## 30. June 2012

### CrazyStat counting lots of hits / visits

Filed under: CrazyStat,PHP — Tags: , , , , , — Christopher Kramer @ 16:52

Lately, I got a screenshot of CrazyStat counting quite a lot of visitors and hits. With this post, I’d like to share it with you. It’s quite impressive to see that CrazyStat is able to cope with that many hits easily.

With 4 000 hits per day on average within the last month and about 17 000 visitors on 26th of June, I consider this website quite successful!

So how is your site doing? I’d love to see other screenshots of CrazyStat counting lots of hits.

Screenshot of CrazyStat counting lots of visitors

## Recommendation

Try my Open Source PHP visitor analytics script CrazyStat.

## 12. June 2012

### LaTeX: multiline comments

Filed under: Uncategorized — Tags: , , , — Christopher Kramer @ 23:26

You often want to out-comment some stuff while writing a LaTeX document very quickly, and LaTeX does only offer single-line comments out of the box:

% This is a comment
% This is the next line

Of course this can get a lot of work if you do this manually for a lot of lines. There might be editors that ease this, but I just found a very easy way to achieve multiline-comments using the verbatim package:

\usepackage{verbatim}

You can now just have multiline comments like this:

\begin{comment}
This is a comment
This is the next line
\end{comment}

Very easy. I knew there had to be a package for that. I was just too lazy to search for it up to now.

## 9. June 2012

### Typo3 and other charsets than UTF-8 (latin1 / ISO-8859-1, …)

Filed under: PHP,Server Administration,Typo3 — Tags: , , , , , , , — Christopher Kramer @ 12:30

When updating a Typo3 installation to Typo3 4.5.x, I had problems with charsets and explained the solution here.

Now updating an installation of Typo3 to 4.6.x, I ran into another charset problem: The backend now was completely UTF-8 and therefore, changing texts in the backend caused them to be stored as UTF-8. As the frontend was still ISO-8859-1, special characters (Umlaute) over there got messed up. Maybe there is a way out of this as well ($TYPO3_CONF_VARS['BE']['forceCharset'] I guess), but this clearly shows that Typo3-developers drop support for other charsets slowly and that it might be easier to switch to UTF-8. In the release notes of Typo3 4.5, I found the following passage: UTF8 by default: New installations will use UTF8 automatically. Keep in mind that we will be deprecating all other charsets in the release of 4.5, but still support those charsets. 4.7 or maybe even 4.6 will be the first “UTF-8 only” release. When upgrading from older releases to 4.5, you will have to specifically set $TYPO3_CONF_VARS['BE']['forceCharset'] and $TYPO3_CONF_VARS['BE']['setDBinit'] in your localconf.php. An Upgrade Wizard will help you with that. In the release notes of Typo3 4.6, I could not find a word about UTF-8, but in the release notes of 4.7, it is clearly stated: check you database if it is utf-8 encoded – TYPO3 4.7 only will work with utf-8. […] The forceCharset option has been deprecated in version 4.5. UTF-8 is now enforced. Even though other values than “utf-8” have not been possible anymore for some time, the option’s value has been queried at plenty of places within the whole core. These references, the option in the Install Tool, as well as many defaults with charset “iso-8859-1” in several classes have been changed, so TYPO3 now works UTF-8-only internally. So it is clearly time to make the switch. It is not that complicated – everything is described very well over here. As the official wiki is very long and explains lots of stuff you might just not care, here are the basic steps: • Backup Database and Files • Set the charset in your webserver (e.g. “AddDefaultCharset utf-8” in a .htaccess) • Adjust some settings in localconf.php: // For backend charset$TYPO3_CONF_VARS['BE']['forceCharset'] = 'utf-8';
$TYPO3_CONF_VARS['SYS']['setDBinit'] = 'SET NAMES utf8;'; // For GIFBUILDER support // Set it to 'iconv' or 'mbstring'$TYPO3_CONF_VARS['SYS']['t3lib_cs_convMethod'] = 'mbstring';
// For 'iconv' support you need at least PHP 5.
\$TYPO3_CONF_VARS['SYS']['t3lib_cs_utils'] = 'mbstring';
• Adjust your typoScript (change language to your needs):
config.locale_all = de_DE.utf-8
• Convert your templatefiles to UTF-8 (and remap them if you use TemplaVoila) – usually in fileadmin/templates
• Convert your DB to UTF-8
1. Backup it first if you have not yet (believe me!)
2. Paste this tool into fileadmin
3. Run it by opening it in the browser (http://example.com/fileadmin/db_utf8_fix.php)
4. If everything says “OK”, change the constant “SIMULATE” to false
5. Run it again
6. Clean cache of Typo3
7. Check your site (esp. special characters). If the content is messed up or parts are missing, do the following:
1. Restore the backup of the database (yes, I told you!)
2. Uncomment lines 108 – 123 in db_utf8_fix.php
3. Run it in browser againClean cache in Typo3
8. Clean all cache in Typo3 Backend

You can find more detailed information here. There are also lots of other ways described how to convert the database.

Happy converting!

Update 2014-05-05: Changed link to db_utf8_fix-script as the original site is reported to be attacked and does not host the script anymore. I cannot check if the script at snipplr is exactly the same, but it looks so.

## 6. June 2012

### The most complete Rainbow Table Lookup Site: Google!

Filed under: Security — Tags: , , , , , — Christopher Kramer @ 16:16

About three years ago, I wanted to login into an installation of CrazyStat which I had installed back in 2004 in CrazyStat’s early days. Problem was, I had forgotten the password. Of course I could simply change it, but I was curious what the password was and if I would be able to find out. The old version of CrazyStat installed on that server saved the password as an MD5 hash, but without any salt (new versions save salted passwords). So the challenge was to decrypt an MD5 hash which had not been salted before hashing.

I looked the hash up in several rainbow tables I found on the web, but did not find any match. Of course, I had not used a simple password, so rainbow tables including dictionaries and brute-force up to several characters were useless.

So I thought, well, let’s brute-force it myself. So I wrote a simple brute-force algorithm and let it run on the Hash. I included characters, German special characters (öäüßÖÄÜ), numbers and several other special characters I though I might have used in the password. So this resulted in a huge character set (>80 characters) and a very slow brute-force. I ran it on my home server for several days, but did not succeed. I think I was brute-forcing passwords of 9 characters when I stopped.

I just gave up at that time, because it was not that important and just an experiment.

Lately, I read that Google is a very good password cracker. Thinking about this, it is obvious: Google indexes the whole web, and there are several MD5 rainbow tables on there, which Google indexes as well. So just google for a hash, and if it is in one of the rainbow tables indexed by Google, you will find it. Also some pages use MD5 for page-IDs which will be indexed by google as well. So I enter the hash I had tried to decrypt three years ago, and it just gave me the password I had searched for straight away! Far more efficient than brute-force or downloading rainbow tables 😉 By the way, the password I searched for had more than 9 characters and is not included in any normal dictionary, although maybe in some password list (but not frequently).

I tried several other hashes to see how good Google is. Of course all easy ones are included. But some other more challenging ones were included as well. For example, it knows the hash of “crazystat” (“CrazyStat” is not in there so far). It knows the hash of my hometown (I will just give you the hash here, find out yourself: 97b559a3d65b95dcda14d70e49ef87fc).

So compared to most rainbow table lookups I have seen so far, Google performs very well. Of course not everything is in there, and with a good salt string, it should be useless.

One test I tried were some random characters, but not so many. I was surprised that Google does not know it. I then used a decrypt/encrypt site that stores every hash it calculates when you encrypt something in a rainbow table. Afterwards, this site was able to decrypt it of course. Now I am waiting how long it takes for Google to index that hash as well.

Now let’s see whether you are faster: Here is the hash:

f533abf87579c6ccc8de45c4d81e9e39

A simple brute-force or a good rainbow table should do to decrypt that. Please leave a  comment if you decrypted it. There is at least one md5-decrypt site now that knows this hash, so you might also be able to find this one.

Have fun!

And of course, never be the bad guy who uses stuff like this meaning ill 😉

Update 2012-09-22: It seems so many people google the hash I posted here that Google suggests it automatically when searching for f533:

But MD5this did not crack it yet and it seems Google is not able to index the md5lookup site I fed with the hash. Well, probably the hash is a bit more difficult to crack than I thought. But somebody must be able to decrypt that. Come on!