Truly beautiful code: JSMin

Topic: Technology
1:40 pm EDT, Jul 31, 2008

I've been reading Crockford's JavaScript: The Good Parts and am enjoying it enormously. But I'm really impressed by the code this man creates. Just look at the C source code from JSMin. Over the last few years I've written a number of tokenizers and parsers for HTML and JavaScript, so I know what my version of JSMin would look like:

* An enum defining states
* a big while loop iterating through a character array
* currChar and nextChar variables
* a big switch block for the state with nested if/then/elses or switch blocks

Crockford's JSMin is just... elegant. The way he shifts values back and forth between two char variables to hold last, current, and next char values. The way he processes string literals with a for loop that immediately does a put, which allows him to simplify handling escape sequences inside of the string literal. The fall-through in the action() function. I debugged through the code many times late last night and was just speechless over how powerful yet compact this code is. It's subtle and beautiful and artful all at the same time. Truly beautiful code!
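To make the pattern concrete, here is an added example in Python, written for this page rather than taken from Crockford's C source: a cut-down minifier built the same way, with a current/next pair of characters that action() shifts along, a fall-through from case 1 into 2 into 3, and the put-first loop for string literals. Regular-expression literals and the rest of the real JSMin are deliberately left out; the sample input is constructed.

```python
# Added example (not Crockford's code): a JSMin-style minifier in Python that
# keeps the two-variable window (a = current, b = next) and the fall-through
# action(); regex literals and other parts of the real tool are omitted.
EOF = ""  # the empty string stands in for C's EOF


def is_alnum(c):
    """Letter, digit, _, $, backslash or non-ASCII: part of a name."""
    return c != EOF and (c.isalnum() or c in "_$\\" or ord(c) > 126)


class Minifier:
    def __init__(self, src):
        self.src, self.pos, self.out = src, 0, []
        self.a = EOF  # character currently being decided on
        self.b = EOF  # the character after a

    def get(self):
        """Raw read: CR becomes LF, other control characters become a space."""
        if self.pos >= len(self.src):
            return EOF
        c = self.src[self.pos]
        self.pos += 1
        if c == "\r":
            return "\n"
        return " " if c < " " and c != "\n" else c

    def peek(self):
        return self.src[self.pos] if self.pos < len(self.src) else EOF

    def next(self):
        """get() with comments removed: // ... yields '\\n', /* ... */ yields ' '."""
        c = self.get()
        if c == "/":
            if self.peek() == "/":
                while c != "\n" and c != EOF:
                    c = self.get()
                return c
            if self.peek() == "*":
                self.get()
                while True:
                    c = self.get()
                    if c == EOF:
                        raise ValueError("unterminated comment")
                    if c == "*" and self.peek() == "/":
                        self.get()
                        return " "
        return c

    def action(self, d):
        """1: emit a; 2: shift b into a; 3: read a new b. Each falls through."""
        if d == 1:
            self.out.append(self.a)
        if d <= 2:
            self.a = self.b
            if self.a in ("'", '"'):
                # Put first, then read: an escape is copied with no extra state.
                while True:
                    self.out.append(self.a)
                    self.a = self.get()
                    if self.a == self.b:
                        break
                    if self.a == "\\":
                        self.out.append(self.a)
                        self.a = self.get()
                    if self.a == EOF:
                        raise ValueError("unterminated string literal")
        self.b = self.next()

    def run(self):
        self.a = "\n"
        self.action(3)
        while self.a != EOF:
            if self.a == " ":
                self.action(1 if is_alnum(self.b) else 2)
            elif self.a == "\n":
                if self.b != EOF and self.b in "{[(+-":
                    self.action(1)
                elif self.b == " ":
                    self.action(3)
                else:
                    self.action(1 if is_alnum(self.b) else 2)
            elif self.b == " ":
                self.action(1 if is_alnum(self.a) else 3)
            elif self.b == "\n":
                self.action(1 if (self.a in "}])+-\"'" or is_alnum(self.a)) else 3)
            else:
                self.action(1)
        return "".join(self.out)


def minify(src):
    return Minifier(src).run()


# Constructed sample input; spaces inside the string literal must survive.
SAMPLE = "var x = 1;  // set x\nvar s = 'a  b';\nreturn  x;\n"
```

Run `minify(SAMPLE)` and the two spaces inside the literal stay while the comment, the doubled spaces and the newlines after semicolons go; the leading newline in the output is the same one the C version emits.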

Readability

Topic: Technology
12:56 pm EDT, Jul 23, 2008

In 1998, traffic accidents caused 46 percent of all accidental deaths of infants and children aged 1 to 14 (National Center for Health Statistics, 2000). One study (Johnston et al. 1994) showed that the single strongest risk factor for injury in a traffic accident is the improper use of child-safety seats. Another study (Kahane 1986) showed that, when correctly used, child safety seats reduce the risk of fatal injury by 71 percent and hospitalization by 67 percent. To be effective, however, the seats must be installed correctly. Other studies showed that 79 to 94 percent of car seats are used improperly (National Highway Traffic Safety Administration 1996, Decina and Knoebel 1997, Lane et al. 2000). Public-health specialists Dr. Mark Wegner and Deborah Girasek (2003) suspected that poor comprehension of the installation instructions might contribute to this problem. They looked into the readability of the instructions and published their findings in the medical journal Pediatrics. The story was covered widely in the media. The authors referred to the National Adult Literacy Study (National Center for Educational Statistics, 1993), which states the average adult in the U.S. reads at the 7th grade level. They also cited experts in health literacy who recommend that materials for the public be written at the fifth or sixth-grade reading level (Doak et al., 1996; Weiss and Coyne, 1997). Their study found that the average reading level of the 107 instructions they examined was the 10th grade, too difficult for 80 percent of adult readers in the U.S.

Real-world implications for readability computations are sexy.

Topic: Technology
9:21 am EDT, Jul 9, 2008

In principio creavit Deus 2 bytes. Servers would also accept an answer if it had the correct 2 bytes even if it came in on a different port. You could win that race. So when this was discovered back then, the solution was to increase entropy by modifying the servers so the source port had to match. That's 2 more bytes of entropy, right? Problem solved. [psst] Source port numbers are assigned from a pool. You don't have 4 bytes of entropy anymore. And the race is still winnable. And this is why Dan is still very much the man. It's just annoying that co-workers keep telling me what was discovered is a mystery.
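The point of the post is that a source port drawn from a small pool adds far fewer than 16 bits. As an added example, not from the post, here is the check a resolver operator can run on the resolver's own outbound queries to see how much (transaction id, source port) entropy it actually uses. The two "captures" are constructed in code; a real check would read the pairs from a packet capture of the resolver's outbound UDP/53 traffic.

```python
# Added example (not from the post): estimate how much entropy a resolver's
# outgoing queries really carry, from the (transaction id, source port) pairs
# observed leaving it. Both captures below are constructed; a real check would
# read the pairs from a packet capture of the resolver's outbound UDP/53.
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed distribution of values."""
    values = list(values)
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess(queries):
    """queries: iterable of (txid, src_port) pairs.
    Returns the observed entropy of each field and the effective number of
    (txid, port) combinations an off-path forger must cover for one query.
    Observed entropy cannot exceed log2(samples), so collect a few thousand."""
    queries = list(queries)
    txid_bits = entropy_bits(q[0] for q in queries)
    port_bits = entropy_bits(q[1] for q in queries)
    return {
        "samples": len(queries),
        "txid_bits": txid_bits,
        "port_bits": port_bits,
        "distinct_ports": len({q[1] for q in queries}),
        "search_space": 2 ** (txid_bits + port_bits),
    }


def constructed_capture(port_mode, n=4096, seed=7):
    """Fake capture: random 16-bit txid each query, with the source port either
    cycling through a pool of 8 sequential ports ("pool") or drawn uniformly
    from the high range ("random")."""
    rng = random.Random(seed)
    pairs = []
    for i in range(n):
        txid = rng.randrange(1 << 16)
        port = 32768 + (i % 8) if port_mode == "pool" else rng.randrange(1024, 65536)
        pairs.append((txid, port))
    return pairs


if __name__ == "__main__":
    for mode in ("pool", "random"):
        r = assess(constructed_capture(mode))
        print(mode, "port bits %.2f, txid bits %.2f, search space %.0f"
              % (r["port_bits"], r["txid_bits"], r["search_space"]))
```

With the pooled ports the port field contributes exactly 3 bits, not 16, so the combined search space is only a few hundred times larger than the transaction id alone gives; with per-query random ports the port field contributes as many bits as the sample size can show.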

Topic: Technology
10:46 am EDT, Jun 27, 2008

I've been loving Amazon MP3 for a couple months now. It's just so damn easy. I can find who I want, move it back and forth between Linux at home, my work laptop, and my iPod with ease. The only thing that is annoying me is Amazon's MP3 Downloader. When you buy a song without the download you just get an MP3. When you buy a song with the MP3 Downloader it files the MP3 away nicely into a directory structure in "My Music" and automatically adds it to iTunes. Amazon is doing some kind of detection in the browser and serves you an AMX file for the Downloader instead of a raw MP3. Only it seems that my browsers "forget" about the Downloader after every reboot. Amazon goes back to giving me MP3s. I'm not sure whether the browsers just no longer detect the program or whether the file association is lost or what. It's gotten so bad I just keep the install file on my desktop and do an uninstall/reinstall every time I need to shop. Grrrr. I don't know anyone at Amazon, but if you are reading this, I love your service and please fix this issue.

Bypassing Web Authentication and Authorization with HTTP Verb Tampering

Topic: Technology
12:46 pm EDT, May 28, 2008

This is a cool paper and all of you should read it for many reasons. First, because it's a perfect example of hacking. Hacking is just critical thinking and understanding how a system works. In this paper, by understanding the nuances of web technologies, the researchers found a very trivial way to bypass the authentication systems of many popular web frameworks! Second, it's a classic example of how programmers with even a little security knowledge can make big mistakes.

Here is the paper in a nutshell: Various web frameworks like Java EE, ASP.NET, etc. allow you to configure the website so certain directories are only accessible to certain users with certain HTTP methods. So anyone can do a GET or POST to /public/ but only an admin can do a GET or POST to /admin/.

Enter the HTTP HEAD method. This is usually used for diagnostics and caching. If you send an HTTP HEAD instead of an HTTP GET to a URL, the website is supposed to do everything it would normally do when processing a GET, only the HTTP response should contain only headers and no body. To make sure the same response (sans body) is sent for a HEAD as for a GET, web servers simply handle the request as if it was a GET and suppress the body when sending the response.

Do you see the trick yet? The HTTP HEAD method can be used to side-step authentication systems in many web applications. An attacker simply sends a HEAD to /admin/deleteUser?user=billy instead of a GET. The authentication framework checks and sees that anyone can send HEADs to /admin/ and does not stop the processing of the request. The web server runs all the back-end code that it normally runs for a GET, which deletes Billy as a user. The attacker does not see the body of the response, so it's a blind attack. However, the attacker can see the HTTP status code that is returned with the response to the HEAD, and based on its value (200 vs. 500) the attacker can tell if it worked.

This is exactly the reason why HTTP GET should be idempotent. In other words, GETs and HEADs should not modify the state of the web server, so you can send multiple GETs to the exact same URL and it should not cause problems. POSTs, on the other hand, are not idempotent. This is why e-commerce sites say things like "don't click checkout again!" and your browser will say things like "You have already submitted POST data, are you sure you want to refresh and send this again?" (AMP, we aren't doing this in our web frontend, right?)

We even have an idea about how widespread this problem could be. In 2005 Google launched Google Web Accelerator. This was a browser plug-in that pre-fetched links on the page you were looking at to better utilize your bandwidth. Unfortunately, thousands of sites started breaking because developers all over the world were using simple hyperlinks (which issue a GET) to modify the state of the web app. There was lots of kicking and screaming, and I acquired a healthy dislike for Ruby on Rails developers who kept insisting that the rest of the world was wrong and they were right, but I digress.

In short, by knowing HTTP and understanding that a developer implemented a default "Allow All" feature, this very cool attack was discovered.
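The mistake the paper describes, in miniature. This is an added example written for this page, not code from the paper or from any of the frameworks it names: a toy authorization layer whose constraints apply only to the listed methods (so an unlisted verb like HEAD matches nothing and is allowed), beside a deny-by-default version that authorizes HEAD exactly as GET and refuses verbs the constraint does not list. The paths, roles, user store and request are all constructed.

```python
# Added example (not from the paper or the page): allow-by-default method
# constraints beside a deny-by-default version. Everything here is constructed.

# Declarative constraints: (path prefix, methods the constraint covers, role)
RULES = [
    ("/admin/", {"GET", "POST"}, "admin"),
    ("/public/", {"GET", "POST"}, None),
]


def authorize_vulnerable(path, method, role):
    """Allow-by-default: a request is checked only if its method is listed.
    A HEAD (or any other verb) to /admin/ matches no constraint and passes."""
    for prefix, methods, required in RULES:
        if path.startswith(prefix) and method in methods:
            return required is None or role == required
    return True


def authorize_hardened(path, method, role):
    """Deny-by-default: the prefix alone selects the constraint, HEAD is
    authorized exactly like GET, and a verb the constraint does not list
    is refused rather than waved through."""
    effective = "GET" if method == "HEAD" else method
    for prefix, methods, required in RULES:
        if path.startswith(prefix):
            if effective not in methods:
                return False
            return required is None or role == required
    return False


def handle(authorize, users, method, path, query, role=None):
    """Tiny server: returns (status, body). HEAD runs the same code as GET and
    only drops the body, which is what makes the bug blind but observable."""
    if not authorize(path, method, role):
        return 403, "forbidden"
    if path == "/admin/deleteUser":
        name = query.get("user")
        if name not in users:
            return 500, "no such user"
        users.remove(name)  # the state change a GET/HEAD should never make
        body = "deleted %s" % name
    else:
        body = "ok"
    return 200, ("" if method == "HEAD" else body)


def demo(authorize):
    """Anonymous HEAD to the delete endpoint; returns (status, users left)."""
    users = {"alice", "billy"}
    status, _ = handle(authorize, users, "HEAD", "/admin/deleteUser", {"user": "billy"})
    return status, sorted(users)


if __name__ == "__main__":
    print("vulnerable:", demo(authorize_vulnerable))  # (200, ['alice'])
    print("hardened:  ", demo(authorize_hardened))    # (403, ['alice', 'billy'])
```

The status code is the only thing the anonymous caller gets back in either case, which is the signal the post describes; the hardened version removes both the state change and the 200. Keeping the delete behind POST only would fix the other half of the problem the post raises.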

MySpace Suicide Indictment: or TOS violation = crime

Topic: Technology
11:09 am EDT, May 27, 2008

On Thursday, the U.S. Attorney for the Central District of California announced that Lori Drew, now 49 years old, was indicted on conspiracy and hacking charges. The indictment charges Drew, a resident of O'Fallon, Missouri, with three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy.

... ? Where hacking = Computer Fraud and Abuse Act. So, the DA's logic is that by violating MySpace's TOS, Drew was no longer an authorized user of MySpace's systems, and thus by continuing to use MySpace she committed unauthorized access. There is a good write-up over at The Volokh Conspiracy by Orin Kerr and I highly suggest you read it. A few choice quotes from SecurityFocus's coverage:

Yet, legal experts argue that charging a person for violating computer-crime statutes because they broke the terms-of-service agreement of an online site could lead to the ability to charge nearly anyone with computer crime. Using residential broadband for business purposes? A violation of the terms of service and, thus, potentially a crime. Checking sports sites while at work? A violation of corporate policy and, thus, potentially a crime.

and

"There is nothing in the indictment that differentiates between what is a serious violation of the terms of service and a trivial violation of the terms of service," Morris told SecurityFocus. "I would bet that the majority of U.S. Internet users have committed a federal crime, if the charges in this indictment are upheld."

and my personal favorite:

"Violating a website's 'TOS' is carte blanche to an imaginative prosecutor," Greenfield said. "We are all felons if this flies."

Rods From God

Topic: Technology
8:07 am EDT, May 15, 2008

They are a kinetic energy device like the railgun, but instead of using electricity to achieve destructive velocities, they use gravity. The still-hypothetical system would be comprised of two satellites in orbit around the Earth. One would house the communications and targeting hardware, while the other would house the rods themselves, each up to a foot in diameter and twenty feet long. To fire, they would simply be released and allowed to fall back to Earth (with a bit of remote guidance). By the time they reached the surface, they'd be traveling at a speed of 36,000 feet per second and carry the destructive force of a nuclear warhead, only with none of the radioactive fallout.

!!! ... !!! Dropping telephone poles on people. From Space! Damn.

CIA.gov XSS still working

Topic: Technology
5:45 pm EDT, Apr 18, 2008

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code. Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist. For those of you who don't see it after clicking through, notice that the links lead to the CIA's site, but display a recent THREAT LEVEL story. Here the CIA search box fails to rip out characters that will run as a script when the site tries to process the search query.

This story went up at 3:26pm, and it's still working at 8:45pm. This would be great for a prank form... Update: This is still working today. So much for fast response. Here is the obligatory memestreams @ cia.gov link. SSL no less.
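The bug class in the story is a search page that echoes the query back into the HTML unencoded. As an added example, not the CIA site's code and not from the Wired piece, here is that pattern beside the output-encoded version, plus the kind of log check that would have flagged the reported links on the server side. The page template, the sample query and the access-log lines are constructed for the demonstration.

```python
# Added example (not the CIA site's code and not from the article): the
# reflected-XSS pattern a search page falls into when it echoes the query
# straight into HTML, beside the output-encoded version, plus a log check
# for search queries that carry markup. Template, query and log lines are
# constructed for the demonstration.
import html
from urllib.parse import parse_qs, urlparse


def render_search_vulnerable(query):
    """Echoes the raw query into the page: markup in it becomes part of
    the document and any script in it runs in the site's own origin."""
    return "<p>Results for: %s</p>" % query


def render_search_hardened(query):
    """Encodes the query for the HTML text context first: the reader sees
    the same characters, but the browser never parses them as tags."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def flag_search_queries(log_lines):
    """Scan access-log lines of the form 'METHOD URL STATUS' (constructed
    format) and return the decoded q= values that contain HTML markup."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        for q in parse_qs(urlparse(parts[1]).query).get("q", []):
            if "<" in q or ">" in q:
                flagged.append(q)
    return flagged


SAMPLE_QUERY = "budget <script>probe()</script>"  # constructed
SAMPLE_LOG = [  # constructed
    "GET /search?q=annual+report 200",
    "GET /search?q=%3Cscript%3Eprobe()%3C/script%3E 200",
    "GET /about 200",
]

if __name__ == "__main__":
    print(render_search_vulnerable(SAMPLE_QUERY))
    print(render_search_hardened(SAMPLE_QUERY))
    print(flag_search_queries(SAMPLE_LOG))
```

Encoding on output is the fix, not stripping characters on input: the escaped page still shows the user exactly what they searched for, and the log scan decodes the URL before looking for angle brackets, since the percent-encoded form is what actually arrives in the access log.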

Everything I needed to know about managing hackers, I learnt from my DVD collection

Topic: Technology
8:22 am EDT, Mar 24, 2008

Many execs will tell you the same thing about their role in the ecosystem, but what they miss is that they do not need for this to be a zero-sum game. I.e. Achilles does not want to be king, and he certainly doesn't want to concern himself with collecting taxes. He will gladly serve as a soldier to a king who proves himself worthy. This ties in pretty closely to Paul Graham's thoughts on your super hackers and remuneration: "Economically, this is a fact of the greatest importance, because it means you don't have to pay great hackers anything like what they're worth. A great programmer might be ten or a hundred times as productive as an ordinary one, but he'll consider himself lucky to get paid three times as much."