mit page 3 - Dave's Blog


EFF White Paper Outlines How Businesses Can Avoid Assisting Repressive Regimes

2012 Apr 18, 6:24

A House subcommittee has passed the Global Online Freedom Act (GOFA), which would require disclosure from companies about their human rights practices and limit the export of technologies that “serve the primary purpose of” facilitating government surveillance or censorship to countries designated as “Internet-restricting.”

Tags: technical, human-rights, eff, software, government, law, surveillance

IAmA NASA Astronaut who recently returned to Earth and I am new to reddit (reddit.com)

2012 Mar 23, 2:08

Astronaut endorses destroying the moon!

The best exchange on the IAmA:

Ghostshirts it’s been a dream for a long time now, do you think that we’ll actually be able to blow up the moon in our lifetime?

RonGaran I truly believe that we can accomplish anything we set our minds on. We only need the will to do it

Tags: humor, nasa, astronaut, moon

European Parliament Blocks Copyright Reform With 113% Voter Turnout (falkvinge.net)

2012 Mar 15, 4:05

Hmmm

“This rather embarrassing issue was pointed out to the committee, the fact that there were three votes too many, and that these three votes determined the outcome. When this was done, along with formally requesting a re-vote, that re-vote on the points in question was denied.”

Tags: copyright, legal, europe, law

Alternate IPv4 Forms - URI Host Syntax Notes

2012 Mar 14, 4:30

By the URI RFC there is only one way to represent a particular IPv4 address in the host of a URI: the standard dotted decimal notation, four bytes written in decimal, delimited by periods, with no leading zeros. Because leading zeros are not allowed, each IPv4 address has exactly one textual representation.

However, as discussed in the URI RFC, there are other forms of IPv4 addresses that, although not officially allowed, are generally accepted. Many implementations use inet_aton to parse the address from the URI, and inet_aton accepts more than just dotted decimal. Each dot-delimited part can be in decimal, octal (if preceded by a '0') or hex (if preceded by '0x' or '0X'), and each part is interpreted individually: they don't have to match. Nor need there be 4 parts; there can be between 1 and 4 (inclusive). With fewer than 4, the last part in the string represents all of the remaining bytes, not just one.

For example the following are all equivalent:

  192.168.1.1: standard dotted decimal form
  0300.0250.01.01: octal
  0xC0.0XA8.0x1.0X1: hex
  192.168.257: fewer parts
  0300.0XA8.257: all of the above

The bread and butter of URI-related security issues is one part of the system disagreeing with another about the interpretation of the URI, so this non-standard, non-normal form syntax has been a great source of security issues in the past. It's mostly well known now (CreateUri normalizes these non-normal forms to dotted decimal), but it is occasionally still a good tool for bypassing naive URI blocking systems.
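To make the disagreement concrete, here is an added example (my code, not from the original post or from any inet_aton implementation) that parses the relaxed forms described above, normalizes them to dotted decimal, and shows why a blocklist must compare the normalized form rather than the raw host string. The strict check follows the URI RFC's dec-octet grammar; the relaxed parser follows the rules the post lists (1 to 4 parts, each decimal, octal or hex, the last part filling the remaining bytes).

```python
import re

# One dot-delimited part of a relaxed IPv4 literal: hex (0x...), octal (leading 0) or decimal.
_PART = re.compile(r'^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')

# Strict RFC 3986 dotted decimal: exactly four dec-octets, no leading zeros.
_DEC_OCTET = r'(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
_STRICT = re.compile(r'^' + _DEC_OCTET + r'(?:\.' + _DEC_OCTET + r'){3}$')


def is_strict_dotted_decimal(host):
    """True only for the single textual form the URI RFC allows."""
    return _STRICT.match(host) is not None


def parse_inet_aton(text):
    """Parse the inet_aton-style forms described in the post: 1 to 4 parts,
    each decimal, octal or hex, with the last part covering all remaining bytes.
    Returns the address as a 32-bit integer, or None if the text is not accepted."""
    parts = text.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if not _PART.match(part):
            return None
        if part[:2] in ('0x', '0X'):
            values.append(int(part[2:], 16))
        elif len(part) > 1 and part[0] == '0':
            values.append(int(part, 8))
        else:
            values.append(int(part, 10))
    *head, tail = values
    if any(v > 0xFF for v in head):
        return None
    tail_bytes = 4 - len(head)          # how many bytes the final part must fill
    if tail >= 1 << (8 * tail_bytes):
        return None
    address = 0
    for v in head:
        address = (address << 8) | v
    return (address << (8 * tail_bytes)) | tail


def to_dotted_decimal(address):
    return '.'.join(str((address >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_ipv4_host(host):
    """Canonical dotted-decimal form of any accepted literal, or None."""
    address = parse_inet_aton(host)
    return None if address is None else to_dotted_decimal(address)


def is_blocked(host, blocklist):
    """Compare the *normalized* host against a dotted-decimal blocklist.
    A naive string comparison would let every alternate form through."""
    canonical = normalize_ipv4_host(host)
    return canonical is not None and canonical in blocklist


if __name__ == "__main__":
    for form in ("192.168.1.1", "0300.0250.01.01", "0xC0.0XA8.0x1.0X1", "192.168.257", "0300.0XA8.257"):
        print(f"{form:20} strict={is_strict_dotted_decimal(form)!s:5} normalized={normalize_ipv4_host(form)}")
```

Running it prints the five forms from the post, of which only the first passes the strict check while all five normalize to 192.168.1.1; `is_blocked` is the shape of check a filter should apply, and the parser's range checks (a part above 255, a trailing part too large for the bytes it must fill, more than four parts) are the cases a naive implementation tends to get wrong.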

Tags: url, inet_aton, uri, technical, host, programming, ipv4

Client Side Cross Domain Data YQL Hack

2012 Feb 27, 2:28

One of the more limiting issues of writing client side script in the browser is the same origin limitations of XMLHttpRequest. The latest version of all browsers support a subset of CORS to allow servers to opt-in particular resources for cross-domain access. Since IE8 there's XDomainRequest and in all other browsers (including IE10) there's XHR L2's cross-origin request features. But the vast majority of resources out on the web do not opt-in using CORS headers and so client side only web apps like a podcast player or a feed reader aren't doable.

One hack-y way around this I've found is to use YQL as a CORS proxy. YQL applies the CORS header to all its responses and among its features it allows a caller to request an arbitrary XML, HTML, or JSON resource. So my network helper script first attempts to access a URI directly using XDomainRequest if that exists and XMLHttpRequest otherwise. If that fails it then tries to use XDR or XHR to access the URI via YQL. I wrap my URIs in the following manner, where type is either "html", "xml", or "json":

yqlRequest = function(uri, method, type, onComplete, onError) {
    // Build the YQL statement: SELECT * FROM <type> where url="<uri>".
    // The target URI is percent-encoded once as data inside the statement,
    // and the whole statement is encoded again as the value of the q= parameter.
    var yqlUri = "http://query.yahooapis.com/v1/public/yql?q=" +
        encodeURIComponent("SELECT * FROM " + type + ' where url="' + encodeURIComponent(uri) + '"');

    if (type == "html") {
        // Select the whole document rather than YQL's default HTML selection.
        yqlUri += encodeURIComponent(" and xpath='/*'");
    }
    else if (type == "json") {
        // Ask for plain JSON; the empty callback disables JSONP wrapping.
        yqlUri += "&callback=&format=json";
    }
    ...

This also means I can get JSON data itself without having to go through JSONP.
Tags: xhr, javascript, yql, client-side, technical, yahoo, xdr, cors

Prime HTTP Status Codes

2012 Feb 22, 4:00

These are the prime HTTP status codes:

Tags: http, prime, technical, useless

URI Percent Encoding Ignorance Level 2 - There is no Unencoded URI

2012 Feb 20, 4:00

As a professional URI aficionado I deal with various levels of ignorance on URI percent-encoding (aka URI encoding, or URL escaping).

Getting into the more subtle levels of URI percent-encoding ignorance, folks try to apply their knowledge of percent-encoding to URIs as a whole, producing the concepts of 'escaped URIs' and 'unescaped URIs'. However there are no such things: URIs themselves aren't percent-encoded or decoded but rather contain characters that are percent-encoded or decoded. Applying percent-encoding or decoding to a URI as a whole produces a new and non-equivalent URI.

Instead of lingering on the incorrect concepts we'll just cover the correct ones: there's raw unencoded data, non-normal form URIs and normal form URIs. For example:

  A. http://example.com/%74%68%65%3F%70%61%74%68?query
  B. http://example.com/the%3Fpath?query
  C. "http", "example.com", "the?path", "query"

In the above, (A) is not an 'encoded URI' but rather a non-normal form URI. The characters of 'the' and 'path' are percent-encoded, but as unreserved characters, which the RFC specifies should not be encoded. In the normal form of the URI (B) those characters are decoded. But (B) is not a 'decoded URI' -- it still has an encoded '?' in it because that's a reserved character, which by the RFC holds different meaning when appearing decoded versus encoded. Specifically, in this case it appears encoded, which means it is data -- a literal '?' that appears as part of the path segment. This is as opposed to the decoded '?' that appears in the URI, which is not part of the path but rather the delimiter to the query.

Usually when developers talk about decoding the URI what they really want is the raw data from the URI. The raw decoded data is (C) above. The only thing to note beyond what's covered already is that to obtain the decoded data one must parse the URI before percent decoding all percent-encoded octets.

Of course the exception here is when a URI is the raw data. In this case you must percent-encode the URI to have it appear in another URI. More on percent-encoding while constructing URIs later.

Tags: url, encoding, uri, technical, percent-encoding

URI Percent-Encoding Ignorance Level 1 - Purpose

2012 Feb 15, 4:00

As a professional URI aficionado I deal with various levels of ignorance on URI percent-encoding (aka URI encoding, or URL escaping).

Worse than the lame blog comments hating on percent-encoding is the shipping code which can do actual damage. In one very large project I won't name, I've fixed code that decodes all percent-encoded octets in a URI in order to get rid of pesky percents before calling ShellExecute. An unnamed developer with similar intent but clearly much craftier did the same thing in a loop until the string's length stopped changing. As it turns out percent-encoding serves a purpose and can't just be removed arbitrarily.

Percent-encoding exists so that one can represent data in a URI that would otherwise not be allowed or would be interpreted as a delimiter instead of data. For example, the space character (U+0020) is not allowed in a URI and so must be percent-encoded in order to appear in a URI:

  1. http://example.com/the%20path/
  2. http://example.com/the path/

In the above the first is a valid URI while the second is not valid since a space appears directly in the URI. Depending on the context and the code through which the wannabe URI is run one may get unexpected failure.

For an additional example, the question mark delimits the path from the query. If one wanted the question mark to appear as part of the path rather than delimit the path from the query, it must be percent-encoded:

  1. http://example.com/foo%3Fbar
  2. http://example.com/foo?bar

In the second, the question mark appears plainly and so delimits the path "/foo" from the query "bar". And in the first, the question mark is percent-encoded and so the path is "/foo%3Fbar".

Tags: encoding, uri, technical, ietf, percent-encoding

URI Percent Encoding Ignorance Level 0 - Existence

2012 Feb 10, 4:00

As a professional URI aficionado I deal with various levels of ignorance on URI percent-encoding (aka URI encoding, or URL escaping). The basest ignorance is with respect to the mere existence of percent-encoding. Percents in URIs are special: they always represent the start of a percent-encoded octet. That is to say, a percent is always followed by two hex digits that represent a value between 0 and 255, and a percent doesn't show up in a URI otherwise.

The IPv6 textual syntax for scoped addresses uses the '%' to delimit the zone ID from the rest of the address. When it came time to define how to represent scoped IPv6 addresses in URIs there were two camps: folks who wanted to use the IPv6 format as-is in the URI, and those who wanted to encode or replace the '%' with a different character. The resulting thread was more lively than what usually shows up on the IETF URI discussion mailing list. Ultimately we went with a percent-encoded '%', which means the percent maintains its special status and singular purpose.
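The three "ignorance level" posts above (Level 0: a percent always starts a two-hex-digit escape; Level 1: data must be encoded so it is not mistaken for a delimiter; Level 2: parse first, then decode each component, and normalize by decoding only unreserved characters) can be demonstrated in one small piece of code. The following is an added example of mine, not code from the original posts or from any particular library; the splitter is the regular expression from RFC 3986 appendix B, and UTF-8 is assumed when turning decoded octets back into text.

```python
import re

# RFC 3986 appendix B: split a URI into scheme, authority, path, query (fragment ignored here).
_URI_RE = re.compile(r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?')
_PCT = re.compile(r'%([0-9A-Fa-f]{2})')

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# Characters allowed literally inside one path segment (RFC 3986 pchar minus pct-encoded).
PCHAR_LITERAL = UNRESERVED | set("!$&'()*+,;=:@")


def has_valid_percent_escapes(s):
    """Level 0: every '%' must begin a two-hex-digit escape; nothing else is a percent."""
    return all(_PCT.match(s, i) is not None for i, ch in enumerate(s) if ch == '%')


def split_uri(uri):
    """Returns (scheme, authority, path, query); absent parts are None."""
    m = _URI_RE.match(uri)
    return m.group(2), m.group(4), m.group(5), m.group(7)


def normalize_component(component):
    """Level 2: decode escapes of unreserved characters, uppercase the hex digits of the
    rest, and leave reserved characters such as '?' encoded (decoding them changes meaning)."""
    if not has_valid_percent_escapes(component):
        raise ValueError("bare '%' in " + repr(component))

    def fix(m):
        octet = int(m.group(1), 16)
        if octet < 0x80 and chr(octet) in UNRESERVED:
            return chr(octet)
        return '%' + m.group(1).upper()

    return _PCT.sub(fix, component)


def normalize_uri(uri):
    """Normal form of a whole URI: each component normalized separately, then reassembled."""
    scheme, authority, path, query = split_uri(uri)
    out = ''
    if scheme is not None:
        out += scheme.lower() + ':'
    if authority is not None:
        out += '//' + normalize_component(authority).lower()
    out += normalize_component(path)
    if query is not None:
        out += '?' + normalize_component(query)
    return out


def decode_component(component):
    """Percent-decode ONE already-parsed component into raw data (UTF-8 assumed).
    Applied to a whole URI this produces a different, non-equivalent URI."""
    if not has_valid_percent_escapes(component):
        raise ValueError("bare '%' in " + repr(component))
    buf = bytearray()
    i = 0
    while i < len(component):
        if component[i] == '%':
            buf.append(int(component[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(component[i].encode('utf-8'))
            i += 1
    return buf.decode('utf-8')


def raw_data(uri):
    """(C) in the Level 2 post: parse first, then decode each component exactly once.
    The path comes back with its leading slash, e.g. '/the?path'."""
    return tuple(None if p is None else decode_component(p) for p in split_uri(uri))


def encode_path_segment(data):
    """Level 1: make raw data safe to place in a path segment. Space, '?', '#', '%', '/'
    and non-ASCII bytes are escaped so they cannot act as (or break) delimiters."""
    return ''.join(chr(b) if b < 0x80 and chr(b) in PCHAR_LITERAL else '%%%02X' % b
                   for b in data.encode('utf-8'))


if __name__ == "__main__":
    print(normalize_uri("http://example.com/%74%68%65%3F%70%61%74%68?query"))
    print(raw_data("http://example.com/the%3Fpath?query"))
    # Decoding the whole URI first moves the '?' out of the path and into the query.
    print(split_uri(decode_component("http://example.com/the%3Fpath?query")))
    print(encode_path_segment("foo?bar"), encode_path_segment("the path"))
```

The last print is the point of the Level 2 post in one line: decoding the whole URI before parsing turns the literal '?' in the path into the query delimiter, so the code ends up with a different path than the one the URI actually named. It also shows why the "decode in a loop until the length stops changing" approach from the Level 1 post is wrong: a path segment whose raw data is "100%25" must stay "100%25" after one decode, and a second pass silently changes it.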

Tags: encoding, uri, technical, ietf, percent-encoding, ipv6

Report: Kindle produces nearly no electrical interference. FAA: "LALALALALA"

2011 Dec 28, 3:34

FTA: “Nick Bilton put the FAA’s claims regarding Kindles and airline avionics to the test. The result? They emit less EM interference than planes are required by law to withstand.” Much less, apparently.

Tags: plane, kindle

Swiss government keeps downloading legal after piracy study

2011 Dec 4, 2:28

“One in three people in Switzerland download unauthorized music, movies and games from the Internet and since last year the government has been wondering what to do about it. … The overall conclusion of the study is that the current copyright law, under which downloading copyrighted material for personal use is permitted, doesn’t have to change.” Wow, that sounds like almost reasonable and understandable copyright law.

Tags: technical, political, swiss, copyright, law, legal

Features of image type input tags in HTML

2011 Nov 21, 11:00

A bug came up the other day involving markup containing <input type="image" src="http://example.com/.... I knew that "image" was a valid input type but it wasn't until that moment that I realized I didn't know what it did. Looking it up I found that it displays the specified image and when the user clicks on the image, the form is submitted with an additional two name value pairs: the x and y positions of the point at which the user clicked the image.

Take for example the following HTML:

<form action="http://example.com/">
<input type="image" name="foo" src="http://deletethis.net/dave/images/davebefore.jpg">
</form>

If the user clicks on the image, the browser will submit the form with a URI like the following: http://example.com/?foo.x=145&foo.y=124.

This seemed like an incredibly specific feature to be built directly into the language when this could instead be done with JavaScript. I looked a bit further and saw that it's been in HTML since at least HTML 2, which of course makes much more sense: JavaScript barely existed at that point, and sending off the user's click location in a form may have been the only way to do something interesting with that action.

Tags: uri, technical, form, history, html

The Most Anticipated Shoe of All Time: Q+A With Someone Who Won A Pair of Marty McFly's Futuristic Kicks | Motherboard

2011 Sep 20, 9:27

Interview with someone who bought the limited edition Back to the Future shoes: "[Interviewer] Have you watched the Back to the Future movies? [Respondent] Yeah, some of em. The hoverboards and shit. That was cool." ARGH! Not worthy!

Tags: humor, bttf, nike, shoes

YouTube - ‪Star Trek: The Captain's Summit (1 of 7)‬‏

2011 Jun 30, 1:23

"Join Whoopi Goldberg (Guinan) as she hosts The Captain's Summit. Whoopi sits down with Trek stars William Shatner (Kirk), Leonard Nimoy (Spock), Patrick Stewart (Picard) and Jonathan Frakes (Riker) and gets personal with them. From fan-etiquette to comparing series, this is a must see for all Trek fans."

Tags: nerd, video, startrek, youtube, tng, tos

RFC 3797 - Publicly Verifiable Nominations Committee (NomCom) Random Selection

2010 Dec 13, 11:12

Used to generate publicly verifiable random numbers. For instance, to pick 'xn--' for the IDN prefix from a set of prefixes, they decided on a hash, a set of stocks and a time in the future to generate the hash from the stock values. The resulting value is random and anyone can check the work to verify that it was chosen randomly.

Although, now looking back from the future I can't verify that they didn't generate this data after the stock quotes came out. And they're using MD5...

Tags: rfc, algorithm, random, election, ietf, technical
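As an added illustration of the idea (my code, not the RFC's reference implementation and not anything from the original post), the following performs a publicly recomputable selection: the inputs are a sorted candidate pool and a key string assembled from the public source values, each round hashes the round number around the key, and the digest taken modulo the remaining pool size picks one candidate. It follows the shape of RFC 3797's construction; the RFC's exact serialization of the key and round counter is not reproduced here, which is an assumption to check against the RFC before relying on it. The candidate names other than 'xn--' and the key string are constructed sample values.

```python
import hashlib


def select_by_public_randomness(candidates, key, count, hash_name="md5"):
    """Pick `count` entries from `candidates` using only public inputs, so that anyone
    holding the same inputs can recompute the result.  `key` is the agreed string built
    from the public source values once they are known.  Round i hashes a 16-bit
    big-endian round number, the key, and the round number again; the digest read as an
    integer modulo the remaining pool size picks one entry, which is then removed.
    Assumption: this mirrors the shape of RFC 3797, not its byte-exact format."""
    pool = sorted(candidates)            # a canonical order is part of the public procedure
    if not 0 <= count <= len(pool):
        raise ValueError("cannot select %d of %d candidates" % (count, len(pool)))
    chosen = []
    for i in range(1, count + 1):
        tag = i.to_bytes(2, "big")
        digest = hashlib.new(hash_name, tag + key.encode("ascii") + tag).digest()
        index = int.from_bytes(digest, "big") % len(pool)
        chosen.append(pool.pop(index))
    return chosen


def verify_selection(candidates, key, published, hash_name="md5"):
    """What an outside observer can check: recompute and compare with the published result.
    This only proves the arithmetic; it cannot show that `key` was fixed before the
    source values were known, which is exactly the post's remaining doubt."""
    return select_by_public_randomness(candidates, key, len(published), hash_name) == published


if __name__ == "__main__":
    # Constructed sample inputs: a candidate pool and an announced key string.
    prefixes = ["bq--", "lq--", "xn--", "zq--", "wq--"]
    key = "12.34/56.78/90.12/"           # placeholder standing in for published stock values
    picked = select_by_public_randomness(prefixes, key, 1)
    print(picked, verify_selection(prefixes, key, picked))
```

The `hash_name` parameter exists so the same procedure can be run with a current hash function; the verification property does not depend on MD5 specifically, only on everyone using the same agreed function and inputs.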

C-SPAN Video Player - House Judiciary Subcmte. Hearing on Immigration and Farm Labor

2010 Sep 24, 8:38

"Comedian Stephen Colbert joined the panel of witnesses at a House hearing on immigrant farm workers. Mr. Colbert has partnered with United Farm Workers and their campaign calling on unemployed Americans to take jobs in the agriculture sector. The organization's president, Arturo Rodriguez, also testified at the Judiciary Subcommittee on Immigration and Border Security hearing chaired by Rep. Zoe Lofgren (D-CA).
Washington, DC : 2 hr. 10 min."

Tags: humor, video, stephen-colbert, politics, immigration, farm, labor, house

Google and Outlook Calendar Sync'ing

2010 Jul 8, 9:00

I previously described my desire to hook my Outlook calendar up to my Google calendar. I just found out that I can do this and the reverse as both support publishing calendars to the Internet. The following are how I set this up under Outlook 2010 and Google Calendar:

In Outlook, I go to the calendar view, right click on my calendar and select "Share > Publish to Office.com". At this point I can change the permissions to allow anonymous Internet access, and under Detail change between 'Full details' (full calendar), 'Limited details' (subject lines & availability only), and 'Availability only'. Availability only is almost just what I want -- I'd also like to include location, but availability only is good enough. After hitting OK here I get a 'Do you want to send an invitation...' dialog box. I hit 'Yes' and I can copy the webcals:// URL out of the email window that opens up. Next, to add it to my Google calendar, I open http://www.google.com/calendar/, and under 'Other calendars', I select 'Add > Add by URL', paste in that webcals:// URL but change the 'webcals' at the start to 'https'.

In Google Calendar, I can click on my calendar name under 'My calendars', select 'Calendar settings', and on the new page, look under 'Calendar Address', click the ICAL icon, and copy the URL in the new dialog. Now back in Outlook I go to the Calendar view, right click on 'My Calendars', and select 'Add Calendar From Internet...'. In the new dialog that pops up I paste in the URL from Google Calendar.

In this fashion I can share public calendar data between my personal and work calendars.

Ben Folds covers Elliott Smith | Music | A.V. Undercover | The A.V. Club

2010 May 14, 8:19
Tags: music, video, ben-folds, elliott-smith, say-yes

Shepard Fairey - Interview Magazine

2010 May 10, 8:59

Iggy Pop interviews Shepard Fairey, including his Obama HOPE poster and AP lawsuit:

"... but the American public is generally pretty superficial, so an image like that just allows them to project whatever limited idea they have onto it. Obviously, not everyone is like that—I actually think there were a lot of people who were bummed by the image because they felt it was shallow propaganda."

"If I spend time conceiving and making a piece of art and somebody else sees that it has market value and replicates it in order to steal part of my market, then that’s not cool. But the way I make art—the way a lot of people make art—is as an extension of language and communication, where references are incredibly important. It’s about making a work that is inspired by something preexisting but changes it to have a new value and meaning that doesn’t in any way take away from the original—and, in fact, might provide the original with a second life or a new audience."
Tags: art, legal, law, ip, shepard-fairey, obey, interview

The Emperor’s New APIs: On the (In)Secure Usage of New Client-side Primitives

2010 May 6, 7:43

Covers case studies of insecure usage of HTML5 cross-document messaging and web storage.

Tags: html, html5, web, browser, security, technical, webstorage, research, facebook, google, system:filetype:pdf, system:media:document
Creative Commons License: Some rights reserved.