Level 5 of the Stripe CTF revolved around a design issue in an OpenID-like protocol.
Code
    def authenticated?(body)
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end
    ...
    if authenticated?(body)
      session[:auth_user] = username
      session[:auth_host] = host
      return "Remote server responded with: #{body}." \
             " Authenticated as #{username}@#{host}!"
Issue
This level is an implementation of a federated identity protocol. You give it an endpoint URI, a username and a password; it posts the username and password to the endpoint URI, and if the
response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This
level only talks to Stripe CTF servers, so the first step is to upload a document containing the text 'AUTHENTICATED' to the level 2 server, after which we
can authenticate on a level 2 server. Notice that the level 5 server will dump out the content of the endpoint URI and that the regexp it uses to detect the text 'AUTHENTICATED' can match on
that dump. Accordingly I uploaded an authenticated file to
Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and lists the text of the level 2 file 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint
URI means level 5 seeing 'AUTHENTICATED' coming back from a level 5 URI.
Notes
I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The
protocol requires only a set piece of common literal text to be returned which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable
text based on the input would make it much harder for a server to accidentally authenticate.
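The two points in the Notes, shown as an added example (not the level's code and not from the original post): the quoted check run against a constructed reflected body, next to a stricter check that expects variable text. The nonce scheme, `authenticated_strict?`, `new_nonce`, `compare_checks` and the sample body are assumptions made for illustration.

```ruby
require 'securerandom'

# The level's check, as quoted on this page. In Ruby, `$` anchors at the end
# of any line, not the end of the string, so text after a newline is ignored.
def authenticated?(body)
  body =~ /[^\w]AUTHENTICATED[^\w]*$/
end

# Hypothetical stricter check (an assumption, not the level's code): the
# relying server sends a fresh nonce with each request, and the entire
# response body must equal the token bound to that nonce.
def authenticated_strict?(body, nonce)
  body == "AUTHENTICATED #{nonce}"
end

# Fresh per-request value the endpoint would have to include in its reply.
def new_nonce
  SecureRandom.hex(16)
end

# Run both checks on the same body so the difference is visible.
def compare_checks(body, nonce)
  { permissive: !authenticated?(body).nil?,
    strict: authenticated_strict?(body, nonce) }
end

# Constructed sample: a page that dumps another endpoint's reply, where the
# dumped reply is a static file holding the literal text and a newline.
REFLECTED_BODY = "Remote server responded with: \nAUTHENTICATED\n" \
                 ". Authenticated as user@host.example!"

if __FILE__ == $PROGRAM_NAME
  nonce = new_nonce
  puts "reflected dump:  #{compare_checks(REFLECTED_BODY, nonce)}"
  puts "nonce-bound ok:  #{compare_checks("AUTHENTICATED #{nonce}", nonce)}"
  puts "stale nonce:     #{compare_checks("AUTHENTICATED #{new_nonce}", nonce)}"
end
```

The reflected dump passes the permissive check only because the literal is followed by a line break; a static file cannot contain a nonce chosen after it was uploaded, so the strict check rejects it.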
Former Firefox developer on the switch to their continuous update cycle.
Oh no, Chrome is doing such-and-such; we’d better do something equivalent or we’ll fall behind! We thought we needed a rapid update process like Chrome. We were jealous of their rapid update
capability, which let them deploy improvements to users continuously. We had to “catch up” with Chrome’s updating capability.
Dealing with servicing on IE for years had led me to some of the same thoughts when I heard Firefox was switching to continuous updates.
2010 Apr 21, 1:47
So... There's Downfall, a 2004 film about the final days of Hitler's life. Then folks take the most dramatic scene and parody it with new subtitles having Hitler yell about various things
like his cell phone or Burning Man. It becomes a meme and meta Downfall parodies show up with Hitler yelling about the Downfall parodies. Now the studio producing the film has sent DMCA takedown
notices to Youtube and many of the videos are disappearing. In response is a new Downfall parody in which Hitler issues DMCA notices to Youtube...
2009 Jun 12, 12:37
"Last night on Late Night with Jimmy Fallon, Microsoft's Kudo Tsunoda brought along his baby, Project Natal, and let Jimmy Fallon, John Krasinski, and Stephen Moyer go to town. The footage has made
its way onto Hulu and while these are pretty much the same demos for Ricochet and Burnout Paradise that we saw at E3 last week, they're still impressive."
2009 May 19, 2:09
"Today's other best Fallout 3 development: Japan's 'agoministrator' re-imagines the game as a 70s TV drama"
2009 Apr 21, 1:28
Fallout 3's May 5th DLC removes old ending, adds new quests, new levels, new perks. Sounds good! "In a nutshell, Broken Steel will remove the game's ending entirely, with Bethesda's Pete Hines saying
simply to fans that called for an open-ended resolution, "We got the idea." Players will still have to make the final choice, but following that climax the game will continue, presenting new epilogue
quests, another 10 levels to gain, and new perks, monsters and achievements to keep the climb interesting."
2009 Apr 15, 7:42
"If you're like us, you live in constant fear of slipping into a wormhole and getting spit out in the 13th century, and the only real useful knowledge you have for your ignorant ancestors is 'watch
out for that Hitler guy' and 'some of the Popes are evil.'" It's like they're inside my head! Love this shirt and poster telling you everything you need to know in case you accidentally fall back in
time.