att page 15 - Dave's Blog

Search
My timeline on Mastodon

Schneier on Security: Reverse-Engineering Exploits from Patches

2008 Apr 23, 4:35Something I've had to take into consideration in the past: "Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds."PermalinkCommentssecurity paper reverse-engineer

Rattlesnake Sign

2008 Apr 21, 6:02

sequelguy posted a photo:

Rattlesnake Sign

PermalinkCommentscalifornia wedding sign rattlesnake saulcierawedding

URI Fragment Info Roundup

2008 Apr 21, 11:53

['Neverending story' by Alexandre Duret-Lutz. A framed photo of books with the droste effect applied. Licensed under creative commons.]Information about URI Fragments, the portion of URIs that follow the '#' at the end and that are used to navigate within a document, is scattered throughout various documents which I usually have to hunt down. Instead I'll link to them all here.

Definitions. Fragments are defined in the URI RFC which states that they're used to identify a secondary resource that is related to the primary resource identified by the URI as a subset of the primary, a view of the primary, or some other resource described by the primary. The interpretation of a fragment is based on the mime type of the primary resource. Tim Berners-Lee notes that determining fragment meaning from mime type is a problem because a single URI may contain a single fragment, however over HTTP a single URI can result in the same logical resource represented in different mime types. So there's one fragment but multiple mime types and so multiple interpretations of the one fragment. The URI RFC says that if an author has a single resource available in multiple mime types then the author must ensure that the various representations of a single resource must all resolve fragments to the same logical secondary resource. Depending on which mime types you're dealing with this is either not easy or not possible.

HTTP. In HTTP when URIs are used, the fragment is not included. The General Syntax section of the HTTP standard says it uses the definitions of 'URI-reference' (which includes the fragment), 'absoluteURI', and 'relativeURI' (which don't include the fragment) from the URI RFC. However, the 'URI-reference' term doesn't actually appear in the BNF for the protocol. Accordingly the headers like 'Request-URI', 'Content-Location', 'Location', and 'Referer' which include URIs are defined with 'absoluteURI' or 'relativeURI' and don't include the fragment. This is in keeping with the original fragment definition which says that the fragment is used as a view of the original resource and consequently only needed for resolution on the client. Additionally, the URI RFC explicitly notes that not including the fragment is a privacy feature such that page authors won't be able to stop clients from viewing whatever fragments the client chooses. This seems like an odd claim given that if the author wanted to selectively restrict access to portions of documents there are other options for them like breaking out the parts of a single resource to which the author wishes to restrict access into separate resources.

HTML. In HTML, the HTML mime type RFC defines HTML's fragment use which consists of fragments referring to elements with a corresponding 'id' attribute or one of a particular set of elements with a corresponding 'name' attribute. The HTML spec discusses fragment use additionally noting that the names and ids must be unique in the document and that they must consist of only US-ASCII characters. The ID and NAME attributes are further restricted in section 6 to only consist of alphanumerics, the hyphen, period, colon, and underscore. This is a subset of the characters allowed in the URI fragment so no encoding is discussed since technically its not needed. However, practically speaking, browsers like FireFox and Internet Explorer allow for names and ids containing characters outside of the defined set including characters that must be percent-encoded to appear in a URI fragment. The interpretation of percent-encoded characters in fragments for HTML documents is not consistent across browsers (or in some cases within the same browser) especially for the percent-encoded percent.

Text. Text/plain recently got a fragment definition that allows fragments to refer to particular lines or characters within a text document. The scheme no longer includes regular expressions, which disappointed me at first, but in retrospect is probably good idea for increasing the adoption of this fragment scheme and for avoiding the potential for ubiquitous DoS via regex. One of the authors also notes this on his blog. I look forward to the day when this scheme is widely implemented.

XML. XML has the XPointer framework to define its fragment structure as noted by the XML mime type definition. XPointer consists of a general scheme that contains subschemes that identify a subset of an XML document. Its too bad such a thing wasn't adopted for URI fragments in general to solve the problem of a single resource with multiple mime type representations. I wrote more about XPointer when I worked on hacking XPointer into IE.

SVG and MPEG. Through the Media Fragments Working Group I found a couple more fragment scheme definitions. SVG's fragment scheme is defined in the SVG documentation and looks similar to XML's. MPEG has one defined but I could only find it as an ISO document "Text of ISO/IEC FCD 21000-17 MPEG-12 FID" and not as an RFC which is a little disturbing.

AJAX. AJAX websites have used fragments as an escape hatch for two issues that I've seen. The first is getting a unique URL for versions of a page that are produced on the client by script. The fragment may be changed by script without forcing the page to reload. This goes outside the rules of the standards by using HTML fragments in a fashion not called out by the HTML spec. but it does seem to be inline with the spirit of the fragment in that it is a subview of the original resource and interpretted client side. The other hack-ier use of the fragment in AJAX is for cross domain communication. The basic idea is that different frames or windows may not communicate in normal fashions if they have different domains but they can view each other's URLs and accordingly can change their own fragments in order to send a message out to those who know where to look. IMO this is not inline with the spirit of the fragment but is rather a cool hack.

PermalinkCommentsxml text ajax technical url boring uri fragment rfc

Warm Weekend

2008 Apr 14, 10:22

Cafe Pirouette ExteriorIt was warm and lovely out this past Saturday and Sarah I and went to a new place for lunch, then to Kelsey Creek Park, and then out for Jane's birthday. We ate at Cafe Pirouette which serves crepes and is done up with French decorations reminding me of my parent's house. We got in for just the end of lunch and saw the second to last customers, a gaggle of older ladies leaving. I felt a little out of place with my "Longhorn [heart] RSS" t-shirt on. The food was good and in larger portions that I expected.

Kelsey Creek FarmAfter that we went to Kelsey Creek Park and Farm. The park is hidden at the end of a quiet neighborhood, starts out with some tables and children's jungle gym equipment, then there's a farm which includes a petting zoo, followed by many little trails going off into the forrest. There weren't too many animals out and the ones we did see didn't seem to expect or want the sun and warm weather. We followed one of the trails for a bit and turned back before getting sun burned. You can see my weekend photos mapped out on Live Maps.

That night we went out with some friends for Jane's birthday. Eric was just back from the RSA conference and we met Jane and Eric and others at Palace Kitchen in Seattle located immediately adjascent to the monorail's route. The weather was still good so they left the large windows open through twilight and every so often you'd see the monorail pass by.

PermalinkCommentswashington bellevue weekend nontechnical

ImpossibleFunky Productions: "I Will Kill George Lucas With A Shovel"

2008 Apr 10, 6:32"[Patton Oswalt's] comedy album, Werewolves and Lollipops is pretty friggin' brilliant, especially the track here -- "At Midnight I Will Kill George Lucas With A Shovel""PermalinkCommentspatton-oswalt humor starwars audio mp3

A List Apart: Articles: Accessible Data Visualization with Web Standards

2008 Apr 9, 8:26"I'm going to cover three basic techniques for incorporating some simple data visualization into standards-based navigation patterns."PermalinkCommentscss web visualization chart html via:swannman

Matt Mason on The Pirate's Dilemma - Google Video

2008 Apr 9, 12:51"Matt Mason's keynote on The Pirate's Dilemma, his book on how to compete with piracy... Mason discusses why piracy can be an opportunity as well as a threat, how pirates innovate outside of the marketplace and how legitimate businesses can respond."PermalinkCommentsvideo via:boingboing matt-mason piracy economics the-pirates-dilemma

Mail a brick to junk mailers using paid postage - Creative tips with dealing with spammers and bulk mailers

2008 Apr 7, 1:50Attach spam's pre-paid postage to objects and mail them back. FTA: "Dear Bulk Mailer, Please find attached to your no-postage-necessary envelope, this brick."PermalinkCommentshumor box junk mail prank spam howto

A complete break of the KeeLoq access control system

2008 Apr 4, 9:48I wonder if my car uses KeeLoq: "Hence, using the methods described by us, an attacker can clone a remote control from a distance and gain access to a target that is protected by the claimed to be "highly secure" KeeLoq algorithm."PermalinkCommentscryptography rfid security keeloq via:schneier car

YouTube - Seattle Pillow Fight 2008 in Pike Place Market

2008 Apr 2, 6:29A pillow fight in Pike Place Market. "A group of web-connected friends converge at a specified location in the city and at a designated time produce previously concealed pillows and begin an awesome fight."PermalinkCommentsflash-mob seattle washington pike-place-market pillow pillow-fight youtube video humor social via:swannman

NFT - Not For Tourists - Seattle - City Guidebooks, Maps, Urban Neighborhoods, Travel

2008 Mar 31, 2:31Social local's guide to various areas including Seattle.PermalinkCommentsvia:swannman guide seattle food social

Algorithmic Complexity Attacks

2008 Mar 28, 10:35Scott A Crosby and Dan S Wallach "present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications' data structures." DoS via worst case behavior in hash tables and exponential time RegExp'sPermalinkCommentsscott-crosby dan-wallach dos programming regex research security hash

Dinner with Goodwins at Icon Grill

2008 Mar 27, 9:33

The Goodwin family, except for Michelle who is taking a class trip to Washington DC and New York, was in Seattle this week. Sarah and I met up with them for dinner last night at the Icon Grill. I enjoy the Icon Grill in general and last night was no exception especially having dinner with the Goodwins which was a lot of fun. It was particularly cold and at one point snowed. The Goodwin's are seeing all the classic tourist attractions in Seattle some of which are depicted in the following 1962 Seattle's Worlds Fair postcard. The postcard is featured on Paleo-Future and unsurprisingly the 1962 Worlds Fair favored Seattle's Space Needle and monorail.

[Icon Grill front. Licensed under under Creative Commons. By Troy B Thompson][Seattle's Worlds Fair Postcard]

PermalinkCommentsicon grill life washington goodwins sarah seattle nontechnical

ThinkGeek Bluetooth Retro Handset Review

2008 Mar 23, 1:25

I ordered a ThinkGeek Bluetooth Retro Handset to use at home. When I come home I plug my phone in to charge in my room, but then I can't hear it ring elsewhere in the hosue. The idea was to take this handset which wirelessly connects to cellphones via bluetooth and place it in another part of the house so that I can tell I'm getting an incoming call. The only issue I have with that setup is that it ringing isn't any louder than conversations held over the phone, that is, the ringing is a little quiet.

The handset pairs with cellphones in the same manner as any other handset over bluetooth. It has an internal rechargeable battery which is charged via a standard USB port built into the base of the handset and it comes with a USB cable. Next to the USB port is the only button on the phone which is pressed to answer a call, hang up a call, or begin voice dial, held down to turn the handset on and off, and held down longer to begin pairing with a cellphone. There's a blue LED in one of the holes in the microphone portion of the phone which blinks to indicate if its on or trying to pair. Transitioning between on, off, and pairing produces a cute sound and a change to the LED.

Overal I'm pleased with its simplicity and use of common parts although I wish there was a way to adjust the volume of the ring.

PermalinkCommentsthinkgeek bluetooth cellphone phone product handset

Kids In the Hall tickets WaMu Theater Seattle, WA, Directions, seating chart. Official Ticketmaster site.

2008 Mar 21, 11:58Kids in the Hall are coming to Seattle!PermalinkCommentskith seattle humor ticket live

Matt Ball on Technology: Is 91 Prime?

2008 Mar 12, 1:57How to test if an integer is divisible by 2, 5, 3, 7, or 11. I knew about testing for divisibility by 3 but not why it worked.PermalinkCommentsblog math article prime

HTTP headers and non-asci characters (Content-Disposition, filename, attachment) Article

2008 Mar 8, 11:43"I was not able to find universal settings to do this task, but it looks like Mozilla based browsers accepts utf-8 encoded headers and headers Encoded Word Extensions from RFC 2231. Internet explorer accepts utf-8 filenames only when 1. the data are URL ePermalinkCommentshttp http-header charset ascii utf8 mozilla ie browser content-disposition

Juanita Beach Visit and Map

2008 Mar 7, 3:26

Don't Feed the Ducks SignTwo weekends ago it was actually sunny and kind of warm so Sarah and I went down to Spud Fish and Chips and Juanita Beach Park. We ate fish and chips on the dock. I took a few pictures and this time actually put some geographical information on Flickr so now I've got a map of my tiny fish and chips journey. On the map click on the floating marks to view the associated photos.

Flickr provides access to the geo data associated with your photos via GeoRSS feeds. And Google Maps displays GeoRSS feed content on their maps allowing you even to edit the data but doesn't appear to let you easily export the GeoRSS. Live Maps does the inverse, allowing you to create and export GeoRSS data but not import it. I'd like both please. Oh well.

PermalinkCommentsmap photo personal fish-and-chips juanita-beach

MSIE facilitates Cross Site Scripting [splitbrain.org]

2008 Mar 6, 2:22Using IE's mimetype sniffing for XSS attacks.PermalinkCommentsmime http sniffing sniff security browser ie ie7 pdf

The music of Lee Maddeford - Creative Commons

2008 Mar 5, 2:30Creative Commons website talks about Lee Maddeford who released his music under CC Attribution-NonCommercial license. "There's a huge variety of quality music (well over 10 hours of recordings) to enjoy, crossing several genres and many projects led byPermalinkCommentslee-maddeford music cc copyright
Older EntriesNewer Entries Creative Commons License Some rights reserved.