Core S2 Software Solutions

Post your SVN commits to Twitter

There are a couple of SVN-to-Twitter applications out there, which tweet your SVN commit messages to your followers, but I couldn’t find exactly what I was looking for: a simple Python-based version that uses the latest (and required for the past few months) security and doesn’t use any heavy dependencies.

So, I spent an afternoon and made my own, as well as learned about OAuth (Open Authentication), which seems to be the “cool new” authentication system for 3rd party application developers. It has some pretty big names attached: Microsoft, Google, Facebook, and (of course) Twitter use OAuth in some of their online services and APIs for security.

Anyways, I made my own SVN-to-Twitter package: it includes a single Python file for the main interface, with command line options (documented at the top of the file) as well as an updated “auth.py” file which requests the user’s permission to allow this application to connect with Twitter.

Don’t think I wrote everything from scratch – the “auth.py” file uses a good starting source here (Author: David Busby), which really helped me understand how OAuth works in the first place.

Grab the zip package here!

Posted in News & Updates | Leave a comment

Introducing BasicBukkit – An open-source Minecraft CraftBukkit server plugin

Over the past year I’ve been playing Minecraft off and on. The game is pretty simple: you play in a 3D cuboid-world, where everything is a cube with a few smaller exceptions. It’s essentially a Lego-like 3D world. Since I like to play with friends, I started hosting my own server which I made public and advertised on Reddit: I did not expect this many people to consistently show up on my server. After a few days I installed CraftBukkit, a more manageable server software base for Minecraft, but I still found all existing plugins neither stable nor feature complete (I had to install 5+ plugins to get all the features I wanted). Since I know Java, and I like to do small side projects for a few days, I started programming BasicBukkit last week and now have a stable release version this week!

BasicBukkit: A starting point for a simple Bukkit-based (CraftBukkit) Minecraft server. Implements many of the commonly used mods into a centralized code base and unified plugin file.

My goal was to learn the Bukkit library for Minecraft and learn more about creating stand-alone jar files that load dynamically server-side. Also, I wanted to create a mod that was truly stand-alone that didn’t have any large (i.e. ProtectionMod? or SQL) dependencies. The resulting mod is a single jar file that produces all files necessary for managing a simple SMP / Creative Minecraft server.

Learn more by reading our commands list: Commands. I’ve now implemented roughly 40 commands and am still adding many more! Want to set up your own server? Read the installation notes and configuration on the Configuration page. An active test server can be found at nint22.dyndns.org:25565 (default port).

One big learning experience I’ve had with this project is that users tend to dislike writing bug reports, or even reporting bugs: period. It’s very frustrating for me to track bugs on this project – so I’ve taken an extreme and pushed myself to do massive testing with this, much, much more than I normally do. Because I’ve now seen three servers in the wild using my code, but only one non-developer writing up bug reports, I know I have to pursue higher quality by doing heavy testing myself, though this takes away quite a bit of my developer time (unless the bug is small to fix, which actually has increased my programming speed!).

I wonder how large companies with large developer groups do debugging and manage user error reports. I know from my experience at Microsoft, bugs are taken very seriously, but I’ve only worked with internal testing. I’ve never seen how managers manage incoming user-reported bugs. I know Google has this very neat crash-reporting library that I want to integrate with existing code, but I can’t imagine that gets users to write many more comments other than “it crashed”.


Steganography – where obfuscation might be a good idea!

Security through obscurity is one of the worst approaches someone might take when it comes to computer / network security. In real-world situations I’ve heard both students and professional programmers say “Sure, the passwords are saved as plaintext, but the database table names are all obfuscated; no hacker will find them!”. Though I’m sure this isn’t the average case, it bothers me enormously that many universities and companies don’t do formal security training. Giving your programmers Code Complete is a great idea, but I don’t think it’s enough – programmers have to have it beat into us that obfuscation is NOT a valid security approach!

I won’t talk about how to fix this; there are plenty of tools, academic resources, training programs, etc. to help programmers learn and improve their designs. What I will talk about is steganography. I heard some not-so-reputable sites such as 4Chan were encoding data and adding it to meta-data in images. At first I thought it was kind of silly; everyone could just open the file and see it… but then again, we live in the golden age of media-transfer on the web: who sees images on the web and thinks “Maybe there is something hidden in here” outside of what you actually see?

Steganography is a method of obscuring data transmission by adding it through mediums one wouldn’t think acceptable for data. The GIF file format has an interesting structure such that there is a single or double byte pattern that declares the end of the file. If you put text after that, most image viewers and browsers would see the image and never report a corruption because nothing changed the formal structure; yet the hidden data is there and never seen by the image viewer.

So, to learn more, I hid some data through several levels of encryption, obfuscation, and steganography. In the following steps we will be taking a funny GIF image, and we will follow the white rabbit down the hole to wonderland. (Pardon the cheesy quote, I had to, ha)

  1. Check out this funny GIF of some ninja-wrestling moves; millions must exist on the web, and such technology is nothing new, dating back to the late 80s. You wouldn’t do anything with this file other than smirk, right? Well, let’s dive in…
  2. Download the GIF and open it in any text editor of your choice; notice the constant ASCII strings at the end?
  3. Copy this string data (it’s a GnuPG message) and decrypt it; password is “png”
  4. The result is a PNG file (change file extension if needed)
  5. Open the PNG file; it is a multi-color QR code; if you attempt to decode it, you get junk data
  6. Individually process each color channel in RGB order, meaning do a QR decode on the red channel first, then green, and finally blue
  7. Put the QR decoded text together, and you get a new GnuPG block; password is “steganography”
  8. This result is the final data, i.e. the original message that was encoded
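
Added example (not part of the original post): a Python check that walks the GIF block structure to find the real trailer, which is the single byte 0x3B, and returns anything appended after it, the same thing step 2 finds by eye in a text editor. The sample GIF, the placeholder payload, and all function names are constructed for this example.

```python
# Added example: find bytes appended after a GIF's real trailer (0x3B).

def _table_len(packed):
    # A color table is present if bit 7 is set; its size is 3 * 2^(N+1) bytes.
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def _skip_sub_blocks(data, pos):
    # Data is a chain of [size][size bytes] sub-blocks ending with size 0.
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_trailing_data(data):
    """Return the bytes after the trailer; b"" means nothing is appended."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13 + _table_len(data[10])      # header + screen descriptor + global table
        while True:
            block = data[pos]
            if block == 0x3B:                # trailer: end of the image stream
                return data[pos + 1:]
            if block == 0x21:                # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:              # image descriptor (+ local table, LZW size)
                pos += 10 + _table_len(data[pos + 9])
                pos = _skip_sub_blocks(data, pos + 1)
            else:
                raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    except IndexError:
        raise ValueError("truncated GIF: no trailer found") from None

# Constructed 1x1 GIF whose comment extension contains ';' (0x3B) bytes, so a
# naive search for the first 0x3B would stop inside the comment.
CLEAN_GIF = (b"GIF89a" b"\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
             b"\x21\xfe\x05a;b;c\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x4c\x01\x00" b"\x3b")
# Constructed placeholder standing in for the armored GnuPG text of step 2.
PAYLOAD = b"-----BEGIN PGP MESSAGE-----\n(constructed)\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("appended", CLEAN_GIF + PAYLOAD)):
        extra = gif_trailing_data(blob)
        print(f"{name}: {len(extra)} trailing bytes", extra[:27])
```

A non-empty result on an upload or mail attachment is a cheap signal that the file carries more than the image a viewer renders.
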

I’ll leave it up to the reader to find the quote – it’s somewhat applicable, and around 200 characters. This is actually one of the biggest down-sides of this multi-level approach I did: The deeper you go, the more bloated the size becomes. That 200 character ASCII text bloated to around

So what I learned is there are some serious ways and methods of hiding data easily through obfuscation tied with true security (i.e. PGP encryption); though I can’t imagine any use for this and general steganography for industry-level products and services, this is 100% legitimate spy-level information transfer. Stuck in North Korea and need to send a secret message? Attach the encrypted data to an innocent picture that will get past the censors and tada! Secret 007 mission accomplished.
