I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Topic: Miscellaneous
3:45 pm EDT, Aug 15, 2008
I learned something new today when I took my '08 Camry Hybrid in for a 5,000-mile oil change. Because hybrids use regenerative braking, there is a lot less wear and tear on your brake pads. Toyota recommends replacing brake pads on a stock '08 Camry every 30,000 miles. The service rep told me they are replacing brake pads on the hybrids at 60,000 - 80,000 miles. Sweet.

Topic: Miscellaneous
1:21 pm EDT, Aug 14, 2008
Side Jacking: When websites use HTTP I can passively monitor network traffic and see your cookies. That's just retarded.

Surf Jacking: If developers designed an SSL site poorly, by hijacking a lower network layer I can actively force your browser to reveal its cookies, even if you are using SSL. Pretty cool, but limited.

So there is a design flaw in HTTP state management that some folks might not know about: developers, not the protocol, make the decision about whether cookies should be sent over both secure and insecure connections (the cookie's Secure flag). And as we know, developers typically choose poorly when it comes to security.

Crux of the paper: if I hijack a lower network layer, I inject HTTP responses to non-SSL requests that force the browser to send its cookies for a site over a non-SSL connection, where anyone (read: me) monitoring the traffic can see the session ID. And that's the problem. If you can hijack network sessions, HTTP cookie theft is a fairly tame thing to do. For example, just MITM a victim when they first try to connect to the secure site. 99.5% of users ignore broken SSL certs anyway. And this works against sites with rotating session IDs where surf jacking would not. In short, a nifty trick, but with high barriers that, if passable, let you do way worse things than what this paper describes.

Surf Jacking
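As an added example (my own code, not part of the original post or of the Surf Jacking paper), here is a Python model of the cookie leak described above: a session cookie set over HTTPS without the Secure attribute, a lower-layer MITM that answers some unrelated cleartext request with a redirect to the target site's http:// URL, and the browser rule that decides which cookies go out on the redirected request. The host (bank.example), the cookie values and the Set-Cookie headers are constructed; the hardened form is the same cookie with Secure set, which the simplified browser refuses to send over plain HTTP.

```python
"""Model of the Surf Jacking cookie leak.

A session cookie set over HTTPS without the Secure attribute is attached to
any plain-HTTP request for the same host, so an attacker who can answer one
cleartext request with a redirect gets the cookie in the clear. All hosts,
cookie values and headers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # host that set the cookie (hypothetical: bank.example)
    secure: bool = False  # the flag the developer has to opt into
    httponly: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header value. Attribute names are case-insensitive;
    Domain defaults to the host that set the cookie."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """Simplified browser rule: the cookie goes out when the host matches and,
    for Secure cookies, only when the request scheme is https."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host != cookie.domain and not host.endswith("." + cookie.domain):
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return True


def injected_redirect(target_http_url: str) -> str:
    """The response the MITM returns to the victim's unrelated plain-HTTP
    request (say GET http://news.example/) in place of the real page."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target_http_url}\r\n"
            "Content-Length: 0\r\n\r\n")


def location_of(response: str) -> str:
    """Pull out the Location header the browser will follow."""
    for line in response.split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Location header in injected response")


def surf_jack(jar: List[Cookie], target_http_url: str) -> List[str]:
    """Names of the cookies the browser sends in cleartext after following
    the injected redirect to the target site's http:// URL."""
    followed = location_of(injected_redirect(target_http_url))
    return [c.name for c in jar if browser_would_send(c, followed)]


def audit_set_cookie(header: str) -> List[str]:
    """Findings a reviewer would raise for a cookie set by an HTTPS site."""
    c = parse_set_cookie(header, "unknown")
    findings = []
    if not c.secure:
        findings.append(f"{c.name}: missing Secure (sent over http://)")
    if not c.httponly:
        findings.append(f"{c.name}: missing HttpOnly (readable by script)")
    return findings


# Constructed Set-Cookie headers, as if sent by https://bank.example/login
WEAK = "SESSIONID=7f3a9c21e0; Path=/; HttpOnly"            # no Secure flag
HARDENED = "SESSIONID=7f3a9c21e0; Path=/; Secure; HttpOnly"


def demo() -> dict:
    weak_jar = [parse_set_cookie(WEAK, "bank.example")]
    hard_jar = [parse_set_cookie(HARDENED, "bank.example")]
    target = "http://bank.example/"  # where the MITM redirects the victim
    return {
        "leaked_weak": surf_jack(weak_jar, target),      # ['SESSIONID']
        "leaked_hardened": surf_jack(hard_jar, target),  # []
        "audit_weak": audit_set_cookie(WEAK),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that nothing on the wire is attacked cryptographically: the browser follows an ordinary redirect and applies its ordinary cookie rules, and the only thing separating the leaked and non-leaked runs is the Secure attribute the developer chose to set.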

Topic: Miscellaneous
3:33 pm EDT, Aug 13, 2008
Forget 1 hook. Forget 2 hooks. Forget the "hooks in the front" which comes out of left field to make you look silly. Now it's all about the Rubik's cube clasp. Clasps are so 1990s.

Topic: Miscellaneous
4:07 pm EDT, Aug 9, 2008
Dyson: Hello, Dyson Vacuum Support.
Billy: Yes, I have a DC14 Animal. The brush bar isn't moving when it's set to "Bare Floor."
Dyson: That would be correct, sir. It only engages when set to "Carpet."
Billy: ... ... well, ok then.

Topic: Miscellaneous
11:27 pm EDT, Aug 3, 2008
So, blowing the dust off my BH demos, I was getting weird results out of Caffeine Monkey. Like, results where the demo doesn't work. After playing with it for a while I shot Ben Feinstein an email at 11:10pm. 5 minutes later he emails me back, and 5 minutes after that I'm on the phone with him. Turns out, I'm retarded: Caffeine Monkey isn't using STDERR like I mistakenly believed/remembered, but hardcoded log files in /tmp/. I am an idiot and Ben is my hero.

Quotes from work: Trend by sheep

Topic: Miscellaneous
8:07 pm EDT, Jul 31, 2008
From my meeting about reports today:
Joe: This is too much of one color for an executive summary. They need lots of colors or they think the report is worthless.
And the oddest exchange:
Joe: So you want multiple "Trend By" reports?
Ray: Yeah, like "Trend by Severity," "Trend by Risk Score," Trend by anything.... "Trend by Sheep" even.
Billy: Wow, I want to see a "Trend by Sheep" report.
Ray: Yeah! Sheep! But with Velcro gloves. Otherwise they can get away!
... [awkward silence] ...
Billy: I'm posting this to Memestreams.

Truly beautiful code: JSMin

Topic: Technology
1:40 pm EDT, Jul 31, 2008
I've been reading Crockford's JavaScript: The Good Parts and am enjoying it enormously. But I'm really impressed by the code this man creates. Just look at the C source code for JSMin. Over the last few years I've written a number of tokenizers and parsers for HTML and JavaScript, so I know what my version of JSMin would look like:
* An enum defining states
* A big while loop iterating through a character array
* currChar and nextChar variables
* A big switch block for the state with nested if/then/elses or switch blocks
Crockford's JSMin is just... elegant. The way he shifts values back and forth between two char variables to hold the last, current, and next char values. The way he processes string literals with a for loop that immediately does a put, which lets him simplify handling escape sequences inside the string literal. The fall-through in the action() function. I debugged through the code many times late last night and was just speechless over how powerful yet compact this code is. It's subtle and beautiful and artful all at the same time. Truly beautiful code!

It comes from both sides some days

Topic: Miscellaneous
5:46 pm EDT, Jul 25, 2008
I did not expect to spend my Friday talking to Legal about what SQL injection is and why we released a free tool that tests for it. [SMACK] Do you have any idea what our commercial product suite does? [SMACK] Where's my money? If I have to use the "a crowbar is a tool that can be used for good or evil" line I may well go insane. Of course, it's oddly refreshing to talk to people who don't think scary monsters exist. I remember those days...

10 Most Amazing Ghost Towns

Topic: Miscellaneous
11:36 am EDT, Jul 24, 2008
The Kowloon Walled City was located just outside Hong Kong, China during British rule. A former watchpost to protect the area against pirates, it was occupied by Japan during World War II and subsequently taken over by squatters after Japan's surrender. Neither Britain nor China wanted responsibility for it, so it became its own lawless city. Its population flourished for decades, with residents building labyrinthine corridors above the street level, which was clogged with trash. The buildings grew so tall that sunlight couldn't reach the bottom levels and the entire city had to be illuminated with fluorescent lights. It was a place where brothels, casinos, opium dens, cocaine parlors, food courts serving dog meat and secret factories ran unmolested by authorities. It was finally torn down in 1993 after a mutual decision was made by British and Chinese authorities, who had finally grown wary of the unsanitary, anarchic city and its out-of-control population.
Wow, Kowloon looks like something out of Blade Runner. Kind of like the alleys of Shinjuku if you turned the power off!

Topic: Technology
12:56 pm EDT, Jul 23, 2008
In 1998, traffic accidents caused 46 percent of all accidental deaths of infants and children aged 1 to 14 (National Center for Health Statistics, 2000). One study (Johnston et al. 1994) showed that the single strongest risk factor for injury in a traffic accident is the improper use of child-safety seats. Another study (Kahane 1986) showed that, when correctly used, child safety seats reduce the risk of fatal injury by 71 percent and hospitalization by 67 percent. To be effective, however, the seats must be installed correctly. Other studies showed that 79 to 94 percent of car seats are used improperly (National Highway Traffic Safety Administration 1996, Decina and Knoebel 1997, Lane et al. 2000). Public-health specialists Dr. Mark Wegner and Deborah Girasek (2003) suspected that poor comprehension of the installation instructions might contribute to this problem. They looked into the readability of the instructions and published their findings in the medical journal Pediatrics. The story was covered widely in the media. The authors referred to the National Adult Literacy Study (National Center for Educational Statistics, 1993), which states that the average adult in the U.S. reads at the 7th grade level. They also cited experts in health literacy who recommend that materials for the public be written at the fifth- or sixth-grade reading level (Doak et al., 1996; Weiss and Coyne, 1997). Their study found that the average reading level of the 107 instructions they examined was the 10th grade, too difficult for 80 percent of adult readers in the U.S.
Real-world implications for readability computations are sexy.
Readability
