A bogus SoundCloud takedown anecdote and a brief history of and issues with US copyright law.
Another reminder that the rest of the Western world has a public domain day every year in which new IP enters the public domain
Various folks on OpenGameArt have converted the now public domain Glitch art assets into SVG and PNG.
When writing a JavaScript library that uses postMessage and the message event, I must be considerate of other JS code that will be
running along side my library. I shouldn't assume I'm the only sender and receiver on a caller provided MessagePort object. This means obviously I should use addEventListener("message" rather than
the onmessage property (see related What if two programs did this?). But considering the actual messages traveling
over the message channel I have the issue of accidentally processing another libraries messages and having another library accidentally process my own message. I have a few options for playing nice
in this regard:In IE10 and other new browsers one may create MessageChannel objects that have two MessagePorts each connected (w3c spec calls it entangled) to one another such that postMessage on one port results in the message event firing on the other. You can pass an array of ports as the last parameter to postMessage and they show up in the ports property of the message event arg.
The postMessage here is like the worker postMessage and unlike the window and iframe postMessage in that it applies no origin checking:
Unfortunately the origin isn't an optional parameter at the end to make the two postMessages have the same signature.
On the event handler side, the event arg always has an origin property. But in the no origin case it is always the empty string.
There is also a source property on the message event arg which if set is an object that has a postMessage property allowing you to post back to your caller. It is set for the origin case, however, in the no origin case this property is null. This is somewhat reasonable because in the case of MessagePort and Workers there are only two endpoints so you always know the source of a message implicitly. Unlike the origin case in which any iframe or window can be calling postMessage on any other iframe or window and the caller is unknown. So not unreasonable but it would be nice if the source property was always set for consistency.
When a MessageChannel is created it has two MessagePorts, but until those ports are started they will queue up any messages they receive. Once started they will dispatch all queued messages. Ports don't have to be started to send messages.
A port may be started in two ways, either by explicitly calling the start method on the port, or by setting the onmessage callback property on the port. However, adding an event listener via addEventListener("message", does not start the port. It works this way in IE and Chrome and the spec states this as well.
The justification is that since you can have only one callback via onmessage that once set you must implicitly be ready to receive messages and its fine to start the port. As opposed to the addEventListener in which case the user agent cannot start implicitly because it doesn't know how many event listeners will be added. I found Hixie stating this justification in geoloc meeting notes.
Number 1 and Benford’s Law - Numberphile (by numberphile)
I’d heard of Benford’s Law before but it sounded totally counter intuitive to me. This video does a good job explaining why one shows up as the leading digit in sets of random numbers that span large ranges.
This is essentially an AV exploit against Super Mario World that results in running the end game code. Watch the video. “…there’s a glitch that’s been known for a while, where Yoshi can end up in the “I have an item in my mouth” state, but not actually have an item in his mouth. When he spits out this nothingness, the game crashes. …That address did not contain code, and so the system crashed. But wait a second. What if, by some sheer coincidence, that address did contain code? The specific address dropped him in somewhere amongst various data for the game’s internal random number generator, and the random number generator can be manipulated in a TAS. Could the game be coerced into running arbitrary code?…”
According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.
The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.
Seized shirt!
For the feds, it’s not enough to simply seize domain names without warning or due process—they want to make sure everyone knows the website operators were breaking the law, even if that has yet to be proven in court. That’s why every domain that gets seized ends up redirecting to one of these dramatic warning pages, replete with the eagle-emblazoned badges of the federal agencies involved.
(via Pareidoloop)
“Phil McCarthy’s Pareidoloop overlays randomly generated polygons on top of one another until facial recognition software recognizes a human face. Can’t sleep, at SIGGRAPH! [via @Brandonn]”
Chaos Monkey randomly kills your Amazon Web Service VMs increasing the failure rate forcing your web service to deal with it.
During formalization of the WebFinger protocol [I-D.jones-appsawg-webfinger], much discussion occurred regarding the appropriate URI scheme to include when specifying a user’s account as a web link [RFC5988].
…
acctURI = “acct:” userpart “@” domainpart
Use of my old Hotmail account has really snuck up on me as I end up caring more and more about all of the services with which it is associated. The last straw is Windows 8 login, but previous straws include Xbox, Zune, SkyDrive, and my Windows 7 Phone. I like the features and sync'ing associated with the Windows Live ID, but I don't like my old, spam filled, hotmail email address on the Live ID account.
A coworker told me about creating a Live ID from a custom domain, which sounded like just the ticket for me. Following the instructions above I was able to create a new deletethis.net Live ID but the next step of actually using this new Live ID was much more difficult. My first hope was there would be some way to link my new and old Live IDs so as to make them interchangeable. As it turns out there is a way to link Live IDs but all that does is make it easy to switch between accounts on Live Mail, SkyDrive and some other webpages.
Instead one must change over each service or start over depending on the service:
In Win8 you login with a Windows Live account. If you hook up a custom domain to a Live account you can login with that custom domain.
Flickr parses the exif out of images using Web Workers, and Blob (File API)!
On the topic of blobs and createObjectURL. Woo blobs!
Its all quite shocking.
Fourth , when I explained that the blog publisher had received music from the industry itself, a government attorney replied that authorization was an “affirmative defense” that need not be taken into account by the government in carrying out the seizure. That was stunning.
Web apps really make obvious the lack of URI APIs in the DOM or JavaScript. This blog post goes over using DOM API side effects to resolve relative URIs and parse URIs. An additonal benefit of this mechanism is that you avoid security issues caused by mismatched behavior between the browser’s URI parsing and your app’s URI parsing.
A House subcommittee has passed the Global Online Freedom Act (GOFA), which would require disclosure from companies about their human rights practices and limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to countries designated as “Internet-restricting.”
Some rights reserved