Back to the Future II writer Bob Gale: Biff Tannen was based on Donald Trump. No joke.
http://www.thedailybeast.com/articles/2015/10/21/how-back-to-the-future-predicted-trump.html … pic.twitter.com/kGvrFxhxxc
The first independent film to gross more than $200 million, Pulp Fiction was a shot of adrenaline to Hollywood’s heart, reviving John Travolta’s career, making stars of Samuel L. Jackson and Uma Thurman, and turning Bob and Harvey Weinstein into giants. How did Quentin Tarantino, a high-school dropout and former video-store clerk, change the face of modern cinema? Mark Seal takes the director, his producers, and his cast back in time, to 1993.
Stripe's web security CTF's level 0 and level 3 had SQL injection solutions described below.
app.get('/*', function(req, res) {
var namespace = req.param('namespace');
if (namespace) {
var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
db.all(query, namespace, function(err, secrets) {There's no input validation on the namespace parameter and it is injected into the SQL query with no encoding applied. This means you can use the '%' character as the namespace which is the wildcard character matching all secrets.
Code review red flag was using strings to query the database. Additional levels made this harder to exploit by using an API with objects to construct a query rather than strings and by running a query that only returned a single row, only ran a single command, and didn't just dump out the results of the query to the caller.
@app.route('/login', methods=['POST'])
def login():
username = flask.request.form.get('username')
password = flask.request.form.get('password')
if not username:
return "Must provide username\n"
if not password:
return "Must provide password\n"
conn = sqlite3.connect(os.path.join(data_dir, 'users.db'))
cursor = conn.cursor()
query = """SELECT id, password_hash, salt FROM users
WHERE username = '{0}' LIMIT 1""".format(username)
cursor.execute(query)
res = cursor.fetchone()
if not res:
return "There's no such user {0}!\n".format(username)
user_id, password_hash, salt = res
calculated_hash = hashlib.sha256(password + salt)
if calculated_hash.hexdigest() != password_hash:
return "That's not the password for {0}!\n".format(username)There's little input validation on username before it is used to constrcut a SQL query. There's no encoding applied when constructing the SQL query string which is used to, given a username, produce the hashed password and the associated salt. Accordingly one can make username a part of a SQL query command which ensures the original select returns nothing and provide a new SELECT via a UNION that returns some literal values for the hash and salt. For instance the following in blue is the query template and the red is the username injected SQL code:
SELECT id, password_hash, salt FROM users WHERE username = 'doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob' LIMIT 1Code review red flag is again using strings to query the database. Although this level was made more difficult by using an API that returns only a single row and by using the execute method which only runs one command. I was forced to (as a SQL noob) learn the syntax of SELECT in order to figure out UNION and how to return my own literal values.
On the topic of made up words: I get made up words for made up things, but there's already a name for cell-phone in English: its "cell-phone". The narrator notes that the book has been translated into English so I guess I'll blame the fictional translator. Anyway, I wasn't bothered by the made up words nearly as much as some folk. Its a good thing I'm long out of college because I can easily imagine confusing the names of actual concepts and people with those from the book, like Hemn space for Hamming distance. Towards the beginning, the description of slines and the post-post-apocalyptic setting reminded me briefly of Idiocracy.
Recently, I've been reading everything of Charles Stross that I can, including about a month ago, The Jennifer Morgue from the surprisingly awesome amalgamation genre of spy thriller and Lovecraft horror. Its the second in a series set in a universe in which magic exists as a form of mathematics and follows Bob Howard programmer/hacker, cube dweller, and begrudging spy who works for a government agency tasked to suppress this knowledge and protect the world from its use. For a taste, try a short story from the series that's freely available on Tor's website, Down on the Farm.
Coincidentally, both Anathem and the Bob Howard series take an interest in the world of Platonic ideals. In the case of Anathem (without spoiling anything) the universe of Platonic ideals, under a different name of course, is debated by the characters to be either just a concept or an actual separate universe and later becomes the underpinning of major events in the book. In the Bob Howard series, magic is applied mathematics that through particular proofs or computations awakens/disturbs/provokes unnamed horrors in the universe of Platonic ideals to produce some desired effect in Bob's universe.
Two and half weeks ago Sarah and I went to Las Vegas where I got to
see Jesse, Pat, Chris, and (briefly because he's some kind of big shot too busy for his friends now etc) Grib from college. They're mostly in San Jose and I hadn't seen them for a while so it was a
lot of fun to hang out. We all stayed at the MGM which is a nice hotel with some good restaurants. In other Vegas related links, Sarah added Sarah's Las Vegas restaurant reviews to her reviews and Jesse has Jesse's Vegas
photos up too.
Sarah and I saw the Blue Man Group (video from a concert) and the Price is Right Live Show. The Blue Man Group
was very cool although the music was all rock with a heavy drum focus (not depicted in the videos I linked) which I got a little tired of. But despite that I really enjoyed the show, very funny and
I totally recommend it. The Price is Right Live Show is like the regular show on TV except the recording is not televised and its not hosted by Bob Barker or Drew Carey. So folks from the audience
are still called up to play the same games and really win prizes. It was advertised as hosted by Todd Newton, B-list game show host, but was instead
hosted by JD Roberto who hosted such things as "Reality Remix" and the show "Are You Hot? The Search for America's Sexiest People". The showcase
showdown included the 2008 version of my car and thankfully I wasn't picked to compete for that because, well I don't know where they bought the car, but I would have gotten the price very wrong.
We sat right next to the stage for that show and had a good time.
For New Years Eve Sarah and I stayed in and watched the glitched Seattle Space Needle fireworks show from a safe distance. On New Years we went to a pot-luck at Todd's house and had a fun time. Todd's place
is on the top of a hill and has a lovely view of Washington's snow-capped mountains.
Some rights reserved