Friday, October 19, 2012

Sleeping with the enemy

Today I was at the monthly meeting of the Python Madrid group, where I gave a keynote about HTML5 and the benefits it can offer to Python web developers, and also showed ShareIt! as a proof of the technology's potential. Although there were some technical problems with the projector, in the end I was able to show it and it was a success :-)

They liked the idea behind ShareIt! very much and were very interested in the technology behind it, especially in how I'm using WebSockets for the DataChannel-polyfill and whether the final native implementations will support high-stress use like the one ShareIt! will do, or maybe bigger ones (I believe someone is thinking about highly massive videochats... :-D ).

But they also asked me a very interesting question that I hadn't thought about. The most important building blocks of ShareIt! are anonymity and confidentiality: users are identified by a random UID generated at load, and communications are encrypted (WebSockets with TLS, and DataChannels by the specification). But since I'm not a security expert, there is an important security hole regarding anonymity, so it's critical: to establish the PeerConnection you need to transfer your SDP to the other peer, and the fact is that it has your public IP in the origin field (just the ID used by DataChannel-polyfill, by the way...), so this way the other end is able to connect to you... but also to know where you are. And this happens both ways. If at one of the ends there is a man in black listening (here in Spain we have La Innombrable, which is scarier) and you send him your shared files list, you have a problem.
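As an added illustration (not code from ShareIt! or from this post), the sketch below lists every network address an SDP blob exposes, so you can audit what the other peer learns before you send it. It goes beyond the origin field mentioned above to the connection and ICE candidate lines, which carry addresses too; the function names are hypothetical and the sample SDP is constructed with documentation-range addresses.

```javascript
// Constructed sample SDP (documentation-range addresses, not taken from the post).
const SAMPLE_SDP = [
  'v=0',
  'o=- 4611731400430051336 2 IN IP4 203.0.113.25',
  's=-',
  't=0 0',
  'm=application 49170 DTLS/SCTP 5000',
  'c=IN IP4 203.0.113.25',
  'a=candidate:1 1 UDP 2130706431 192.168.1.34 49170 typ host',
  'a=candidate:2 1 UDP 1694498815 203.0.113.25 49170 typ srflx raddr 192.168.1.34 rport 49170',
].join('\r\n');

// Return every address the SDP reveals, tagged with the field that carried it.
function addressesInSdp(sdp) {
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    let m;
    if ((m = /^o=\S+ \S+ \S+ IN (IP4|IP6) (\S+)/.exec(line))) {
      found.push({ field: 'origin', address: m[2] });
    } else if ((m = /^c=IN (IP4|IP6) (\S+)/.exec(line))) {
      // Multicast connection addresses may carry a "/ttl" suffix; drop it.
      found.push({ field: 'connection', address: m[2].split('/')[0] });
    } else if ((m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(.*)$/.exec(line))) {
      found.push({ field: 'candidate/' + m[2], address: m[1] });
      // Reflexive and relayed candidates also disclose the local base address.
      const r = / raddr (\S+)/.exec(m[3]);
      if (r) found.push({ field: 'candidate/raddr', address: r[1] });
    }
  }
  return found;
}

// Addresses outside private, loopback and link-local ranges: these are the
// ones that locate the peer on the Internet.
function publicAddresses(sdp) {
  const isPrivate = (a) =>
    /^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)/.test(a) ||
    /^(::1$|fe80:|f[cd][0-9a-f]{2}:)/i.test(a) || a === '0.0.0.0';
  const pub = addressesInSdp(sdp).filter((e) => !isPrivate(e.address));
  return [...new Set(pub.map((e) => e.address))];
}
```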

They suggested that I use some kind of friends whitelist based on public keys to authenticate the other peer, but since you can connect to anyone to fetch the data in a distributed way, rather than ending up with a lot of limited, private networks, this is unfeasible. Anyway, the idea kept banging around in my head and I think I found a solution: just ask for authentication when you query a files list. Since chunks are transferred by looking files up by their hash, you don't know what is being requested unless you already have the file with that hash, so you would need to ask for all the combinations of the hash (with Tiger TTH, 2^192 combinations, bigger than the ZFS address space), and something similar would happen if you did a full-text search over the network, so it's impracticable. The only attack point would be to ask a specific peer directly for its files list, and since this is something you will not do very frequently (you want to fetch a file, it doesn't matter where it comes from), it can easily be filtered by only allowing it if you have exchanged a public key with the other peer (something you should do only if you know who is at the other end...), so you know the request is legit and you can also send the files list data ciphered with that key. Easy and unobtrusive :-)
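One way to implement the gate described above, as an added example that is not ShareIt! code: the responder issues a challenge only to peers whose public key it already holds, and answers the files-list request only after verifying a signature over that challenge. The Ed25519 keys, the challenge-response step and names such as `FilesListGate` are assumptions of this sketch, which runs on Node.js; ciphering the returned list is left out.

```javascript
const crypto = require('node:crypto');

// Domain-separation label (hypothetical value): a signature made for this
// purpose cannot be reused in any other context.
const LABEL = Buffer.from('files-list-request:');

// Responder side: answers files-list requests only from peers it already knows.
class FilesListGate {
  constructor() {
    this.trusted = new Map(); // peer UID -> public key exchanged beforehand
    this.pending = new Map(); // peer UID -> outstanding one-time challenge
  }
  trust(uid, publicKey) { this.trusted.set(uid, publicKey); }

  // Step 1: issue a fresh random challenge, but only to a known peer.
  challenge(uid) {
    if (!this.trusted.has(uid)) return null;
    const nonce = crypto.randomBytes(32);
    this.pending.set(uid, nonce);
    return nonce;
  }

  // Step 2: verify the signature over the challenge. The challenge is consumed
  // either way, so a captured response cannot be replayed.
  authorize(uid, signature) {
    const nonce = this.pending.get(uid);
    const key = this.trusted.get(uid);
    this.pending.delete(uid);
    if (!nonce || !key) return false;
    return crypto.verify(null, Buffer.concat([LABEL, nonce]), key, signature);
  }
}

// Requester side: prove possession of the private key for this one challenge.
function signChallenge(privateKey, nonce) {
  return crypto.sign(null, Buffer.concat([LABEL, nonce]), privateKey);
}

// Constructed demo: one known friend, one stranger whose key the gate never saw.
function demo() {
  const friend = crypto.generateKeyPairSync('ed25519');
  const stranger = crypto.generateKeyPairSync('ed25519');
  const gate = new FilesListGate();
  gate.trust('uid-friend', friend.publicKey);
  const sig = signChallenge(friend.privateKey, gate.challenge('uid-friend'));
  const accepted = gate.authorize('uid-friend', sig);
  const replayed = gate.authorize('uid-friend', sig);
  const bad = signChallenge(stranger.privateKey, gate.challenge('uid-friend'));
  const forged = gate.authorize('uid-friend', bad);
  return { accepted, replayed, forged, unknown: gate.challenge('uid-stranger') };
}
```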

Another option would be to remove the files list request mechanism entirely and only allow searching for files. This would limit the functionality of the protocol, but it would be rather simpler and more secure, so maybe it's a good option for a future version...

Saturday, October 13, 2012

How to develop a SVG logo

Although a few days late, here you have the promised tutorial about how I made the ShareIt! logo entirely with free software :-)

First of all, I wanted to develop it fully with Inkscape, using my own font developed with FontForge as explained in this Inkscape tutorial (since it showed a style similar to the one I wanted, it was a good starting point), but being a total noob with this app, I decided to start with a vector app I'm more familiar with: Dia. With it I was able to anchor the lines to the grid, so it was fairly easy to develop the text.

I created the grid on the left as a guide for the letters... Working at 800% zoom makes the background grid a little useless :-P

Originally I only wanted to create the font, export it and follow the tutorial as intended, but this being a vector app, why would I want to do that if in the end I would convert it back to vector paths? It made no sense, so finally I exported it directly as SVG and imported it into Inkscape. Dia exported it as a lot of independent paths and objects, so first I needed to convert all the objects to paths (select all the objects and then Path > Object to path) and then join the ends of the independent paths to each other to create closed ones (select one path, click on the end node, select the other path and the other end node while holding the Shift key, and then join the selected nodes from the toolbar).

The 'a', the 'r' and the 'e' characters needed one more step: using boolean operations on the objects. This way I added the vertical line to the body of the 'a' and the vertical line to the head of the 'r' (select both paths and then Path > Union), and then removed the central hole of the 'a' and the 'e' (select the character path, then the hole one and finally apply Path > Difference). This way I have a single path for each character (except the exclamation mark, whose parts I just grouped because I wanted to apply some independent effects).

Finally, having created the text characters as paths, it was time to apply the color and the effects. The downside is that the tutorial mentioned at the beginning was not as detailed as I wanted (and in fact a lot of the comments were requesting a video tutorial), so looking on YouTube I found these two step-by-step ones about how to get the same effect :-)

I wasn't able to apply Path > Dynamic Offset, but I was able to solve it with Path > Increase instead. Basically, you just select all the objects, apply the fill color that you want and remove the path color, and then duplicate the objects (Second click > Duplicate; the new ones will appear over the originals, so don't click anywhere or you'll lose the focus), move the duplicated ones to the bottom (Object > Move to the bottom), change the fill color and increase them. Et voilà! You have just created a text offset :-D Now repeat it with a different color, without the bar of the exclamation mark and a little bigger, and you have the final result :-)

Just as a side note, being able to see and edit the XML tree directly in Inkscape is VERY useful, not only to see the hierarchy of the objects but also to be able to clean them up if you have hidden duplicates, or to change the node IDs to something that makes more sense than just a name (I just used the character names for each one to identify them easily).

As a final drawback of Inkscape, there is the fact that it stores the working area status data inside the SVG, so each time you open an SVG file it gets modified, but being an illness that also happens in Flash and other applications that don't have an independent workspace concept, I think it should be so important...

Sunday, October 7, 2012

Class 101

Some days ago I was finally able to solve the problems that I had with DataChannel-polyfill and published a version using it so the guys from the WebP2P group could test it. The fact was that the first feedback I received* was about not knowing how to use it, so I put my "plain user hat" on and saw where the problem was.

Although I was developing ShareIt! with usability and accessibility in mind, the fact was that, being at a development stage, I was thinking more about the developer (the guy who will go to GitHub and download the code) than about the final user or the merely curious, so the demo that I had uploaded to 5Apps didn't make sense to them. This is the reason why in the last few days I have been developing a "Start here" div that will be shown when there are no active sharings or downloads, with the tabs disabled and a big arrow pointing to the main menu, and also some links to the starting points of the app. This way it can also be used as a presentation page, so I finally developed the app logo and favicon (just a pretext to learn to use Inkscape... :-P), so now the app at 5Apps will look prettier with a custom logo instead of the default one :-)

Tomorrow I'll put a little tutorial about how I did it ;-)

* the second one was a request to collaborate on the project to integrate it into AtomOS as an FTP-like communications layer :-)

Saturday, October 6, 2012

If you pay peanuts, you get monkeys

A job offer I received by email from a consultancy:

Urgent: C/Unix programmer
Requirements: MANDATORY:
- REAL experience with the C language on Unix (at least 6 months).
Desired requirements:
- Experience working with any of the following technologies: C++, ProC, SQL against Oracle, Tuxedo, Webservices.
Minimum salary: 12,000 euros
Maximum salary: 18,000 euros
Please, we need profiles SUITED to the salary on offer.

Come again? They "urgently need" a C programmer with experience in ProC, Tuxedo and Oracle (which, being something so specialized that calls for an expert, I take it that if they are in a hurry it is because time has run out on them through bad management) and even so they offer at most 18k and ask "please" that the profiles be "suited" to the salary on offer?

As I said: if you pay peanuts, you get monkeys ¬¬

Friday, October 5, 2012

ShareIt! working over DataChannel-polyfill

I was able to finish it two days ago (after an entire week, and weekend, going to sleep after 3:00 AM :-P) but I have been busy these two days with university. Anyway, I have finished debugging the code and now ShareIt! is using DataChannel-polyfill for the communications between the peers. Also, I needed to develop an IndexedDB polyfill to bypass the Chrome bug related to storing Blob objects, so there's no persistence, but I was able to continue with the experiments :-)

The only drawback I have seen is that communications were really slow (about 25-30 seconds just for a 500KB image) until I realized that I have a 10Mbps/1Mbps ADSL line, so I tested it using a DataChannel-polyfill backend server on localhost and it downloaded in just 2 seconds, so maybe it was a problem with my limited upload bandwidth. The good part is that for the tests I used Chrome SpeedTracer and didn't see anything unusual (except that communication peaks came about every 5 seconds), so the app is very responsive :-) Also, I have developed the code as a library, so it could be exported to other projects (although first it needs some documentation and porting the original, simple interface to it as a proof-of-concept).

Finally, you can test it (currently only on Chrome, DataChannel-polyfill is giving me problems on Firefox) at http://shareit.piranna.5apps.com, running against a handshake server and a datachannel backend server that I have hosted on two Nodejitsu testing sandboxes.

And obviously, you can get the code on GitHub :-D The things where I would need some help from now on are related to the Kademlia implementation for searches (I was thinking about using KadOH), and file hashes, where I would like to use Tiger TTH, but currently there's no JavaScript implementation. Another point I have been thinking about these days is to just use the SDP IDs to do the handshake directly over the DataChannels, so there would be no need to use handshake or backend servers at all, but this needs some investigation (a friend of mine told me that SDP IDs would expire in a few minutes, so I wouldn't be able to have a PeerConnection object ready to accept incoming connections just to do the handshake, any clue about this?).

And this is all for now. As usual, any comments or suggestions are welcome :-)

Online Python Tutor

Online Python Tutor, an online Python tutor that not only lets you write small programs to learn, but also shows you step by step, with an animation, everything that happens internally: variable assignment, function calls, data on the program stack... The only drawback I see is the reassignment of variables, which is a bit confusing (an intermediate step showing the garbage collector at work would be much clearer and more realistic), but if something like this were used in the first year of a degree, many headaches would be prevented later... :-D