hp - Dave's Blog


Search

honeysweetsugaricklepie: Uhh has anyone notice Garry Marshall’s...

Feb 24, 11:57


honeysweetsugaricklepie:

Uhh has anyone notice Garry Marshall’s Wikipedia page?

Hahaha

Wiki user ‘Gillian Marshal’ (http://en.wikipedia.org/w/index.php?title=Garry_Marshall&diff=prev&oldid=596787114) updated his page yesterday. Nice and subtle only editing the summary section on the right.

PermalinkCommentsgary-marshal humor wikipedia gillian-jacobs gillian-marshal comedy-bang-bang

laughingsquid: Arrested Development Season 4 Trailer Brings...

2013 May 13, 2:47


laughingsquid:

Arrested Development Season 4 Trailer Brings Back the Dysfunctional Bluth Family

Come on!

PermalinkCommentshumor trailer arrested-development awesome

 “The disc itself is about 5 inches in diameter. It can record...

2012 Oct 1, 8:21


 “The disc itself is about 5 inches in diameter. It can record one hour of stereo music on one side — and it is only a one-sided disc, it’s not meant to be played on two sides…”

Sony demos the CD at TED in 1984 (by TEDBlogVideo)

PermalinkCommentsvideo cd ted music

Ben Goldacre’s TED talk on publication bias, drug...

2012 Sep 28, 3:55


drug companies hiding the results of clinical trials.

(via I did a new talk at TED, on drug companies and hidden data.)

PermalinkCommentsscience video ted

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.

Level 1

Code

          $filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {

Issue

The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.

Level 2

Code

    $dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "

Successfully uploaded your display picture.

";
}

Issue

This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:


Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.

PermalinkCommentsinput-validation php security technical

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level Issue Code Review Red Flags
0 Simple SQL injection No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API
1 extract($_GET); No input validation.
2 Arbitrary PHP execution No input validation. Allow file uploads. File permissions modification.
3 Advanced SQL injection Constructing SQL command strings instead of SQL API.
4 HTML injection, XSS and CSRF No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5 Pingback server doesn't need to opt-in n/a - By design protocol issue.
6 Script injection and XSS No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7 Length extension attack Custom crypto code. Constructing SQL command string instead of SQL API.
8 Side channel attack Password handling code. Timing attack mitigation too clever.

More about each level in the future.

PermalinkCommentscode-review coding csrf html internet programming script security sql stripe technical web xss

Gangnam Style looks like he’s riding a horse but actually...

2012 Aug 24, 1:29


Gangnam Style looks like he’s riding a horse but actually its satire.

Also, the making of video: http://youtu.be/9HPiBJBCOq8

PermalinkCommentshumor music music-video video psy south-korea

“Hey Pass Me a Beer” in the same vein as the...

2012 Jun 21, 2:55


“Hey Pass Me a Beer” in the same vein as the HIGH-FIVE! montages.

PermalinkCommentshumor video beer

Awesome faux trailer for Psychonauts as Inception. Wish I had...

2012 Feb 14, 8:58


Awesome faux trailer for Psychonauts as Inception. Wish I had made the connection before - there’s a ton of overlap.

INCEPTIONAUTS (by FineLeatherJackets)

PermalinkCommentshumor video inception video-game psychonauts tim-schafer

(via Defend our freedom to share (or why SOPA is a bad idea):...

2012 Jan 18, 3:21


(via Defend our freedom to share (or why SOPA is a bad idea): Clay Shirky on TED.com)

PermalinkCommentsvideo copyright clay-shirky sopa pipa legal politics mpaa ted

(via please reblog and remove all attribution (3 Comments))

2011 Nov 17, 2:22


(via please reblog and remove all attribution (3 Comments))

PermalinkComments

[whatwg] Proposal for IsSearchProviderInstalled / AddSearchProvider

2011 Feb 23, 2:17Proposal to standardize on the function to add search providers in user agents.PermalinkCommentstechnical search-provider browser webbrowser web whatwg

DVD Ripping and Viewing in Windows Media Center

2010 Aug 17, 3:05

I've just got a new media center PC connected directly to my television with lots of HD space and so I'm ripping a bunch of my DVDs to the PC so I don't have to fuss with the physical media. I'm ripping with DVD Rip, viewing the results in Windows 7's Windows Media Center after turning on the WMC DVD Library, and using a powershell script I wrote to copy over cover art and metadata.

My powershell script follows. To use it you must do the following:

  1. Run Windows Media Center with the DVD in the drive and view the disc's metadata info.
  2. Rip each DVD to its own subdirectory of a common directory.
  3. The name of the subdirectory to which the DVD is ripped must have the same name as the DVD name in the metadata. An exception to this are characters that aren't allowed in Windows paths (e.g. <, >, ?, *, etc)
  4. Run the script and pass the path to the common directory containing the DVD rips as the first parameter.
Running WMC and viewing the DVD's metadata forces WMC to copy the metadata off the Internet and cache it locally. After playing with Fiddler and reading this blog post on WMC metadata I made the following script that copies metadata and cover art from the WMC cache to the corresponding DVD rip directory.

Download copydvdinfo.ps1

PermalinkCommentspowershell wmc technical tv dvd windows-media-center

I'm Married!

2010 Jun 12, 2:18

2010_05_Dave and Sarah Wedding_Sarah and Dave Married WalkDid I mention that I got married two weeks ago today on May 29th? Its true! Our wedding was a kind of planning singularity -- all of my planning efforts would get sucked into that day and I couldn't make any plans past that date. But the actual wedding itself was lovely and I didn't feel nearly as stressed out or nervous during the wedding as I did trying to plan for it. I've been gathering wedding photos on our wedding website photos page.

PermalinkCommentswedding photo personal marriage

The Hitchhiker's Guide to the Galaxy (film) - Wikipedia, the free encyclopedia

2010 Mar 12, 11:11"All of the sculpted noses on the planet Viltvodle VI were fashioned after Douglas Adams' own. The creators used a 3D model he had created for the game Starship Titanic." The noses mentioned in the previous sentence were depicted in the movie in a church. The religion of this church maintains that the universe was created by their god sneezing out the universe and so they have statues of their god's nose throughout the church. Of course this is intended to seem absurd, however based on the previous sentence -- that the nose belonged to Douglas Adams -- then they really were worshping the nose of their creator.PermalinkCommentsdouglas-adams book hhgttg movie religion nose

YouTube - Charlie Brooker - How To Report The News

2010 Jan 30, 2:26Similar to the "This is the title of a typical incendiary blog post" (http://faultline.org/index.php/site/item/incendiary/) except this is a typical news report. "...and this is a lighthouse keeper being beheaded by a lighthouse beam."PermalinkCommentsbbc humor video via:waxy satire journalism tv news

Android eBook Reader And Makers

2009 Dec 13, 1:27

I was reading Makers, Cory Doctorow's latest novel, as it was serialized on Tor's website but with no ability to save my place within a page I set out to find a book reading app for my G1 Android phone. I stopped looking once I found Aldiko. Its got bookmarks within chapters, configurable fonts, you can look-up words in a dictionary, and has an easy method to download public domain and creative common books. I was able to take advantage of Aldiko's in-app book download system to get Makers onto my phone so I didn't have to bother with any conversion programs etc, and I didn't have to worry about spacing or layout, the book had the correct cover art, and chapter delimiters. I'm very happy with this app and finished reading Makers on it.

Makers is set in the near future and features teams of inventors, networked 3d printers, IP contention, body modifications, and Disney -- just the sort of thing you'd expect from a Cory Doctorow novel. The tale seems to be an allegory for the Internet including displacing existing businesses and the conflict between the existing big entertainment IP owners and the plethora of fans and minor content producers. The story is engaging and the characters filled out and believable. I recommend Makers and as always its Creative Commons so go take a look right now.

PermalinkCommentstor aldiko cory doctorow g1 makers ebook android book

Time/Date Conversion Tool

2009 Aug 28, 3:39

I built timestamp.exe, a Windows command line tool to convert between computer and human readable date/time formats mostly for working on the first run wizard for IE8. We commonly write out our dates in binary form to the registry and in order to test and debug my work it became useful to be able to determine to what date the binary value of a FILETIME or SYSTEMTIME corresponded or to produce my own binary value of a FILETIME and insert it into the registry.

For instance, to convert to a binary value:

[PS C:\] timestamp -inString 2009/08/28:10:18 -outHexValue -convert filetime
2009/08/28:10:18 as FILETIME: 00 7c c8 d1 c8 27 ca 01

Converting in the other direction, if you don't know what format the bytes are in, just feed them in and timestamp will try all conversions and list only the valid ones:

[PS C:\] timestamp -inHexValue  "40 52 1c 3b"
40 52 1c 3b as FILETIME: 1601-01-01:00:01:39.171
40 52 1c 3b as Unix Time: 2001-06-05:03:30:08.000
40 52 1c 3b as DOS Time: 2009-08-28:10:18:00.000
(it also supports OLE Dates, and SYSTEMTIME which aren't listed there because the hex value isn't valid for those types). Or use the guess option to get timestamp's best guess:
[PS C:\] timestamp -inHexValue  "40 52 1c 3b" -convert guess
40 52 1c 3b as DOS Time: 2009-08-28:10:18:00.000

When I first wrote this I had a bug in my function that parses the date-time value string in which I could parse 2009-07-02:10:18 just fine, but I wouldn't be able to parse 2009-09-02:10:18 correctly. This was my code:

success = swscanf_s(timeString, L"%hi%*[\\/- ,]%hi%*[\\/- ,]%hi%*[\\/- ,Tt:.]%hi%*[:.]%hi%*[:.]%hi%*[:.]%hi", 
&systemTime->wYear,
&systemTime->wMonth,
&systemTime->wDay,
&systemTime->wHour,
&systemTime->wMinute,
&systemTime->wSecond,
&systemTime->wMilliseconds) > 1;

See the problem?

To convert between these various forms yourself read The Old New Thing date conversion article or Josh Poley's date time article. I previously wrote about date formats I like and dislike.

PermalinkCommentsdate date-time technical time windows tool

Blog Layout and Implementation Improvements

2009 Jul 19, 11:44

Monticello, home of Thomas Jefferson, Charlottesville, Va. (LOC) from Flickr CommonsI've redone my blog's layout to remind myself how terrible CSS is -- err I mean to play with the more advanced features of CSS 2.1 which are all now available in IE8. As part of the new layout I've included my Delicious links by default but at a smaller size and I've replaced the navigation list options with Technical, Personal and Everything as I've heard from folks that that would actually be useful. Besides the layout I've also updated the back-end, switching from my handmade PHP+XSLT+RSS/Atom monster to a slightly less horrible PHP+DB solution. As a result everything should be much much faster including search which, incidentally, is so much easier to implement outside of XSLT.

PermalinkCommentsblog database redisgn xslt mysql homepage

The Music of Erich Zann

2009 Jun 29, 1:20"The Music of Erich Zann is a short film based on the story by H.P. Lovecraft. Though conditions inside the abandoned Savoy Hotel made this a very challenging project (Sub-freezing temperatures; cramped quarters; enough dust to suffocate Cthulhu himself), I was thrilled with the opportunity to work in such a haunting location, with such a talented and dedicated group of filmmakers."PermalinkCommentschris-shelton hp-lovecraft video movie
Older Entries Creative Commons License Some rights reserved.