Yearly Archives: 2012

Vegetarian Chili

December 15, 2012 » Life

This Thursday was the first Mastercraft Chili Cook Off put together by the crew at Big Ink. I made a chili on behalf of the What Cheer team, and Becca made corn bread. We didn’t win (Big Ink’s delicious chili did) but we were the best vegetarian chili! Also the only one.

I based my recipe off of the Ultimate Vegan Chili from Vegetarian Times, but made a few tweaks. Here is my rendition.

My Chili

Ingredients

Spice Mix

  • 2 tsp. smoked paprika
  • 2 tsp. dried oregano
  • 1 ½ tsp. chili powder
  • ¾ tsp. celery salt
  • 1 tsp. cayenne pepper
  • 2 tsp. ancho pepper powder
  • 2 chile de árbol, seeded and minced

Chili

  • 1 large onion, chopped
  • ~2 Tbs. olive oil
  • 3 cloves garlic, minced
  • 1 chipotle chile in adobo sauce, drained and minced
  • 8 oz. baby bella mushrooms, finely chopped
  • 2 12-oz. pkgs. soy ground, chopped
  • 3 Tbs. tomato paste
  • 1 15-oz. can black beans, partially drained
  • 1 15-oz. can light red kidney beans, partially drained
  • 1 15-oz. can dark red kidney beans, partially drained
  • 1 15-oz. can pinto beans, partially drained
  • 2 large carrots, chopped
  • 2 Tbs. soy sauce
  • 1 Tbs. Worcestershire sauce

Directions

Heat the olive oil in a large pot over medium-high heat, add onion, and sauté 7 to 10 minutes, or until beginning to brown.

Add garlic, chipotle chile, and mushrooms, cook 5 minutes until softened.

Add soy ground, tomato paste, spice mix and 1 cup water; cook 5 minutes, stirring occasionally.

Add beans, carrots, soy sauce, and Worcestershire sauce.

Cover, and reduce heat to medium-low.

Simmer 1 hour, or until carrots are tender.

Serve with crumbled Queso Blanco on top.

What I will do differently next time.

My chili was too thick, so next time I will greatly reduce the amount I drain from my beans, and I may add stock at the end if it still looks too thick.

I’d like to increase the amount of ancho chili, I love that smoky flavor. I’d also like to try adding in a bit of dark chocolate and cinnamon, something that the Big Ink team did to great success.

I really enjoyed the toothiness of the carrots, so next time I might add in a stalk or two of celery as well. The Burns & McDonnell chili had celery in it, and I liked that.

Lastly, this chili needed more heat. I like the back end burn of cayenne, so I think I’ll add more of that. Another chile de árbol couldn’t hurt either.


Black Bean Chorizo Soup

November 4, 2012 » Life

For a soup party at the Gates’ house I made a black bean chorizo soup. I wanted to make this because of a soup I had at The Drover, and I loved it.

My Soup!

I didn’t find an exact recipe to use, but I found one I thought would be a good starting point and went from there.

Here is the version I made, and at the end I’ll add some comments about what I will be trying next time.

  • 2 tablespoons olive oil
  • 2 (4-ounce) fresh, raw Mexican Chorizo
  • 1 medium yellow onion, finely chopped
  • 3 cloves garlic, finely chopped
  • 1 dried Chile de árbol, seeded
  • 1 dried Poblano chile (chile ancho), seeded
  • 3 (15-ounce) cans black beans
  • 1 canned chipotle chile, diced
  • 1 quart chicken broth
  • 1/2 tablespoon ground cumin
  • Grated sharp cheddar cheese, for serving
  • Sliced green onions, for serving

Make a few small cuts in the chorizo with a knife. Place in your soup pot over high heat in 1/2 an inch of water.

Bring to a boil, then cover with a lid and lower heat to medium-low. When sausages are firm (about 10 minutes) uncover and raise the heat to medium.

While they are boiling, place the chile de árbol and chile ancho in a food processor and break them up. They don’t have to turn to powder, but you don’t want any large chunks.

Let the water boil off, then brown the sausages a bit in their own oil. Remove the sausages and set aside.

Pour in a very little water, maybe a 1/4 of a cup to deglaze the pan, then add the olive oil. Turn the heat up to medium-high and add the garlic, ground up dried peppers, and half of the onions.

Saute until the onions are translucent, about 5 minutes. At the same time, cut your chorizo into 1/2″ slices, then halve those slices and add to the onions as you go.

Add the black beans, diced chipotle pepper and broth. Simmer for 20 minutes.

Blend half the soup as smooth as you can, then stir in the other half of the onions and simmer for another 5 minutes.

Dish it up, top with the cheddar and sliced green onions.

What I will do differently next time.

For texture, it came out thinner than I envisioned, so I would cut the chicken stock in half and replace it with equivalent puréed black beans. I might also consider adding some heavy cream to it, but I’m not sure.

I don’t think I would add the canned chipotle chile next time. I’m not sure that flavor was right for where I wanted to go with the soup.

Also, I might only use half of a chile de árbol, since it came out pretty spicy and Darcy can’t handle the heat.

Impromptu logging from a socket.io connection

October 27, 2012 » Geek

I recently participated in a live streamed event that provided a “watching now” counter using socket.io. Basically it was a super simple node.js script which incremented or decremented a variable when users joined and left the channel, and broadcast the count to its subscribers. What I didn’t realize until right before the event was that we might want to have a record of users on page at a given point in the broadcast. With so little time before the broadcast, I didn’t want to tinker with the server and break it, so I did the next best thing: I logged from the subscriber side.

I put up a quick PHP script on my laptop that allowed cross-domain access from the origin server and logged the incoming counter.

Then, in Chrome’s JavaScript console, I just hooked updates from socket.io into an XHR to provide the values to my PHP.

It worked like a charm, I didn’t have to mess with the server at a crucial point, and we got the data we needed.
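A sketch of both halves of that setup, added here as an example and not the code from the original post: the receiver is written in JavaScript rather than PHP, and the origin, the receiver URL and the event name `count` are placeholders. It allows exactly one origin and accepts only a digit string, so nothing else ends up in the log.

```javascript
// Added example. Origin, receiver URL and the event name "count" are placeholders.
const ALLOWED_ORIGIN = 'https://stream.example';   // the site embedding the counter
const RECEIVER = 'http://localhost:8000/log';      // hypothetical local endpoint

// Receiver logic (the post used PHP; this is a JavaScript stand-in).
// Takes the request's Origin header and URL, returns the response and log line.
function handleLogRequest(origin, url, now = new Date()) {
  const headers = { Vary: 'Origin' };
  if (origin !== ALLOWED_ORIGIN) return { status: 403, headers, line: null };
  headers['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN; // one origin, never "*"
  const raw = new URL(url, RECEIVER).searchParams.get('count');
  // Accept only a short run of digits so nothing else reaches the log file.
  if (raw === null || !/^\d{1,9}$/.test(raw)) return { status: 400, headers, line: null };
  return { status: 204, headers, line: `${now.toISOString()},${raw}\n` };
}

// Subscriber side: forward each counter update to the receiver.
// In the browser console, `send` would wrap XMLHttpRequest.
function hookCounter(socket, send, eventName = 'count') {
  socket.on(eventName, (n) => send(`${RECEIVER}?count=${encodeURIComponent(n)}`));
}
```
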

Let the Facebook Object Debugger Into Staging

October 27, 2012 » Geek

One often important, and often overlooked, aspect of modern web development is Open Graph tags. You know, those meta tags with weird attributes that break your page validation? That’s a whole other topic though.

Today, I want to talk about the Facebook Object Debugger, and giving it access to an HTTP Auth protected environment, such as a staging or pre-launch production site. This is Apache specific, so nginx fans will have to look elsewhere.

Assume you have this setup in your Apache config or htaccess;

The easiest way that I’ve found to make this work is to accept based on user agent. I originally tried allowing it based on IP address, but the debugger uses many IP addresses, and after I had added a half dozen I gave up and switched to user agent.

Be aware that, because of this, it’s quite easy for someone to fake their UA and gain access, so I recommend only using this code while you actively use the debugger, and turning it off afterwards. This also prevents leaks if someone pastes the URL into an actual Facebook comment.

Pretty easy!

Check out this page at AskApache for a nice guide to SetEnvIfNoCase.

Hashes Are Not *$&%@! Magic

September 27, 2012 » Geek

I’m going to get on a programming soapbox real quick and cover a topic that seems to confuse some people.

Hashes Are Not *$&%@! Magic

Some people seem to think that swapping out a secret with a hashed version of that secret makes it all safe and cozy, but that’s simply not true.

Yes, cryptographic hashes are a very important part of digital security, for a number of good reasons, but they have to be applied in a manner which takes the whole system into account.

The impetus for this work was a login integration I recently updated, because some other developer foolishly applied hashes.

Essentially, we were cross-posting a login form on one website to another. Nothing fancy. Ignore the lack of CSRF control.

The New Form

But the new form would need a change. Instead of sending the username and password, we would send the username, and an MD5 hash of the concatenation of username and password.

Now, I’m sure when this idea was implemented, it was sold as a way to authenticate the user, without exposing their password in plaintext (note that they don’t use SSL). Brilliant!

Yes, it does obscure the plaintext password, but it is not any more secure.

You see, they didn’t think about the system as a whole, they were just focused on obscuring the password.

All that happened here is a substitution of shared secrets.

Previously the server compared the username and password it has on file to what was sent in. Now it compares the username and the hashed password to what it has on file. Do you see what we did? We’ve simply swapped the secret of the plaintext password for the secret of the hashed password. I can still intercept your form submission over the wire and steal your credentials.

I don’t have to prove I know the password, I have to prove I know the secret.

Zero gain, and you’ve added complexity.

MD5, lol

As a bonus, they picked MD5, probably because it’s been implemented many times, there is a JavaScript version readily available, and it tends to be one of the first hashes people learn about, due to its age.

But MD5 is weak. And we have the salt, if you can call it that, in the username. An old 2 GHz P4 can try about 20 million hashes a second, and throwing a modern GPU at it you can test several billion hashes a second. If we want the plaintext password, we can get it unless it is reasonably large (7+ characters) and fairly complex (at least one non-alphanumeric character).

(╯°□°)╯︵ ┻━┻

For an extra thought, consider how they must be storing these passwords. Either their scheme has always been MD5(CONCAT(username,password)) or they are storing them in plaintext and are (hopefully) migrating to hashed.
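The substitution of shared secrets and the username-as-salt problem described above, as an added example that is not the integration's real code: the account, password and guess list are constructed, and the server model assumes it stores MD5(username + password) for comparison. It shows that the captured form fields log in on their own, and that the same fields let guesses be checked offline.

```javascript
// Added example: constructed account, password and guess list.
const crypto = require('crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// What the browser submits under the new form: username + MD5(username || password).
function buildNewForm(username, password) {
  return { username, token: md5hex(username + password) };
}

// The server must hold (or derive) the same token in order to compare it.
function makeServer(accounts) {
  const onFile = new Map(
    Object.entries(accounts).map(([user, pass]) => [user, md5hex(user + pass)])
  );
  return {
    login(form) {
      const expected = Buffer.from(onFile.get(form.username) || '');
      const supplied = Buffer.from(String(form.token));
      if (expected.length === 0 || expected.length !== supplied.length) return false;
      return crypto.timingSafeEqual(expected, supplied);
    },
  };
}

// The "salt" is the username, which travels beside the token, so a captured
// form is enough to check password guesses offline.
function matchesGuess(captured, guess) {
  return md5hex(captured.username + guess) === captured.token;
}

function demo() {
  const server = makeServer({ alice: 'hunter2' });        // constructed account
  const captured = buildNewForm('alice', 'hunter2');      // fields as seen on the wire
  // Resubmitting the captured fields needs no knowledge of the password.
  const replayed = { username: captured.username, token: captured.token };
  return {
    legitimate: server.login(captured),
    replay: server.login(replayed),
    wrongToken: server.login({ username: 'alice', token: md5hex('alice' + 'nope') }),
    guessed: ['letmein', 'password', 'hunter2'].filter((g) => matchesGuess(captured, g)),
  };
}

console.log(demo());
```
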