David Risney
@David_Risney :
Eric Lawrence
@ericlaw :Great blog post and set of powershell scripts for manipulating images.
Great blog post and set of powershell scripts for manipulating images.
Mathematically speaking, any two ducks are already in a row. In order to get your
ducks in a row, own exactly two ducks.
The best hack I’ve seen in a while. With no way to disable the shutter sound from the capture photo API, the developer creates the inverse waveform of the shutter sound and plays it at the same time to cancel out the shutter sound.
Matt & David on Chris Hardwick’s Comic Con Blunder (x)
requested by tennanttardistime
Bonus Chris Hardwick in costume:
Victorian Trolling: How Con Artists Spammed in a Time Before Email
The main difference between 21st-century scams and those of centuries past is one of delivery method.Read more. [Image: Wikimedia Commons/Benjamin Breen]
drug companies hiding the results of clinical trials.
(via I did a new talk at TED, on drug companies and hidden data.)
How the 8.5” x 11” Piece of Paper Got Its Size
Why do we use a paper size that is so unfriendly for the basic task of reading? According to a very interesting post by Paul Stanley, the rough dimensions of office paper evolved to accommodate handwriting and typewriters with monospaced fonts, both of which rendered many fewer characters per line. “Typewriters,” he explains, “produced 10 or 12 characters per inch: so on (say) 8.5 inch wide paper, with 1 inch margins, you had 6.5 inches of type, giving … around 65 to 78 characters.” This, he says, is “pretty close to ideal.”
Read more. [Image: Picsfive/Shutterstock]
Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.
Andy Baio @waxpancake
You know who hates Cyber Monday? Cyber Garfield.
[Testing Cat-Human Translator] Scientist: Cat, what is your name? Cat: I AM KANG THE
DESTROYER Owner: It's not working. His name is Socks.
OH: "take me down to concurrency city where green pretty is grass the girls the and
are"
.
$filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.
Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.
$dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "Successfully uploaded your display picture.
";
}
This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:
Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.
When they went to the Moon, they received the same per diem compensation as they would have for being away from base in Bakersfield: eight dollars a day, before various deductions (like for accommodation, because the government was providing the bed in the spaceship).
Apollo 11’s Astronauts Received an $8 Per Diem for the Mission to the Moon
The astronauts of Apollo 11: Intrepid explorers. Inspirational heroes. Government employees.
Read more. [Image: Reuters]
|
From: David Risney
Views: 75
0 ratings
|
|
| Time: 00:43 | More in People & Blogs |
|
From: David Risney
Views: 69
0 ratings
|
|
| Time: 00:53 | More in People & Blogs |
Some rights reserved