Posts Tagged ‘Etherpad’

Realtime collaborative writing

Saturday, February 20th, 2010

During the sixth term at ITU, me, Pontus and David wrote our thesis collaboratively, using Gobby. This was in 2008, so things are likely to have changed since, and I’m not saying Gobby didn’t do the job, it did. But it felt “unpolished”, and it was no fun making it work through firewalls etc. Gobby also required one of the clients to also act as a server. If that client went down, the other participants would need to re-establish communication for themselves.

As I said, it’s been two years since I looked at it, and we used it successfully, so it does the job. Then Etherpad came along. This, more than anything, showed me the value of the swarm, and how many people collaborating with lightning speed can put together or translate a document, a statement, whatever.

Etherpad was however different. Anonymous, public, all-access and perhaps most importantly, web-based. Google acquired Etherpad, and it will soon be shut down. Google did release the source code, so one can set up a “pad” of their own, a feat  I’ve tried and failed at. I’ll continue trying, because Etherpad really is that great.

In the meantime, however, I’ve also researched other implementations. Abiword has gotten collaborative functionality, and implementations exist for both GNU/Linux and Windows (sadly the ports to OSX seem to lag behind :(). Initially this collaboration was managed through user defined Jabber accounts (and I suspect this is still the case) but have now been replaced (or supplemented by?), a free service which sets you up with an account that can be used from inside Abiword.

All three methods have slight variations in implementation and areas of use, Gobby for instance is probably the better (although at least back then rather difficult to install/manage) choice if content security/control is key. Both Etherpad and stores your information off-site.

Etherpad on the other hand is dead simple to use, with literally NO barriers between new users and collaboration, and, for better or worse, anonymous and public, although I have a feeling this is a matter of configuration.

Abiword is not as difficult to work with as Gobby, sacrificing content control to gain user-friendliness.

The user interface leaves me wishing for a couple of things, but once I’d made a couple of tweaks to my profile and gotten the hang of how to navigate the site most, if not all, of the problems vanished.

If you want to try out (something I do recommend, it is fraking cool) keep in mind the following:

During signup it will ask you if you wish to be hidden from the user directory, or public. If you say hidden, no one will be able to add you. The only functionality (at least what I could find) on the site for adding friends is by searching for them, and if you’re hidden, you can’t be found.

Pontus, whom I tested this with tonight, also selected hidden… Yeah, we couldn’t find each other. It would be nice if there was a way to just enter an email of a friend you knew was on there, and send a friend request to him/her, but no such luck.

The link to the profile page (where you can change your visibility) was cleverly disguised in the top right corner as black non-underlined text, in such big letters that my eyes never even registered it as a potential clickable area.

Once a person has requested to friend you, you should log in and look to the right sidebar, there will be links to accept or decline the request. I missed that the first time around as well.

Once that was done however, the rest was easy as pie.

WordPress security revisited

Wednesday, December 23rd, 2009

Yesterday I decided to attempt setting up a local Etherpad of my own, for use within the network/family. That meant upgrading my local server from Ubuntu Hardy to Karmic (well, I could’ve added the Karmic repositories to my installation, but a re-install was due anyway so…). I got Etherpad up and running locally (i.e. as long as I connect to it through elinks and but that doesn’t really help me as I want it available throughout the entire network. I will have to tinker more with that later.

There were, however, other services to get back online as well, such as WordPress. And it just so happens that while I was installing and tinkering with it, I happened to notice that there have appeared some rather cool (security-wise) plugins:


The antivirus plugin simply scans your current theme for malicious code, such as base64 encoded payloads, which apparently has been added to freely downloadable themes from various sites around the net.

I use the default theme, so I don’t really worry about the source for this theme ;) but that just assures me that the theme is clean from the beginning. A security weakness could change that in a matter of seconds.

Invalidate logged out cookies

I don’t imagine I will get much use of this plugin as I normally only log on through my own computer, but should I find myself sitting in an internet café logging on, it is comforting to know that I won’t have to remember to physically destroy the auth-cookie which WordPress sets up on login.

Limit login attempts

This is a so called “speed bump”. This won’t create perfect security (there isn’t such a thing anyway) but it will slow an attacker down substantially, to the point where s/he gives up and goes after some other poor sap with more pathetic defenses.

It is a rather simple concept really: If the blog receives more than A erroneous login attempts in a row, ignore any further attempts from that IP for B minutes. If there are more than C * A attempts in a row, ignore any further attempts from that IP for D minutes/hours/days (where A, B, C and D are all fully configurable integers)

One time passwords

I will have to ask my webhost if they plan on upgrading to PHP5 any time soon, because this plugin requires it. What it does is to create a number of disposable (one time) passwords, which can be used instead of your regular password (which would be awesome to use for instance at an internet café, no risk that keyloggers or other eavesdroppers get hold of anything valuable).

Safer cookies

The original WordPress auth cookie implementation just checks that there is an authentication token in the cookie which correspond to an identical token in the database. Which opens up for man-in-the-middle attacks. Safer cookies adds your IP adress to the mix (well hash, I suppose) and thus makes it a bit harder for a session hijacking to take place.

Secure WordPress

I have to admit, this is my favorite of them all. It disables any information leakage at the login form (such as “sorry the password is incorrect”) An attacker, upon seeing that message immediately thinks “ah, so the username was correct”.

Furthermore, it removes the WordPress version from the html-source, which makes it harder for automated tools to know what attacks to apply.

(These are incidently the exact things I have been doing manually after every update, and hated every second of it since I don’t find mucking about in WordPress’ internals all that thrilling)

WordPress firewall

This one blocks a whole lot of badness which otherwise could be inserted through what the plugin calls “application parameters”. Examples of which are disallowing directory traversing (../../etc/passwd) and SQL queries.

The only thing left for me to do now is to continue to hack away at the Etherpad installation and wish you all a Merry Christmas :)

Update: Although good in theory, I all of the sudden started experiencing problems with the Invalidate logged out cookies plugin. The sort of problems which meant that I was being redirected to the login-page after a successful login… And since the plugin logs me out upon activation, I can only assume that there is some interference between that plugin and some other plugin. It is entirely possible that there is some configuration which could be done to get it all working, but since I get logged out on activation I can’t check that, and it isn’t all that important to me, I just chose to disable it instead. #HolidayLazinessFTW