[10137] in Perl-Users-Digest
Perl-Users Digest, Issue: 3730 Volume: 8
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Wed Sep 16 16:07:19 1998
Date: Wed, 16 Sep 98 13:00:28 -0700
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Wed, 16 Sep 1998 Volume: 8 Number: 3730
Today's topics:
Building perl5.005_02 with Cygwin32 b19.1 <dpf@umr.edu>
Re: Building perl5.005_02 with Cygwin32 b19.1 (Nathan V. Patwardhan)
Re: Can I foreach multiple arrays? (Abigail)
Re: ch(mod/own) and links (Andreas Karrer)
Re: Creating users under Win32 <JKRY3025@comenius.ms.mff.cuni.cz>
Re: Determine NT Logon Server? <JKRY3025@comenius.ms.mff.cuni.cz>
Re: Dumping to Printer (Win32) <JKRY3025@comenius.ms.mff.cuni.cz>
Re: Edit in place problem with ActivePerl 5.005_002 <JKRY3025@comenius.ms.mff.cuni.cz>
Extract email address from user profile? (Bill Krahmer)
Re: Extract email address from user profile? (Nathan V. Patwardhan)
Re: how safe is xor encryption ? (Snowhare)
Re: how safe is xor encryption ? beyret@my-dejanews.com
Re: how safe is xor encryption ? (Mark-Jason Dominus)
Re: how safe is xor encryption ? beyret@my-dejanews.com
Re: how safe is xor encryption ? beyret@my-dejanews.com
Re: how safe is xor encryption ? <eashton@bbnplanet.com>
Re: how safe is xor encryption ? beyret@my-dejanews.com
Re: line breaks in Perl for win32 <JKRY3025@comenius.ms.mff.cuni.cz>
Re: milliseconds? miho21@yahoo.com
Re: Perl Test or Questionare? (Alex Barilo)
Re: Sending E-mail from Prel CGI in on NT4 <JKRY3025@comenius.ms.mff.cuni.cz>
Re: to greg bacon (Nathan V. Patwardhan)
Re: Who posts original posts on CLPM? <eashton@bbnplanet.com>
Re: Y2K date in Perl (Abigail)
Special: Digest Administrivia (Last modified: 12 Mar 98 (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Wed, 16 Sep 1998 14:08:19 -0500
From: "David Fannin" <dpf@umr.edu>
Subject: Building perl5.005_02 with Cygwin32 b19.1
Message-Id: <36000ca4.0@news.cc.umr.edu>
Has anyone been able to successfully build perl5.005_02 with the Cygnus
tools version b19.1 under Windows NT 4.0 with SP3? I've tried this a couple
of times and given up because Configure only stops at every other line when
asking for input. Is there a fix for this behavior besides copying the
hints file and not running in interactive mode? I'm not afraid of reading
an FAQ if there's one that addresses this issue. I just haven't been able
to find it yet. I'm really not an idiot, but this is starting to make me
feel like one.
Thanks!
-dpf-
-----------------------
David P. Fannin
Scientific Programmer/Analyst I dpf@umr.edu
UM-Rolla Computing and Information Services FAX (573) 341-4216
URL http://www.umr.edu/~dpf PHONE (573) 341-4841
-----------------------
------------------------------
Date: Wed, 16 Sep 1998 19:38:57 GMT
From: nvp@shore.net (Nathan V. Patwardhan)
Subject: Re: Building perl5.005_02 with Cygwin32 b19.1
Message-Id: <ltUL1.36$_c5.312201@news.shore.net>
David Fannin (dpf@umr.edu) wrote:
: Has anyone been able to successfully build perl5.005_02 with the Cygnus
: tools version b19.1 under Windows NT 4.0 with SP3? I've tried this a couple
: of times and given up because Configure only stops at every other line when
Yes, I've been successful (no Threads, no 'B' modules).
: asking for input. Is there a fix for this behavior besides copying the
: hints file and not running in interactive mode? I'm not afraid of reading
The Cygnus FAQ does address the "every other line" issue, and you'll
likely need to install the "coolview" package from Sergei (there's a
pointer to his site on the Cygnus _Related Sites_ link) to fix this
problem.
But you can copy hints/cygwin.sh to ./config.sh. Edit config.sh for
the correct paths to your Cygnus tools and libs. Then run Configure
with the -ders flags from the command line. This might take awhile to
complete (like 15-20 minutes), but it worked for me.
--
Nate Patwardhan|root@localhost
"Fortunately, I prefer to believe that we're all really just trapped in a
P.K. Dick book laced with Lovecraft, and this awful Terror Out of Cambridge
shall by the light of day evaporate, leaving nothing but good intentions in
its stead." Tom Christiansen in <6k02ha$hq6$3@csnews.cs.colorado.edu>
------------------------------
Date: 16 Sep 1998 18:56:04 GMT
From: abigail@fnx.com (Abigail)
Subject: Re: Can I foreach multiple arrays?
Message-Id: <6tp1k4$hkt$4@client3.news.psi.net>
Colin Kuskie (ckuskie@cadence.com) wrote on MDCCCXLII September MCMXCIII
in <URL: news:Pine.GSO.3.96.980916095515.20066A-100000@pdxue150.cadence.com>:
++ On 15 Sep 1998, Abigail wrote:
++
++ > Tom Christiansen (tchrist@mox.perl.com) wrote on MDCCCXLI September
++ > MCMXCIII in <URL: news:6tmlgd$hbp$2@csnews.cs.colorado.edu>:
++ > ++
++ > ++ Destructively:
++ > ++
++ > ++ while (($foo, $bar) = (shift @foos, shift @bars)) { }
++ >
++ > That will never terminate. (undef, undef) is *TRUE*.
++
++ How about:
++
++ while ($foo = shift @foos and $bar = shift @bars) { }
++
That would terminate too early. Any '0' in @foos or @bars will do that.
$foo and $bar will tell you *nothing* about termination. The result
C<shift @foos> is the same for C<@foos = ()> and C<@foos = (undef, 1, 2)>.
Why complicated while conditions if you can do it in a simple way:
while (@foos && @bars) {
$foo = shift @foos;
$bar = shift @bars;
...
}
Abigail
--
perl5.004 -wMMath::BigInt -e'$^V=new Math::BigInt+qq;$^F$^W783$[$%9889$^F47$|88768$^W596577669$%$^W5$^F3364$[$^W$^F$|838747$[8889739$%$|$^F673$%$^W98$^F76777$=56;;$^U=substr($]=>$|=>5)*(q.25..($^W=@^V))=>do{print+chr$^V%$^U;$^V/=$^U}while$^V!=$^W'
------------------------------
Date: 16 Sep 1998 21:24:16 +0100
From: karrer@iis.ee.ethz.ch (Andreas Karrer)
Subject: Re: ch(mod/own) and links
Message-Id: <slrn700430.5o1.karrer@kuru.ee.ethz.ch>
In article <6tlrba$7qk$1@lochaber.rutgers.edu>, Vladimir Gabrielescu wrote:
>The perl chmod and chown functions seem to always operate on the real
>file and not on a link pointing to it. For example if "foo" is a link to
>"bar" ( foo -> bar ) and I chown "foo", foo retains its ownership and bar
>changes. Same stands true for chmod.
That is because it is the way the corresponding system calls work.
The ownership and mode of the link itself rarely matter, unless you
have an application that explicitly checks the ownership of symlinks
and uses it for some special purpose.
Perl does not have a lchown command, because only few systems have
the corresponding system call.
You can use Solaris' lchown(2) system call through Perl's syscall command,
however:
    $link = '/tmp/1+1';    # link name
    symlink '42', $link;   # creates /tmp/1+1 -> 42
    $SYS_lchown = 130;     # Solaris-specific, from /usr/include/sys/syscall.h
    $uid = 123;            # some user ID
    $gid = 456;
    $ret = syscall($SYS_lchown, $link, $uid, $gid);
    if ($ret) { warn "..." }
- Andi
------------------------------
Date: Wed, 16 Sep 1998 21:10:44 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: Creating users under Win32
Message-Id: <36008BC4.511@comenius.ms.mff.cuni.cz>
bob laflamme wrote:
>
> I have a script which does some basic administration tasks under NT.
> The problem I'm up against right now is how to fill in all the fields when I
> create a new user. I'm able to get everything except the 'User Profile Path'
> set. So far I have been unable to locate a function that lets me set it
> (AdminMisc or NetAdmin).
>
> Can anybody help?
>
> tia
>
> bob laflamme
<DIV mode=angly level=slightly>
I wonder why is Elaine here. Bitching all it gets on everyone who dares
to use something s?he didn't approve.
</DIV>
You want to look at Win32::NetAdmin and maybe also Win32::AdminMisc
modules.
http://www.roth.net/perl/adminmisc/
This page would also be of help to you:
http://www.inforoute.cgs.fr/leberre1/main.htm
HTH, Jenda
mailto:Jenda@Krynicky.cz http://Jenda.Krynicky.cz :-)
------------------------------
Date: Wed, 16 Sep 1998 21:28:11 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: Determine NT Logon Server?
Message-Id: <36008FDB.2091@comenius.ms.mff.cuni.cz>
Willie Wanker wrote:
>
> The logon server is in the environment. Open a dos window and type set.
>
> LOGONSERVER=\\xxxxxxxxxxx
>
> Should be easy to grab it.
Works only in WinNT. Win95 does not give such info that way.
Jenda
------------------------------
Date: Wed, 16 Sep 1998 21:31:43 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: Dumping to Printer (Win32)
Message-Id: <360090AF.5266@comenius.ms.mff.cuni.cz>
Nick Landry wrote:
>
> This sounds really basic but I'm wondering how to dump text to the
> printer in Perl for Win32. I know in C you can use STDPRN, and under
> Unix Perl uses something like open (PRINTER, "|lpr");
> But I'm not sure how or what to use for Perl under Win32.
>
> Thanks in advance.
>
> Nick
open PRINTER, '>\\\\servername\printername';
...
You may look into the registry to see what the default printer is.
I do not remember the path just now.
HTH, Jenda
------------------------------
Date: Wed, 16 Sep 1998 21:05:13 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: Edit in place problem with ActivePerl 5.005_002
Message-Id: <36008A79.64F5@comenius.ms.mff.cuni.cz>
A lot of words on top, a few lines of (I hope) helpful code below ;-)
dave@mag-sol.com wrote:
>
> In article <6tjvrv$p4o$1@nnrp1.dejanews.com>,
> benday@c-bridge.com wrote:
> > I've used the following command a billion times but never with ActivePerl
> > for NT.
> >
> > perl -p -i.bak -e "s/foo/bar/g;" *.htm
> >
> > It says "Can't open *.htm: Invalid argument"
> >
> > I'm baffled.
> >
> > Does anyone know what I'm doing wrong?
>
> Ben,
>
> This isn't a Perl problem. You're using a shell that doesn't do automatic
> wildcard expansion before passing the command line to a program. This is a
> *bad* thing.
Actually it would be a good thing if Unix had been working this way.
It's much better if the program may choose itself between its own
processing of the wildcard expansion and calling a system function for that.
Most usually the program doesn't need all the files that matched the
specification at once, but sequentially. One by one. It could search the
directory and process the files one by one.
Which is exactly the same affair as with the difference between
open IN, "<$file";
@lines = <IN>;
close IN;
foreach $line (@lines) {
...
}
and
open IN, "<$file";
while (defined($line = <IN>)) {
...
}
close IN;
Sometimes the first is better, sometimes the latter.
Of course if every program would treat the wildcards differently it
would be a mess.
But I think that if system provided both all-at-once and one-by-one
wildcard expansions as a system call, everybody would be happy.
> Use Unix.
Not a very constructive suggestion. While I would not recommend running a
webserver on a WinNT (much less Win95) - Unix is much better - there are
uses for Windoze and people will use them no matter how loud you scream.
We'd rather give as much of Unix to Windows as possible instead of
hushing all Windozers.
> hth,
>
> Dave...
Anyway there is quite a reasonable solution :
#======================G.pm=======================
use File::DosGlob;
{
my @argv;
foreach (@ARGV) {
if (!/[*?]/) {
push @argv, $_;
} elsif (/^'(.*)'$/){
push @argv, $1;
} else {
push @argv, File::DosGlob::glob $_;
}
}
@ARGV = @argv;
}
1;
#=================================================
Save this as G.pm into your library directory and
add -MG to the PERL5OPT system variable.
It will use() this module before all your scripts and glob the
parameters.
Of course only if they contain some wildcards and are not enclosed in
single quotes.
HTH, Jenda
mailto:Jenda@Krynicky.cz http://Jenda.Krynicky.cz :-)
------------------------------
Date: Wed, 16 Sep 1998 20:12:50 GMT
From: FaxMail@ElectraSoft.com (Bill Krahmer)
Subject: Extract email address from user profile?
Message-Id: <36000cb6.3984408@news.insync.net>
Hello, I was wondering if there is a way using Perl or some kind of
CGI to extract information like an email address from a Netscape or IE
user profile. Thank you.
Kind Regards,
Bill Krahmer, ElectraSoft
Get newest version of [FaxMail for Windows], [FaxMail Network for Windows]
or [32bit Fax], free trial: http://www.ElectraSoft.com/
To read what users are saying about ElectraSoft's fax software, go to
http://www.ElectraSoft.com/10GoodReasons/
------------------------------
Date: Wed, 16 Sep 1998 19:39:44 GMT
From: nvp@shore.net (Nathan V. Patwardhan)
Subject: Re: Extract email address from user profile?
Message-Id: <4uUL1.37$_c5.312201@news.shore.net>
Bill Krahmer (FaxMail@ElectraSoft.com) wrote:
: Hello, I was wondering if there is a way using Perl or some kind of
: CGI to extract information like an email address from a Netscape or IE
From a CGI program? Gosh, I hope not.
--
Nate Patwardhan|root@localhost
------------------------------
Date: 16 Sep 1998 18:59:00 GMT
From: snowhare@devilbunnies.org (Snowhare)
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp1pk$aom$1@supernews.com>
Nothing above this line is part of the signed message.
In article <6tovnr$5pb$1@monet.op.net>, Mark-Jason Dominus <mjd@op.net> wrote:
>In article <6toodk$lnb@mozo.cc.purdue.edu>,
>Michael J Gebis <gebis@fee.ecn.purdue.edu> wrote:
>>It appears to me that your method is vulnerable (at least) to a
>>dictionary attack.
>
>I don't think it is. Let's make it easy on you: I give you a list of
>25,000 words, and I guarantee that one of these words is the key
>phrase.
>
>If you were trying to decrypt a message, you would try every word in
>the list, and get 24,999 gibberish messages and one message that was
>obviously correct. But you are not trying to decrypt a message; you
>are trying to decrypt a 53-bit number. So the result of your brute
>force search is a list of 25,000 random-looking numbers. Even if you
>can throw away 97% of them because they have the wrong form for credit
>card numbers (Wrong check digit, fail to begin with 3, 4, 5, or 6,
>etc.) you still have 750 random numbers, only one of which is
>actually a valid credit card number.
This is a code fragment from a number validator I wrote.
    # Check if it passes the Mod10 Checksum
    if (($cardtype ne "enroute") && (&LUHNFormula($cardnumber))) {
        return 0;
    }
    # Verify correct length and prefix for each card type
    if (($cardtype eq "visa") &&
        (! ($cardnumber =~ m#^4(\d{12}|\d{15})$#o))) {
        return 0;
    } elsif (($cardtype eq "mastercard") &&
        (! ($cardnumber =~ m#^5[1-5]\d{14}$#o))) {
        return 0;
    } elsif (($cardtype eq "amex") &&
        (! ($cardnumber =~ m#^3[47]\d{13}$#o))) {
        return 0;
    } elsif (($cardtype eq "diners-club") &&
        (! ($cardnumber =~ m#^3(0[0-5]|[68]\d)\d{11}$#o))) {
        return 0;
    } elsif (($cardtype eq "carte-blanche") &&
        (! ($cardnumber =~ m#^3(0[0-5]|[68]\d)\d{11}$#o))) {
        return 0;
    } elsif (($cardtype eq "discover") &&
        (! ($cardnumber =~ m#^6011\d{12}$#o))) {
        return 0;
    } elsif (($cardtype eq "enroute") &&
        (! ($cardnumber =~ m#^(2014|2149)\d{11}$#o))) {
        return 0;
    } elsif (($cardtype eq "jcb") &&
        (!(($cardnumber =~ m#^(2131|1800)\d{11}$#o) ||
           ($cardnumber=~m#^3(088|096|112|158|337|528)\d{12}$#o)))){
        return 0;
    } elsif (($cardtype eq "novus") && (length($cardnumber) != 16)) {
        return 0;
    }
Depending on the specific card used, the possibilities range from 25,000
to unique.
Benjamin Franz
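Added example, not part of the original digest or of any poster's code: a
Perl sketch that measures the estimate argued over in the message above,
namely how many of 25,000 candidate phrases still yield a number that passes
the Luhn and prefix/length checks. The phrase-to-pad derivation (MD5 truncated
to 53 bits), the word list and the card number are assumptions constructed for
the illustration; the thread never states how the pad is derived.

```perl
#!/usr/bin/perl
# Added example with constructed data; not code from the digest.
use strict;
use warnings;
use Config;
use Digest::MD5 qw(md5);

die "this sketch needs a perl built with 64-bit integers\n"
    unless $Config{ivsize} >= 8;

my $MASK53 = (1 << 53) - 1;

# Prefix/length shapes, following the validator fragment quoted in the thread.
my %SHAPE = (
    visa       => qr/^4(?:\d{12}|\d{15})$/,
    mastercard => qr/^5[1-5]\d{14}$/,
    amex       => qr/^3[47]\d{13}$/,
    discover   => qr/^6011\d{12}$/,
);

# ASSUMPTION: the thread does not say how a phrase becomes a pad. Here the
# pad is the low 53 bits of the first 8 bytes of the phrase's MD5 digest.
sub pad_from_phrase {
    my ($phrase) = @_;
    my ($hi, $lo) = unpack 'N2', md5($phrase);
    return (($hi << 32) | $lo) & $MASK53;
}

# XOR is its own inverse, so one routine both encrypts and decrypts.
sub xor_crypt {
    my ($number, $phrase) = @_;
    return ($number + 0) ^ pad_from_phrase($phrase);
}

# Luhn (mod 10) check: true when the digit string has a valid check digit.
sub luhn_ok {
    my ($digits) = @_;
    my ($sum, $pos) = (0, 0);
    for my $d (reverse split //, $digits) {
        # Double every second digit, counting from the right.
        my $v = $pos++ % 2 ? $d * 2 : $d;
        $sum += $v > 9 ? $v - 9 : $v;
    }
    return $sum % 10 == 0;
}

# True when $n looks like a card number. $type undef means the card type is
# not known to whoever is testing, so any known shape is accepted.
sub plausible {
    my ($n, $type) = @_;
    my @shapes = defined $type ? ($SHAPE{$type}) : values %SHAPE;
    return 0 unless grep { "$n" =~ $_ } @shapes;
    return luhn_ok("$n") ? 1 : 0;
}

# Phrases whose pad turns the stored value into a plausible card number.
sub survivors {
    my ($cipher, $type, @candidates) = @_;
    return grep { plausible(xor_crypt($cipher, $_), $type) } @candidates;
}

# Constructed inputs: a 25,000-entry word list and the widely published
# Visa test number, stored under one phrase taken from that list.
my @words  = map { "word$_" } 1 .. 25_000;
my $secret = 'word1998';
my $card   = 4111111111111111;
my $cipher = xor_crypt($card, $secret);

for my $type ('visa', undef) {
    my @hits  = survivors($cipher, $type, @words);
    my $found = grep { $_ eq $secret } @hits;
    printf "%-12s %5d of %d phrases give a plausible number (real one included: %s)\n",
        defined $type ? "type=$type" : 'type unknown',
        scalar @hits, scalar @words, $found ? 'yes' : 'no';
}
```

A uniformly random 53-bit value falls in the 16-digit Visa range about 11% of
the time and passes the Luhn check one time in ten, so roughly one wrong phrase
in a hundred survives when the card type is known. The checks shrink the
candidate set but do not single out the real number.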
------------------------------
Date: Wed, 16 Sep 1998 19:01:24 GMT
From: beyret@my-dejanews.com
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp1u4$kpp$1@nnrp1.dejanews.com>
In article <6tncvm$1j7$1@monet.op.net>,
mjd@op.net (Mark-Jason Dominus) wrote:
>
> >say, a cracker has somehow reached to the database, full of credit card
> >numbers encrypted in that manner.
>
> 1. If the cracker knows any one entire credit card number, perhaps
> because they inserted it themselves, they can easily figure out
> what your secret pad is, and decrypt all the other numbers.
hi,
one thing i could not emphasize maybe is that, there will not be "one" key
for all credit card numbers. each credit card number will have a unique key
that will be supplied by the owner. this key will not be stored in anywhere,
the key is not generated from credit card number but entered by the owner, so
there is no way to figure out what the key is by just looking at the credit
card number (say they inserted it themselves and know what the number is..).
again, the key is not a hard coded key in anywhere.
> 2. A cracker who has gotten into the database has probably also gotten
> into your source code.
sure! but the secret key is not stored anywhere, neither in database nor in
source code.. that's why even the programmer or the system admin will be able
to know what the secret key is and decrypt the credit card number. the credit
card owner determines the secret key of his/her CC number and in each
transaction, s/he enters that key and decryption occurs only at that moment.
> >well, do all what i've talked about make sense? anything wrong you see?
>
> The whole exercise seems rather futile.
thanks anyway
ersin
-----== Posted via Deja News, The Leader in Internet Discussion ==-----
http://www.dejanews.com/rg_mkgrp.xp Create Your Own Free Member Forum
------------------------------
Date: 16 Sep 1998 15:22:10 -0400
From: mjd@op.net (Mark-Jason Dominus)
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp352$67p$1@monet.op.net>
In article <360000B8.259600FD@bbnplanet.com>,
Elaine -HappyFunBall- Ashton <eashton@bbnplanet.com> wrote:
>Mark-Jason Dominus wrote:
>
>> If the key is intercepted, it is not very useful to the snooper. They
>> can use it to authorize purchases from you, but not from anyone else.
>
>How so? If I can get the key, I can get the CC# and then I can make
>purchases anywhere I want.
No, you can't. The encrypted CC# is on my disk behind the firewall.
You have to get the key, and *then* you have to break into the machine
where the database is kept. Either one alone is not enough.
>You presume that the key length is sufficient to render the decryption
>impractical or impossible. Also, too, that the customer has chosen a
>totally random key which, in my experience at least, is all too rare an
>occurrence.
Please see my followup to Mike Gebis.
Also, note that guessing the key does not compromise the credit card number.
>If I could get one, I'm sure I could get the other.
I don't think this is true. I can protect the transmission of the
key by exchanging it over an encrypted channel. Extracting such a key
is difficult and time-consuming.
I can protect the database the same way I protect any other sensitive
material resource: With system security protocols, a secure location,
and a well-designed firewall. Breaking into such a system is also
difficult and time-consuming.
>It's not rocket science.
You seem to be arguing that there is no point in taking any
precautions at all because all security is just going to be broken
anyway.
But rocket science or not, it can't be easier to steal the key *and*
break into the database than it is to just steal the key, and your
saying so doesn't make it true.
>If e-commerce is to survive and thrive people must have
>confidence that their cards are protected.
Only time will tell; I believe you are mistaken. The precautions
we're discussing in this thread are much stronger than the precautions
taken by conventional merchants. Nobody thinks twice about calling up
Eddie Bauer and giving their credit card number over the phone (which
is easy to tap) to a clerk who makes minimum wage doing data entry,
who might take the number home, and who might save the number in
plaintext form in a database.
But to you, an electronic security system is not secure enough even
when it requires that the thief break into a secure computer to steal
the database *and* tap the customer's transaction data from an
encrypted network connection.
Oh well, so much for online commerce.
------------------------------
Date: Wed, 16 Sep 1998 19:24:00 GMT
From: beyret@my-dejanews.com
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp38f$mk1$1@nnrp1.dejanews.com>
> Thanks; I missed that. It sounds a lot more useful to me now. For
> example, suppose you collected the CC#s out of band, perhaps over the
> phone. Then the users would never need to send CC#s over the
> internet, only their pad keys. Even if sent insecurely, a snooper is
> unlikely to get any value from the pad key; to do so, they must
> intercept a pad key *and* acquire your database.
one thing, that makes a system attractive for crackers is the existence of
chunks of credit card numbers. having different pad keys for each CC#, the
system will not be so attractive to deal with and spend time for a cracker. so
psychologically system will be safer. just a thought :)
> >However, CC#s have a common beginning number sequence which
> >identifies the CC type (MC, Visa, etc.), do they not?
>
> Yes, but I think it's only one digit long. Perhaps someone can confirm?
yeah, in CreditCard.pm module the code reveals that:
Visa: 4xxxxxxxxxxxxxxxxx
MasterCard : 5xxxxxxxxxxxx
Discover:6xxxxxxxxxxxxxx
Amex: 37xxxxxxxxxxxxxxxx
knowing one digit will reduce possibilities by a factor of 10. one thing that
can be done is: in database, i can also encrypt the entry for the type of the
card so that the cracker will not know what type of a card that number belongs
to. that will increase the possibility by a factor of 3 or 4 maybe.
> In any event, stronger encryption is probably more useful here.
> For example, you might use the user-supplied phrase as a key for
> DES-encrypting the credit card number. This is less likely to be
> subject to this sort of attack.
I need to check that.
> Yes, a malevolent person on your machine probably has several paths
> of access to the information.
yes, actually i am assuming that cracker knows every bit of my system. paths,
source codes, etc etc.
> Encrypting the numbers in the database, and transmitting only the
> decryption key, rather than the actual number, seems prudent to me.
> Is there some problem I'm overlooking?
another thing is its convenience for the user, in each buying you do not have
to write all the digits of CC# but an easily remembered phrase.
thanks
ersin beyret
------------------------------
Date: Wed, 16 Sep 1998 19:33:27 GMT
From: beyret@my-dejanews.com
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp3q7$nbv$1@nnrp1.dejanews.com>
>
> However, what do you gain by encrypting each CC# with a different key?
> Instead of stealing the CC#, all they have to do is steal the CC#, key
> combo. A task which isn't significantly harder than just stealing the
> CC#. Unless you somehow have a way to store keys in a more secure way
> than CC#.
>
> Abigail
there is no way to steal the key unless the credit card owner supplies it by
himself/herself. because key is not stored in "anywhere" but the memory of the
CC owner.
the key is used only during a final checkout of a shopping. and CC owner
enters his key in a https, a secure server environment (which is supposed to
be secure) then a CGI takes that key, gets the encrypted number from
database, use that key to decrypt it and send immediately to a bank account
via a merchant account agent (again a script). all the process takes let's
say 8-10 seconds. this transaction happens in a SSL secured environment. so
assume cracker free. (at least according to SSL people)
again, i do not (and do not want to) store the keys anywhere in the system.
that is the main point.
ersin beyret
------------------------------
Date: Wed, 16 Sep 1998 19:44:27 GMT
From: Elaine -HappyFunBall- Ashton <eashton@bbnplanet.com>
Subject: Re: how safe is xor encryption ?
Message-Id: <360012B8.2BE81C9D@bbnplanet.com>
Mark-Jason Dominus wrote:
> No, you can't. The encrypted CC# is on my disk behind the firewall.
> You have to get the key, and *then* you have to break into the machine
> where the database is kept. Either one alone is not enough.
So you are saying that if I can get the key, I can't get behind your
firewall? Hrm. I find that a bit tenuous.
> I don't think this is true. I can protect the transmission of the
> key by exchanging it over an encrypted channel. Extracting such a key
> is difficult and time-consuming.
So much faith in SSL?
> I can protect the database the same way I protect any other sensitive
> material resource: With system security protocols, a secure location,
> and a well-designed firewall. Breaking into such a system is also
> difficult and time-consuming.
But not out of the question. Look, I'm merely trying to point out that
there are people who would be able to do it just for the fun factor.
System security in many places is weak or like Fort Knox with a
twist-tie lock on the back gate.
> You seem to be arguing that there is no point in taking any
> precautions at all because all security is just going to be broken
> anyway.
No, take my point. Security has many facets. To merely encrypt the data
behind a firewall doesn't give me that warm and fuzzy feeling.
> But rocket science or not, it can't be easier to steal the key *and*
> break into the database than it is to just steal the key, and your
> saying so doesn't make it true.
No, but if I can get the key (the hard part), breaking into the system
is probably going to be trivial. Of course, I wouldn't know anything
about that :)
> Only time will tell; I believe you are mistaken. The precautions
> we're discussing in this thread are much stronger than the precautions
> taken by conventional merchants. Nobody thinks twice about calling up
> Eddie Bauer and giving their credit card number over the phone (which
> is easy to tap) to a clerk who makes minimum wage doing data entry,
> who might take the number home, and who might save the number in
> plaintext form in a database.
There are risks to our security everywhere. One nice, though somewhat
invasive, tactic CC are doing now is spending pattern correlation. I get
a phone call when I go on my annual jeans and turtleneck spending spree
since I so rarely buy clothes. But in the electronic universe there is
no clerk to check your signature, no camera to take your picture and
sometimes little way to track the transaction back to the point of
origin. And I'm not mistaken about some of the e-commerce solutions that
I have seen lately that have no regard for security. All written in some
really wicked ugly Perl I might add.
> But to you, an electronic security system is not secure enough even
> when it requires that the thief break into a secure computer to steal
> the database *and* tap the customer's transaction data from an
> encrypted network connection.
Everything is possible and with a will there is a way. Never say
anything is impossible as it will more than likely prove you wrong.
> Oh well, so much for online commerce.
e-commerce is great. I buy books and my groceries on-line. I even have
my take-out chinese waiting for me when I go home. I need to get them to
buy better fortunes for their cookies though.
e.
"All of us, all of us, all of us trying to save our immortal souls, some
ways seemingly more round-about and mysterious than others. We're having
a good time here. But hope all will be revealed soon." R. Carver
------------------------------
Date: Wed, 16 Sep 1998 19:42:21 GMT
From: beyret@my-dejanews.com
Subject: Re: how safe is xor encryption ?
Message-Id: <6tp4at$o5u$1@nnrp1.dejanews.com>
> Why are you home-brewing your own encryption when there is so much
> good code available? It's HARD to get this stuff right--a lot of very
> smart people have gotten it wrong in the past. Use proven
> techniques.
any advice ? for commercial usage? I checked out PGP 5.0 for unix but its
licencing is rather expensive for us. (at least for a few months)
and i wanted to understand the issues embedded with encryption, to get some
feeling of it.
> }10*10*10....10 (16 10's multiplied)
> }that number looks pretty safe??
>
> It appears to me that your method is vulnerable (at least) to a
> dictionary attack.
yes, this is the part i could not yet find a solution.
ersin beyret
------------------------------
Date: Wed, 16 Sep 1998 21:14:52 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: line breaks in Perl for win32
Message-Id: <36008CBC.4D43@comenius.ms.mff.cuni.cz>
davesnader@my-dejanews.com wrote:
>
> It seems that whenever I print a line feed character in perl for win32 it
> automatically puts a carriage return in front of it no matter how I do it.
> For example: print OUTFILE sprintf ("%c", 10); print OUTFILE "\x0A"; print
> OUTFILE pack("h1", A); all print '0D0A' to OUTFILE. Does anyone know of a
> way I can just print the line break character in a way that will work with
> UNIX and NT? I'm trying to write some portable code to create a specific
> type of file.
>
> Thanks,
> Dave
>
binmode OUTFILE;
see perlfunc.html somewhere on your disk.
Or maybe "perldoc -f binmode", if you have GS perl or ActivePerl.
HTH, Jenda
------------------------------
Date: Wed, 16 Sep 1998 19:28:14 GMT
From: miho21@yahoo.com
Subject: Re: milliseconds?
Message-Id: <6tp3ge$mvf$1@nnrp1.dejanews.com>
OUCH! no need to bite, tom :) If you look, you'll see a question mark at the
end of every sentence in the post since i do not claim to really know perl
that much. how bout an explanation instead?
mihoko.
In article <6tlu80$r9$3@csnews.cs.colorado.edu>,
tchrist@mox.perl.com (Tom Christiansen) wrote:
> [courtesy cc of this posting sent to cited author via email]
>
> In comp.lang.perl.misc, miho21@yahoo.com writes:
> :Huh? can anyone explain that please? what does qw has to do with anything???
> :qw is a built in function? how come i never heard of it?
>
> Because you haven't checked the manpages or read much Perl code?
>
> --tom
> --
> Pointers are sharp tools, and like any such tool, used well they can
> be delightfully productive, but used badly they can do great damage
> (I sunk a wood chisel into my thumb a few days before writing this).
> --Rob Pike
>
------------------------------
Date: Mon, 14 Sep 1998 18:34:35 GMT
From: hash@email.infotrade.co.uk (Alex Barilo)
Subject: Re: Perl Test or Questionare?
Message-Id: <35fd5dfa.1018238@news.force9.net>
> that was floating around. I was wondering if someone had a list of Perl
> questions that I could give to them before I even went as far as do a
If you fail to find such a list you can easily create it using Perl's
FAQ. Among others it can prove that this guy is used to read the FAQ
at least ;)
Cheers,
Alex
---------
All you need is Perl
------------------------------
Date: Wed, 16 Sep 1998 21:44:16 -0700
From: Jan Krynicky <JKRY3025@comenius.ms.mff.cuni.cz>
Subject: Re: Sending E-mail from Prel CGI in on NT4
Message-Id: <360093A0.6B57@comenius.ms.mff.cuni.cz>
yair schaffer wrote:
>
> Hi,
>
> Does anyone know how to
>
> send mail from Perl CGI on NT4 ?
>
> tanx,
>
> yair.
Contrary to what Chris and Dough seem to think, you may send e-mails
from Perl without use of any external program.
See CPAN for Net::SMTP or
http://Jenda.Krynicky.cz for Mail::Sender
With the latter you may easily attach files to your mails :-)
Jenda
------------------------------
Date: Wed, 16 Sep 1998 19:16:35 GMT
From: nvp@shore.net (Nathan V. Patwardhan)
Subject: Re: to greg bacon
Message-Id: <n8UL1.33$_c5.312201@news.shore.net>
MercuryZ (sf@sf.com) wrote:
: I appreciate your response greg, but I am more curious at this point
: to make Perl automatically press "D" for me...I do know Perl quite well,
???
Do you mean `lynx -dump <whatever_url>`
or
`lynx -source <whatever_url>`
--
Nate Patwardhan|root@localhost
"Fortunately, I prefer to believe that we're all really just trapped in a
P.K. Dick book laced with Lovecraft, and this awful Terror Out of Cambridge
shall by the light of day evaporate, leaving nothing but good intentions in
its stead." Tom Christiansen in <6k02ha$hq6$3@csnews.cs.colorado.edu>
------------------------------
Date: Wed, 16 Sep 1998 19:19:34 GMT
From: Elaine -HappyFunBall- Ashton <eashton@bbnplanet.com>
Subject: Re: Who posts original posts on CLPM?
Message-Id: <36000CE3.69A4D125@bbnplanet.com>
Paul J. Adams wrote:
> I'm not entirely sure of what you're objecting to. Let me try to simplify
> the issue. For the moment, let's assume that we've determined that Windows
> users are more likely to post root messages than *nix users. (Asher's
> statistics indicate that when comparing Windows to *nix users, disregarding
> other operating systems, 68% of the root messages come from Windows users,
> and 32% come from *nix users).
STATISTICS?!?! You may be reading but you aren't comprehending.
> You seem to want to "deconstruct" this statistic and undermine its
> validity. Okay, that's fine. Perhaps you believe that there may be
> underlying factors which might account for this discrepancy. Here's the
> one clear objection you have raised:
Deconstruct that which has no foundation? Raw data that draws
dangerously inaccurate conclusions. Nothing more.
> You should be able to see that this does not diminish the relevance of
> Asher's statistic unless you've changed your posting behavior in the
> process of changing software.
Again, you glorify raw data as 'statistics'. If he was, indeed, trying
to show that, where is the correlation?
> Again, lets keep it simple and consider only the Windows vs. *nix
> discrepancy regardless of the news reader used on a particular platform.
> If a significant number of users jump back and forth from one platform to
> another, without significantly modifying their posting behavior, then this
> will be a normalizing influence on the statistics. The more people switch
> platforms, the more the users of the two platforms will come to resemble
> one another. If the platform used by each poster was randomized every time
> they posted, then the statistics would gravitate to a 50%/50% split of root
> messages distributed by platform. Therefore, your objection seems to
> indicate that Asher's statistic may be somewhat understated, rather than
> overstated. In other words, the fact that he has "assumed out" the random
> migration from one platform to another can not result in an inflated
> discrepancy.
*sigh* I use whatever computer is available to me at any given time,
regardless of OS. I also have a pseudonym that posts regularly on a
single platform. Now, if the 'statistics' were taking that into
consideration I would imagine it would be somewhere in the standard
error. Oh, wait, there wasn't one was there?
I'm just having fun here so don't take this too seriously. But I do
cringe when raw data is called 'statistics'.
> The only exception I can imagine would be if there was a sudden massive
> migration of a particular "type" of poster from one platform to another.
> Do you have any evidence that such a migration has taken place? If so, it
> would be interesting to analyze the causes of such a migration. Such a
> phenomenon would certainly suggest, if not prove, that the different
> platforms attract different types of users.
Well, that would, indeed, be an interesting phenomenon to track, but
this is far from being able to do that.
> The fact that despite random migration there remains a greater than 2 to 1
> discrepancy in the root message posting behavior between Windows and *nix
> users seems to indicate that this is a statistic worthy of attention. You
> may object that the several hundred messages analyzed don't constitute a
> large enough sample. If so, then you should feel free to present contrary
> evidence or at least suggest what size sample ought to be used.
There you go again calling raw data 'statistics'.
I am neither a statistician nor a demographer, so I will refrain from
suggesting how one might go about the study of this. It is entirely
possible someone has already done this with the help of both.
> Well, these objections don't seem to merit quite so deep an analysis, so
> I'll simply let them stand for now.
Nope. That was the Scotsman who took me prisoner and made me write that.
He didn't make me write 'Krap' with a K though. :)
e.
"All of us, all of us, all of us trying to save our immortal souls, some
ways seemingly more round-about and mysterious than others. We're having
a good time here. But hope all will be revealed soon." R. Carver
------------------------------
Date: 16 Sep 1998 18:58:10 GMT
From: abigail@fnx.com (Abigail)
Subject: Re: Y2K date in Perl
Message-Id: <6tp1o2$hkt$5@client3.news.psi.net>
Milan Spingl (mspring@nortel.com) wrote on MDCCCXLII September MCMXCIII
in <URL: news:01bde191$14cf9d60$a86b412f@PBPDB857.ca.nortel.com>:
++ Hi there.
++ What is the best way to get the system date? my $sdate=`date`; does not
++ always work and localtime(time) does not include century. Prefixing the
++ year with '19' is not an option as a Y2K compliancy is an issue. BTW, we
++ run Perl 5.002 on a HP-UX 9.05 on a HP9000/735 box.
Just get a new job. Programming means the ability to read manuals.
You don't seem to have that ability.
Abigail
--
sub _'_{$_'_=~s/$a/$_/}map{$$_=$Z++}Y,a..z,A..X;*{($_::_=sprintf+q=%X==>"$A$Y".
"$b$r$T$u")=~s~0~O~g;map+_::_,U=>T=>L=>$Z;$_::_}=*_;sub _{print+/.*::(.*)/s}
*_'_=*{chr($b*$e)};*__=*{chr(1<<$e)};
_::_(r(e(k(c(a(H(__(l(r(e(P(__(r(e(h(t(o(n(a(__(t(us(J())))))))))))))))))))))))
------------------------------
Date: 12 Jul 98 21:33:47 GMT (Last modified)
From: Perl-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Special: Digest Administrivia (Last modified: 12 Mar 98)
Message-Id: <null>
Administrivia:
Special notice: in a few days, the new group comp.lang.perl.moderated
should be formed. I would rather not support two different groups, and I
know of no other plans to create a digested moderated group. This leaves
me with two options: 1) keep on with this group 2) change to the
moderated one.
If you have opinions on this, send them to
perl-users-request@ruby.oce.orst.edu.
The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc. For subscription or unsubscription requests, send
the single line:
subscribe perl-users
or:
unsubscribe perl-users
to almanac@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.misc (and this Digest), send your
article to perl-users@ruby.oce.orst.edu.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.
The Meta-FAQ, an article containing information about the FAQ, is
available by requesting "send perl-users meta-faq". The real FAQ, as it
appeared last in the newsgroup, can be retrieved with the request "send
perl-users FAQ". Due to their sizes, neither the Meta-FAQ nor the FAQ
are included in the digest.
The "mini-FAQ", which is an updated version of the Meta-FAQ, is
available by requesting "send perl-users mini-faq". It appears twice
weekly in the group, but is not distributed in the digest.
For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V8 Issue 3730
**************************************