Advogato blog for muks

Simple open source WinZix extractor program

Mon, 17 Aug 2009 05:08:46 GMT

Today I wanted to extract a WinZix file. The WinZix software is known to be adware infested and is only available for Windows. Someone fortunately documented the WinZix file format, but only released another adware-free extractor written in Visual Basic which I couldn’t run on Linux or under Wine, even after struggling with Visual Basic’s runtime dependencies. And I really wanted to extract my WinZix file.

Here is unzix, a simple program to extract the contents of those .zix files. Compile and link against zlib.

My bookshelf

Sat, 25 Jul 2009 11:27:46 GMT

The other day, I got a bookshelf and today I filled it with books that were in boxes. This is what’s on my bookshelf. I’m late to the bookshelf meme, but though I had books, I didn’t have a proper bookshelf and a digital camera before.

Photos from recent days

Thu, 23 Jul 2009 17:09:02 GMT

Bookshelf which was delivered yesterday. Now I have to fill it with books

AC power surge caused the power strip to burn out. Thankfully, nothing on it was affected.

Where the mind is without fear

Sat, 4 Jul 2009 19:09:37 GMT

The world seems to be a very clouded place today. One day, when India was facing its struggles, Tagore wrote this:

Where the mind is without fear and the head is held high;
Where knowledge is free;
Where the world has not been broken up into fragments by narrow domestic walls;
Where words come out from the depth of truth;
Where tireless striving stretches its arms towards perfection;
Where the clear stream of reason has not lost its way into the dreary desert sand of dead habit;
Where the mind is led forward by thee into ever-widening thought and action…
Into that heaven of freedom, my father, let my country awake.

It’s easy to take freedom for granted, when a person has had it all his life. Some sit by and watch it fade away. Others manipulate it and make it fade away. Some struggle to hold on to it, or to get it back for everyone.

History shows that when you lose freedom, it is very difficult to get it back.

Tiramisu and omelette

Mon, 8 Dec 2008 20:09:07 GMT

Was bragging to someone recently about cooking skills. So here’s proof from a couple of days ago

Tiramisu

Onion omelette made for Kiran

Tinyproxy developer list membership lost

Wed, 17 Sep 2008 19:08:48 GMT

With a brown paper bag over my head, I’m sorry to announce that the Tinyproxy developer mailing list’s membership information has been lost. The list was deleted by mistake today. The list archives were backed up and these were restored to a freshly created list, but unfortunately, the list’s membership wasn’t backed up (this didn’t make the list of things to backup!). I don’t know how else to announce to all the list members that they have to re-subscribe.

Tinyproxy 1.6.4 released

Fri, 12 Sep 2008 12:12:00 GMT

Tinyproxy 1.6.4 was released recently, after a gap of nearly 4 years since the last release. It contains several bug fixes and current users are encouraged to upgrade to it.

For those who haven’t heard of Tinyproxy, it is a light-weight HTTP proxy daemon for POSIX operating systems, written with special consideration for users with low resources such as embedded applications. It can be modified easily too.

State of Transmission on Windows

Thu, 11 Sep 2008 12:12:54 GMT

I’ve been working on getting Transmission up and running on Windows. After a ton of patching, it now builds and works to an extent under Wine. There are still some bugs in the libevent and I/O code which need to be ironed out. However, I don’t have the mojo to complete it in a hurry. Debugging issues under Windows sucks. And doing things differently for Windows sucks.

On a related note, it’s easy to build a GCC cross compiler under Linux to build win32 apps. One can build GTK+ apps and make installers for them, all from the comfort and elegance of Linux. However, an up-to-date document of the process and some gotchas to help the programmer would be helpful and I’ll post a link to such a document shortly.

New Banu logo

Fri, 25 Jul 2008 06:06:59 GMT

Hylke Bons drew a new logo for Banu yesterday. I had requested him for a cuddly brown bear, and adapting Linus's words for Tux, said the bear should look contented and happy, as if it's just had a lot of honey :) Hylke replied within 2 hours with this logo image which is the sweetest bear I've ever seen. It even seems to be hiding a jar of honey behind it :) It's amazing he created it in so little time. Thank you Hylke!

Firefox 3 and SSL certificates

Wed, 16 Jul 2008 14:10:45 GMT

I should not single out only Firefox 3 for this issue, but because it's the browser I use, it gets criticised. Recent UI usability changes in web browsers towards handling self-signed and other “invalid” SSL certificates leave a lot to be desired.

Take my use-case. I want to use a HTTPS secured connection for bugzilla.banu.com (which is a website I setup for my projects). I don't have the dough to get my wildcard certificate for *.banu.com signed by a CA. So I use a self-signed certificate. This self-signed certificate does not mean that the bugzilla website accessible via HTTPS is any more malicious to any end-user than the main Banu website at www.banu.com accessible via HTTP.

I want new visitors who use my Bugzilla to be able to use it as any other plain-old website without suggestion that it's somehow malicious. Google or Wikipedia for example wouldn't like it if the browser screamed “This host uses an invalid security certificate” when someone visited http://www.google.com/ or http://en.wikipedia.org/.

HTTPS is simply an access protocol here. It can serve both authenticated and unauthenticated sessions. This whole issue would seem even more stupid if we didn't have HTTPS but something like STARTTLS for HTTP. Most web surfers do not know the difference between HTTP and HTTPS. They would go by what their browser shows them about whether a website is to be trusted or not. Current browser wording for messages that are displayed when a certificate is not signed by a known CA leans towards suggesting that somehow the remote website is malicious. A website using a self-signed certificate may not be malicious. In fact, statistics lean towards the fact that most websites are not malicious. Browsers would gladly present any content using HTTP, but when an unknown certificate is reached, it's now a stopping point and you now need to do a lot of actions in a browser such as Firefox 3 to get past to the website.

A more usable UI would be to simply indicate that the session was protected when the certificate is deemed as valid (via any padlock icons, or the green/blue Extended Validation info, or the yellow URL bar), and allow a user to simply browse the website otherwise without indicating in the UI that there is any secure connection, without having to go through any extra steps to accept a self-signed certificate.

This would raise some questions. What about forms which post to HTTPS URLs? Would having the browser stop you when it reaches an “invalid” certificate be correct to stop the browser posting to such URLs? No, this won't serve any purpose, as users hardly ever check the action URL of a form to see if it's SSL protected or not before submitting form information. They would look to trust the page which contains the form in the first place, to do the right thing.

With the change suggested above, a user visiting my bugzilla website would not see any icons or other UI indicators in her browser to say that her connection is authenticated even though she's using HTTPS. Nothing would discourage her from using my website. On the other hand, if I add my self-signed wildcard certificate to my list of personal certificates in Firefox, I can have an indiciation that my session is authenticated.

Update: In response to my own post, it occured to me that someone could hijack and force a renegotiation with a malicious server and get posted form fields if the above was implemented, i.e., if your form was served by an authenticated website, but when you submitted it, a MITM attack directed the posted form to a different webserver. So this is probably a bad idea.