store page 2 - Dave's Blog


Percent Clock Windows Store App Development Notes

2013 Jul 11, 1:00

My third completed Windows Store app is Percent Clock, which displays a portion of a time span, like the time of day or the time until your next birthday, as a percentage. This was a small project I had previously started as a webpage and converted and finished as an HTML/JavaScript Windows Store app.

The only somewhat interesting aspect of this app is that it's the first app for which I tried charging. I picked the minimum price, 1.49 USD, as it is a simple app, and unsurprisingly it has sold very poorly. I'm considering releasing new instances of the app for specific scenarios:

  • Death Clock: viewing your current age with respect to your life expectancy as a percentage.
  • New Year Countdown: percentage of the year until New Years.
Tags: development javascript technical windows windows-store

Words with Hints Windows 8 App Development Notes

2013 Jul 4, 1:00

My second completed app for the Windows Store was Words with Hints, a companion to Words with Friends or other Scrabble-like games that gives you *ahem* hints. You provide your tiles and optionally letters placed in a line on the board, and Words with Hints gives you word options.

I wrote this the first time by building a regular expression to check against my dictionary of words, which made for a slow app on the Surface. In a subsequent release of the app I now spawn four web workers (one for each of the Surface's cores), each with its own fourth of my dictionary. Each fourth of the dictionary is a trie, which makes it easy for me to discard whole chunks of possible combinations of Scrabble letters as I walk the tree of possibilities.

The dictionaries are large and take a noticeable amount of time to load on the Surface. The best performing mechanism I found to load them is as JavaScript source files that simply define their portion of the dictionary on the global object, loaded synchronously (only on the worker, so not blocking the UI thread). Putting them into .js files means they take advantage of bytecode caching, making them load faster. However, because the data is mostly strings and not code, there is a dramatic size increase when the app is installed. The total size of the four dictionary .js files is about 44Mb. The bytecode cache for the dictionary files is about double that, 88Mb, meaning the dictionary plus the bytecode cache is 132Mb.

To handle the bother of postMessage communication and web workers, this was the first app in which I used my promise MessagePort project, which I'll discuss more in the future.

This is the first app in which I used the Microsoft Ad SDK. It was difficult to find the install for the SDK and difficult to use their website, but once setup, the Ad SDK was easy to import into VS and easy to use in my app.
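The trie walk described above, as an added example in Python (not the app's JavaScript and not its dictionary): a small constructed word list is loaded into one trie rather than four per-worker tries, and the search walks the tree with a count of the remaining tiles, dropping a branch, and every word beneath it, as soon as the pool has no tile for that letter. The `?` blank tile and the treatment of board letters as extra tiles that every result must use are assumptions of this example, not necessarily the app's rules; the visited-node count is returned so the pruning can be compared with the size of the tree.

```python
from collections import Counter

# Constructed sample dictionary; the real app splits a far larger list four ways.
SAMPLE_WORDS = ["cat", "cats", "car", "cart", "carts", "dog", "dogs",
                "at", "act", "acts", "tac"]


class TrieNode:
    """One letter of the dictionary tree; is_word marks the end of a word."""
    __slots__ = ("children", "is_word")

    def __init__(self):
        self.children = {}
        self.is_word = False


def build_trie(words):
    root = TrieNode()
    for word in words:
        node = root
        for ch in word:
            node = node.children.setdefault(ch, TrieNode())
        node.is_word = True
    return root


def count_nodes(node):
    """Total nodes in the trie, root included, to compare against a walk."""
    return 1 + sum(count_nodes(child) for child in node.children.values())


def words_from_rack(root, rack, board=""):
    """Return (sorted playable words, number of trie nodes visited).

    rack  - the player's tiles; '?' is a blank that stands for any letter.
    board - letters already on the board the word is played through. This
            example models them as extra tiles that every result must use
            (an assumption, not necessarily the app's rule).
    A child is entered only while the pool still holds its letter or a blank,
    so the whole subtree below an unplayable letter is skipped in one step.
    """
    pool = Counter(rack + board)
    required = Counter(board)
    found = set()
    visited = 0

    def walk(node, prefix):
        nonlocal visited
        visited += 1
        if node.is_word and all(prefix.count(ch) >= n for ch, n in required.items()):
            found.add(prefix)
        for ch, child in node.children.items():
            if pool[ch] > 0:
                tile = ch          # spend the real tile first, keep blanks for later
            elif pool["?"] > 0:
                tile = "?"
            else:
                continue           # prune: nothing in the pool can play this letter
            pool[tile] -= 1
            walk(child, prefix + ch)
            pool[tile] += 1

    walk(root, "")
    return sorted(found), visited


if __name__ == "__main__":
    trie = build_trie(SAMPLE_WORDS)
    words, seen = words_from_rack(trie, "acts")
    print("rack acts ->", words, "visited", seen, "of", count_nodes(trie), "nodes")
    print("rack ac? ->", words_from_rack(trie, "ac?")[0])
    print("rack ts through board ca ->", words_from_rack(trie, "ts", board="ca")[0])
```

With the rack `acts` the walk touches 13 of the 20 nodes; the `car`/`cart`/`carts` and `dog`/`dogs` branches are never entered because no `r`, `d` or blank is available, which is exactly the saving over testing every letter combination against a regular expression.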

Tags: development technical windows windows-store words-with-hints

MSVC++ 64bit Enums

2013 Jul 1, 1:00

If you want to represent a value larger than 32 bits in an enum in MSVC++ you can use C++0x-style syntax to tell the compiler exactly what kind of integral type to use to store the enum values. Unfortunately, by default an enum is always 32 bits, and additionally, while you can specify constants larger than 32 bits for the enum values, they are silently truncated to 32 bits.

For instance the following doesn't compile because Lorem::a and Lorem::b have the same value of '1':

enum Lorem {
    a = 0x1,
    b = 0x100000001   // silently truncated to 0x1 in the default 32-bit enum
} val;

switch (val) {
case Lorem::a:
case Lorem::b:        // error: duplicate case value, both are 1
    break;
}

Unfortunately it is not an error to have b's constant truncated, and the previous example without the switch statement compiles just fine:

enum Lorem {
    a = 0x1,
    b = 0x100000001   // compiles, but b == a == 1 at runtime
} val;

But you can explicitly specify that the enum should be represented by a 64-bit value and get the expected compiling behavior with the following:

enum Lorem : UINT64 {   // UINT64 is the Windows SDK typedef; std::uint64_t also works
    a = 0x1,
    b = 0x100000001     // kept intact: the underlying type is 64 bits wide
} val;

switch (val) {
case Lorem::a:
case Lorem::b:          // distinct values now, so this compiles
    break;
}
Tags: 64bit c++ development enum msvc++ technical

Shout Text Windows 8 App Development Notes

2013 Jun 27, 1:00

My first app for Windows 8 was Shout Text. You type into Shout Text, and your text is scaled up as large as possible while still fitting on the screen, as you type. It is the closest thing to a Hello World app as you'll find on the Windows Store that doesn't contain that phrase (by default) and I approached it as the simplest app I could make to learn about Windows modern app development and Windows Store app submission.

I rely on WinJS's default layout and use CSS transforms to scale up the user's text as they type into a simple content editable div.

The app was too simple for me to even consider using ads or charging for it which I learned more about in future apps.

The first interesting issue I ran into was that copying from and then pasting into the content editable div resulted in duplicates of the containing div with copied CSS appearing recursively inside of the content editable div. To fix this I had to catch the paste operation and remove the HTML data from the clipboard to ensure only the plain text data is pasted:

    function onPaste() {
        var text;

        if (window.clipboardData) {
            // Read only the plain-text flavour of the clipboard and write it
            // back normalized, so the HTML flavour (carrying the containing
            // div and its CSS) is not what ends up being pasted.
            text = window.clipboardData.getData("Text").toString();
            window.clipboardData.setData("Text", util.normalizeContentEditableText(text));
        }
    }

    // beforepaste returning false lets the paste handler take over.
    shoutText.addEventListener("beforepaste", function () { return false; }, false);
    shoutText.addEventListener("paste", onPaste, false);

I additionally found an issue in IE in which applying a CSS transform to a content editable div that has focus doesn't move the screen position of the user input caret: the text is scaled up or down but the caret remains the same size and in the same place on the screen. To fix this I made the following hack to reapply the current cursor position and text selection, which resets the screen position of the user input caret.

    function resetCaret() {
        setTimeout(function () {
            // Take a copy of the current selection and reapply it; this makes
            // IE recompute where the caret is drawn after the transform.
            var cursorPos = document.selection.createRange().duplicate();
            cursorPos.select();
        }, 200);
    }

    shoutText.attachEvent("onresize", function () { resetCaret(); }, true);
Tags: development html javascript shout-text technical windows windows-store

Windows Store on Windows 8 Fun For Independent Developers

2013 Jun 24, 1:00
Having worked on Windows 8 I'm not in a neutral position to review aspects of it; however, I'll say from a high level that I love taking the following positives from smartphone apps and app stores and applying them to the desktop:
  • Independent developers can easily publish apps.
  • One trusted place for a user to find apps.
  • User can trust apps are limited to a declared set of capabilities.
  • One common and easy way for users to buy and try apps.
  • Easy mechanism for independent developers to collect revenue.
Relieving the independent developer of software development overhead, in this case Windows taking care of distribution and sales infrastructure, is wonderful for me with my third-party developer hat on. This, combined with my new-found fun of developing in JavaScript and the new Windows Runtime APIs, means I've been implementing and finishing various ideas I've had, some for fun and some for productivity on my Surface. Development notes to follow.
Tags: store technical windows windows-store

App Developer Agreement (Windows)

2013 Jun 21, 4:20

The Windows Store supports refunds and as the developer you are responsible for fulfilling those refunds even after Microsoft pays you. That seems reasonable I suppose but there’s no time limit mentioned…

"g. Reconciliation and Offset. You are responsible for all costs and expenses for returns and chargebacks of your app, including the full refund and chargeback amounts paid or credited to customers. Refunds processed after you receive the App Proceeds will be debited against your account. Microsoft may offset any amounts owed to Microsoft (including the refund and chargeback costs described in this paragraph) against amounts Microsoft owes you. Refunds processed by Microsoft can only be initiated by Microsoft; if you wish to offer a customer a refund, directly, you must do so via your own payment processing tools."

Tags: microsoft development software windows money

The Making of Pulp Fiction: Quentin Tarantino’s and the Cast’s Retelling | Vanity Fair

2013 Feb 28, 3:03

The first independent film to gross more than $200 million, Pulp Fiction was a shot of adrenaline to Hollywood’s heart, reviving John Travolta’s career, making stars of Samuel L. Jackson and Uma Thurman, and turning Bob and Harvey Weinstein into giants. How did Quentin Tarantino, a high-school dropout and former video-store clerk, change the face of modern cinema? Mark Seal takes the director, his producers, and his cast back in time, to 1993.

Tags: article movie film interview pulp-fiction

Stripe CTF - Level 8

2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the stored password, reporting the result directly via a RESTful API and optionally indirectly via a callback URI. The solution is a side-channel attack, like a timing attack but with ports instead of time.

(I found this in my drafts folder and had intended to post a while ago.)


    # Excerpt from the level's Twisted-based password server: the callback
    # that runs when a sub-server answers for one chunk of the password.
    def nextServerCallback(self, data):
        parsed_data = json.loads(data)
        # Chunk was wrong!
        if not parsed_data['success']:
            # Defend against timing attacks
            remaining_time = self.expectedRemainingTime()
            self.log_info('Going to wait %s seconds before responding' %
                          remaining_time)
            reactor.callLater(remaining_time, self.sendResult, False)


The password server breaks the target password into four pieces and stores each on a different sub-server. When a password request is sent to the main server, it makes a request to each sub-server for the corresponding part of the submitted password. It does this in series, and if any part fails it stops midway through. Password requests may also be made with a callback URI, and after the server decides on the password it makes an HTTP request to the provided callback URI saying whether the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four, but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
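As an added simulation (not the CTF's server and not the brute forcer mentioned above), the following Python models the level as this post describes it: a counter standing in for the OS handing out sequential ephemeral ports to every process, a server that stops at the first wrong chunk and then connects back to the callback URI, and the cycle-based elimination that tolerates ports consumed by other things on the system. The secret, the three-digit chunk size, the port range and the noise model are all constructed assumptions. The same code run against a server configured with `early_exit=False` shows the mitigation: when every request contacts all four sub-servers regardless of the result, the callback port delta is constant and the elimination never removes a candidate.

```python
import itertools
import random

CHUNK_LEN = 3           # constructed: password is NUM_CHUNKS chunks of CHUNK_LEN digits
NUM_CHUNKS = 4
PASSWORD_LEN = CHUNK_LEN * NUM_CHUNKS


class PortCounter:
    """Stand-in for an OS handing out ephemeral source ports in sequence to
    every process on the box. noise/noise_rate model unrelated processes
    grabbing ports between the password server's connections (constructed)."""

    def __init__(self, start=40000, noise=None, noise_rate=0.0):
        self._ports = itertools.count(start)
        self._noise = noise
        self._noise_rate = noise_rate

    def take(self):
        if self._noise is not None:
            while self._noise.random() < self._noise_rate:
                next(self._ports)           # some other process took a port first
        return next(self._ports)


def make_noisy_counter(seed=7, rate=0.05):
    """A deterministic noisy counter, so runs are repeatable."""
    return PortCounter(noise=random.Random(seed), noise_rate=rate)


class PasswordServer:
    """Asks one sub-server per chunk, in series, then connects back to the
    client's callback URI; each connection consumes one source port.
    early_exit=True is the level's behaviour (stop at the first bad chunk and
    sleep to hide the timing); early_exit=False always contacts all four
    sub-servers, which removes the port side channel."""

    def __init__(self, secret, ports, early_exit=True):
        self.chunks = [secret[i:i + CHUNK_LEN] for i in range(0, PASSWORD_LEN, CHUNK_LEN)]
        self.ports = ports
        self.early_exit = early_exit

    def check(self, guess):
        """Return (success, source port of the callback connection)."""
        ok = True
        for i, chunk in enumerate(self.chunks):
            self.ports.take()               # connection to sub-server i
            if guess[i * CHUNK_LEN:(i + 1) * CHUNK_LEN] != chunk:
                ok = False
                if self.early_exit:
                    break
        return ok, self.ports.take()        # connection to the callback URI


def all_chunks():
    return [str(n).zfill(CHUNK_LEN) for n in range(10 ** CHUNK_LEN)]


def recover_chunk(server, known_prefix, max_cycles=20):
    """Narrow the candidates for the chunk after known_prefix the way the post
    describes: each cycle drops every candidate whose callback arrives with
    the port delta of a wholly wrong guess (the known chunks plus one more
    sub-server, plus the callback). Noise only ever makes a delta larger, so a
    wrong candidate may survive a cycle but the right one is never dropped.
    Returns the surviving candidate set."""
    known_chunks = len(known_prefix) // CHUNK_LEN
    wrong_delta = known_chunks + 2
    filler = "0" * (PASSWORD_LEN - len(known_prefix) - CHUNK_LEN)
    candidates = set(all_chunks())
    _, last_port = server.check("9" * PASSWORD_LEN)      # baseline callback port
    for _ in range(max_cycles):
        if len(candidates) == 1:
            break
        for cand in sorted(candidates):
            _, port = server.check(known_prefix + cand + filler)
            if port - last_port == wrong_delta:
                candidates.discard(cand)
            last_port = port
    return candidates


def recover_password(server):
    """Chain chunk recovery across the first three positions; the last chunk
    cannot be told apart by port delta (four sub-servers are contacted either
    way), so it is confirmed by the success flag, as the post says. Returns
    None when the side channel does not narrow the candidates."""
    known = ""
    for _ in range(NUM_CHUNKS - 1):
        survivors = recover_chunk(server, known)
        if len(survivors) != 1:
            return None
        known += survivors.pop()
    for cand in all_chunks():
        ok, _ = server.check(known + cand)
        if ok:
            return known + cand
    return None


if __name__ == "__main__":
    secret = "123456789012"                 # constructed
    leaky = PasswordServer(secret, make_noisy_counter())
    print("leaky server, recovered:", recover_password(leaky))
    fixed = PasswordServer(secret, make_noisy_counter(), early_exit=False)
    print("fixed server, recovered:", recover_password(fixed))
```

The check a reviewer wants from this is the one the table in the CTF summary calls "timing attack mitigation too clever": the sleep hides the time, but not the amount of work done, and the work is visible through whatever the OS shares between connections. Doing the same amount of work for every request (the `early_exit=False` path) is what makes the delta uninformative.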
Tags: brute-force password python side-channel technical web

laughingsquid: Photos: MakerBot Retail Store in Manhattan

2012 Sep 20, 2:14



Tags: 3d-printer maker-bot retail

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level | Issue                                  | Code Review Red Flags
------|----------------------------------------|--------------------------------------------------------------
0     | Simple SQL injection                   | No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API.
1     | extract($_GET);                        | No input validation.
2     | Arbitrary PHP execution                | No input validation. Allow file uploads. File permissions modification.
3     | Advanced SQL injection                 | Constructing SQL command strings instead of SQL API.
4     | HTML injection, XSS and CSRF           | No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5     | Pingback server doesn't need to opt-in | n/a - By design protocol issue.
6     | Script injection and XSS               | No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7     | Length extension attack                | Custom crypto code. Constructing SQL command string instead of SQL API.
8     | Side channel attack                    | Password handling code. Timing attack mitigation too clever.

More about each level in the future.
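As an added illustration of two of the red flags in the table (not code from the CTF or from any of its levels), the following Python puts the string-built SQL and unencoded HTML patterns next to the API-based forms a reviewer would ask for in their place. The table, column names, sample rows and probe inputs are constructed for the example.

```python
import html
import sqlite3

SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]  # constructed


def make_sample_db():
    """Constructed in-memory table for the demonstration; not the CTF's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_email_string_built(conn, name):
    """Red flag: the SQL command string is assembled from the input, so the
    input is parsed as SQL (the pattern behind levels 0, 3 and 7)."""
    sql = "SELECT email FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_email_parameterised(conn, name):
    """The same query through the SQL API's parameter binding: the input is
    passed as data and can never become part of the statement."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def greeting_unencoded(name):
    """Red flag: HTML built from input with no encoding (levels 4 and 6)."""
    return "<p>Hello, %s!</p>" % name


def greeting_encoded(name):
    """Encoded for the HTML text context, so the browser displays the
    characters instead of parsing them as markup."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def review_findings():
    """Run each red-flag version beside its fix on the same inputs, the kind
    of check that can live in a test suite. Returns a dict of observations."""
    conn = make_sample_db()
    sql_probe = "' OR '1'='1"                    # constructed: a closing quote then SQL
    html_probe = "<script>alert(1)</script>"     # constructed: markup inside a name
    return {
        "string_built_returns_every_row":
            len(find_email_string_built(conn, sql_probe)) == len(SAMPLE_ROWS),
        "parameterised_returns_every_row":
            len(find_email_parameterised(conn, sql_probe)) == len(SAMPLE_ROWS),
        "unencoded_keeps_markup": "<script>" in greeting_unencoded(html_probe),
        "encoded_keeps_markup": "<script>" in greeting_encoded(html_probe),
    }


if __name__ == "__main__":
    for finding, seen in review_findings().items():
        print("%-36s %s" % (finding, seen))
```

The string-built query hands every row back for an input that is not anyone's name, while the parameterised one returns nothing; likewise the encoded greeting keeps `<` as a character rather than a tag. Both fixes are the "use the API instead of building strings" and "encode for the output context" entries from the table.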

Tags: code-review coding csrf html internet programming script security sql stripe technical web xss

Members Of The Supreme Court As Human Beings

2010 May 14, 9:37

New York Times article from May 15th 1910 titled "MEMBERS OF THE SUPREME COURT AS HUMAN BEINGS: When Not on the Bench They Are Pretty Much Like Other People — Characteristic Stores About Them". This is the NYT 1910's version of US Weekly's current "Celebrities Are Just Like Us!" feature.

Tags: humor history article supreme-court

Fake electronic gear props - Boing Boing

2010 Mar 9, 5:26

I have often wondered where furniture stores get their fake TVs, PCs, etc. Yes, apparently there is a store where they buy that. Now about the tchotchkes in Applebee's or Red Robin...

Tags: electronics fake tv pc store purchase

Why the internet will fail (from 1995) « Three Word Chant!

2010 Feb 26, 8:50

Did I read this already on Paleo-Future? Anyway, still an awesome 1995 rant on why the Internet will fail. "Then there’s cyberbusiness. We’re promised instant catalog shopping–just point and click for great deals. We’ll order airline tickets over the network, make restaurant reservations and negotiate sales contracts. Stores will become obsolete. So how come my local mall does more business in an afternoon than the entire Internet handles in a month? Even if there were a trustworthy way to send money over the Internet–which there isn’t–the network is missing a most essential ingredient of capitalism: salespeople."

Tags: humor internet fail article history

The Card Game - How Visa, Using Fees Behind Its Debit Card, Dominates a Market - Series -

2010 Jan 5, 5:51

"When you sign for a debit card at a retailer, the store pays your bank more than twice as much as when you enter a PIN -- a strategy Visa hatched decades ago."

Tags: money visa credit economics competition card

RFC 2132 - DHCP Options and BOOTP Vendor Extensions

2009 Dec 12, 2:42

"The Dynamic Host Configuration Protocol (DHCP) [1] provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the 'options' field of the DHCP message. The data items themselves are also called "options.""

Tags: technical reference rfc dhcp ietf ipv4 ip

Artist Shopdropped Her Work on Black Friday – Neatorama

2009 Dec 8, 1:54

'As crowds rushed to find deals at the Emeryville, CA IKEA store, one of them had a plan other than shopping. Michelle Pred was actually placing her artwork, complete with working IKEA barcodes, into the inventory, an act she calls “shopdropping.”'

Tags: cultural-disobedience shopdropping art ikea barcode

Grocery Shopper Data Use

2009 Oct 13, 11:15

[Photo: Hostess Pride chicken display, from the Library of Virginia]

QFC, the grocery store closest to me, has those irritating shopper cards. They try to motivate me to use it with discounts, but that just makes me want to use a card; I don't care whose card and I don't care if the data is accurate. They should let me have my data or make it useful to me so that I actually care.

I can imagine several useful tools based on this: automatic grocery lists, recipes using the food you purchased, cheaper alternatives to your purchases, other things you might like based on what you purchased, or integration with dieting websites or software. At any rate, right now all I care about is getting the discount from using a card, but if they made the data available to me then the grocery store could align our interests and I'd want to ensure the data's accuracy.

Tags: idea boring data grocery store

Hand Drawn QR Code for Marc Jacobs -

2009 Jul 1, 6:21

"The QR code, used to store and decode small bits of data via printed symbol, received an artistic rendering by SET as part of its campaign for Marc by Marc Jacobs." I like the idea, although in this case it's not very subtle or different from a regular QR code IMHO. Also, I was surprised that my phone could still read the QR code in this form.

Tags: qr qrcode marketing art internet mobile technical

Eat Pants - Interactive Fiction Sessions from my Server Logs

2009 Jun 29, 4:19

I've looked at my web server logs previously to see if anyone had used my Web Frotz Interpreter, and until recently didn't realize that awstats (the web server log report generator) was truncating the query from my URL, so I couldn't tell that anyone was actually using it. But after grepping the logs manually I've pulled out the URLs of visitors' text adventure sessions. If you'll recall, my Web Frotz Interpreter stores the game state in the URL, so it's easy to see users' game states in the web server logs.

I've put some of the links up on the Web Frotz Interpreter page. Some of the interesting ones:

Tags: server-logs technical zork frotz pants interactive-fiction uri if

PowerShell Scanning Script

2009 Jun 27, 3:42

I've hooked up the printer/scanner to the Media Center PC since I leave that on all the time anyway so we can have a networked printer. I wanted to hook up the scanner in a somewhat similar fashion but I didn't want to install HP's software (other than the drivers of course). So I've written my own script for scanning in PowerShell that does the following:

  1. Scans using the Windows Image Acquisition APIs via COM
  2. Runs OCR on the image using Microsoft Office Document Imaging via COM (which may already be on your PC if you have Office installed)
  3. Converts the image to JPEG using .NET Image APIs
  4. Stores the OCR text into the EXIF comment field using .NET Image APIs (which means Windows Search can index the image by the text in the image)
  5. Moves the image to the public share

Here's the actual code from my scan.ps1 file:

param([Switch] $ShowProgress, [switch] $OpenCompletedResult)

$filePathTemplate = "C:\users\public\pictures\scanned\scan {0} {1}.{2}";
$time = get-date -uformat "%Y-%m-%d";

# System.Drawing is needed for the JPEG conversion and the EXIF property write.
[void]([reflection.assembly]::loadfile( "C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll"))

# Windows Image Acquisition via COM: connect to the first scanner found.
$deviceManager = new-object -ComObject WIA.DeviceManager
$device = $deviceManager.DeviceInfos.Item(1).Connect();

foreach ($item in $device.Items) {
        # Pick the first unused index for today's date so earlier scans are not overwritten.
        $fileIdx = 0;
        while (test-path ($filePathTemplate -f $time,$fileIdx,"*")) {
                $fileIdx++;
        }

        if ($ShowProgress) { "Scanning..." }

        $image = $item.Transfer();
        $fileName = ($filePathTemplate -f $time,$fileIdx,$image.FileExtension);
        $image.SaveFile($fileName);
        clear-variable image

        if ($ShowProgress) { "Running OCR..." }

        # Microsoft Office Document Imaging via COM: load the scan and run OCR over it.
        $ocrText = "";
        $modiDocument = new-object -comobject modi.document;
        $modiDocument.Create($fileName);
        $modiDocument.OCR();
        if ($modiDocument.Images.Count -gt 0) {
                $ocrText = $modiDocument.Images.Item(0).Layout.Text.ToString().Trim();
                $modiDocument.Close();
                clear-variable modiDocument

                if (!($ocrText.Equals(""))) {
                        $fileAsImage = New-Object -TypeName system.drawing.bitmap -ArgumentList $fileName
                        if (!($fileName.EndsWith(".jpg") -or $fileName.EndsWith(".jpeg"))) {
                                if ($ShowProgress) { "Converting to JPEG..." }

                                $newFileName = ($filePathTemplate -f $time,$fileIdx,"jpg");
                                $fileAsImage.Save($newFileName, [System.Drawing.Imaging.ImageFormat]::Jpeg);
                                $fileAsImage.Dispose();
                                del $fileName;

                                $fileAsImage = New-Object -TypeName system.drawing.bitmap -ArgumentList $newFileName
                                $fileName = $newFileName
                        }

                        if ($ShowProgress) { "Saving OCR Text..." }

                        # EXIF XPComment (tag 40092 = 0x9C9C) as a UTF-16 byte array; Windows Search indexes it.
                        $property = $fileAsImage.PropertyItems[0];
                        $property.Id = 40092;
                        $property.Type = 1;
                        $property.Value = [system.text.encoding]::Unicode.GetBytes($ocrText);
                        $property.Len = $property.Value.Count;
                        $fileAsImage.SetPropertyItem($property);
                        # GDI+ keeps the source file open, so save under a new name and swap.
                        $fileAsImage.Save(($fileName + ".new"));
                        $fileAsImage.Dispose();
                        del $fileName;
                        ren ($fileName + ".new") $fileName
                }
        }
        else {
                $modiDocument.Close();
                clear-variable modiDocument
        }

        if ($ShowProgress) { "Done." }

        if ($OpenCompletedResult) {
                . $fileName;
        }
        else {
                $result = dir $fileName;
                $result | add-member -membertype noteproperty -name OCRText -value $ocrText
                $result
        }
}

I ran into a few issues:

Tags: technical scanner ocr .net modi powershell office wia