popular - Dave's Blog


DSL modem hack used to infect millions with banking fraud malware | Ars Technica

2012 Oct 1, 6:33

According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.

The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

Tags: technical security html router web dns csrf

HTTP Compression Documentation Reference

2012 Jun 13, 3:08
There's a lot of name reuse in HTTP compression so I've made the following to help myself keep it straight.
| HTTP Content Coding Token | gzip | deflate | compress |
| Definition | An encoding format produced by the file compression program "gzip" (GNU zip). | The "zlib" format as described in RFC 1950. | The encoding format produced by the common UNIX file compression program "compress". |
| Data Format | GZIP file format | ZLIB Compressed Data Format | The compress program's file format |
| Compression Method | Deflate compression method | Deflate compression method | LZW |

Deflate consists of LZ77 and Huffman coding.

Compress doesn't seem to be supported by current popular browsers, possibly because of its history of patent encumbrance.

Deflate isn't always implemented correctly. Some servers send the raw deflate data format instead of the zlib data format, and at least some versions of Internet Explorer expect the raw deflate data format instead of the zlib data format.
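As an added example (not code from the original post), the following Python decodes the "gzip" and "deflate" content codings from the table, checks for the RFC 1950 zlib header that a correct "deflate" body carries, and shows the lenient fallback to a bare RFC 1951 stream that a client needs when a server sends the raw format by mistake. The sample payload and the `strict` flag are constructed for this example.

```python
# Added example (not from the original post): decoding HTTP "gzip" and
# "deflate" content codings with Python's zlib, including the lenient
# fallback to raw DEFLATE that the post says some servers send by mistake.
import gzip
import zlib

def looks_like_zlib(body: bytes) -> bool:
    """RFC 1950 header check: CM nibble == 8 (deflate) and the 16-bit
    CMF/FLG value is a multiple of 31 (FCHECK). A hint only: a raw deflate
    stream could coincidentally pass it, so decoding still uses try/except."""
    if len(body) < 2:
        return False
    cmf, flg = body[0], body[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0

def decode_content(body: bytes, coding: str, strict: bool = False) -> bytes:
    """Decode an HTTP body by Content-Encoding token.
    gzip     -> RFC 1952 gzip wrapper around DEFLATE
    deflate  -> RFC 1950 zlib wrapper around DEFLATE (what the token means);
                with strict=False also accept bare RFC 1951 DEFLATE, the
                server mistake the post describes.
    compress -> LZW; not supported here (nor by current browsers)."""
    token = coding.strip().lower()
    if token == "gzip":
        return zlib.decompress(body, wbits=zlib.MAX_WBITS | 16)  # gzip header
    if token == "deflate":
        if looks_like_zlib(body):
            try:
                return zlib.decompress(body, wbits=zlib.MAX_WBITS)  # zlib header
            except zlib.error:
                if strict:
                    raise
        elif strict:
            raise zlib.error("deflate body lacks the RFC 1950 zlib header")
        return zlib.decompress(body, wbits=-zlib.MAX_WBITS)  # raw DEFLATE
    if token == "compress":
        raise NotImplementedError("compress (LZW) is not supported")
    raise ValueError(f"unknown content coding: {coding!r}")

def raw_deflate(data: bytes) -> bytes:
    """Bare RFC 1951 stream with no zlib header or trailer (the buggy variant)."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

# Constructed sample payload and the three encodings of it.
PAYLOAD = b"GET / HTTP/1.1 sample body text " * 8
GZIP_BODY = gzip.compress(PAYLOAD)
ZLIB_BODY = zlib.compress(PAYLOAD)   # correct "deflate" body (zlib wrapped)
RAW_BODY = raw_deflate(PAYLOAD)      # what a misbehaving server sends

if __name__ == "__main__":
    for tok, body in (("gzip", GZIP_BODY), ("deflate", ZLIB_BODY), ("deflate", RAW_BODY)):
        print(tok, looks_like_zlib(body), decode_content(body, tok) == PAYLOAD)
```

With `strict=True` the raw body is rejected, which is the interop failure the post describes from the client's side.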

Tags: compress compression deflate gzip http http-header technical zlib

Feds Mistakenly Shut Down Popular Blog For Over A Year (techdirt.com)

2011 Dec 8, 10:57

Tags: technical censorship government internet riaa copyright

Indicating Character Encoding and Language for HTTP Header Field Parameters

2011 Nov 24, 7:45

From the document: ‘Appendix B. Implementation Report: The encoding defined in this document currently is used for two different HTTP header fields: “Content-Disposition”, defined in [RFC6266], and “Link”, defined in [RFC5988]. As the encoding is a profile/clarification of the one defined in [RFC2231] in 1997, many user agents already supported it for use in “Content-Disposition” when [RFC5987] got published.

Since the publication of [RFC5987], two more popular desktop user agents have added support for this encoding; see http://purl.org/NET/http/content-disposition-tests#encoding-2231-char for details. At this time, only one major desktop user agent (Safari) does not support it.

Note that the implementation in Internet Explorer 9 does not support the ISO-8859-1 encoding; this document revision acknowledges that UTF-8 is sufficient for expressing all code points, and removes the requirement to support ISO-8859-1.’

Yay for UTF-8!

Tags: technical http http-headers ie9 internationalization utf-8 encoding

URI Empty Path Segments Matter

2011 Nov 23, 11:00

Shortly after joining the Internet Explorer team I got a bug from a PM on a popular Microsoft web server product that I'll leave unnamed (from now on UWS). The bug said that IE was handling empty path segments incorrectly by not removing them before resolving dotted path segments. For example UWS would do the following:

A.1. http://example.com/a/b//../
A.2. http://example.com/a/b/../
A.3. http://example.com/a/

In step 1 they are given a URI with dotted path segment and an empty path segment. In step 2 they remove the empty path segment, and in step 3 they resolve the dotted path segment. Whereas, given the same initial URI, IE would do the following:

B.1. http://example.com/a/b//../
B.2. http://example.com/a/b/

IE simply resolves the dotted path segment against the empty path segment and removes them both. So, how did I resolve this bug? As "By Design" of course!

The URI RFC allows path segments of zero length and does not assign them any special meaning. So generic user agents that intend to work on the web must not treat an empty path segment any differently from a path segment that contains text. In the case above IE is doing the correct thing.

That's the case for generic user agents; servers, however, may decide that a URI with an empty path segment returns the same resource as the same URI without that empty path segment. Essentially they can decide to ignore empty path segments. Both IIS and Apache work this way and thus return the same resource for the following URIs:

http://example.com/foo//bar///baz
http://example.com/foo/bar/baz
The issue for UWS is that it removes empty path segments before resolving dotted path segments. It must follow normal URI procedure before applying its own additional rules for empty path segments. Not doing that means they end up violating URI equivalency rules: URIs (A.1) and (B.2) are equivalent but UWS will not return the same resource for them.
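As an added example (not code from the original post), the following Python implements RFC 3986 section 5.2.4 dot-segment removal over path segments, so that an empty segment is an ordinary segment, and contrasts the two orders of operations from the post: the UWS order (drop empty segments, then resolve dots) against the correct order (resolve dots first, then apply the server's own empty-segment rule). The function names and the restriction to absolute paths are this example's assumptions.

```python
# Added example (not from the original post): RFC 3986 section 5.2.4
# remove_dot_segments written over path segments, so an empty segment is an
# ordinary segment, versus the server ("UWS") order the post describes.

def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' in an absolute path as a generic user agent must:
    '/a/b//../' -> '/a/b/' because '..' removes the empty segment before it,
    not 'b'. Assumes path starts with '/'."""
    out = []
    segs = path.split("/")[1:]           # drop the leading empty string
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")           # '/a/.' -> '/a/'
        elif seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")           # '/a/b/..' -> '/a/'
        else:
            out.append(seg)              # '' is kept like any other segment
    return "/" + "/".join(out)

def collapse_empty_segments(path: str) -> str:
    """Server-side rule (IIS/Apache style): '/foo//bar///baz' -> '/foo/bar/baz'.
    Leading and trailing slashes are kept."""
    segs = [s for s in path.split("/") if s]
    trailing = path.endswith("/") and bool(segs)
    return "/" + "/".join(segs) + ("/" if trailing else "")

def uws_normalize(path: str) -> str:
    """The order the post attributes to UWS: empties first, then dots."""
    return remove_dot_segments(collapse_empty_segments(path))

def server_normalize(path: str) -> str:
    """The order the post says a server must use: RFC dot-segment removal
    first, then the server's own empty-segment rule."""
    return collapse_empty_segments(remove_dot_segments(path))

def equivalent(a: str, b: str, normalize) -> bool:
    """True when both paths name the same resource under `normalize`."""
    return normalize(a) == normalize(b)

if __name__ == "__main__":
    A1, B2 = "/a/b//../", "/a/b/"        # paths of URIs (A.1) and (B.2)
    print("user agent:", remove_dot_segments(A1))              # /a/b/
    print("UWS order :", uws_normalize(A1), uws_normalize(B2))  # /a/ /a/b/
    print("correct   :", server_normalize(A1), server_normalize(B2))
```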
Tags: user agent url ie uri technical web browser

Lessons of the Chewbacca Incident « Binary Bonsai

2010 Sep 27, 1:51

Learn how to correctly generalize about the users of Reddit, Facebook, BoingBoing, etc. based on the HTTP redirect stats collected from this site's recent popular post on Chewbacca.

Tags: statistics internet web blog

Amanda Palmer Performs The Popular Hits Of Radiohead On Her Magical Ukulele | Amanda Palmer

2010 Jul 21, 3:08

"Amanda Palmer Performs The Popular Hits Of Radiohead On Her Magical Ukulele" "Immediate download of 7-track album in your choice of 320k mp3, FLAC, or just about any other format you could possibly desire. Buy Now $0.84 USD or more"

Tags: amanda-palmer audio download mp3 music radiohead ukulele

Amanda Palmer To Release an EP of Radiohead Covers & Debuts “Idioteque” as First Single « amanda palmer

2010 Jun 22, 3:24

"On July 20th Amanda will be releasing an EP of Radiohead cover songs titled Amanda Palmer Performs The Popular Hits of Radiohead on Her Magical Ukulele." Includes her cover of Idioteque.

Tags: amanda-palmer radiohead ukulele uke music

A Practical Attack to De-Anonymize Social Network Users

2010 Mar 8, 1:50

Paper suggests history stealing to find what popular social networking site groups a visitor to your web site belongs to, and stats on how easy it is to then uniquely identify the visitor on the popular social networking site.

Tags: security privacy social social-network paper research web browser css technical system:filetype:pdf system:media:document

Popular Science Archive - Google Books

2010 Mar 5, 3:15

A full archive of Popular Science magazines.

Tags: popular-science google books magazine history archive

No, you can’t do that with H.264 « Digital Diary of Ben Schwartz

2010 Feb 4, 2:01

On the crappy licensing of the H.264 and MPEG codecs in popular video encoding software.

Tags: video encoding codec patent legal law apple microsoft theora h.264 technical

Thought Experiments and Design Principles

2010 Jan 29, 3:54

Raymond Chen has some thought experiments useful for discovering various kinds of stupidity in software design:

Tim Berners-Lee's principles of Web design include my favorite: the Test of Independent Invention. It has a thought experiment involving the construction of the MMM (Multi-Media Mesh) with MRIs (Media Resource Identifiers) and MMTP (Multi-Media Transport Protocol).

The Internet design principles (RFC 1958) include the Robustness Principle: be strict when sending and tolerant when receiving. A good one, but applied too liberally it can lead to interop issues. For instance, consider web browsers. Imagine one browser becomes so popular that web devs create web pages and test them only in this popular browser. They don't ensure their pages conform to standards and accidentally end up depending on the manner in which this popular browser tolerantly accepts non-standard input. This non-standard behavior ends up as the de facto standard, and future updates to the standard have effectively had decisions made for them.

Tags: technical design principles software development

A Peek Into Netflix Queues - NYTimes.com

2010 Jan 11, 2:24

Heat map of rental popularity of particular movies from NetFlix in various cities.

Tags: visualization movie netflix map nytimes flash information

Public Domain Day

2010 Jan 6, 3:41

Public Domain Day sounds neat. Not just celebrating the public domain but celebrating new works now available in the public domain every Jan 1st. But we'll have to wait at least nine years to celebrate in the US. We need to get the copyright lifetime to match up with retro things regaining popularity -- like when big band music was briefly popular again.

Tags: copyright ip public-domain law legal

4chan Founder “moot” to Speak at TED – GigaOM

2009 Dec 23, 10:03

"Christopher “moot” Poole, the young founder of the irascible online forum 4chan, will speak in February at the TED conference, the elite gathering of thought leaders whose video-taped talks have become immensely popular online." It's like TED is just asking for it.

Tags: ted 4chan christopher-poole moot

curlies - Project Hosting on Google Code

2009 Dec 23, 9:58

Results of a set of black box tests on various characters in various parts of URLs in various popular browsers.

Tags: via:mnot url uri iri idn dns browser web technical

How to Remove Caulk in 6 Easy Steps - Popular Mechanics

2009 Oct 18, 5:22

"Q: The caulk around my bathtub is peeling away in places, and it looks pretty ugly. How do I remove it and recaulk?"

Tags: howto diy home tool caulk shower bathtub tile

Bookmarklet of death: Domain hijacking without 0days | GNUCITIZEN

2009 Sep 23, 7:56

"I do understand that it would be annoying to warn users every time they run a bookmarklet, but I think it would be sensible to show a warning at least the first time a given bookmarklet is executed. If you work for a popular web browser vendor such as Microsoft or Mozilla, you can think of this as my wish for the day! I'd love to hear your feedback if you are reading this!"

Tags: technical bookmarklet bookmarklets security web webbrowser javascript

linkiblog | How to Build a Popularity Algorithm You can be Proud of

2009 Sep 9, 5:49

Tags: technical statistics algorithms howto social tutorial math popular reddit digg programming

Timelines: Time travel in popular film and tv | Information Is Beautiful

2009 Aug 28, 3:02

Lovely visualization of the time travels taken by characters in various movies and television series, noting the places where they overlap.

Tags: via:waxy time-travel bttf startrek tv movie information visualization

Creative Commons License. Some rights reserved.