wikipedia - Dave's Blog


Search

honeysweetsugaricklepie: Uhh has anyone notice Garry Marshall’s...

Feb 24, 11:57


honeysweetsugaricklepie:

Uhh has anyone notice Garry Marshall’s Wikipedia page?

Hahaha

Wiki user ‘Gillian Marshal’ (http://en.wikipedia.org/w/index.php?title=Garry_Marshall&diff=prev&oldid=596787114) updated his page yesterday. Nice and subtle only editing the summary section on the right.

PermalinkCommentsgary-marshal humor wikipedia gillian-jacobs gillian-marshal comedy-bang-bang

Words with Hints Windows 8 App Development Notes

2013 Jul 4, 1:00

My second completed app for the Windows Store was Words with Hints a companion to Words with Friends or other Scrabble like games that gives you *ahem* hints. You provide your tiles and optionally letters placed in a line on the board and Words with Hints gives you word options.

I wrote this the first time by building a regular expression to check against my dictionary of words which made for a slow app on the Surface. In subsequent release of the app I now spawn four web workers (one for each of the Surface's cores) each with its own fourth of my dictionary. Each fourth of the dictionary is a trie which makes it easy for me to discard whole chunks of possible combinations of Scrabble letters as I walk the tree of possibilities.

The dictionaries are large and takes a noticeable amount of time to load on the Surface. The best performing mechanism I found to load them is as JavaScript source files that simply define their portion of the dictionary on the global object and synchronously (only on the worker so not blocking the UI thread). Putting them into .js files means they take advantage of bytecode caching making them load faster. However because the data is mostly strings and not code there is a dramatic size increase when the app is installed. The total size of the four dictionary .js files is about 44Mb. The bytecode cache for the dictionary files is about double that 88Mb meaning the dictionary plus the bytecode cache is 132Mb.

To handle the bother of postMessage communication and web workers this was the first app in which I used my promise MessagePort project which I'll discuss more in the future.

This is the first app in which I used the Microsoft Ad SDK. It was difficult to find the install for the SDK and difficult to use their website, but once setup, the Ad SDK was easy to import into VS and easy to use in my app.

PermalinkCommentsdevelopment technical windows windows-store words-with-hints

Stripe CTF - Level 7

2012 Sep 13, 5:00

Level 7 of the Stripe CTF involved running a length extension attack on the level 7 server's custom crypto code.

Code

@app.route('/logs/')
@require_authentication
def logs(id):
rows = get_logs(id)
return render_template('logs.html', logs=rows)

...

def verify_signature(user_id, sig, raw_params):
# get secret token for user_id
try:
row = g.db.select_one('users', {'id': user_id})
except db.NotFound:
raise BadSignature('no such user_id')
secret = str(row['secret'])

h = hashlib.sha1()
h.update(secret + raw_params)
print 'computed signature', h.hexdigest(), 'for body', repr(raw_params)
if h.hexdigest() != sig:
raise BadSignature('signature does not match')
return True

Issue

The level 7 web app is a web API in which clients submit signed RESTful requests and some actions are restricted to particular clients. The goal is to view the response to one of the restricted actions. The first issue is that there is a logs path to display the previous requests for a user and although the logs path requires the client to be authenticatd, it doesn't restrict the logs you view to be for the user for which you are authenticated. So you can manually change the number in the '/logs/[#]' to '/logs/1' to view the logs for the user ID 1 who can make restricted requests. The level 7 web app can be exploited with replay attacks but you won't find in the logs any of the restricted requests we need to run for our goal. And we can't just modify the requests because they are signed.

However they are signed using their own custom signing code which can be exploited by a length extension attack. All Merkle–Damgård hash algorithms (which includes MD5, and SHA) have the property that if you hash data of the form (secret + data) where data is known and the length but not content of secret is known you can construct the hash for a new message (secret + data + padding + newdata) where newdata is whatever you like and padding is determined using newdata, data, and the length of secret. You can find a sha-padding.py script on VNSecurity blog that will tell you the new hash and padding per the above. With that I produced my new restricted request based on another user's previous request. The original request was the following.

count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
The new request with padding and my new content was the following.
count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo%80%02%28&waffle=liege|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
My new data in the new request is able to overwrite the waffle parameter because their parser fills in a map without checking if the parameter existed previously.

Notes

Code review red flags included custom crypto looking code. However I am not a crypto expert and it was difficult for me to find the solution to this level.

PermalinkCommentshash internet length-extension security sha1 stripe-ctf technical web

A New Species Discovered ... On Flickr (npr.org)

2012 Aug 11, 9:17

Winterton, a senior entomologist at the California Department of Food and Agriculture, has seen a lot of bugs. But he hadn’t seen this species before.

There’s no off switch when you’re the senior entomologist. If you’re browsing the web you find your way to Flickr photos of insects or start correcting Wikipedia articles on insects.

PermalinkCommentsflickr insect science photos

Reddit explains Obamacare

2012 Jul 1, 5:16

PPACA (aka Obamacare) broken down into its main subsections with brief explinations and citations linking into the actual PPACA document (why is it always PDF?).

Its interesting to see the very small number of parts folks are complaining about versus the rest which mostly strikes me as “how could this not already be the case?”

I’m no expert, and everything I posted here I attribute mostly to Wikipedia or the actual bill itself, with an occasional Google search to clarify stuff. I am absolutely not a difinitive source or expert. I was just trying to simplify things as best I can without dumbing them down. I’m glad that many of you found this helpful.”

PermalinkCommentshealth-care politics PPACA obama obamacare law legal

HTTP Compression Documentation Reference

2012 Jun 13, 3:08
There's a lot of name reuse in HTTP compression so I've made the following to help myself keep it straight.
HTTP Content Coding Token gzip deflate compress
An encoding format produced by the file compression program "gzip" (GNU zip) The "zlib" format as described in RFC 1950. The encoding format produced by the common UNIX file compression program "compress".
Data Format GZIP file format ZLIB Compressed Data Format The compress program's file format
Compression Method Deflate compression method LZW
Deflate consists of LZ77 and Huffman coding

Compress doesn't seem to be supported by popular current browsers, possibly due to its past with patents.

Deflate isn't done correctly all the time. Some servers would send the deflate data format instead of the zlib data format and at least some versions of Internet Explorer expect deflate data format instead of zlib data format.

PermalinkCommentscompress compression deflate gzip http http-header technical zlib

Slash (punctuation) - Wikipedia, the free encyclopedia

2012 May 8, 5:36

Wikipedia’s alternate names for the slash include stroke, solidus, and separatrix.

PermalinkCommentshumor wikipedia typography slash

Timeline of the far future (wikipedia.org)

2012 May 6, 3:01

Answers those questions like “When will the Sun boil away the Earth’s oceans?” and “When will the Sun burn out?”, but brings up new questions like which supercontinent configuration will win? I’m hoping for Pangea Ultima as it has the best name.

PermalinkCommentshistory future astronomy sun earth universe

Prime HTTP Status Codes

2012 Feb 22, 4:00
These are the prime HTTP status codes:
PermalinkCommentshttp prime technical useless

The 'Undue Weight' of Truth on Wikipedia (chronicle.com)

2012 Feb 15, 5:13

Interesting article on an expert attempting to modify an article on Wikipedia.  Sounds like an issue when presented in this fashion, but looking at it from Wikipedia’s perspective, I don’t know how they could do better.

PermalinkCommentstruth wikipedia internet

Herpderpedia, A Collection of Tweets by People Freaking Out About Wikipedia’s SOPA & PIPA Blackout

2012 Jan 18, 4:28PermalinkCommentshumor sopa pipa wikipedia law legal

Notabilia – Visualizing Deletion Discussions on Wikipedia

2011 Jan 10, 9:41PermalinkCommentswikipedia visualization infographics design analysis humor

Ratatat Rocks

2010 Dec 28, 10:42
I just found out that I like the group Ratatat. I'd first heard them way back when the Zune was first released as the backing for Los Corazones on the zune-arts.net website.




But I didn't know who they were until today when I watched this Filmography 2010 video (via Kottke)



Until about 1:16 in, the music is Ratatat's Nostrand. On the first viewing it drove me crazy because I could only vaguely recall hearing something like that music before. I tracked it down via the zune-arts thing above and eventually found my way to the Nostrand video. Funny, all the recent comments on that one are from people who also just watched the Filmography video.
PermalinkComments

Berners Street Hoax - Wikipedia, the free encyclopedia

2010 Dec 6, 12:17Ye olde DoS: "The Berners Street Hoax was perpetrated by Theodore Hook in the City of Westminster, London, in 1809. Hook had made a bet with his friend, Samuel Beazley, that he could transform any house in London into the most talked-about address in a week, which he achieved by sending out thousands of letters in the name of Mrs Tottenham, who lived at 54 Berners Street, requesting deliveries, visitors, and assistance."PermalinkCommentshumor history prank

Peer-to-peer tech now powers Wikipedia's videos

2010 Sep 27, 3:15This is awesome and similar to something I got a cube for. Wikipedia runs its videos through a service that sets up torrents for arbitrary URLs. So awesome! Now if only this were built into the user agent rather than requiring hardcoding the sites to use it...PermalinkCommentstechnical p2p wikipedia network networking torrent web

Comparison of JavaScript frameworks - Wikipedia, the free encyclopedia

2010 Apr 27, 3:30PermalinkCommentsajax javascript reference web browser script technical jquery gwt

The Hitchhiker's Guide to the Galaxy (film) - Wikipedia, the free encyclopedia

2010 Mar 12, 11:11"All of the sculpted noses on the planet Viltvodle VI were fashioned after Douglas Adams' own. The creators used a 3D model he had created for the game Starship Titanic." The noses mentioned in the previous sentence were depicted in the movie in a church. The religion of this church maintains that the universe was created by their god sneezing out the universe and so they have statues of their god's nose throughout the church. Of course this is intended to seem absurd, however based on the previous sentence -- that the nose belonged to Douglas Adams -- then they really were worshping the nose of their creator.PermalinkCommentsdouglas-adams book hhgttg movie religion nose

UVB-76 - Wikipedia, the free encyclopedia

2010 Jan 18, 3:24"UVB-76 is the callsign of a shortwave radio station that usually broadcasts on the frequency 4625 kHz (AM full carrier). It's known among radio listeners by the nickname The Buzzer. It features a short, monotonous buzz tone (help·info), repeating at a rate of approximately 25 tones per minute, for 24 hours per day. The station has been observed since around 1982.[1] In rare occasions, the buzzer signal is interrupted and a voice transmission in Russian takes place. Only four such events have been noted. There is much speculation; however, the actual purpose of this station remains unknown." Inspiration for Lost?PermalinkCommentsradio russia mystery

WPAD Server Fiddler Extension

2010 Jan 5, 7:42

I've made a WPAD server Fiddler extension and in a fit of creativity I've named it: WPAD Server Fiddler Extension.

Of course you know about Fiddler, Eric's awesome HTTP debugger tool, the HTTP proxy that lets you inspect, visualize and modify the HTTP traffic that flows through it. And on the subject you've probably definitely heard of WPAD, the Web Proxy Auto Discovery protocol that allows web browsers like IE to use DHCP or DNS to automatically discover HTTP proxies on their network. While working on a particularly nasty WPAD bug towards the end of IE8 I really wished I had a way to see the WPAD requests and responses and modify PAC responses in Fiddler. Well the wishes of me of the past are now fulfilled by present day me as this Fiddler extension will respond to WPAD DHCP requests telling those clients (by default) that Fiddler is their proxy.

When I started working on this project I didn't really understand how DHCP worked especially with respect to WPAD. I won't bore you with my misconceptions: it works by having your one DHCP server on your network respond to regular DHCP requests as well as WPAD DHCP requests. And Windows I've found runs a DHCP client service (you can start/stop it via Start|Run|'services.msc', scroll to DHCP Client or via the command line with "net start/stop 'DHCP Client'") that caches DHCP server responses making it just slightly more difficult to test and debug my extension. If a Windows app uses the DHCP client APIs to ask for the WPAD option, this service will send out a DHCP request and take the first DHCP server response it gets. That means that if you're on a network with a DHCP server, my extension will be racing to respond to the client. If the DHCP server wins then the client ignores the WPAD response from my extension.

Various documents and tools I found useful while working on this:

PermalinkCommentsproxy fiddler http technical debug wpad pac tool dhcp

Best of Wikipedia

2009 Jul 27, 5:29"A twice-daily updated collection of some of the best reading on Wikipedia."PermalinkCommentswiki wikipedia daily reference blog via:ethan_t_hein
Older Entries Creative Commons License Some rights reserved.