Should you take the latest security scare seriously? I do, and here is what I am doing about it.
Its time to get a password manager.
I don’t care whether the game is good or not, I just love this trailer. Make more trailers. Also 240kb should be enough for anyone.
|
WinRT (JS and
C++)
|
JS Only
|
C++ Only
|
.NET Only
|
|
|
Parse
|
|
|||
|
Build
|
||||
|
Normalize
|
||||
|
Equality
|
|
|
||
|
Relative
resolution
|
||||
|
Encode data for
including in URI property
|
||||
|
Decode data extracted
from URI property
|
||||
|
Build Query
|
||||
|
Parse Query
|
A former State Department lawyer has his doubts, and a famous cartoonist predicts jury nullification.
The Windows Runtime API Windows.Foundation.Collections.PropertySet class is a nice string name to object value map that has a changed event that fires when the contents of the map is modified. Be careful with this event because it fires synchronously from the thread on which the PropertySet was modified. If modified from the UI thread, the UI thread will then wait as it synchronously dispatches the changed event to all listeners which could lead to performance issues or especially from the UI thread deadlock. For instance, deadlock if you have two threads both trying to tell each other about changed events for different PropertySets.
My second completed app for the Windows Store was Words with Hints a companion to Words with Friends or other Scrabble like games that gives you *ahem* hints. You provide your tiles and optionally letters placed in a line on the board and Words with Hints gives you word options.
I wrote this the first time by building a regular expression to check against my dictionary of words which made for a slow app on the Surface. In subsequent release of the app I now spawn four web workers (one for each of the Surface's cores) each with its own fourth of my dictionary. Each fourth of the dictionary is a trie which makes it easy for me to discard whole chunks of possible combinations of Scrabble letters as I walk the tree of possibilities.
The dictionaries are large and takes a noticeable amount of time to load on the Surface. The best performing mechanism I found to load them is as JavaScript source files that simply define their portion of the dictionary on the global object and synchronously (only on the worker so not blocking the UI thread). Putting them into .js files means they take advantage of bytecode caching making them load faster. However because the data is mostly strings and not code there is a dramatic size increase when the app is installed. The total size of the four dictionary .js files is about 44Mb. The bytecode cache for the dictionary files is about double that 88Mb meaning the dictionary plus the bytecode cache is 132Mb.
To handle the bother of postMessage communication and web workers this was the first app in which I used my promise MessagePort project which I'll discuss more in the future.
This is the first app in which I used the Microsoft Ad SDK. It was difficult to find the install for the SDK and difficult to use their website, but once setup, the Ad SDK was easy to import into VS and easy to use in my app.
My first app for Windows 8 was Shout Text. You type into Shout Text, and your text is scaled up as large as possible while still fitting on the screen, as you type. It is the closest thing to a Hello World app as you'll find on the Windows Store that doesn't contain that phrase (by default) and I approached it as the simplest app I could make to learn about Windows modern app development and Windows Store app submission.
I rely on WinJS's default layout to use CSS transforms to scale up the user's text as they type. And they are typing into a simple content editable div.
The app was too simple for me to even consider using ads or charging for it which I learned more about in future apps.
The first interesting issue I ran into was that copying from and then pasting into the content editable div resulted in duplicates of the containing div with copied CSS appearing recursively inside of the content editable div. To fix this I had to catch the paste operation and remove the HTML data from the clipboard to ensure only the plain text data is pasted:
function onPaste() {
var text;
if (window.clipboardData) {
text = window.clipboardData.getData("Text").toString();
window.clipboardData.clearData("Html");
window.clipboardData.setData("Text", util.normalizeContentEditableText(text));
}
}
shoutText.addEventListener("beforepaste", function () { return false; }, false);
shoutText.addEventListener("paste", onPaste, false);I additionally found an issue in IE in which applying a CSS transform to a content editable div that has focus doesn't move the screen position of the user input caret - the text is scaled up or down but the caret remains the same size and in the same place on the screen. To fix this I made the following hack to reapply the current cursor position and text selection which resets the screen position of the user input caret.
function resetCaret() {
setTimeout(function () {
var cursorPos = document.selection.createRange().duplicate();
cursorPos.select();
}, 200);
}
shoutText.attachEvent("onresize", function () { resetCaret(); }, true);Axe Cop coming this summer!
Nick Offerman, Tyler the Creator, Me (Rob Huebel), Giancarlo Esposito and Vincent Kartheiser.
The first independent film to gross more than $200 million, Pulp Fiction was a shot of adrenaline to Hollywood’s heart, reviving John Travolta’s career, making stars of Samuel L. Jackson and Uma Thurman, and turning Bob and Harvey Weinstein into giants. How did Quentin Tarantino, a high-school dropout and former video-store clerk, change the face of modern cinema? Mark Seal takes the director, his producers, and his cast back in time, to 1993.
Stripe's web security CTF's level 0 and level 3 had SQL injection solutions described below.
app.get('/*', function(req, res) {
var namespace = req.param('namespace');
if (namespace) {
var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
db.all(query, namespace, function(err, secrets) {There's no input validation on the namespace parameter and it is injected into the SQL query with no encoding applied. This means you can use the '%' character as the namespace which is the wildcard character matching all secrets.
Code review red flag was using strings to query the database. Additional levels made this harder to exploit by using an API with objects to construct a query rather than strings and by running a query that only returned a single row, only ran a single command, and didn't just dump out the results of the query to the caller.
@app.route('/login', methods=['POST'])
def login():
username = flask.request.form.get('username')
password = flask.request.form.get('password')
if not username:
return "Must provide username\n"
if not password:
return "Must provide password\n"
conn = sqlite3.connect(os.path.join(data_dir, 'users.db'))
cursor = conn.cursor()
query = """SELECT id, password_hash, salt FROM users
WHERE username = '{0}' LIMIT 1""".format(username)
cursor.execute(query)
res = cursor.fetchone()
if not res:
return "There's no such user {0}!\n".format(username)
user_id, password_hash, salt = res
calculated_hash = hashlib.sha256(password + salt)
if calculated_hash.hexdigest() != password_hash:
return "That's not the password for {0}!\n".format(username)There's little input validation on username before it is used to constrcut a SQL query. There's no encoding applied when constructing the SQL query string which is used to, given a username, produce the hashed password and the associated salt. Accordingly one can make username a part of a SQL query command which ensures the original select returns nothing and provide a new SELECT via a UNION that returns some literal values for the hash and salt. For instance the following in blue is the query template and the red is the username injected SQL code:
SELECT id, password_hash, salt FROM users WHERE username = 'doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob' LIMIT 1Code review red flag is again using strings to query the database. Although this level was made more difficult by using an API that returns only a single row and by using the execute method which only runs one command. I was forced to (as a SQL noob) learn the syntax of SELECT in order to figure out UNION and how to return my own literal values.
(via Pareidoloop)
“Phil McCarthy’s Pareidoloop overlays randomly generated polygons on top of one another until facial recognition software recognizes a human face. Can’t sleep, at SIGGRAPH! [via @Brandonn]”
Bookmarklet that lets you drop cartoon style black spherical bombs that send the text on any page flying.
cnet:
Mp3 playing retainer transmits music through your teeth:
Bone conduction audio, retainers, and shiny hip-hop teeth grills aren’t new inventions, but tech hacker Aisen Caro Chacin had the clever idea to put them all together.
The Play-A-Grill MP3 player prototype fits in your mouth like a retainer, shines on the outside like a precious metal rap grill, and plays music through bone conduction through your teeth.
Oh man, this would have made puberty just a touch cooler. Maybe.
This specification defines a “Problem Detail” as an extensible way to carry machine-readable details of errors in a response, to avoid the need to invent new response formats.
PPACA (aka Obamacare) broken down into its main subsections with brief explinations and citations linking into the actual PPACA document (why is it always PDF?).
Its interesting to see the very small number of parts folks are complaining about versus the rest which mostly strikes me as “how could this not already be the case?”
I’m no expert, and everything I posted here I attribute mostly to Wikipedia or the actual bill itself, with an occasional Google search to clarify stuff. I am absolutely not a difinitive source or expert. I was just trying to simplify things as best I can without dumbing them down. I’m glad that many of you found this helpful.”
(via Classic pro-science-careers music video PSA: Chemical Party)
Xeni says: “The EU wasn’t always so terrible at promoting science careers through funny internet music videos! (thanks, Guido)”
Some rights reserved