Secure over http

So I implemented my ideas for secure login over http. Here’s the actual client-side code:

function(){
	$.getJSON(
		edu.ua.lib.inferRelative('./u/logon/' + document.log_on.name.value + '/'
		+ MD5( edu.ua.lib.salt + MD5(document.log_on.password.value) ) ),
		function(data){
			if( data.error != '0' ){
				$('#log_on_feedback').slideDown( 1000 ).text('Log on FAILED');
			} else {
				$('#log_on_feedback').slideUp( 1000 );
				$('#logged_on_as').text('Logged on as ' + data.user);
				$('#log_on_ui').slideUp( 1000 );
				$('#log_off_ui').slideDown( 1000 );
				if( data.admin == 'yes' ){
					$('#admin_menu').slideDown( 1000 );
				} else {
					$('#admin_menu').hide();
				}
			}
		}
	);
}

The dependencies are jQuery 1.3+ and an MD5 function written in JavaScript (of which I found several). Note that the code above implements an AJAX (well AJAjson) login with in-page feedback and modeless UI rebuild after successful login. It could be even simpler. Of the code above, exactly one line handles the security portion, the rest is UI. Also note that the server-side is even simpler, since it doesn’t do any UI stuff. The key bit is:

$user = $db->simple_search('user', 'name', strtolower($params[2]));

if( count( $user ) != 1 ){
	echo $bad_login_attempt; // always give identical feedback for failed attempts
} elseif( md5( $_SESSION['salt'] . $user[0]['password_hash'] ) == $params[3] ){
	$_SESSION['logged_in'] = true;
	... // snip highly specific stuff
} else {
	echo $bad_login_attempt;
}

The server provides the same feedback for all failure modes, and generates a random salt per session which is included inside the master JavaScript object (edu.ua.lib) which handles the UI (it’s probably not a very good random salt, but this isn’t intended or expected to stop the NSA).

Is Blu-ray a failure? Duh.

“Is Blu-ray a failure?” is an interesting article by Cringely which essentially makes some of the points I made late last year, but fails to really provide a firm answer to the question.┬áHere’s a simple way of looking at it:

When CD-ROM burners first became available to normal people, blank CD media cost around $10 a disk at a time when a 600MB hard disk cost well over $1000 (the Quadra 840AV — a very well-specced and pricey computer of the time — came with a 230MB hard disk). Over the next ten years, CD media got about 10-20x cheaper while hard disks got about 100x cheaper.

Today, a blank BD-R DL disk (50GB capacity) costs about $20, which is more expensive than using 1TB hard disks as a storage medium. A burner will set you back around $150. And it’s slower, and probably less reliable than a hard disk or USB stick. (Consumer hard disks have a MTBF of what … two years of normal use? Anyone ever tried using a CD-R or DVD-R for two years? Any reason to expect BD-R to be better?) So to get your first 100GB of Blu-ray storage will cost you the same amount as a high quality 1TB hard disk, or 200-400GB of USB sticks, but don’t worry it also costs more per extra GB, and — if history is any guide — its competitors go on to get better and cheaper much, much faster.

Blu-ray also lacks all the other ancillary advantages that allowed CD and DVD to succeed in their respective niches. Each was replacing a less reliable, less versatile format which lacked random access (DVD managed to screw this up by forcing us to watch trailers anyway). Blu-ray is competing with hard disks, USB sticks, and cloud repositories, which are actually more reliable, more versatile, and provide better access.

Oh, right. The answer is “yes”.