uri - Dave's Blog


Search

How I Pranked My Roommate With Eerily Targeted Facebook Ads

2 days ago

"This is the chronicle of the most epic retaliation and how I pranked my roommate with targeted Facebook Ads to the point of complete paranoia and delusion."

Funny anecdote but also a how-to on creating a Facebook ad campaign that targets a single person.

PermalinkCommentshumor security ad facebook

Why do Nigerian Scammers Say They are from Nigeria? - Microsoft Research

Aug 26, 3:53

Mass mailing Internet scams intentionally use poor spelling, grammar etc to filter down to target ignorant audience .

PermalinkCommentstechnical security statistics

The Strange & Curious Tale of the Last True Hermit

Aug 21, 3:02

The story of Chris Knight, living in isolation in the woods of Maine for 27 years.

'Anyone who reveals what he's learned, Chris told me, is not by his definition a true hermit. Chris had come around on the idea of himself as a hermit, and eventually embraced it. When I mentioned Thoreau, who spent two years at Walden, Chris dismissed him with a single word: “dilettante.”'

'But still, I pressed on, there must have been some grand insight revealed to him in the wild…”Get enough sleep.”'

I don’t want to brag, but I’ve been telling that people all along and I didn’t have to live alone in the woods for decades.

PermalinkCommentshermit

The Secret Life of SIM Cards - DEFCON 21 - simhacks

Aug 16, 1:07

A DEFCON talk “The Secret Life of SIM Cards” that covers running apps on your SIM card. Surprisingly they run a subset of Java and execute semi-independent of the Phone’s OS.

PermalinkCommentstechnical phone sim-card security java

Detect login with CSP - When Security Generates Insecurity

Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

From Inside Edward Snowden’s Life as a Robot: Wizner had...

Jun 23, 7:04


From Inside Edward Snowden’s Life as a Robot:

Wizner had to jump on a phone call during a meeting with his whistleblower client. When he got off the phone, he found that Snowden had rolled the bot into civil liberties lawyer Jameel Jaffer’s office and was discussing the 702 provision of the Foreign Intelligence Surveillance Act. “It was kind of cool,” Wizner says.

It is neat but they’re marketing video is at times strangely terrifying. Put different music on when the Susan-bot comes up behind the unknowing Mark and this could be a horror movie trailer.

PermalinkCommentsedward-snowden beam robot telepresence

On exploiting security issues in botnet C&C...

Jun 23, 4:26


On exploiting security issues in botnet C&C software:

Hackers “are learning that it’s not so easy to write secure code,” Toro says. “Most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Malware creators who have to look to their own defences would have to slow down the production of new attacks.”

FYI, if you want to know what it looks like when you hack a hacker, look no further than the seminal 1995 film Hackers.

PermalinkCommentstechnical security

U.S. Marshals Seize Cops’ Spying Records to Keep Them From the ACLU | Threat Level | WIRED

Jun 4, 6:08

"A routine request in Florida for records detailing the use of a surveillance tool known as stingray turned extraordinary Tuesday when the U.S. Marshals Service seized the documents before local police could release them."

Also what about the part where the PD reveals that its been using the stingray a bunch without telling any court and blames that on the manufacturer’s NDA.

PermalinkCommentstechnical law security phone

XSS game

May 29, 1:10

Google’s XSS training game. Learn how to find XSS issues for fun and profit.

PermalinkCommentstechnical web security xss google

location.hash and location.search are bad and they should feel bad

May 22, 9:25
The DOM location interface exposes the HTML document's URI parsed into its properties. However, it is ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
  • The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
    • The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
    • The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
    • The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
  • The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content. Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or hash.
But like complaining about the number of minutes in an hour none of this can ever change without huge compat issues on the web. Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the URL standard moving towards a more sane (but still working practically within the constraints of compat) location object and URI parsing in the browser.
PermalinkComments

URI Design and Ownership - IETF Draft

May 21, 2:06

URI Design & Ownership - On the issues with and alternatives to requiring well known filenames and extensions in URIs. You must love the draft’s URI.

PermalinkCommentstechnical uri

Encrypted Web Traffic More Than Doubles

May 18, 1:20

RT @PeerProd In Europe, encrypted traffic went from 1.47% to 6.10%, and in Latin America, it increased from 1.8% to 10.37%
http://www.wired.com/2014/05/sandvine-report/ #NSA

PermalinkCommentstechnical security nsa encryption

exec($_GET

Apr 29, 8:27

Does it betray my innocence that I’m shocked by the amount of exec($_GET you can easily find on github? Hilarious comment thread on hacker news: 

This is awful. Shell commands are not guaranteed to be idempotent, people! These should all be of the form exec($_POST, not exec($_GET.

ephemeralgomi

PermalinkCommentshumor security http php technical

The 5 Things To Do About the New Heartbleed Bug

Apr 9, 9:06

Its time to get a password manager.

PermalinkCommentssecurity password technical

Hijacking user sessions with the Heartbleed vulnerability · Matt's Life Bytes

Apr 8, 6:36

Just a quick tutorial on exploiting heartbleed for session hijacking. Is it worse to use https than http today?

PermalinkCommentstechnical security ssl heartbleed session-hijack

Xbox One Sign Out Trolling - YouTube

Jan 8, 5:53PermalinkCommentsvideo game xbox voice security

laughingsquid: F.A.A. Lifts Restrictions on Electronics During...

2013 Oct 31, 4:57


laughingsquid:

F.A.A. Lifts Restrictions on Electronics During All Phases of Flight

PermalinkCommentsflight plane electronics faa

theatlantic: Victorian Trolling: How Con Artists Spammed in a...

2013 Oct 29, 7:42


theatlantic:

Victorian Trolling: How Con Artists Spammed in a Time Before Email

The main difference between 21st-century scams and those of centuries past is one of delivery method.

Read more. [Image: Wikimedia Commons/Benjamin Breen]

PermalinkCommentshistory spam technical humor internet

FitBit and WebOC Application Compatibility Errors

2013 Aug 29, 7:17
I just got a FitBit One from my wife. Unfortunately I had issues running their app on my Windows 8.1 Preview machine. But I recognized the errors as IE compatibility issues, for instance an IE dialog popup from the FitBit app telling me about an error in the app's JavaScript. Given my previous post on WebOC versioning you may guess what I tried next. I went into the registry and tried out different browser mode and document mode versions until I got the FitBit software running without error. Ultimately I found the following registry value to work well ('FitBit connect.exe' set to DWORD decimal 8888).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Fitbit Connect.exe"=dword:000022b8

For those familiar with the Windows registry the above should be enough. For those not familiar, copy and paste the above into notepad, save as a file named "fitbit.reg", and then double click the reg file and say 'Yes' to the prompt. Hopefully in the final release of Windows 8.1 this won't be an issue.
PermalinkComments

Pixel Perfect Timing Attacks with HTML5 - Context » Information Security

2013 Aug 7, 8:25PermalinkCommentssecurity html html5 svg javascript requestAnimationFrame iframe
Older Entries Creative Commons License Some rights reserved.