latest additions such as application signing and installation sources, the permission system and Content Security Policy (CSP). It was also an opportunity to demonstrate the latest version, Firefox OS 2.0, and ScanJS, a static JavaScript code analyzer.

To conclude, the talks were interesting and the networking very pleasant. I would like to thank the speakers for their time and Mozilla for hosting us, and I end with some pictures of the evening; the videos will be online soon.

Time4Popcorn for Android

This week an Android version of Popcorn Time was released. For those who don't know the project, it's similar to Netflix: you select the movie or series you want to watch and can instantly play it. Unlike Netflix, it's free, based on users' torrent seeds and illegal in almost all countries. So don't use it and go buy your DVD instead!

Existing versions have been confined to desktop releases until now. So be happy, mobile users, your day is coming! Except for one thing (or two: which carrier will let you download 1080p movies over p2p?): it's not the official / legacy Popcorn Time team that released the application. What does that mean? An alternative team is releasing the same software under an alternate name, « Time4Popcorn ». But what for? (more…)

Update Subversion commit authors

This week I faced the need to edit commit authors. Due to the new LDAP authentication, I needed to change the way users log on to the server. The side effect is that the manually declared users differ from the LDAP user names. To keep things consistent, I updated the previous commit authors with their new LDAP names. For those who have the same need, I share my script below:

#!/usr/bin/env bash
#
# Subject: Bash script to update commit authors.
# Author: Bruce BUJON (bruce.bujon@gmail.com)
# Description: This script uses a dictionary (AUTHORS) to replace the commit authors of a Subversion repository.
# Usage: Edit the REPOSITORY_PATH and AUTHORS variables then run the script.
# Requires: bash 4+ (associative arrays) and a pre-revprop-change hook that allows the change.
#

# The repository path
REPOSITORY_PATH="http://my-repository-url/"
# Get the repository head revision ("Revision: " is 10 characters long)
HEAD=$(svn info "$REPOSITORY_PATH" | grep '^Revision:' | cut -c11-)
# The authors (keys are original authors, values are replacement authors)
declare -A AUTHORS
AUTHORS=( ["olduser1"]="newuser1" ["olduser2"]="newuser2" )

# Process each revision up to head
for revision in $(seq 1 "$HEAD")
do
  echo -n "Processing revision $revision: "
  # Get the revision author (empty if the revision has no svn:author)
  author=$(svn propget --revprop svn:author -r "$revision" "$REPOSITORY_PATH" 2>/dev/null)
  # Check if a replacement author is available (an empty key would be a bad array subscript)
  newauthor=""
  if [[ -n "$author" ]]; then
    newauthor=${AUTHORS[$author]}
  fi
  if [[ -n "$newauthor" ]]; then
    # Update the commit author
    output=$(svn propset --revprop svn:author "$newauthor" -r "$revision" "$REPOSITORY_PATH" 2>&1)
    result=$?
    # Check update status
    if [ "$result" != 0 ]; then
      # An error occurred (most likely the pre-revprop-change hook rejected the change)
      echo "an error occurred!"
      echo "$output"
      exit 1
    else
      # Author replaced
      echo "author replaced ($author > $newauthor)."
    fi
  else
    # Author kept
    echo "author kept."
  fi
done
# End of script
echo "$HEAD revisions successfully processed."

Note that the server must allow revision property changes. To do that, ensure the pre-revprop-change hook returns 0, at least for the duration of the maintenance. You don't want your users editing the commit authors and logs to play a joke on you.
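Rather than a blanket "exit 0" that lets anyone rewrite history, the hook can be restricted to exactly what the maintenance needs. The script below is an added example, not the hook from the original post or the Subversion project's template: it allows only the maintenance account (assumed here to be named "svnadmin") to modify svn:author, rejects every other revision property change, and writes an audit line for each attempt. Subversion invokes pre-revprop-change with five arguments (repository path, revision, user, property name, action) and the proposed new value on stdin.

```shell
#!/bin/sh
# Added example, not from the post: a restrictive pre-revprop-change hook
# (saved as hooks/pre-revprop-change in the repository and made executable).
# Subversion runs it as:  pre-revprop-change REPOS REV USER PROPNAME ACTION
# with the new property value on stdin. Exit 0 allows the change; non-zero
# rejects it and sends stderr back to the client.
#
# Assumption (not in the original post): the maintenance is done by the
# Subversion account "svnadmin".
MAINTAINER="svnadmin"

# check_revprop_change USER PROPNAME ACTION
# Returns 0 when the change is acceptable, 1 otherwise (reason on stderr).
check_revprop_change() {
  user="$1"
  propname="$2"
  action="$3"     # A = add, M = modify, D = delete

  if [ "$user" != "$MAINTAINER" ]; then
    echo "Revision property changes are only allowed for $MAINTAINER (got '$user')" >&2
    return 1
  fi
  if [ "$propname" != "svn:author" ]; then
    echo "Changing $propname is not allowed (only svn:author)" >&2
    return 1
  fi
  if [ "$action" != "M" ]; then
    echo "Only modification (M) of svn:author is allowed, not '$action'" >&2
    return 1
  fi
  return 0
}

# Hook entry point: only runs when Subversion invokes the script with its five arguments.
if [ "$#" -eq 5 ]; then
  repos="$1"; rev="$2"; user="$3"; propname="$4"; action="$5"
  newvalue=$(cat)   # the proposed new value, as sent by the client
  if check_revprop_change "$user" "$propname" "$action"; then
    verdict="ALLOW"
  else
    verdict="DENY"
  fi
  # Audit trail kept next to the hook: who tried to change what, and the outcome.
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $verdict user=$user r$rev $action $propname -> $newvalue" \
    >> "$repos/hooks/revprop-change.log"
  [ "$verdict" = "ALLOW" ]
  exit $?
fi
```

Once the authors are rewritten, restore the default hook (or remove the executable bit) so that revision properties are locked again; the audit log tells you whether anyone else tried their luck in the meantime.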

Svnbook in epub

If, like me, you use a PlayBook to store books and manuals, you will be sad when trying to read the great Subversion book, svnbook: the PDF import fails to parse the table of contents and its navigation links. So I made the epub build of the book and everything works well now.

So for everyone who needs it, I share svnbook in epub format:

The Subversion book epub

Please note that svnbook is maintained by svnbook.red-bean.com under an open source licence.

Why is Flash still alive?

I post today to ask an open question: « Why is Flash still alive? ». Some days ago I was raging against Flash on some website when I wondered why Flash is still used. In my life as a computer user, I have lost several hours trying to get Flash to work properly. Bad Linux support, browser freezes… oh wait, let's make a list!

Cons:

  • CPU and memory consumption (for the player itself and the browser sandbox),
  • Security holes and an intrusion vector (see the number and dates of Adobe security bulletins),
  • Bad support for OSes other than Windows (only old and vulnerable versions for Linux),
  • No multiple-screen support (start the player on one screen, move it to a second one and go fullscreen: the player displays the content on the whole first screen),
  • Freezes and BSODs (under Windows at least),
  • Invasive updater (does not respect user update preferences, no proxy settings, deletes itself if the download fails, offline installer well hidden on Adobe's site),
  • No longer supported on mobile devices (Android, iOS, WP8).

Pros:

  • Advanced video player features (stream quality switching, ad overlays),
  • Fast and cheap indie game development.

For the advanced video player features, I think the evolution of web standards will quickly offer equivalent features (including their adoption in browsers). Technologies like WebRTC show how browsers have evolved into natively supported multimedia platforms. As for Flash browser games, how long can they compete with full web games when you see that Unreal Engine 3 runs on JS and WebGL? Or against the Chrome gamepad API?

And how long will browser developers let Flash ruin their hard work on speed and responsiveness? Remember that the other Adobe software plugged into browsers, Reader, was brushed aside by a few lines of fast JS.

Flash definitely belongs to the past. But for how long will it remain in the present?

Air Playit and IPv6

I was looking for a way to stream my desktop videos to my N7 when I discovered Air Playit.

Despite its well-finished website, the Android application is really painful. From the first steps, the app force closes. Don't expect to use auto-discovery to find your Air Playit server without a crash. Adding a server manually? Crash as well.

I grabbed a USB cable to check logcat and saw a NullPointerException on a String manipulation. An NPE causing an app crash? The start of the pain… A quick look into the smali code confirmed my thoughts: the app tried to split an IPv6 address on the « . » (dot) separator… Quickly fixing it (in smali), recompiling and repackaging to skip IPv6 allowed me to add a server manually. At last I had my movies listed on my N7.

Hopeful, I tried to play a stream. No way. Still a blank screen with audio. And without the app source, I don't have the courage to fix the software decoder… (and why doesn't the app use an Intent to open my media player instead of the crappy embedded one?). Damn.

The pain continues with the ugly GUI (why use so many resources to get an iOS look and feel on Android?), the crash when SD card detection fails (whereas Google discourages manufacturers from adding them to new devices) and the developer team which does not answer the fourteen pages of users complaining about app crashes.

Finally, I use Windows shares, Solid Explorer (with Samba) and MX Player (with hardware stream decoding). It works, does not load my computer with encoding and saves my battery. What else?
