RE: Duplicate matching
Hi Greg,

Instead of using the filename to determine duplicate audio files have you considered using an audio fingerprint?

I have used this software in the past to automatically tag my music.
https://picard.musicbrainz.org/

“Picard uses AcoustID audio fingerprints, allowing files to be identified by the actual music, even if they have no metadata”

Apparently it uses http://acoustid.org/ which is an open source library.

Regards
Adrian Halid

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh
Sent: Saturday, 29 November 2014 6:46 AM
To: ozDotNet
Subject: Duplicate matching

Folks, I was about to write some utility code to search through my 20,000 audio files looking for probable duplicates. I say probable because I found file names like these:

Lovelock - Trumpet Concerto (SSO Concert).mp3
Trumpet Concerto (William Lovelock).mp3

There are many other duplicates with rearranged, abbreviated or misspelt words in the names. I was about to click New Project and start typing but I suddenly realised I had no idea what algorithm to use to find probable duplicates and rate them.

Has anyone done this sort of thing before or know where to find a description of a suitable algorithm?

Greg K
Re: Duplicate matching
> Instead of using the filename to determine duplicate audio files have you considered using an audio fingerprint? ... Apparently it uses http://acoustid.org/ which is an open source library.

This is an interesting lateral-thinking idea. That's an ambitious and scientifically interesting project. I can't submit 90GB of music to their web service, but if the algorithm can be run locally to generate the fingerprints then it would be efficient to look up their database

-- *Greg K*
RE: Duplicate matching
I am pretty sure the fingerprints are calculated on your local machine. It would only be the fingerprint that you send to the web service. This is how the Picard application works.

Regards
Adrian Halid

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Greg Keogh
Sent: Monday, 1 December 2014 8:35 AM
To: ozDotNet
Subject: Re: Duplicate matching

> Instead of using the filename to determine duplicate audio files have you considered using an audio fingerprint? ... Apparently it uses http://acoustid.org/ which is an open source library.

This is an interesting lateral-thinking idea. That's an ambitious and scientifically interesting project. I can't submit 90GB of music to their web service, but if the algorithm can be run locally to generate the fingerprints then it would be efficient to look up their database

-- Greg K
Re: X509 certificate and trust
Greg

What it sounds like you are being asked to do is certificate based authentication. This is something that cannot be forged, unlike a 'magic number'. The server can verify the validity of the cert and identify the client. You might have individual certs to identify a user or device.

I've done this before for a web app on WinMo 6 where the user's own Active Directory cert is loaded on the device and IIS requires the cert as part of the type of authN. It avoids the user having to type in creds on a PDA but the server knows who the user is.

The pfx file will contain the certificate (plus, if necessary, root CA cert and any intermediate certs needed to be loaded on the client to complete the chain to be trusted).

I don't think Silverlight supports such authentication.

HTH

On 25 Nov 2014 21:21, Greg Keogh g...@mira.net wrote:

Howdy, I've been thinking about this overnight and have had no Eureka! moment. I do have the factory ID of the phone, but I think registering the IDs on the server would be a bother (in any case, a fake client could send any ID it wanted to fool the server).

The client and server both have the same confidential company certificate, but I don't know how I can leverage this. The client could send the server some secret data out of the cert, but it's just a number, any magic/secret number could be shared, which is childish.

So I remain puzzled about how an arbitrary phone can prove to the service that it's calling via trusted client software without human entry of a PIN or password.

The phone does have a config screen, so perhaps the human operator could be instructed to put in a 4 digit hash of the phone ID, which can only be computed and verified on the server. This would require a one-time setup process, but it might be acceptable in the form of a registration screen on the phone.

*Greg K*

On 25 November 2014 at 23:55, Stephen Price step...@perthprojects.com wrote:

And then I read your email a second time and notice you said Silverlight PHONE app. Perhaps you could use something similar... but as it's not hosted on a web server, but instead it's on the phone that might not work.

Perhaps a call to a server with a login where a key is given out for that session? Or something that is harder to fake, like a phone ID (can you set up a list of authorised devices on server or is it a public facing app where anyone could be connecting?)

On Tue, Nov 25, 2014 at 8:06 PM, Greg Keogh g...@mira.net wrote:

Folks, I have a Silverlight Phone app that talks to a WCF service. The spec says that phones must *prove* to the service that they are legitimate and trusted. I figure therefore that I will stuff something in the message headers of each call that can't be forged to prove a phone has legitimate client software ... but what? The spec is vague and does not specify any kind of login method or handshake to establish trust.

To confuse matters, I've been given a pair of X509 certificates (as cer and pfx files) without any hint about what to do with them. So I've been reading about X509's for hours, but I can't figure out if they're of any help in this situation or not. All the sample code I've found using certificates is for the full CLR and not for the Silverlight CLR where many classes are smaller or missing. I can't figure out how to use X509s for solving my problem (if they are of any use).

Any suggestions from crypto protocol boffins out there?

*Greg K*
Re: [OT] Windows SCHANNEL Protocol registry keys
Noonie

IISCrypto is your friend. But you should really understand a little about protocols and cipher suites and the ordering thereof.

Test your public site with Qualys ssllabs. You're aiming for an A.
https://www.ssllabs.com/ssltest/

Using SHA1 certs will lower the score but that's not too much of a worry. You should be able to re-key and get SHA-2 (SHA256) replacement if it concerns you. Any recently issued cert expiring on or after 1/1/2017 will be SHA2 anyway.

References:
https://support.microsoft.com/kb/245030
https://technet.microsoft.com/en-us/library/cc766285.aspx
https://technet.microsoft.com/en-us/library/security/2880823.aspx

HTH

On 19 Nov 2014 01:48, noonie neale.n...@gmail.com wrote:

Greetings,

The recent Poodle issues and Microsoft's broken patch (MS14-006) have now made it necessary for me to actually understand secure connections to our web applications because it appears that when the user can't connect to a web server it is my web application that is broken :-^

For the life of me I can't find a single definitive source as to what the registry keys actually mean. There's plenty of do it this way instructions but I don't believe in magic so I want to understand what the effects of changing the keys are likely to be. There are tantalising fragments, of the information I want, at various web sites but I haven't found a good description anywhere yet.

Does anybody know of a resource I can access that explains why certain keys would be needed and what the effects of the different settings are likely to be?

The keys I'm interested in live at:-

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

And I've read a number of articles from various sites:-

https://www.nartac.com/blog/post/2013/04/19/IIS-Crypto-Explained.aspx
http://support2.microsoft.com/kb/2588513
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html
http://serverfault.com/questions/637195/is-there-any-reason-why-tls-1-1-and-1-2-are-disabled-on-windows-server-2008-r2
http://books.google.com.au/books?id=fQOLBAAAQBAJpg=PA448lpg=PA448dq=schannel+registry+keys+explainedsource=blots=sFcqPREgO9sig=SUGeh2vCMkCdLOCqGlitcEt2wTwhl=ensa=Xei=IOJrVK2gPISxmwWkloHICQved=0CD0Q6AEwBTgU#v=onepageq=schannel%20registry%20keys%20explainedf=false
http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030

If there is no reasonable reference documentation could someone please answer the following questions:-

What is the real effect of DisabledByDefault on both Server and Client sub-keys?

Are there any nonsense combinations of keys or key values for DisabledByDefault and Enabled?

When would I need to set both Server and Client Keys?

Is it good practice to explicitly set all these keys or is it OK to rely on system defaults for keys that are absent? (I know half the answer to this one because although Windows Server 2008R2 supports TLS 1.1 and 1.2 it will only use them if they are explicitly enabled in this registry hive!)

-- Regards, noonie
Re: X509 certificate and trust
> I don't think Silverlight supports such authentication.

Yeah, it looks that way. Most of the important certificate classes and methods are stripped out of the mini CLR. I eventually decided that the phone must perform a one-off registration, but I'm still not sure how the phone can identify itself to the service in an unforgeable way. Perhaps a signed time-stamped token from the server which can only be used for a single session (but the details are still hazy)

-- *Greg*
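
The signed, time-stamped token floated in the message above could work as follows. This is an added example, not code from the thread: the server HMAC-signs a device ID, an expiry time and a random nonce, and later rejects tokens that are forged, expired, presented by another device, or redeemed a second time. SERVER_KEY, issue_token, verify_token, the token layout and the redeem-once rule for opening a session are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical names throughout; the key lives only on the server.
SERVER_KEY = secrets.token_bytes(32)
_used_nonces = set()          # nonces of tokens already redeemed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(device_id, ttl=300, now=None):
    """Server side, at registration: sign device id, expiry and a nonce."""
    now = time.time() if now is None else now
    claims = {"dev": device_id, "exp": int(now) + ttl,
              "nonce": secrets.token_hex(16)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def verify_token(token, device_id, now=None):
    """Server side, when a session is opened. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    # Check the signature before parsing anything the client controls,
    # and compare in constant time.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["dev"] != device_id:
        return False, "wrong device"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["nonce"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(claims["nonce"])   # one token opens one session
    return True, "ok"

if __name__ == "__main__":
    tok = issue_token("phone-001")            # constructed sample device id
    print(verify_token(tok, "phone-001"))     # first use
    print(verify_token(tok, "phone-001"))     # second use of the same token
```

The token shows only that the server issued it for that device ID and that it is still fresh; how the phone earns a token at registration remains the open question in the thread.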