tos - Dave's Blog

Search

Retweet of shutupmikeginn

2015 Dec 20, 11:35
My Christmas gift to the internet is these Where's Waldo pictures with Waldo photoshopped out pic.twitter.com/PIo88oMFn1
PermalinkComments

Retweet of moody

2015 Nov 19, 8:36
The @USNatArchives just announced it is displaying The Refugee Act in its rotunda today. https://www.flickr.com/photos/usnationalarchives/sets/72157661462319371 … pic.twitter.com/GxKALnV4xV
PermalinkComments

Tweet from David_Risney

2015 Oct 19, 9:29
Klingon Forehead Problem: TOS no makeup, no ridges. TNG+ ridges. ENT S4 retcons the answer of virus http://www.ex-astris-scientia.org/inconsistencies/klingon-foreheads.htm …
PermalinkComments

laughingsquid:Photo-Editing Professionals React With Surprise...

2015 Mar 17, 3:05


laughingsquid:

Photo-Editing Professionals React With Surprise and Frustration as They Attempt to Use Photoshop 1.0 From 1990

PermalinkComments

laughingsquid:Photo-Editing Professionals React With Surprise...

2015 Mar 17, 3:05


laughingsquid:

Photo-Editing Professionals React With Surprise and Frustration as They Attempt to Use Photoshop 1.0 From 1990

PermalinkComments

Retweet of billcox

2015 Mar 3, 1:54
Marketing pro tip: punch up your artisanal PPTs with idiotic Vince Vaughn stock photos. http://www.adweek.com/adfreak/vince-vaughn-and-costars-pose-idiotic-stock-photos-you-can-have-free-163239 … pic.twitter.com/AZVCfIFN9T
PermalinkComments

The Doritos origin story: Repurposed garbage from Disneyland

2014 May 6, 7:16

shortformblog:

A reminder that those Doritos you love are trash:

Shortly after Disneyland opened in 1955, the founder of Frito-Lay got permission from Walt Disney to open a restaurant in Frontierland with a Mexican-ish theme. “Casa de Fritos” was, unsurprisingly, all about the Fritos. Customers got free Fritos, and Fritos were incorporated into many of the dishes. Fritos were dispensed by an animatronic vending machine that featured the terrifying “Frito Kid”asking his assistant “Klondike” to bring the bag up from a mineshaft. I guess the conceit is that Fritos were mined by Forty-Niners?

Casa de Fritos contracted their tortilla production to a company called Alex Foods. One of the salesmen from Alex Foods, making a delivery to Casa de Fritos, noticed stale tortillas in the garbage and gave the cook a little tip: fry them and sell them as chips instead of throwing them away. Casa de Fritos began making these fried, seasoned chips to enormous success, but didn’t report this new menu item to the Frito-Lay company.

Eventually Frito-Lay found out what they were doing with the chips, packaged them, and sold them by the truckload. See, dumpster diving works out sometimes!

PermalinkComments

Where the best designers go to find photos and graphics

2014 Jan 5, 3:09

List of useful free or CC licensed photography and icon sites.

PermalinkCommentsfree cc photo photography icon

picjumbo

2014 Jan 5, 2:22
/wp-content/uploads/IMG_3811-1300x866.jpg"/>

picjumbo

totally free photos for your commercial & personal works

 

PermalinkCommentsphoto free photography

Considerate MessagePort Usage

2013 Aug 7, 7:14
Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.When writing a JavaScript library that uses postMessage and the message event, I must be considerate of other JS code that will be running along side my library. I shouldn't assume I'm the only sender and receiver on a caller provided MessagePort object. This means obviously I should use addEventListener("message" rather than the onmessage property (see related What if two programs did this?). But considering the actual messages traveling over the message channel I have the issue of accidentally processing another libraries messages and having another library accidentally process my own message. I have a few options for playing nice in this regard:
Require a caller provided unique MessagePort
This solves the problem but puts a lot of work on the caller who may not notice nor follow this requirement.
Uniquely mark my messages
To ensure I'm acting upon my own messages and not messages that happen to have similar properties as my own, I place a 'type' property on my postMessage data with a value of a URN unique to me and my JS library. Usually because its easy I use a UUID URN. There's no way someone will coincidentally produce this same URN. With this I can be sure I'm not processing someone else's messages. Of course there's no way to modify my postMessage data to prevent another library from accidentally processing my messages as their own. I can only hope they take similar steps as this and see that my messages are not their own.
Use caller provided MessagePort only to upgrade to new unique MessagePort
I can also make my own unique MessagePort for which only my library will have the end points. This does still require the caller to provide an initial message channel over which I can communicate my new unique MessagePort which means I still have the problems above. However it clearly reduces the surface area of the problem since I only need once message to communicate the new MessagePort.
The best solution is likely all of the above.
Photo is Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.
PermalinkCommentsDOM html javascript messagechannel postMessage programming technical

Shout Text Windows 8 App Development Notes

2013 Jun 27, 1:00

My first app for Windows 8 was Shout Text. You type into Shout Text, and your text is scaled up as large as possible while still fitting on the screen, as you type. It is the closest thing to a Hello World app as you'll find on the Windows Store that doesn't contain that phrase (by default) and I approached it as the simplest app I could make to learn about Windows modern app development and Windows Store app submission.

I rely on WinJS's default layout to use CSS transforms to scale up the user's text as they type. And they are typing into a simple content editable div.

The app was too simple for me to even consider using ads or charging for it which I learned more about in future apps.

The first interesting issue I ran into was that copying from and then pasting into the content editable div resulted in duplicates of the containing div with copied CSS appearing recursively inside of the content editable div. To fix this I had to catch the paste operation and remove the HTML data from the clipboard to ensure only the plain text data is pasted:

        function onPaste() {
var text;

if (window.clipboardData) {
text = window.clipboardData.getData("Text").toString();
window.clipboardData.clearData("Html");
window.clipboardData.setData("Text", util.normalizeContentEditableText(text));
}
}
shoutText.addEventListener("beforepaste", function () { return false; }, false);
shoutText.addEventListener("paste", onPaste, false);

I additionally found an issue in IE in which applying a CSS transform to a content editable div that has focus doesn't move the screen position of the user input caret - the text is scaled up or down but the caret remains the same size and in the same place on the screen. To fix this I made the following hack to reapply the current cursor position and text selection which resets the screen position of the user input caret.

        function resetCaret() {
setTimeout(function () {
var cursorPos = document.selection.createRange().duplicate();
cursorPos.select();
}, 200);
}

shoutText.attachEvent("onresize", function () { resetCaret(); }, true);
PermalinkCommentsdevelopment html javascript shout-text technical windows windows-store

2012 Oct 22, 11:24

PermalinkComments

2012 Oct 22, 11:24

PermalinkComments

laughingsquid: Photos: MakerBot Retail Store in Manhattan

2012 Sep 20, 2:14


laughingsquid:

Photos: MakerBot Retail Store in Manhattan

PermalinkComments3d-printer maker-bot retail

Stripe CTF - XSS, CSRF (Levels 4 & 6)

2012 Sep 10, 4:43

Level 4 and level 6 of the Stripe CTF had solutions around XSS.

Level 4

Code

> Registered Users 

  • <% @registered_users.each do |user| %>
    <% last_active = user[:last_active].strftime('%H:%M:%S UTC') %>
    <% if @trusts_me.include?(user[:username]) %>

  • <%= user[:username] %>
    (password: <%= user[:password] %>, last active <%= last_active %>)
  • Issue

    The level 4 web application lets you transfer karma to another user and in doing so you are also forced to expose your password to that user. The main user page displays a list of users who have transfered karma to you along with their password. The password is not HTML encoded so we can inject HTML into that user's browser. For instance, we could create an account with the following HTML as the password which will result in XSS with that HTML:

    
    
    This HTML runs script that uses jQuery to post to the transfer URI resulting in a transfer of karma from the attacked user to the attacker user, and also the attacked user's password.

    Notes

    Code review red flags in this case included lack of encoding when using user controlled content to create HTML content, storing passwords in plain text in the database, and displaying passwords generally. By design the web app shows users passwords which is a very bad idea.

    Level 6

    Code



    ...

    def self.safe_insert(table, key_values)
    key_values.each do |key, value|
    # Just in case people try to exfiltrate
    # level07-password-holder's password
    if value.kind_of?(String) &&
    (value.include?('"') || value.include?("'"))
    raise "Value has unsafe characters"
    end
    end

    conn[table].insert(key_values)
    end

    Issue

    This web app does a much better job than the level 4 app with HTML injection. They use encoding whenever creating HTML using user controlled data, however they don't use encoding when injecting JSON data into script (see post_data initialization above). This JSON data is the last five most recent messages sent on the app so we get to inject script directly. However, the system also ensures that no strings we write contains single or double quotes so we can't get out of the string in the JSON data directly. As it turns out, HTML lets you jump out of a script block using no matter where you are in script. For instance, in the middle of a value in some JSON data we can jump out of script. But we still want to run script, so we can jump right back in. So the frame so far for the message we're going to post is the following:

    
    
PermalinkCommentscsrf encoding html internet javascript percent-encoding script security stripe-ctf technical web xss

A New Species Discovered ... On Flickr (npr.org)

2012 Aug 11, 9:17

Winterton, a senior entomologist at the California Department of Food and Agriculture, has seen a lot of bugs. But he hadn’t seen this species before.

There’s no off switch when you’re the senior entomologist. If you’re browsing the web you find your way to Flickr photos of insects or start correcting Wikipedia articles on insects.

PermalinkCommentsflickr insect science photos

enochliew: Tetris Street Art by Gaffa gallery Located in Sydney...

2012 Jun 25, 2:40




enochliew:

Tetris Street Art by Gaffa gallery

Located in Sydney on Abercrombie Lane.

I’d get out of there before they form a horizontal line…

PermalinkCommentstetris street-art photos

The Verge has the best earliest coverage of the Microsoft...

2012 Jun 18, 1:07


The Verge has the best earliest coverage of the Microsoft Surface press conference and pretty photos.

Microsoft Surface event 2012: everything you need to know

PermalinkCommentstechnical windows win8 tablet surface laptop windows-8

(via Descriptive Camera) A digital camera sends photos to...

2012 Apr 25, 4:23


(via Descriptive Camera)

A digital camera sends photos to Mechanical Turk service to generate a textual description and print the result on a thermal printer.  Thus a camera that prints out a textual description of what you photographed.

PermalinkCommentshumor camera photo mechanical-turk

Image Error Level Analysis with HTML5

2012 Apr 16, 1:59

Javascript tool says if a photo is shopped. It can tell by looking at the pixels. Seriously. Links to cool presentation on the theory behind the algorithm behind the tool: http://www.wired.com/images_blogs/threatlevel/files/bh-usa-07-krawetz.pdf

PermalinkCommentstechnical javascript jpeg photoshop
Older Entries Creative Commons License Some rights reserved.