Stripe is running a web security capture the flag - a series of increasingly difficult web security exploit challenges. I've finished it and had a lot of fun. Working on a web browser I knew the theory of these various web based attacks, but this was my first chance to put theory into practice with:
Here's a blog post on the CTF behind the scenes setup which has many impressive features including phantom users that can be XSS/CSRF'ed.
I'll have another post on my difficulties and answers for the CTF levels after the contest is over on Wed, but if you're looking for hints, try out the CTF chatroom or the level specific CTF chatroom.
A python script that d3crypt5 the input pipe’s ASCII content from ASCII garbage slowly into the correct output.
We believe Knight accidentally released the test software they used to verify that their market making software functioned properly, into NYSE’s live system.
I get chills breaking the build at work. I can’t imagine how much worse it would feel to deploy your test suite and destroy the company you work for.
Chaos Monkey randomly kills your Amazon Web Service VMs increasing the failure rate forcing your web service to deal with it.
The U.S. Census Bureau today released a new online service that makes key demographic, socio-economic and housing statistics more accessible than ever before. The Census Bureau’s first-ever public Application Programming Interface (API) allows developers to design Web and mobile apps to explore or learn more about America’s changing population and economy.
Notes on practical HTTPS security issues.
Breakdown of the bytes of a Windows executable in a big old chart!
Former FireFox developer on the switch to their continuous update cycle.
Oh no, Chrome is doing such-and-such; we’d better do something equivalent or we’ll fall behind! We thought we needed a rapid update process like Chrome. We were jealous of their rapid update capability, which let them deploy improvements to users continuously. We had to “catch up” with Chrome’s updating capability.
Dealing with servicing on IE for years had led me to some of the same thoughts when I heard FireFox was switching to continuous updates.
This specification defines a “Problem Detail” as an extensible way to carry machine-readable details of errors in a response, to avoid the need to invent new response formats.
Lookup any software license shortly summarized in plain English.
The JSON Hypermedia API Language (HAL) is a standard which establishes conventions for expressing hypermedia controls, such as links, with JSON.
During formalization of the WebFinger protocol [I-D.jones-appsawg-webfinger], much discussion occurred regarding the appropriate URI scheme to include when specifying a user’s account as a web link [RFC5988].
acctURI = “acct:” userpart “@” domainpart
“Fuck You, Pay Me” is a talk on contracts, payments, etc. for free-lance designers.
I’ve been following this advice for many years now to the extent that I find myself rewriting text to make linking my nouns easier and shorter.
The one I wasn’t following that seems obvious only after I read it is to keep links towards the end of your text to allow users to follow the link once they’re done reading.
links at the end of the sentence allow users to take action faster
But if Surface is aimed at the OEMs—telling them “we can do this just as well as you can, if we have to”—and setting them a challenge—”your tablets have to be at least this good”—then the limited availability isn’t necessarily such a big deal. As long as the OEMs heed the warning and raise their game, so that Redmond can be assured that bad hardware won’t jeopardized Windows 8’s success, Microsoft could safely keep Surface operating as a small-scale operation, playing the Nexus role without upsetting the PC market.
THE Fiddler Book straight from the source, EricLaw - the developer of Fiddler!
Fiddler is a wonderful tool with never ending extensibility. With this book I shall master it!