writing - Dave's Blog

Search

Tweet from David Risney

2016 Sep 8, 3:21
Trump's speech writing staff must consist solely of Andrey Markov. https://twitter.com/JoyAnnReid/status/773892852673814529 
PermalinkComments

Retweet of igrigorik

2015 Jul 26, 2:43
writing Promise-using API's: http://bit.ly/1KsMQ7X  - must read for all JavaScript and spec developers alike.
PermalinkComments

Retweet of bhalp1

2015 Mar 19, 6:57
Sometimes when I'm writing Javascript I want to throw up my hands and say "this is bullshit!" but I can never remember what "this" refers to
PermalinkComments

fuckyeahpeeweeherman:Pee-wee Herman’s next adventure is coming...

2015 Mar 17, 3:28


fuckyeahpeeweeherman:

Pee-wee Herman’s next adventure is coming to Netflix.

Netflix says the film will be called “Pee-wee’s Big Holiday” and will feature Pee-wee taking his first-ever vacation after meeting a mysterious stranger.

Reubens created the quirky character in the 1980s when he was a member of the Groundlings improv group.

Netflix currently streams the Pee-wee films “Pee-wee’s Big Adventure” and “Big Top Pee-wee,” as well as the TV show “The Pee-wee Herman Show” and “Pee-wee’s Playhouse.”

“Pee-wee’s Big Holiday” is being produced by Judd Apatow and directed by John Lee. Reubens is writing the movie’s script with Paul Rust.

Netflix says production will begin this year.

PermalinkComments

fuckyeahpeeweeherman:Pee-wee Herman’s next adventure is coming...

2015 Mar 17, 3:28


fuckyeahpeeweeherman:

Pee-wee Herman’s next adventure is coming to Netflix.

Netflix says the film will be called “Pee-wee’s Big Holiday” and will feature Pee-wee taking his first-ever vacation after meeting a mysterious stranger.

Reubens created the quirky character in the 1980s when he was a member of the Groundlings improv group.

Netflix currently streams the Pee-wee films “Pee-wee’s Big Adventure” and “Big Top Pee-wee,” as well as the TV show “The Pee-wee Herman Show” and “Pee-wee’s Playhouse.”

“Pee-wee’s Big Holiday” is being produced by Judd Apatow and directed by John Lee. Reubens is writing the movie’s script with Paul Rust.

Netflix says production will begin this year.

PermalinkComments

lunarcicadas: when did monsters that live under your bed start writing clickbait articles

2015 Jan 17, 4:05
Yandere Boyfriend LC @lunarcicadas :
when did monsters that live under your bed start writing clickbait articles pic.twitter.com/Fwsqh8gcBH
PermalinkComments

sharkfucker96: when did monsters that live under your bed start writing clickbait articles

2015 Jan 17, 4:05
Yandere Boyfriend LC @sharkfucker96 :
when did monsters that live under your bed start writing clickbait articles pic.twitter.com/Fwsqh8gcBH
PermalinkComments

Debugging anecdote - the color transparent black breaks accessibility

2014 May 22, 10:36

Some time back while I was working on getting the Javascript Windows Store app platform running on Windows Phone (now available on the last Windows Phone release!) I had an interesting bug that in retrospect is amusing.

I had just finished a work item to get accessibility working for JS WinPhone apps when I got a new bug: With some set of JS apps, accessibility appeared to be totally broken. At that time in development the only mechanism we had to test accessibility was a test tool that runs on the PC, connects to the phone, and dumps out the accessibility tree of whatever app is running on the phone. In this bug, the tool would spin for a while and then timeout with an error and no accessibility information.

My first thought was this was an issue in my new accessibility code. However, debugging with breakpoints on my code I could see none of my code was run nor the code that should call it. The code that called that code was a more generic messaging system that hit my breakpoints constantly.

Rather than trying to work backward from the failure point, I decided to try and narrow down the repro and work forwards from there. One thing all the apps with the bug had in common was their usage of WinJS, but not all WinJS apps demonstrated the issue. Using a binary search approach on one such app I removed unrelated app code until all that was left was the app's usage of the WinJS AppBar and the bug still occurred. I replaced the WinJS AppBar usage with direct usage of the underlying AppBar WinRT APIs and continued.

Only some calls to the AppBar WinRT object produced the issue:

        var appBar = Windows.UI.WebUI.Core.WebUICommandBar.getForCurrentView(); 
// appBar.opacity = 1;
// appBar.closeDisplayMode = Windows.UI.WebUI.Core.WebUICommandBarClosedDisplayMode.default;
appBar.backgroundColor = Windows.UI.Colors.white; // Bug!
Just setting the background color appeared to cause the issue and I didn't even have to display the AppBar. Through additional trial and error I was blown away to discover that some colors I would set caused the issue and other colors did not. Black wouldn't cause the issue but transparent black would. So would aqua but not white.

I eventually realized that predefined WinRT color values like Windows.UI.Colors.aqua would cause the issue while JS literal based colors didn't cause the issue (Windows.UI.Color is a WinRT struct which projects in JS as a JS literal object with the struct members as JS object properties so its easy to write something like {r: 0, g: 0, b: 0, a: 0} to make a color) and I had been mixing both in my tests without realizing there would be a difference. I debugged into the backgroundColor property setter that consumed the WinRT color struct to see what was different between Windows.UI.Colors.black and {a: 1, r: 0, g: 0, b: 0} and found the two structs to be byte wise exactly the same.

On a hunch I tried my test app with only a reference to the color and otherwise no interaction with the AppBar and not doing anything with the actual reference to the color: Windows.UI.Colors.black;. This too caused the issue. I knew that the implementation for these WinRT const values live in a DLL and guessed that something in the code to create these predefined colors was causing the issue. I debugged in and no luck. Now I also have experienced crusty code that would do exciting things in its DllMain, the function that's called when a DLL is loaded into the process so I tried modifying my C++ code to simply LoadLibrary the DLL containing the WinRT color definition, windows.ui.xaml.dll and found the bug still occurred! A short lived moment of relief as the world seemed to make sense again.

Debugging into DllMain nothing interesting happened. There were interesting calls in there to be sure, but all of them behind conditions that were false. I was again stumped. On another hunch I tried renaming the DLL and only LoadLibrary'ing it and the bug went away. I took a different DLL renamed it windows.ui.xaml.dll and tried LoadLibrary'ing that and the bug came back. Just the name of the DLL was causing the issue.

I searched for the DLL name in our source code index and found hits in the accessibility tool. Grinning I opened the source to find that the accessibility tool's phone side service was trying to determine if a process belonged to a XAML app or not because XAML apps had a different accessibility contract. It did this by checking to see if windows.ui.xaml.dll was loaded in the target process.

At this point I got to fix my main issue and open several new bugs for the variety of problems I had just run into. This is a how to on writing software that is difficult to debug.

PermalinkCommentsbug debug javascript JS technical windows winrt

Considerate MessagePort Usage

2013 Aug 7, 7:14
Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.When writing a JavaScript library that uses postMessage and the message event, I must be considerate of other JS code that will be running along side my library. I shouldn't assume I'm the only sender and receiver on a caller provided MessagePort object. This means obviously I should use addEventListener("message" rather than the onmessage property (see related What if two programs did this?). But considering the actual messages traveling over the message channel I have the issue of accidentally processing another libraries messages and having another library accidentally process my own message. I have a few options for playing nice in this regard:
Require a caller provided unique MessagePort
This solves the problem but puts a lot of work on the caller who may not notice nor follow this requirement.
Uniquely mark my messages
To ensure I'm acting upon my own messages and not messages that happen to have similar properties as my own, I place a 'type' property on my postMessage data with a value of a URN unique to me and my JS library. Usually because its easy I use a UUID URN. There's no way someone will coincidentally produce this same URN. With this I can be sure I'm not processing someone else's messages. Of course there's no way to modify my postMessage data to prevent another library from accidentally processing my messages as their own. I can only hope they take similar steps as this and see that my messages are not their own.
Use caller provided MessagePort only to upgrade to new unique MessagePort
I can also make my own unique MessagePort for which only my library will have the end points. This does still require the caller to provide an initial message channel over which I can communicate my new unique MessagePort which means I still have the problems above. However it clearly reduces the surface area of the problem since I only need once message to communicate the new MessagePort.
The best solution is likely all of the above.
Photo is Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.
PermalinkCommentsDOM html javascript messagechannel postMessage programming technical

Sci-fi short stories disguised as Internet docs

2013 May 29, 2:48
The recent short story Twitter API returning results that do not respect arrow of time by Tim May written as a Twitter bug report reminded me of a few other short sci-fi stories written in the style of some sort of Internet document:
PermalinkCommentscsc fiction sci-fi Scifi time-travel twitter

Stripe CTF - Level 8

2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the password stored directly via a RESTful API and optionally indirectly via a callback URI. The solution is side channel attack like a timing attack but with ports instead of time.

(I found this in my drafts folder and had intended to post a while ago.)

Code

    def nextServerCallback(self, data):
parsed_data = json.loads(data)
# Chunk was wrong!
if not parsed_data['success']:
# Defend against timing attacks
remaining_time = self.expectedRemainingTime()
self.log_info('Going to wait %s seconds before responding' %
remaining_time)
reactor.callLater(remaining_time, self.sendResult, False)
return

self.checkNext()

Issue

The password server breaks the target password into four pieces and stores each on a different server. When a password request is sent to the main server it makes requests to the sub-servers for each part of the password request. It does this in series and if any part fails, then it stops midway through. Password requests may also be made with corresponding URI callbacks and after the server decides on the password makes an HTTP request on the provided URI callbacks saying if the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four, but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
PermalinkCommentsbrute-force password python side-channel technical web

theatlantic: How the 8.5” x 11” Piece of Paper Got Its...

2012 Sep 19, 6:37


theatlantic:

How the 8.5” x 11” Piece of Paper Got Its Size

Why do we use a paper size that is so unfriendly for the basic task of reading? According to a very interesting post by Paul Stanley, the rough dimensions of office paper evolved to accommodate handwriting and typewriters with monospaced fonts, both of which rendered many fewer characters per line. “Typewriters,” he explains, “produced 10 or 12 characters per inch: so on (say) 8.5 inch wide paper, with 1 inch margins, you had 6.5 inches of type, giving … around 65 to 78 characters.” This, he says, is “pretty close to ideal.”

Read more. [Image: Picsfive/Shutterstock]

PermalinkCommentstechnical paper history

Funny People: Steve Heinrich, You Don’t Know Jack head writer | Interview | The Gameological Society

2012 Jul 1, 3:38

A veteran of the satirical trivia game series since its first heyday in the 1990s, Heinrich talks about Jack’s writing process, its long hiatus, and that short-lived live-action TV version.

PermalinkCommentsgame interview video-game you-dont-know-jack ydkj

Why Your Links Should Never Say “Click Here” - UX Movement

2012 Jun 25, 1:06

I’ve been following this advice for many years now to the extent that I find myself rewriting text to make linking my nouns easier and shorter.

The one I wasn’t following that seems obvious only after I read it is to keep links towards the end of your text to allow users to follow the link once they’re done reading.

links at the end of the sentence allow users to take action faster

PermalinkCommentsweb technical ux html

Play Fez

2012 May 7, 3:30

I'm done playing Fez. The style is atmospheric retro nastalgia and on the surface the gameplay is standard 2D platformer with one interesting Flatland style game mechanic but dig deeper to find Myst style puzzles. Despite the following I thoroughly enjoyed the game and would recommend it to anyone intrigued by the previous. Five eighths through the game I ran into one of the game's infamous Fez save game breaking issues, but I enjoyed the game enough that I started over before any patches were released and had no further issues.

While playing the game I created some tools to help keep track of my Fez notes (spoilers) including a Pixelated Image Creator that makes it easy to generate data URIs for large, black and white pixelated images, and (spoilers) a Fez Transliteration Tool to help me translate the in-game writing system.

PermalinkCommentsvideo-game fez game xbox

Client Side Cross Domain Data YQL Hack

2012 Feb 27, 2:28

One of the more limiting issues of writing client side script in the browser is the same origin limitations of XMLHttpRequest. The latest version of all browsers support a subset of CORS to allow servers to opt-in particular resources for cross-domain access. Since IE8 there's XDomainRequest and in all other browsers (including IE10) there's XHR L2's cross-origin request features. But the vast majority of resources out on the web do not opt-in using CORS headers and so client side only web apps like a podcast player or a feed reader aren't doable.

One hack-y way around this I've found is to use YQL as a CORS proxy. YQL applies the CORS header to all its responses and among its features it allows a caller to request an arbitrary XML, HTML, or JSON resource. So my network helper script first attempts to access a URI directly using XDomainRequest if that exists and XMLHttpRequest otherwise. If that fails it then tries to use XDR or XHR to access the URI via YQL. I wrap my URIs in the following manner, where type is either "html", "xml", or "json":

        yqlRequest = function(uri, method, type, onComplete, onError) {
var yqlUri = "http://query.yahooapis.com/v1/public/yql?q=" +
encodeURIComponent("SELECT * FROM " + type + ' where url="' + encodeURIComponent(uri) + '"');

if (type == "html") {
yqlUri += encodeURIComponent(" and xpath='/*'");
}
else if (type == "json") {
yqlUri += "&callback=&format=json";
}
...

This also means I can get JSON data itself without having to go through JSONP.
PermalinkCommentsxhr javascript yql client-side technical yahoo xdr cors

How Bots Seized Control of My Pricing Strategy (bueno.org)

2012 Feb 22, 6:54

Automated authors writing books and automated middle men trying to sell over priced books at a profit. The author of the blog post claims to be human, but I’m not so sure.

PermalinkCommentshumor technical amazon economics bots

Why I Like Glitch

2012 Feb 17, 4:00

Sarah and I have been enjoying Glitch for a while now. Reviews are usually positive although occasionally biting (but mostly accurate).

I enjoy Glitch as a game of exploration: exploring the game's lands with hidden and secret rooms, and exploring the games skills and game mechanics. The issue with my enjoyment coming from exploration is that after I've explored all streets and learned all skills I've got nothing left to do. But I've found that even after that I can have fun writing client side JavaScript against Glitch's web APIs making tools (I work on the Glitch Helperator) for use in Glitch. And on a semi-regular basis they add new features reviving my interest in the game itself.

PermalinkCommentsvideo-game glitch glitch-helperator me project game

Patterns for using the InitOnce functions - The Old New Thing - Site Home - MSDN Blogs

2011 Apr 8, 2:32"Since writing lock-free code is issuch a headache-inducer,you're probably best off making some other people suffer the headachesfor you. And those other people are the kernel folks, who have developedquite a few lock-free building blocks so you don't have to. For example, there's a collection of functions for manipulatinginterlocked lists.But today we're going to look at theone-time initialization functions."PermalinkCommentstechnical windows programming raymond-chen lock thread-safety

Post mortem - Charlie's Diary

2010 Mar 12, 9:20Charles Stross on the business and technical aspects of writing and selling a series of books - specifically The Family Trade series for which the next in the series is due out soon.PermalinkCommentscharles-stross family-trade book literature business
Older Entries Creative Commons License Some rights reserved.