stolen-thoughts - Dave's Blog


Netflix CSRF - Stolen Thoughts

2009 May 3, 10:36

Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would prevent a CSRF. Sure enough, it's pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts were stolen from me, and the thief doesn't even have the common decency to let me have the thought first!

With this issue known for nearly three years it's hard to continue calling it an issue. Really they should just document it in their API docs and be done with it. Who knows what Netflix-based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.
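The forgery pattern the post describes, with a cookie-only GET handler beside one that requires a per-session token, as an added illustration that is not code from the post or from Netflix; the session store, cookie values and request shape are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: auto-login cookie -> account state.
# The token is what a cross-site page cannot obtain (same-origin policy).
SESSIONS = {
    "sess-abc123": {"user": "dave", "queue": [], "csrf_token": secrets.token_hex(16)},
}


def add_to_queue_vulnerable(request):
    """The handler as the post describes it: the browser attaches the auto-login
    cookie to any request, so a page on another site can trigger the change."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401
    session["queue"].append(request["params"]["movie"])
    return 200


def add_to_queue_hardened(request):
    """Synchronizer-token version: a state change needs a POST carrying the
    token issued to this session, compared in constant time."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401
    if request["method"] != "POST":
        return 405
    sent = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403
    session["queue"].append(request["params"]["movie"])
    return 200


def forged_request(cookie, movie):
    """Constructed request as a third-party page would produce: the browser
    adds the cookie, but the page has no way to read the session's token."""
    return {"method": "GET", "cookie": cookie, "params": {"movie": movie}}


def legitimate_request(cookie, movie):
    """Constructed request from the site's own form, which embeds the token."""
    token = SESSIONS[cookie]["csrf_token"]
    return {"method": "POST", "cookie": cookie,
            "params": {"movie": movie, "csrf_token": token}}
```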

Tags: technical, stolen-thoughts, csrf, netflix, security

Commons:Photo scavenger hunts - Wikimedia Commons

2008 Dec 30, 1:19

The other day I thought a Creative Commons photography scavenger hunt was such a good idea that it must already exist. And of course it does.

Tags: scavenger-hunt, cc, creative-commons, wikipedia, photo, photography, stolen-thoughts

The Freenet Project - /fairshare

2008 Apr 8, 2:32

Distributed patronage: "FairShare essentially democratizes this process. Anybody can 'invest' in an artist, and if that artist goes on to be a success, then the person is rewarded in proportion to their investment and how early they made it."

Tags: distributed, patronage, paper, fairshare, economics, riaa, stolen-thoughts

Zeno's Progress Bar - Stolen Thoughts

2008 Apr 7, 10:09

[Image: text-less progress bar dialog. Licensed under Creative Commons by Ian Hampton.]

More of my thoughts have been stolen: in my previous job the customer wanted a progress bar displayed while information was copied off of proprietary hardware, during which the software didn't get any indication of progress until the copy was finished. I joked (mostly) that we could display a progress bar that continuously slows down and never quite reaches the end until we know we're done getting info from the hardware. The amount of progress would be a function of time whereas time approaches infinity, progress approaches a value of at most 100 percent.

This is similar to Zeno's Paradox, which says you can't cross a room because to do so you must first cross half the room, then half the remaining distance, then half the remaining again, and so on, which means you must take an infinite number of steps. There's also an old joke inspired by Zeno's Paradox. The joke is the prototypical engineering vs. sciences joke and is moderately humorous, but I think the fact that Wolfram has an interactive applet demonstrating the joke is funnier than the joke itself.

I recently found Lou Franco's blog post "Using Zeno's Paradox For Progress Bars" which covers the same concept as Zeno's Progress Bar but with real code. Apparently Lou wasn't making a joke and actually used this progress bar in an application. A progress bar that doesn't accurately represent progress seems dishonest. In cases like the Vista Defrag, where the software can't make a reasonable guess about how long a process will take, the software shouldn't display a progress bar.

Similarly a paper by Chris Harrison "Rethinking the Progress Bar" suggests that if a progress bar speeds up towards the end the user will perceive the operation as taking less time. The paper is interesting, but as in the previous case, I'd rather have progress accurately represented even if it means the user doesn't perceive the operation as being as fast.

Update: I should be clearer about Lou's post. He was actually making a practical and implementable suggestion as to how to handle the case of displaying progress when you have some idea of how long it will take but no indications of progress, whereas my suggestion is impractical and more of a joke concerning displaying progress with no indication of progress nor a general idea of how long it will take.

Tags: zenos, paradox, technical, stolen-thoughts, boring, progress, zeno, software, math

Lou Franco's ECM Imaging Blog : Using Zeno's Paradox For Progress Bars

2008 Mar 24, 9:42

Zeno's progress bar. Stolen thoughts...

Tags: progress-bar, zeno, gui, ui, programming, stolen-thoughts

Crossing Four Way Stops Fast and Searching Closed Caption MCE Videos: More Stolen Thoughts

2008 Jan 22, 9:56

More ideas stolen from me in the same vein as my stolen OpenID thoughts.

Fast Pedestrian Crossing on Four Way Stops. In college I didn't have a car, and every weekend I had weekly poker with friends who lived nearby, so I would end up waiting to cross from one corner of a traffic-lit four-way stop to the opposite corner. Waiting there in the cold gave me plenty of time to consider the fastest method of getting to the opposite corner of a four-way stop. My plan was to hit the pedestrian crossing button for both directions and travel on the first one available. This only seems like a bad choice if the pedestrian crossing signal travels clockwise or counter-clockwise around the four-way stop. In those two cases it's better to take the later of the two pedestrian signal crossings, but I have yet to see those two patterns on a real-life traffic stop. I decided recently to see if my plan was actually sound and looked up info on traffic signals. But the info didn't say much other than "it's complicated" and "it depends" (I'm paraphrasing). Then I found some guy's analysis of this problem. So I'm done with this, and I'll continue pressing both buttons and crossing on the first pedestrian signal. Incidentally, on one such night when I was waiting to cross this intersection I heard a loud multi-click sound and realized that the woman in the SUV waiting to cross the intersection next to me had just locked her doors. I guess my thinking-about-crossing-the-street face is intimidating.

Windows Searching Windows Media Center Recorded TV's Closed Captions. An Ars Technica article on a fancy DVR described one of the DVR's features: full-text search over the subtitles of the recorded TV shows. I thought implementing this for Windows Media Center recorded TV shows and Windows Search would be an interesting project to learn about video files and extending Windows Search. As it turns out, though, some guy, Stephen Toub, had already implemented Windows Search over MCE closed captions. Stephen Toub's article is very long and describes some other very interesting related projects, including 'summarizing video files', which you may want to read.

Tags: stolen-thoughts, windows, search, mce, windows, traffic, closed captions, four-way-stop, windows-media-center

OpenID Stolen Thoughts

2007 Mar 13, 7:57

I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
Anonymous OpenID
Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
Group OpenID
Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
OpenID Normalization
I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID specification.
I guess I'm a little late to the scene.

Tags: technical, stolen-thoughts, openid