edge page 2 - Dave's Blog

Search

Web Security Contest - Stripe CTF

2012 Aug 27, 4:18

Stripe is running a web security capture the flag - a series of increasingly difficult web security exploit challenges. I've finished it and had a lot of fun. Working on a web browser I knew the theory of these various web based attacks, but this was my first chance to put theory into practice with:

  • No adverse consequences
  • Knowledge that there is a fun security exploit to find
  • Access to the server side source code

Here's a blog post on the CTF behind the scenes setup which has many impressive features including phantom users that can be XSS/CSRF'ed.

I'll have another post on my difficulties and answers for the CTF levels after the contest is over on Wed, but if you're looking for hints, try out the CTF chatroom or the level specific CTF chatroom.

PermalinkCommentscontest security technical

(via Pareidoloop) “Phil McCarthy’s Pareidoloop...

2012 Aug 6, 4:11


(via Pareidoloop)

“Phil McCarthy’s Pareidoloop overlays randomly generated polygons on top of one another until facial recognition software recognizes a human face. Can’t sleep, at SIGGRAPH! [via @Brandonn]”

PermalinkCommentstechnical images facial-recognition siggraph

Crowdsource These Projects

2012 May 22, 3:00

I keep seeing crowdsource projects with big names that I actually want to back:

PermalinkCommentsvideo-game music crowdsource

URI Percent Encoding Ignorance Level 2 - There is no Unencoded URI

2012 Feb 20, 4:00

As a professional URI aficionado I deal with various levels of ignorance on URI percent-encoding (aka URI encoding, or URL escaping).

Getting into the more subtle levels of URI percent-encoding ignorance, folks try to apply their knowledge of percent-encoding to URIs as a whole producing the concepts escaped URIs and unescaped URIs. However there are no such things - URIs themselves aren't percent-encoded or decoded but rather contain characters that are percent-encoded or decoded. Applying percent-encoding or decoding to a URI as a whole produces a new and non-equivalent URI.

Instead of lingering on the incorrect concepts we'll just cover the correct ones: there's raw unencoded data, non-normal form URIs and normal form URIs. For example:

  1. http://example.com/%74%68%65%3F%70%61%74%68?query
  2. http://example.com/the%3Fpath?query
  3. "http", "example.com", "the?path", "query"

In the above (A) is not an 'encoded URI' but rather a non-normal form URI. The characters of 'the' and 'path' are percent-encoded but as unreserved characters specific in the RFC should not be encoded. In the normal form of the URI (B) the characters are decoded. But (B) is not a 'decoded URI' -- it still has an encoded '?' in it because that's a reserved character which by the RFC holds different meaning when appearing decoded versus encoded. Specifically in this case, it appears encoded which means it is data -- a literal '?' that appears as part of the path segment. This is as opposed to the decoded '?' that appears in the URI which is not part of the path but rather the delimiter to the query.

Usually when developers talk about decoding the URI what they really want is the raw data from the URI. The raw decoded data is (C) above. The only thing to note beyond what's covered already is that to obtain the decoded data one must parse the URI before percent decoding all percent-encoded octets.

Of course the exception here is when a URI is the raw data. In this case you must percent-encode the URI to have it appear in another URI. More on percent-encoding while constructing URIs later.

PermalinkCommentsurl encoding uri technical percent-encoding

Indicating Character Encoding and Language for HTTP Header Field Parameters

2011 Nov 24, 7:45

From the document: ‘Appendix B. Implementation Report: The encoding defined in this document currently is used for two different HTTP header fields: “Content-Disposition”, defined in [RFC6266], and “Link”, defined in [RFC5988]. As the encoding is a profile/clarification of the one defined in [RFC2231] in 1997, many user agents already supported it for use in “Content-Disposition” when [RFC5987] got published.

Since the publication of [RFC5987], two more popular desktop user agents have added support for this encoding; see http://purl.org/
   NET/http/content-disposition-tests#encoding-2231-char for details. At this time, only one major desktop user agent (Safari) does not support it.

Note that the implementation in Internet Explorer 9 does not support the ISO-8859-1 encoding; this document revision acknowledges that UTF-8 is sufficient for expressing all code points, and removes the requirement to support ISO-8859-1.’

Yay for UTF-8!

PermalinkCommentstechnical http http-headers ie9 internationalization utf-8 encoding

My favourite comment ever posted on Reddit

2011 Oct 26, 8:04
"Knowledge is Power; France is bacon"
PermalinkCommentstechnical

JavaScript Garden

2011 Mar 14, 1:33A great intro to the details of JavaScript for developers familiar with other languages but only a passing knowledge of JavaScript.PermalinkCommentsjavascript tutorial programming reference technical

It's Official: Duke Nukem Forever Coming From Gearbox In 2011

2010 Sep 4, 7:55"Given Duke Nukem Forever's epic development—it was first announced in 1997 as a sequel to Duke Nukem 3D—it might be wise to hedge on the later of those two release windows."PermalinkCommentsduke-nukem game video videogame

Gimme Indie Game: the one button action film of AdamAtomic's Canabalt | Offworld

2009 Sep 2, 4:36"Consider it, maybe, the souped-up Tiger/Game & Watch LCD version of Mirror's Edge, then: you have one goal, and one button, and the goal is to run, and the button is jump, and the game comes from simply maintaining breakneck momentum as you leap from rooftop to randomly generated rooftop."PermalinkCommentsgame flash mirrors-edge

Timefire: On Reducing the Size of Compressed Javascript (by up to 20%)

2009 Sep 1, 4:39"...what effect does the large-scale structure of the JS output code have on the DEFLATE algorithm of GZIP which is used to serve up compressed script?" Another instance of using knowledge of the specific file type to get gains in compression. Is there a web proxy running all this at which I can point my phone?PermalinkCommentsvia:kris.kowal performance javascript gzip deflate compression web technical

Apple Admits British Man Invented iPod in 1979, Uses Him to Win Patent Lawsuit - Apple - Gizmodo

2009 Jul 16, 3:28"I was up a ladder painting when I got the call from a lady with an American accent from Apple saying she was the head of legal affairs and that they wanted to acknowledge the work that I had done"
PermalinkCommentshumor history music apple legal patent ipod ip

Infrared Paint Link Roundup

2009 May 29, 2:50

I like the idea of QR codes, encoding URLs and placing them on real world objects, but the QR codes themselves are kind of ugly. To make them less obvious I thought I could spray QR codes on to an object with an infrared reflective paint and shine infrared light on the QR codes, since most cameras, for instance the camera in my G1 phone, pick up infrared that our eyes do not.

In my search for infrared paint I've found a seller of IR ink (via programming forum) and an Infrared Paint Recipe (via IR FAQ).

In looking for this paint I've found that it comes up a lot in relation to the military for things like paint markers that are visible at night with proper equipment, and paint that absorbs IR light to make vehicles less obvious to night vision goggles. Even though the first reflects infrared light and the second absorbs it websites end up refering to both as infrared paint which made it difficult to search.

Additionally I found links to some other geeky infrared projects:

PermalinkCommentsir paint technical ir infrared qr qr code

What San Francisco/Silicon Valley can learn from the Twittering company: Zappos - Scobleizer: bleeding edge technology talk

2009 May 13, 11:21Lots of interesting notes on the company culture of Zappos. "Yesterday I was lucky enough to visit Zappos and get a tour and talk with some of their executives, including Tony Hsieh, CEO."PermalinkCommentstwitter marketing business culture zappos shoes ecommerce

Netflix CSRF - Stolen Thoughts

2009 May 3, 10:36

Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would prevent a CSRF. Sure enough its pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts stolen from me and the theif doesn't even have the common decency to let me have the thought first!

With this issue known for nearly three years its hard to continue calling it an issue. Really they should just document it in their API docs and be done with it. Who knows what Netflix based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.

PermalinkCommentstechnical stolen-thoughts csrf netflix security

Time Travel Essentials - TopatoCo: We Sell T-shirts by the e-Shore

2009 Apr 15, 7:42"If you're like us, you live in constant fear of slipping into a wormhole and getting spit out in the 13th century, and the only real useful knowledge you have for your ignorant ancestors is 'watch out for that Hitler guy' and 'some of the Popes are evil.'" Its like they're inside my head! Love this shirt and poster telling you everything you need to know in case you accidentally fall back in time.PermalinkCommentstime-travel time shirt poster wishlist gift awesome

Platonic Ideals in Anathem and The Atrocity Archives

2009 Apr 7, 11:58
The Atrocity ArchivesThe Jennifer MorgueAnathem

This past week I finished Anathem and despite the intimidating physical size of the book (difficult to take and read on the bus) I became very engrossed and was able to finish it in several orders of magnitude less time than what I spent on the Baroque Cycle. Whereas reading the Baroque Cycle you can imagine Neal Stephenson sifting through giant economic tomes (or at least that's where my mind went whenever the characters began to explain macro-economics to one another), in Anathem you can see Neal Stephenson staying up late pouring over philosophy of mathematics. When not exploring philosophy, Anathem has an appropriate amount of humor, love interests, nuclear bombs, etc. as you might hope from reading Snow Crash or Diamond Age. I thoroughly enjoyed Anathem.

On the topic of made up words: I get made up words for made up things, but there's already a name for cell-phone in English: its "cell-phone". The narrator notes that the book has been translated into English so I guess I'll blame the fictional translator. Anyway, I wasn't bothered by the made up words nearly as much as some folk. Its a good thing I'm long out of college because I can easily imagine confusing the names of actual concepts and people with those from the book, like Hemn space for Hamming distance. Towards the beginning, the description of slines and the post-post-apocalyptic setting reminded me briefly of Idiocracy.

Recently, I've been reading everything of Charles Stross that I can, including about a month ago, The Jennifer Morgue from the surprisingly awesome amalgamation genre of spy thriller and Lovecraft horror. Its the second in a series set in a universe in which magic exists as a form of mathematics and follows Bob Howard programmer/hacker, cube dweller, and begrudging spy who works for a government agency tasked to suppress this knowledge and protect the world from its use. For a taste, try a short story from the series that's freely available on Tor's website, Down on the Farm.

Coincidentally, both Anathem and the Bob Howard series take an interest in the world of Platonic ideals. In the case of Anathem (without spoiling anything) the universe of Platonic ideals, under a different name of course, is debated by the characters to be either just a concept or an actual separate universe and later becomes the underpinning of major events in the book. In the Bob Howard series, magic is applied mathematics that through particular proofs or computations awakens/disturbs/provokes unnamed horrors in the universe of Platonic ideals to produce some desired effect in Bob's universe.

PermalinkCommentsatrocity archives neal stephenson jennifer morgue plato bob howard anathem

Twitter switch for Guardian, after 188 years of ink | Media | The Guardian

2009 Apr 1, 9:20"Consolidating its position at the cutting edge of new media technology, the Guardian today announces that it will become the first newspaper in the world to be published exclusively via Twitter"PermalinkCommentshumor news twitter journalism newspaper

FormToAccelerator Internet Explorer Extension

2009 Mar 12, 2:17

I've made an extension for Internet Explorer 8, FormToAccelerator which turns HTML forms on a web page into either an accelerator or a search provider. In the design of the accelerators format we intentionally had HTML forms in mind so that it would be easy to create accelerators for existing web services. Consequently, creating an accelerator from an HTML form is a natural concept and an extension I've been meaning to finish for many months now.

This is similar in concept to the Opera feature that lets you add a form as a search provider. The user experience is very rough and requires some knowledge of accelerator variables. If I can come up with a better interaction model I may update this in the future, but at the moment all the designs I can come up with require way too much effort. Install IE8 RC1 and then try out FormToAccelerator.

PermalinkCommentsactivity html accelerator ie8 internet-explorer activities formtoaccelerator extension

Language Log - Nerdview

2008 Oct 23, 10:34Geoffrey K. Pullum of Language Log defines 'nerdview': "It is a simple problem that afflicts us all: people with any kind of technical knowledge of a domain tend to get hopelessly (and unwittingly) stuck in a frame of reference that relates to their view of the issue, and their trade's technical parlance, not that of the ordinary humans with whom they so signally fail to engage... The phenomenon - we could call it nerdview - is widespread." Woo, go year-month-day, go!PermalinkCommentsnerdview language date programming nerd writing

Neatorama - Blog Archive - Pet Your Chicken Through the Internet!

2008 Sep 3, 6:15"National University of Singapore's Mixed Reality Lab is fast becoming my favorite in cutting edge (and a little wacky - okay, a lot) research. Take, for instance, this project titled Poultry Internet, where a chicken is outfitted with a special dress that lets its owner pet it over the Internet." Johnny Cat writes: "Kudos to Gonzo for inventing this." I can't get to the actual site with the info on the project but it is available on the Wayback Machine.PermalinkCommentschicken humor internet virtual-reality mixed-reality
Older EntriesNewer Entries Creative Commons License Some rights reserved.