Friday, June 28, 2013

Ongoing open-source Rails secret_token vulnerability

Today I was re-alerted to a somewhat dangerous insecurity for open-source Rails apps if their Application.config.secret_token is kept under version control. The relevant file:


Rails itself generates this file in this way (without an entry in .gitignore) but it's still dangerous. There's lots of discussion here.

Presumably easily an environment variable could be set in config/application.yml (often kept out of version control) and retrieved at run time into config/initializers/secret_token.rb.

Remembering this would seem the only way to solve the problem and protect one's apps into the future from this known security vulnerability.

Here are Ruby on Rails Security Guide's recommendations:

'[P]lease secure your database configuration, e.g. config/database.yml, and your server-side secret, e.g. stored in config/initializers/secret_token.rb. You may want to further restrict access, using environment-specific versions of these files and any others that may contain sensitive information.' — per its Environmental Security section.

'If you have received an application where the secret was exposed (e.g. an application whose source was shared), strongly consider changing the secret.' — per its Session Storage section.

BTW, newly, Rails 4 has added Application.config.secret_key_base (described in the previous link and Guide for Upgrading Ruby on Rails' section, Action Pack).

'If you happen to share your code publicly, make sure your secret_key_base value is kept private.' — per this blog post.

Presumably, however, this new variable name setting does not remove the current security vulnerability either in Rails 3 or 4 since the Rails secret_token still is under version control.

Copyright (c) 2013 Mark D. Blackwell.

Wednesday, June 19, 2013

Raspberry Pi hobbyist computer

Just now (albeit belatedly) I came across a small, fun $35 computer for hobbyists: the Raspberry Pi.

Have you heard of it?

This recalls _why and others' passionate advocacy of "The Little Coder's Predicament" with projects such as hackety-hack that provide hackable computers again for children.

BTW, Raspberry Pi runs Debian Linux (wheezy).

Copyright (c) 2013 Mark D. Blackwell.

Tuesday, June 4, 2013

Blog posts' date position

Just now I was reading a blog to avoid emailing its author with questions they already blogged about. Like others with this purpose, I read it reverse-chronologically (i.e. from the top).

While reading a blog purposefully to learn the current status of a fast-changing software system it seems important to gather a quick sense of time context for each post.

Inevitably I observe myself sliding my browser window downward to the bottom of each post to get a sense of how long prior to the post above it each was released—just in case the time interval is much, much longer than those above.

Then I slide the window back, indeed with resulting uncertainty that I have recovered the proper beginning of the proper post.

Some blogs may never have a delay of more than two weeks between posts.

If I knew this were the case always I wouldn't even look. But since I am not sure, I find myself looking at the dates.

Viewing a blog's archive helps somewhat (and furthermore I can read a whole blog by clicking its posts in an archive list; but this seems less natural).

So the minor suggestion here, for blog formatters' consideration, comprises the usefulness of placing the date of each post immediately below its title.

Copyright (c) 2013 Mark D. Blackwell.