fed - Dave's Blog


Retweet of f4grx

2016 Jan 26, 7:43
@FakeUnicode also UNICODE CONSORTIUM FACE REVIEWING EMOJI CODEPOINT REQUESTS

Retweet of TheNardvark

2015 Oct 9, 2:21
“Can I get 2 boxes of Sudafed?” “Sorry, by law you can only buy one at a time.” “Okay then just the one box of Sudafed and these 7 guns.”

Retweet of adamakraft

2015 Jul 5, 12:52
@samplereality The @ConfederateBot is a new protest bot that retweets pro-Confederate tweets as if they were pro-Nazi.

Retweet of 18F

2015 Mar 16, 9:48
Today the White House is proposing an HTTPS-only standard for the entire federal government: https://https.cio.gov  Public comment welcome!

Retweet of mrlacey

2015 Mar 1, 6:42
Chrome is not one browser pic.twitter.com/nZaZgRidjC

FCC planning new Internet rules that will gut Net Neutrality. Get ready to pay more for the stuff you love online.

2014 Apr 24, 3:29
Tags: technical net-neutrality fcc bullshit

Stripe CTF - Level 5

2012 Sep 11, 5:00

Level 5 of the Stripe CTF revolved around a design issue in an OpenID-like protocol.

Code

    # Check the level 5 server runs on the body returned by the endpoint URI
    def authenticated?(body)
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end

    ...

    if authenticated?(body)
      session[:auth_user] = username
      session[:auth_host] = host
      # The endpoint's body is echoed verbatim into the level 5 response
      return "Remote server responded with: #{body}." \
             " Authenticated as #{username}@#{host}!"

Issue

This level is an implementation of a federated identity protocol. You give it an endpoint URI, a username and a password; it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. The level only talks to Stripe CTF servers, so the first step is to upload a document containing the text 'AUTHENTICATED' to the level 2 server; we can now authenticate on a level 2 server. Notice that the level 5 server dumps out the content returned by the endpoint URI, and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated

Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.

https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a

Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and listing the text of the level 2 file, 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 sees 'AUTHENTICATED' coming back from a level 5 URI.

Notes

I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The protocol requires only a fixed piece of common literal text to be returned, which makes it easy for a server to accidentally fall into authenticating. Requiring the endpoint URI to return variable text based on the input would make it much harder for a server to accidentally authenticate.
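To make both points concrete, here is an added example (mine, not the CTF's code) that runs the level's regexp over constructed response bodies and then shows the challenge/response variant suggested above. It assumes the uploaded level 2 file was `" AUTHENTICATED\n"` and that the relying party and endpoint share a secret; the sample bodies are constructed.

```ruby
require 'openssl'
require 'securerandom'

# The level's check, exactly as quoted in the write-up above. Note that in
# Ruby `$` matches at the end of *any line*, not only at the end of the string,
# so a trailing newline inside a longer page is enough to satisfy it.
def permissive_authenticated?(body)
  !!(body =~ /[^\w]AUTHENTICATED[^\w]*$/)
end

# Constructed sample bodies (assumption: the uploaded file was " AUTHENTICATED\n").
DIRECT_BODY = " AUTHENTICATED\n"
# The relying party's own page, which reflects the endpoint's body verbatim.
REFLECTED_BODY = "Remote server responded with: #{DIRECT_BODY}." \
                 " Authenticated as a@level02-2.stripe-ctf.com!"
# The same page if the uploaded text had carried no trailing newline.
REFLECTED_BODY_NO_NEWLINE = REFLECTED_BODY.sub("\n", "")

# Hardened variant (added here, not the CTF's code): the relying party sends a
# fresh random challenge along with the credentials and the endpoint must answer
# with HMAC-SHA256(shared_secret, challenge). A page that merely echoes a fixed
# word, or reflects someone else's response, can never produce that value.
def issue_challenge
  SecureRandom.hex(16)
end

def expected_response(secret, challenge)
  OpenSSL::HMAC.hexdigest('SHA256', secret, challenge)
end

# Constant-time comparison so a mismatch does not leak how much of the
# response was correct through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Exact match on the whole (whitespace-trimmed) body; no regexp, no anchors to get wrong.
def strict_authenticated?(body, secret, challenge)
  constant_time_equal?(body.strip, expected_response(secret, challenge))
end
```

The reflected page passes the permissive check only because of the newline; the strict check accepts nothing but the per-request HMAC.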

Tags: internet openid security stripe-ctf technical web

Seized shirt! For the feds, it’s not enough to simply seize...

2012 Aug 17, 8:40


Seized shirt!

For the feds, it’s not enough to simply seize domain names without warning or due process—they want to make sure everyone knows the website operators were breaking the law, even if that has yet to be proven in court. That’s why every domain that gets seized ends up redirecting to one of these dramatic warning pages, replete with the eagle-emblazoned badges of the federal agencies involved.

Tags: humor law ip fbi legal shirt tshirt

ifc: This week on Comedy Bang! Bang! - Michael Cera!

2012 Jun 27, 3:38


ifc:

This week on Comedy Bang! Bang! - Michael Cera!

Tags: humor comedy-bang-bang michael-cera video

Feds Seized Hip-Hop Site for a Year, Waiting for Proof of Infringement (wired.com)

2012 May 4, 1:57

Tags: copyright technical legal wired politics government music riaa

Another Comedy Bang Bang preview clip this time with Zach...

2012 Apr 18, 6:02


Another Comedy Bang Bang preview clip this time with Zach Galifianakis.

Tags: zach-galifianakis comedy-bang-bang video humor preview scott-aukerman tv clip

(via Taxi-window sticker: our security stinks and your credit...

2012 Feb 15, 5:14


(via Taxi-window sticker: our security stinks and your credit card will be sniffed)

Don’t you have to meet some minimum security requirements to process credit card transactions?

Tags: humor credit-card security

Feds Mistakenly Shut Down Popular Blog For Over A Year (techdirt.com)

2011 Dec 8, 10:57

Tags: technical censorship government internet riaa copyright

Replacing Delicious with Google Reader

2011 Nov 17, 11:00

I had previously replaced my use of Delicious with Google Reader. Delicious had a number of issues during their switch over from Yahoo to the new owners and I was eventually fed up enough to remove it from daily use. I used Delicious to do the following things:

  • Create a list of things to read later
  • Save things to read again in the future
  • Search through things I read and enjoyed (esp via tags)
  • Annotate and share things on my blog

I realized that since I did most of my web browsing in Google Reader now anyway, I may as well make use of its features. I star things to note that I want to read them later or save them to read again. I can annotate with notes in Google Reader, and I can share items to my web site by way of the shared items feed. Additionally, for when I'm not in Google Reader, there's a bookmarklet to add an arbitrary web site as a shared item in Google Reader.

Of course I wrote this and switched over about 1 week before Google removed the sharing feature from Google Reader. I'm irritated but in practice it forced me to find a different option which has worked out mostly better. New blog post coming soon about that...

Tags: blog delicious me technical google-reader google feed

NYTimes Sues US For Refusing To Reveal Secret Interpretation Of Patriot Act (techdirt.com)

2011 Oct 20, 6:52
Wow, FTA: "Given all of this, reporter Charlie Savage of the NY Times filed a Freedom of Information Act request to find out the federal government's interpretation of its own law... and had it refused. According to the federal government, its own interpretation of the law is classified."
Tags: technical

Emanuel Derman's Blog: Trading Places

2009 Dec 31, 1:50

Har har: "I had a fantasy in which the Fed and the TSA (Transportation Security Administration) switched roles. If a bank failed at 9 a.m. one morning and shut its doors, the TSA would announce that all banks henceforth begin their business day at 10 a.m. And, if a terrorist managed to get on board a plane between Stockholm and Washington, the Fed would increase the number of flights between the cities."

Tags: economics humor airplane emanuel-derman tsa fed government

Sprint fed customer GPS data to cops over 8 million times

2009 Dec 1, 9:40

Wow: 'The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. The courts ruled in 2005 that law enforcement doesn't need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.'

Tags: privacy security gps phone cellphone government politics

Stuffed Bunny on Bunny

2009 Sep 27, 11:28

sequelguy posted a photo:

Stuffed Bunny on Bunny

Tags: cute bunny

Engineering Windows 7 : Federating Windows Search with Enterprise Data Sources

2009 Jul 17, 4:36

"For Windows 7, we’ve added support for Federated Search using OpenSearch v1.1 and worked to make the experience a seamless one." Explorer in Win7 supports OpenSearch descriptions (that use RSS).

Tags: opensearch search windows win7 technical

Data.gov: Unlocking the Federal Filing Cabinets - Bits Blog - NYTimes.com

2009 May 26, 11:28

"But Data.gov is different. It is primarily for machines, not people, at least as a first step. It is a catalog of various sets of data from government agencies. And the idea is to offer the data in one of several standardized formats, ranging from a simple text file that can be read by a spreadsheet program to the XML format widely used these days for the exchange of information between Web services. Other data is presented in formats that are meant to feed into mapping programs."

Tags: data nytimes xml government