owl - Dave's Blog


Search

wilwheaton: owlturdcomix: Thoughts I have instead of smart...

2013 May 13, 2:31




wilwheaton:

owlturdcomix:

Thoughts I have instead of smart thoughts.

http://i.imgur.com/b9h1rc5.png

Owl Turd is rapidly becoming one of my favourite webcomics.

This may have been a Serial Experiments Lain episode synopsis.

PermalinkCommentshumor map

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level Issue Code Review Red Flags
0 Simple SQL injection No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API
1 extract($_GET); No input validation.
2 Arbitrary PHP execution No input validation. Allow file uploads. File permissions modification.
3 Advanced SQL injection Constructing SQL command strings instead of SQL API.
4 HTML injection, XSS and CSRF No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5 Pingback server doesn't need to opt-in n/a - By design protocol issue.
6 Script injection and XSS No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7 Length extension attack Custom crypto code. Constructing SQL command string instead of SQL API.
8 Side channel attack Password handling code. Timing attack mitigation too clever.

More about each level in the future.

PermalinkCommentscode-review coding csrf html internet programming script security sql stripe technical web xss

Web Security Contest - Stripe CTF

2012 Aug 27, 4:18

Stripe is running a web security capture the flag - a series of increasingly difficult web security exploit challenges. I've finished it and had a lot of fun. Working on a web browser I knew the theory of these various web based attacks, but this was my first chance to put theory into practice with:

  • No adverse consequences
  • Knowledge that there is a fun security exploit to find
  • Access to the server side source code

Here's a blog post on the CTF behind the scenes setup which has many impressive features including phantom users that can be XSS/CSRF'ed.

I'll have another post on my difficulties and answers for the CTF levels after the contest is over on Wed, but if you're looking for hints, try out the CTF chatroom or the level specific CTF chatroom.

PermalinkCommentscontest security technical

Decrypt.py: Act like a decrypting hacker on tv (github.com)

2012 Aug 8, 3:34

A python script that d3crypt5 the input pipe’s ASCII content from ASCII garbage slowly into the correct output.

PermalinkCommentstechnical humor hack decrypt

(via Pareidoloop) “Phil McCarthy’s Pareidoloop...

2012 Aug 6, 4:11


(via Pareidoloop)

“Phil McCarthy’s Pareidoloop overlays randomly generated polygons on top of one another until facial recognition software recognizes a human face. Can’t sleep, at SIGGRAPH! [via @Brandonn]”

PermalinkCommentstechnical images facial-recognition siggraph

URI Percent Encoding Ignorance Level 2 - There is no Unencoded URI

2012 Feb 20, 4:00

As a professional URI aficionado I deal with various levels of ignorance on URI percent-encoding (aka URI encoding, or URL escaping).

Getting into the more subtle levels of URI percent-encoding ignorance, folks try to apply their knowledge of percent-encoding to URIs as a whole producing the concepts escaped URIs and unescaped URIs. However there are no such things - URIs themselves aren't percent-encoded or decoded but rather contain characters that are percent-encoded or decoded. Applying percent-encoding or decoding to a URI as a whole produces a new and non-equivalent URI.

Instead of lingering on the incorrect concepts we'll just cover the correct ones: there's raw unencoded data, non-normal form URIs and normal form URIs. For example:

  1. http://example.com/%74%68%65%3F%70%61%74%68?query
  2. http://example.com/the%3Fpath?query
  3. "http", "example.com", "the?path", "query"

In the above (A) is not an 'encoded URI' but rather a non-normal form URI. The characters of 'the' and 'path' are percent-encoded but as unreserved characters specific in the RFC should not be encoded. In the normal form of the URI (B) the characters are decoded. But (B) is not a 'decoded URI' -- it still has an encoded '?' in it because that's a reserved character which by the RFC holds different meaning when appearing decoded versus encoded. Specifically in this case, it appears encoded which means it is data -- a literal '?' that appears as part of the path segment. This is as opposed to the decoded '?' that appears in the URI which is not part of the path but rather the delimiter to the query.

Usually when developers talk about decoding the URI what they really want is the raw data from the URI. The raw decoded data is (C) above. The only thing to note beyond what's covered already is that to obtain the decoded data one must parse the URI before percent decoding all percent-encoded octets.

Of course the exception here is when a URI is the raw data. In this case you must percent-encode the URI to have it appear in another URI. More on percent-encoding while constructing URIs later.

PermalinkCommentsurl encoding uri technical percent-encoding

(via Ferris Bueller, Film & Super Bowl Commercial...

2012 Feb 7, 11:53


(via Ferris Bueller, Film & Super Bowl Commercial Side-by-Side Comparison)

PermalinkCommentshumor video ferris-bueller ad

Indicating Character Encoding and Language for HTTP Header Field Parameters

2011 Nov 24, 7:45

From the document: ‘Appendix B. Implementation Report: The encoding defined in this document currently is used for two different HTTP header fields: “Content-Disposition”, defined in [RFC6266], and “Link”, defined in [RFC5988]. As the encoding is a profile/clarification of the one defined in [RFC2231] in 1997, many user agents already supported it for use in “Content-Disposition” when [RFC5987] got published.

Since the publication of [RFC5987], two more popular desktop user agents have added support for this encoding; see http://purl.org/
   NET/http/content-disposition-tests#encoding-2231-char for details. At this time, only one major desktop user agent (Safari) does not support it.

Note that the implementation in Internet Explorer 9 does not support the ISO-8859-1 encoding; this document revision acknowledges that UTF-8 is sufficient for expressing all code points, and removes the requirement to support ISO-8859-1.’

Yay for UTF-8!

PermalinkCommentstechnical http http-headers ie9 internationalization utf-8 encoding

My favourite comment ever posted on Reddit

2011 Oct 26, 8:04
"Knowledge is Power; France is bacon"
PermalinkCommentstechnical

Owlboy Demo

2011 Aug 22, 2:00Owlboy is lovely old school 16bit side scrolling platforming and adventuring fun!PermalinkCommentsgame 16bit owl

JavaScript Garden

2011 Mar 14, 1:33A great intro to the details of JavaScript for developers familiar with other languages but only a passing knowledge of JavaScript.PermalinkCommentsjavascript tutorial programming reference technical

Ur Argumentz = Invalid

2010 Oct 14, 6:52PermalinkCommentshumor owl lolcat

Timefire: On Reducing the Size of Compressed Javascript (by up to 20%)

2009 Sep 1, 4:39"...what effect does the large-scale structure of the JS output code have on the DEFLATE algorithm of GZIP which is used to serve up compressed script?" Another instance of using knowledge of the specific file type to get gains in compression. Is there a web proxy running all this at which I can point my phone?PermalinkCommentsvia:kris.kowal performance javascript gzip deflate compression web technical

Cambridge Cop Accidentally Arrests Henry Louis Gates Again During White House Meeting | The Onion - America's Finest News Source

2009 Aug 4, 7:19"Witnesses said that Sgt. Crowley, failing to recognize Gates on their flight to Logan Airport, arrested the tenured professor in midair, once again at the baggage claim, and twice during their shared cab ride back to Cambridge"PermalinkCommentshumor onion politics

Scribblenauts director: believe in the idea, move slowly - Ars Technica

2009 Jul 20, 5:04"We had five people, over about six months, research and come up with the tens of thousands of words present on the Scribblenauts dictionary."PermalinkCommentsgame scribblenauts videogame nintendo dictionary

Apple Admits British Man Invented iPod in 1979, Uses Him to Win Patent Lawsuit - Apple - Gizmodo

2009 Jul 16, 3:28"I was up a ladder painting when I got the call from a lady with an American accent from Apple saying she was the head of legal affairs and that they wanted to acknowledge the work that I had done"
PermalinkCommentshumor history music apple legal patent ipod ip

Netflix CSRF - Stolen Thoughts

2009 May 3, 10:36

Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would prevent a CSRF. Sure enough its pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts stolen from me and the theif doesn't even have the common decency to let me have the thought first!

With this issue known for nearly three years its hard to continue calling it an issue. Really they should just document it in their API docs and be done with it. Who knows what Netflix based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.

PermalinkCommentstechnical stolen-thoughts csrf netflix security

Time Travel Essentials - TopatoCo: We Sell T-shirts by the e-Shore

2009 Apr 15, 7:42"If you're like us, you live in constant fear of slipping into a wormhole and getting spit out in the 13th century, and the only real useful knowledge you have for your ignorant ancestors is 'watch out for that Hitler guy' and 'some of the Popes are evil.'" Its like they're inside my head! Love this shirt and poster telling you everything you need to know in case you accidentally fall back in time.PermalinkCommentstime-travel time shirt poster wishlist gift awesome

Platonic Ideals in Anathem and The Atrocity Archives

2009 Apr 7, 11:58
The Atrocity ArchivesThe Jennifer MorgueAnathem

This past week I finished Anathem and despite the intimidating physical size of the book (difficult to take and read on the bus) I became very engrossed and was able to finish it in several orders of magnitude less time than what I spent on the Baroque Cycle. Whereas reading the Baroque Cycle you can imagine Neal Stephenson sifting through giant economic tomes (or at least that's where my mind went whenever the characters began to explain macro-economics to one another), in Anathem you can see Neal Stephenson staying up late pouring over philosophy of mathematics. When not exploring philosophy, Anathem has an appropriate amount of humor, love interests, nuclear bombs, etc. as you might hope from reading Snow Crash or Diamond Age. I thoroughly enjoyed Anathem.

On the topic of made up words: I get made up words for made up things, but there's already a name for cell-phone in English: its "cell-phone". The narrator notes that the book has been translated into English so I guess I'll blame the fictional translator. Anyway, I wasn't bothered by the made up words nearly as much as some folk. Its a good thing I'm long out of college because I can easily imagine confusing the names of actual concepts and people with those from the book, like Hemn space for Hamming distance. Towards the beginning, the description of slines and the post-post-apocalyptic setting reminded me briefly of Idiocracy.

Recently, I've been reading everything of Charles Stross that I can, including about a month ago, The Jennifer Morgue from the surprisingly awesome amalgamation genre of spy thriller and Lovecraft horror. Its the second in a series set in a universe in which magic exists as a form of mathematics and follows Bob Howard programmer/hacker, cube dweller, and begrudging spy who works for a government agency tasked to suppress this knowledge and protect the world from its use. For a taste, try a short story from the series that's freely available on Tor's website, Down on the Farm.

Coincidentally, both Anathem and the Bob Howard series take an interest in the world of Platonic ideals. In the case of Anathem (without spoiling anything) the universe of Platonic ideals, under a different name of course, is debated by the characters to be either just a concept or an actual separate universe and later becomes the underpinning of major events in the book. In the Bob Howard series, magic is applied mathematics that through particular proofs or computations awakens/disturbs/provokes unnamed horrors in the universe of Platonic ideals to produce some desired effect in Bob's universe.

PermalinkCommentsatrocity archives neal stephenson jennifer morgue plato bob howard anathem

FormToAccelerator Internet Explorer Extension

2009 Mar 12, 2:17

I've made an extension for Internet Explorer 8, FormToAccelerator which turns HTML forms on a web page into either an accelerator or a search provider. In the design of the accelerators format we intentionally had HTML forms in mind so that it would be easy to create accelerators for existing web services. Consequently, creating an accelerator from an HTML form is a natural concept and an extension I've been meaning to finish for many months now.

This is similar in concept to the Opera feature that lets you add a form as a search provider. The user experience is very rough and requires some knowledge of accelerator variables. If I can come up with a better interaction model I may update this in the future, but at the moment all the designs I can come up with require way too much effort. Install IE8 RC1 and then try out FormToAccelerator.

PermalinkCommentsactivity html accelerator ie8 internet-explorer activities formtoaccelerator extension
Older Entries Creative Commons License Some rights reserved.