beanstalkd: a simple, fast work queue.
Jack and the Beanstalkd: a web-app for basic work queue administration.
beanstalkc: a simple beanstalkd client library for Python.
queueit: a CLI interface tool which helps to integrate beanstalkd into shell scripts.

If you haven’t heard yet – stratfor.com was hacked in December 2011, leaking full information about 75k credit cards (including owner’s addresses and CVV codes) and 860k (right, almost a million) user accounts. All Stratfor email archives were also reportedly stolen (around 160-200 GB of data), but those were not made publicly available on the internet – unlike the credit cards and user accounts information, which is still relatively easy to find and download.

I do not really recollect anything that large. Well, not counting dropbox’s 4-hour window of “any password fits all accounts”, but that was different.

Here are some of the news items about this seriously large hacking incident:

• NYTimes (Dec. 25, 2011)
• WSJ (Dec. 25, 2011)
• CNN (Dec. 25, 2011)
• relatively above-average write-up from Wired (Dec. 26, 2011)
• ABCNews (Dec. 26, 2011)
• The Register (Jan. 3, 2012)

Here come more technical reports:

• short pastebin document, supposedly by the hackers
• cryptome keeps track of the data being removed from the internet
• a 1MB report by the hackers
• TheTechGerald has some analysis of the leaked stratfor passwords (Jan. 2, 2012)

TheTechGerald’s analysis linked to above got my attention. Unfortunately, a while ago I’ve subscribed to stratfor’s “free intelligence mailing list”, and was wondering if my account information is now publicly available. I was the most worried about the password I’ve used to subscribe, because of the risk of using the same password somewhere else.

Unlike TheTechGerald, I haven’t used any dictionaries – just the default configuration of a well-known tool for finding weak passwords. Within a single hour, ~100k passwords were decrypted (~12% of all). Till the end of the day, ~50k more passwords were decrypted (totalling 17.4% of 860k). At this point my password was still safe, and I’ve found a way to verify that it is not used anywhere else, so I’ve aborted further decryption.

There are a few simple conclusions:

• anybody who had a stratfor account must verify that he/she isn’t using that password anywhere else, because if 1 PC can get 17% of all the passwords in less than a day, it is only a matter of short time until all the leaked passwords will be decrypted and made publicly available in various “md5 decryption databases”
• system owners should run periodic screenings for weak passwords (and implement policies to prevent creating obviously weak passwords from the very beginning)
• md5 is very fast to decrypt/bruteforce – a much slower hashing function wouldn’t hurt; also, using a more complex hashing approach, maybe even with a closed-source shared library, could help
• single-factor authentication (password-based) is likely to get replaced with 2-factor authentication in the nearest future
• one may enjoy increased personal data safety by using throw-away passwords in conjunction with antispam mailboxes like spam.la and mailinator.com (at least 1600 users – 0.186% – did use these services).

Read the rest of this entry »

SSH Security and You – /bin/false is *not* security.

Phusion Passenger Apache users guide

Also as a PDF.

Inspired by video encoding with handbrake.

HandBrake is a very high-quality piece of software – next time you need recoding something into H.264/MPEG-4 (using MKV or MP4 containers) – try HandBrake. It easily saturated all my CPU cores – which I failed to achieve with ffmpeg, which even with threads=8 was only saturating 2 cores.

Attached to this post are 2 profiles for recoding movies for Nokia E71. The “_best” profile has exhaustive motion detection, otherwise is identical to the base profile.
E71.plist
E71_best.plist

Related:

• x264 ffmpeg mapping and options guide
• ffmpeg audio/video encoding cheat sheet

If you are a Python zealot, and Java doesn’t feel right, but the project you are working on is a Java project – try

• Jython – Python for the Java platform, compile your python scripts into Java bytecode
• Groovy – not Python, but still a scripting language which compiles to jars

Worth reading: Goodbye academia, I get a life.