Wikipedia:Reference desk/Archives/Computing/2008 May 14

Computing desk
< May 13	<< Apr | May | Jun >>	May 15 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

May 14

Debian openssl vulnerability

Debian has announced a vulnerability in OpenSSL that apparently everyone who uses most current versions of Debian, Ubuntu, etc, should patch immediately. See here: http://www.debian.org/security/2008/dsa-1571 .

What I'd like someone to explain is just what it means to regenerate all these keys, specifically the ones that it says are used as session keys in SSL communications. Does that include logging in to secure websites? Specifically, if the client machine had the vulnerable openssl and logged into a secure website (https), would an attacker be able to view the traffic? Or would the problem arise only if the server machine had the vulnerable version? --Trovatore (talk) 08:38, 14 May 2008 (UTC)[reply]

Keys in /etc/ssh and $HOME/.ssh are vulnerable. There are 2 steps:

• In Ubuntu, the key to identify your server is regenerated automatically when the patch is applied. Run ls -l /etc/ssh to check the creation date. Anybody trying to ssh into your box will be told to update their $HOME/.ssh/known_hosts file.
• Remove (ie backup :-) $HOME/.ssh/id_*. Then regenerate those files with ssh-keygen (ssh-keygen -t dsa or ssh-keygen -t rsa)

If you log in to other machines by having a key in their authorised_keys file, you will no longer be able to. When you try to log in, you will probably be prompted for a password instead. You should email them your new public key: they will replace your key in their authorised_keys file. --h2g2bob (talk) 11:43, 14 May 2008 (UTC)[reply]

I don't think your key is important when connecting over https. It is the webserver's key which is used to encrypt data. Webservers running debian and linux would be vulnerable to MITM attacks. --h2g2bob (talk) 11:58, 14 May 2008 (UTC)[reply]

I'm not an expert on SSL, but from looking at descriptions of the handshake it appears that the only data used to derive the session key that isn't known to the attacker is the premaster key, which is generated by the client. That would mean that any SSL (including HTTPS) connection made from a vulnerable client is potentially eavesdroppable, regardless of the server. On the other hand, a connection from a properly functioning client to a vulnerable server is probably okay as long as the broken PRNG wasn't also used to generate the server's public/private key pair. In the case of SSH I think the session key is compromised if either the client or server PRNG is broken. I don't think there's any cause for panic, though, since in practice credit card and banking information are never stolen this way; they're stolen by hacking into the endpoints. -- BenRG (talk) 12:56, 14 May 2008 (UTC)[reply]

Is this premaster key regenerated every time, or should it also be regenerated after the <verbatim>apt-get update</verbatim> (and if so, how)? --Trovatore (talk) 17:11, 14 May 2008 (UTC)[reply]

It's generated on the fly for each session. I should say that I have no idea whether there's actually a vulnerability here. It depends on what was wrong with the PRNG. The premaster key uses 368 random bits from the PRNG, so there's still enough randomness there to make the connection secure if, say, half of the bits from the broken PRNG are predictable. Also, I may have misunderstood the protocol. -- BenRG (talk) 19:45, 14 May 2008 (UTC)[reply]

OK, thanks much. --20:23, 14 May 2008 (UTC)

C string scaning

What's wrong with this code:

scanf_s("%[^,] %[^,] %[^,] %d %d %c %d %c", &s.name,&s.ID,&s.address,&s.courseworkmark,&s.finalmark,&s.finalgrade,&s.overallmark,&s.overallmark); printf_s("%s %s %s %d %d %c %d %c", s.name,s.ID,s.address,s.courseworkmark,s.finalmark,s.finalgrade,s.overallmark,s.overallmark);

I want to scan from a string using the comma as a separator, and then print the values. Bastard Soap (talk) 09:36, 14 May 2008 (UTC)[reply]

scanf() doesn't "do" regexps. See scanf or your favorite man page for details.

Atlant (talk) 12:52, 14 May 2008 (UTC)[reply]

He's not trying to "do" regexps. The [^,] is a valid scanf conversion, called a scanset in the standard. I think the problem is that since s.name, s.ID, and s.address are presumably of type char * or char [], no ampersand ("address-of operator") is needed in front of them in scanf's argument list. They're already pointers. BTW, Bastard Soap, when asking questions like this, it's best to say what goes wrong. Does the code not compile? Are there warnings? Does it crash when you run it? If so, can you tell where? -- Coneslayer (talk) 13:11, 14 May 2008 (UTC)[reply]

One problem is that %[^,] won't eat the terminating comma, so it needs to be followed by a comma rather than (or in addition to) a space. If s.name and friends are pointers then the & will cause scanf to write over the pointer itself instead of the memory pointed to. If they're arrays then the & is harmless but unnecessary. (I think it's harmless, anyway. It leads to the wrong pointer type being passed to scanf, but I think the standard guarantees it'll work anyway.)

Incidentally, our scanf article also fails to mention the useful %n conversion specifier and the pretty much useless %p. Should they be added? -- BenRG (talk) 13:26, 14 May 2008 (UTC)[reply]

How they use Vmware and other virtual machines on business??

As a guy that played many emulators, used many emulators and know that just few of the consoles and arcades emulators are near complete or almost near complete and without bugs (bsnes is one of them), i ask:

How they use Vmware and other virtual machines on business??

Emulate some system correctly is a very difficult thing, and if you do this without using any hacks (things in code that make the emulator more faster in expense of accuracy).

Business is a very serious thing to use a program that will certanly will have bugs.

A example: I cant imagine someone using a nintendo 64 or sega saturn emulator to seriously aid the development of a real game (not homebrew one) to those consoles.

If the emulation of those things are near complete, how they can archieve if whithout making the program very slow.

And why consoles emulators are not so accurate, since some emulators have some very good and serious codders??? —Preceding unsigned comment added by 189.0.150.151 (talk) 19:57, 14 May 2008 (UTC)[reply]

Well they're somewhat different problems, but the simplest answer is because vmware has gooder and seriuouser coders than console emulators do. I'm sure there were plenty of bugs in vmware before it made its stable release, and I'm sure that vmware spent millions hammering them out. .froth. (talk) 21:56, 14 May 2008 (UTC)[reply]

VMWare has the advantage that they're emulating x86 on x86. There are some shortcuts you can take in that situation, such as direct execution of non-privileged instructions. --Carnildo (talk) 22:53, 14 May 2008 (UTC)[reply]

Most of the hobbyists who write game system emulators don't care about accuracy in any case, they just want the (existing) games to run. They could probably improve the accuracy of the emulation, but it would take time they have no reason to spend. There are exceptions—the MAME project is pathologically obsessed with accuracy and probably could be used to develop new games for the systems it emulates (in fact, I think it has). Another thing is that the heterogeneity of PC hardware makes emulation an easier problem. You don't have to behave exactly like the hardware on the market, just like something that could be on the market. On a game console you might be able to rely on exactly N processor cycles passing between horizontal retraces, and that kind of thing is a hassle to emulate efficiently. -- BenRG (talk) 23:12, 14 May 2008 (UTC)[reply]

And aside from all that, businesses use things like VMWare or Xen as hypervisors for virtualization, and rarely pure emulation these days. This means that the instructions are being passed straight to the CPU. Really, it's more like running more than one OS at a time on one computer than it is similar to 'console emulation'. 206.126.163.20 (talk) 23:10, 15 May 2008 (UTC)[reply]

Thank for the help.

CD player woes (reposted with updated question)

Hello, I have a Toshiba satellite with Windows XP. recently, I am having problems with my matshita dvd-ram uj-840s. It does not show up under my computer anymore. There is a generic windows file icon instead. I then used Device Manager to uninstall the driver for the device. I rebooted my computer and hoped for the best. Windows detected the cd drive; however, it was unable to correctly install drivers for it. What should I do? Please help me. --67.165.212.35 (talk) 13:18, 7 May 2008 (UTC)[reply]

Search for a driver? --LarryMac | Talk 13:26, 7 May 2008 (UTC)[reply]

Thank you for your answer. I already installed the program (.exe) given by the top hit. There was no effect. How can I find the official website from which to download the driver? --67.165.212.35 (talk) 13:48, 7 May 2008 (UTC)[reply]

Normally I'd say go to Toshiba, but trying to search for that drive on their site didn't get me anywhere. What is the specific model number of your computer? --LarryMac | Talk 17:47, 7 May 2008 (UTC)[reply]

Its a Satellite M55-S135. --Kushal (talk) 18:29, 7 May 2008 (UTC)[reply]

Thank you very much. I am downloading a file from Toshiba's website. --Kushal (talk) 18:35, 7 May 2008 (UTC)[reply]

I was about to post a link with a similar URL that looks more like an explosion in a typesetting room than a web address.... --LarryMac | Talk 18:38, 7 May 2008 (UTC)[reply]

You have been a great help, LarryMac. I don't have any good news yet, however. The software unpacked and installed. However, nothing changed. :( What could have happened? --Kushal (talk) 18:55, 7 May 2008 (UTC)[reply]

developing story: It seems that Windows does not have the drivers for any CD device. I plugged in my SanDisk Cruzr with U3 disk, and Windows showed problems with that too! Is there a way that I can force Windows to download drivers from the Microsoft website? Kushal (talk) 12:00, 13 May 2008 (UTC)[reply]

It seems your windows installation is screwed up. I'd suggest formatting and reinstalling. —Preceding unsigned comment added by 65.202.21.253 (talk) 14:29, 15 May 2008 (UTC)[reply]

That's sad. How am I supposed to reinstall when Windows does not recognize my CD drive? :( Any more takers, please? Kushal (talk) 01:24, 16 May 2008 (UTC)[reply]

That isn't a problem. When you are _installing_ Windows from a CD, you are not _running_ Windows. Instead, you are running a program from a bootable CD. So, all you really need is the Windows CD, a functioning CD drive and the base hardware that sees it.

Have you verified yet that the actual hardware is good? When you first start your laptop, can you get into the BIOS setup? Does it see the CD drive? Can you boot from it? If you can, then the drive is good. This is, indeed, a windows driver issue, and reinstalling Windows should fix it. Reinstalling is overkill, yeah, but it will fix it.

If, however, your BIOS does not see the CD drive, then this is a hardware issue -something is broken, either the drive or the controller- and reinstalling Windows won't fix that. -SandyJax (talk) 14:27, 16 May 2008 (UTC)[reply]

Thanks, SandyJax. I will check to see it asap. Kushal (talk) 19:38, 17 May 2008 (UTC)[reply]

Update: The BIOS sees the "CD/DVD" drive. When Windows is running, I can open the CD tray and close it, and the LED flashes for a bit while a little sound comes which means the CD drive is trying to read if there is a CD in it. I would love it if it were possible for me to just download the required drivers from Microsoft but the download center (both new and old interfaces) could not find what I was looking for. I could not use Mozilla Firefox to do automatic downloads (which I don't understand why) and the ActiveX warning never popped up when I tried using Internet Explorer. I am using Windows XP service pack 2 on that computer. Kushal (talk) 01:50, 18 May 2008 (UTC)[reply]

What should I do? Kushal (talk) 13:46, 19 May 2008 (UTC)[reply]

CSS to wrap text around a center image?

I'd like to do a page layout where my image was in the center and the text wrapped around it on all sides. Can this be done in just HTML/CSS? --98.217.8.46 (talk) 22:53, 14 May 2008 (UTC)[reply]

I don't know much about HTML/CSS, but it isn't possible with MediaWiki (Wikipedia) coding. flaminglawyer^c 23:09, 14 May 2008 (UTC)[reply]

Well, this isn't for Wikipedia, so that doesn't matter much. --98.217.8.46 (talk) 23:22, 14 May 2008 (UTC)[reply]

It can be done, but it is a pain to get it to look correct in all popular browsers (and you can't do it is just CSS). First, you have to deal with the issue that wrapping around a centred image implies that the text is in two columns, left and right. Otherwise, your lines of text will hop from one side of the image to the other and be nearly impossible to read. So - you have the classic "I want my text to show up in two skinny side-by-side columns like a newspaper" problem. Since the web is not a newspaper, it is not designed to do this. You must manually cut your text in half, place one half in a div on the left and one half in a div on the right. Then, you can use absolute positioning to put a picture in the middle. They won't wrap, of course, but the picture will be there. Now, the real tricky part. In the left div, you place an image that is nothing but transparency just under the image. Your transparent image will only he half the width of the main image, but it will float to the right side of the left div. The text will wrap around your transparent image - giving the appearance that it is wrapping around the main image. Repeat for the right div. Then, spend the next few years struggling with getting the text to be cut in half between the divs so that you don't get one a lot longer than the other. Struggle with font sizes that cause your transparent images to shift up and down. And, finally, ignore all the emails you get from people who hate the two-column layout. -- kainaw™ 03:02, 15 May 2008 (UTC)[reply]

I agree. It is a difficult problem. If you are serious about playing with text wrap, there are plenty of good places to look on the web. I recommend this one. It shows some interesting techniques, and it links to some other pages that are good. Leeboyge (talk) 08:05, 15 May 2008 (UTC)[reply]

Lame. For all of its "think outside the grid" approach, CSS is still all about thinking in fairly constrained grids. :-( --98.217.8.46 (talk) 14:27, 15 May 2008 (UTC)[reply]

What are you talking about? CSS has nothing to do with "think outside the grid." It is almost completely based on the box model. It is not based on the "outside the grid" model, or the multi-column model, or the floating wrap model, or the circle model... Everything is a box. -- kainaw™ 15:44, 16 May 2008 (UTC)[reply]

MediaWiki: operating system?

I noticed, while browsing the MediaWiki site, that the downloadable file was a .tar file. Does that mean that the MediaWiki software is an operating system? I think this because when I (unsuccessfully) tried to install Linux on my computer, the file I downloaded was a .tar file. flaminglawyer^c 23:08, 14 May 2008 (UTC)[reply]

No. It is just a file format for storing (an archive of) multiple smaller files together. Like a ZIP archive, but without the compression (often people compress the tar archive after creating it using a compression algorithm like gzip or bzip2, and the result would usually be stored with a hybrid extension like .tar.gz, .tgz, or .tar.bz2). You can store any kind of information in it. See Tar (file format). --Prestidigitator (talk) 23:21, 14 May 2008 (UTC)[reply]