Caleb and I were giving a demo on reverse engineering client-side JavaScript. I showed some cool JavaScript analysis stuff and then started to show the Firefox plugin Firebug, quite possibly the best JavaScript debugger on the planet.
The reaction in the crowd was like a vampire's reaction to sunlight. A cry. A scream, and a literal moan erupted from the crowd of ASP.NET and Visual Studio designers: No! We cannot see that! Turn it off!
At first I thought this was some crappy policy about not being able to use Firefox at Microsoft or something. So I close it and move on. Later, Caleb and I needed to edit some HTML inline, so I click on Firebug's DOM inspector. The results were the same as before: Ahhhhh! Turn it off, Turn it off! The lawyers, they will kill us!
As near as I could piece together afterwards, these developers were absolutely forbidden by Microsoft's legal department from looking at Firebug, for fear of inadvertent infringement. They aren't allowed to see the feature set, the implementation, or the UI. Which of course can mean only one thing. The VS and ASP.NET guys are working on some kind of JavaScript debugger.
Acidus wrote: Vista: You are coming to a sad realization, cancel or allow? PC: ... ... allow.
Hi, I'm a Mac, and I don't have any security problems because I don't have any customers. No one bothers to write exploits for me. I'm so lonely... So lonely.... Stupid PCs...
Macs don't have security problems. Macs have Jay fucking Beale. And that's all you really need :-)
NASA has plan for mentally unstable astronauts in space
Topic: Technology
10:55 am EST, Feb 24, 2007
CAPE CANAVERAL, Fla. -- What would happen if an astronaut came unglued in space? What would happen if a crazed crew member destroyed the ship's oxygen system or tried to open the hatch and kill everyone on board?
That was the question on some minds after the apparent breakdown of Lisa Nowak. She was the astronaut arrested in Orlando recently for allegedly trying to kidnap and kill a woman she regarded as a romantic rival.
It turns out NASA has a detailed set of written procedures for dealing with a suicidal or psychotic astronaut in space. The documents, obtained this week by The Associated Press, say crewmates should bind the astronaut's wrists and ankles with duct tape, tie him (or her) down with a bungee cord, then inject the crew member with tranquilizers if necessary.
The instructions advise: “Talk with the patient while you are restraining him. Explain what you are doing, and that you are using a restraint to ensure that he is safe.”
The instructions don't spell out what happens after that. But NASA spokesman James Hartsfield says the space agency, a flight surgeon on the ground and the commander in space would decide on a case-by-case basis whether to abort the flight (in the case of the shuttle) or send the unhinged astronaut home (if the episode took place on the international space station).
The crew members might have to rely in large part on brute strength to subdue an out-of-control astronaut, since there are no weapons on the space station or the shuttle.
In this post I'll walk through some of the ways web application developers take advantage of local storage to speed up applications, persist user preferences, and enable features for "occasionally connected" users.
A web application can rely on local storage options when disconnected from the Internet, saving changes locally and synchronizing results whenever an active Internet connection is available.
Imagine a personal finance site storing your stock portfolio and historical prices locally, creating quick access to charting and planning tools powered by pre-loaded data.
I swear on all that is holy Niall Kennedy, for even suggesting this, I am going to punch you in the face if I ever meet you.
Current versions of Firefox 2 allow unlimited storage through the DOM Storage feature but future Firefox releases (post-2.0.0.1) will restrict usage to 5 MB per-domain. A website can access not only data within its own subdomain or domain, but within a given top-level domain (.gov, .com, etc.) or any requesting page, creating some interesting opportunities for shared data namespaces.
Why is it every time I turn my back the web developers of this world decide to collectively binge drink on stupid?
Joe: And what did I find, but a Brazilian, waiting right there for me. Now that's the way to do hair. Erik (walking up): Hair? I've always wanted a 360 degree Mohawk. Everyone: (horrific silence) Erik: wait, ... what are you talking about?
Tsudohnimh wrote: I clicked a link for hot judicial action and I got 0wn3d. I'd like to thank the academy, my parents for warping me, Tom and Nick for letting me do this, and my hero Acidus.
OK, let me explain what the story is with this. It's possible to embed a link in a MemeStreams page to /recommend. When people who are logged in click on it, it will automatically post a message to their MemeStream, and then redirect them back to the page they were looking at. Ironically, this tends to result in lots of clicking, as it seems like the browser has done something wrong. If Acidus had really wanted to be nasty he could have included a redundant link in the posts he was adding to your pages so that people who read your MemeStreams would also spread the post. It's like a meme worm.
This is actually a problem that Rattle and I anticipated when we first built this website. We used to have protection in place that prevented this. It worked by checking to make sure that when you submitted a post the Referer header in your HTTP request came from /recommend and not some other page. Unfortunately, we ran into trouble with this feature. Some Internet privacy software screens Referer headers out of HTTP requests, and so people who used such software were unable to post. After struggling through the process of explaining to a few users how to fix this problem we decided to disable the security feature for /recommend until we had time to revisit the problem. The security feature is still present in /delete and /edit, because we decided that a self-propagating MemeStreams Meme was only a bit of an annoyance, but if someone wrote a JavaScript that wiped out your whole blog that would be a serious problem. This explains why a few of you have trouble editing or deleting posts sometimes.
We have a fix for this problem which is unlikely to cause problems for people running Internet privacy software. It's checked into Subversion. However, we haven't shipped it yet because it is boiled in with a bunch of other changes to the UI that aren't quite ready for release yet. We decided it might be fun to go ahead and let Acidus propagate one of these Memes as he uncovered this issue a few weeks back and advised us on how to implement a better fix. I'd like to say that we're shipping this weekend, but I don't think it's going to happen. I'm skiing and Rattle is attending Outerz0ne. Acidus is actually giving a talk at Outerz0ne which includes a discussion of this issue, so it's not out of the question that you might see a few more people screwing around with it. Fortunately I don't think you can do anything terribly malicious with this. It's all in good fun.
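Added example, not MemeStreams' own code: the Referer check the post above describes, beside a per-session token check. The token scheme is an assumed alternative fix (the site's real patch is not shown here), chosen because it keeps working when privacy software strips the Referer header; the hostname is a constructed placeholder.

```python
# Two ways to guard a state-changing GET endpoint like /recommend against
# cross-site requests. Assumed example code; not the MemeStreams implementation.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SITE = "http://memestreams.example"  # constructed placeholder, not the real host


def referer_check(headers: dict) -> bool:
    """The old guard: accept only if Referer names /recommend on our own host.

    A user whose privacy proxy strips Referer sends no header at all and is
    rejected, which is exactly the support problem the post describes.
    """
    ref = headers.get("Referer")
    if ref is None:
        return False
    u = urlparse(ref)
    return f"{u.scheme}://{u.netloc}" == SITE and u.path == "/recommend"


def issue_token(session: dict) -> str:
    """Assumed fix: bind a random token to the server-side session and
    render it into the real /recommend link so only that page can carry it."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def token_check(session: dict, query: str) -> bool:
    """Accept only if the request carries the token bound to this session.

    A link or <img src> planted by another user cannot know the victim's
    token, so it is rejected regardless of what the Referer header says.
    """
    sent = parse_qs(query).get("token", [""])[0]
    expected = session.get("csrf", "")
    return bool(expected) and hmac.compare_digest(sent.encode(), expected.encode())


def handle_recommend(session: dict, headers: dict, query: str, use_token: bool) -> str:
    """Return 'posted' or 'rejected' for one request to /recommend."""
    ok = token_check(session, query) if use_token else referer_check(headers)
    return "posted" if ok else "rejected"
```

With the token check, a legitimate user behind Referer-stripping software still posts, while a planted link with no token is rejected even if its Referer looks like a MemeStreams page.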
Well, it's over. MemeStreams now has a cron job running every 2 minutes which deletes the "I like it old-school!" posts that got posted to a user's blog without their permission when they clicked on a link. Welcome to the wonderful world of the XSRF attack.
Originally, the hyperlink that caused a user to make the post was in the SRC of an image. This means simply looking at an HTML page with the image would make a user create a new post. Every time they looked at the page. Once this image attack reached the front page, everyone would be owned, and every time they refreshed the page, they would get owned again. I almost took down my MemeStreams dev box with the flood of hits against the database.
Anyway, thanks to Tom and Nick for letting me do this. I found the vuln a few weeks back, and when we roll out the site update in a few days, it will be fixed.