Bacon Floss - Meat Flavored Dental Supplies |
|
|
Topic: Miscellaneous |
9:25 am EDT, Jun 19, 2008 |
Dentists recommend flossing and we recommend bacon! Now you can improve your dental hygiene while enjoying the amazing flavor of crispy fried bacon. Is there anything bacon can’t improve? Each 2-1/2" tall plastic dispenser contains 27.3 yards of waxed floss.
Yummy... Bacon Floss - Meat Flavored Dental Supplies |
|
Firefox Mobile Concept Video |
|
|
Topic: Technology |
9:46 am EDT, Jun 12, 2008 |
[ Video Link ] Firefox is coming to mobile. The innovation, usability, and extensibility that has propelled Firefox to 200 million users is set to do the same for Firefox in a mobile setting. User experience is the most important aspect of having a compelling mobile product. Every bit of interaction and pixel of presentation counts when typing is laborious and screen sizes are minuscule. Many of the standard interaction models, like menus, always-present chrome, and having a cursor, don’t necessarily make sense on mobile. It’s a wickedly exciting opportunity but there are myriad challenges to getting it right. One avenue for exploring this opportunity is through Mozilla Labs, which is about pushing the envelope towards better and brighter interaction horizons, as well as incorporating a wider community into the innovation process. This concept video explains one direction we are thinking in, and we’d love to inspire participation in thinking about other directions.
Firefox Mobile Concept Video |
|
HP unveils Voodoo Envy 133 notebook |
|
|
Topic: Technology |
10:19 pm EDT, Jun 10, 2008 |
Today in Berlin HP announced the Voodoo Envy 133 notebook that was hinted at last week in the video teaser I posted. Voodoo is aiming to take on the MacBook Air and the Envy is ready for the bout. The Envy 133 has an LED backlit 13.3-inch screen, carbon fiber body (super lightweight), multi-touch trackpad (I just tried it out and it stinks. I’ll get a full demo later on, but there’s a short video after the jump. It pinches but doesn’t do the rotation.), built-in ethernet port into the power brick, removable battery, HDMI port, two USB ports, and an express card slot. The Envy’s starting price of $2,099 is less desirable, though. Another unique and cool feature for the Envy is Voodoo InstantOn, which allows the user to boot to a Linux screen within seconds of starting up while Vista boots in the background.
The Voodoo Envy 133 will be available for a starting price of $2,099.(1) Other key features include:
• Voodoo Aura PowerConnect – establishes a one-to-one wireless connection between the Envy 133 notebook and an Ethernet connector located on the power supply, allowing users to roam free from the wired connection.(3)
• Multiple gesture touchpad – more than a standard touchpad, the Envy 133 also provides capabilities such as a circular gesture called chiral scroll and pinch options.
• Durability – the carbon fibre casing and fused composite glass covering the display provide surprising strength and durability.
• External optical disk drive – an ID-coordinated external eSATA optical drive is included with every unit.
• Professional backlit keyboard – reminiscent of old-school tactile desktop keyboards with just enough “click” to get even the most die-hard tech enthusiast smiling.
• Ports – extensive usability via a variety of I/O ports, including headphone/microphone, HDMI, USB 2.0 (1x) and a shared e-SATA/USB (1x).
I've commented on Memestreams about the Macbook Air vs. the Lenovo X300 but now I've got to say I want a Voodoo Envy. HP unveils Voodoo Envy 133 notebook |
|
I think they found my google search history... |
|
|
Topic: Miscellaneous |
4:30 pm EDT, Jun 9, 2008 |
I believe they found my google search history... I knew it was only a matter of time until I was exposed.
busted. I think they found my google search history... |
|
Bypassing Web Authentication and Authorization with HTTP Verb Tampering |
|
|
Topic: Technology |
2:06 pm EDT, May 29, 2008 |
This is a cool paper and all of you should read it for many reasons. First, because it’s a perfect example of hacking. Hacking is just critical thinking and understanding how a system works. In this paper, by understanding the nuances of web technologies, the researchers found a very trivial way to bypass the authentication systems of many popular web frameworks! Second, it’s a classic example of how programmers with even a little security knowledge can make big mistakes.
Here is the paper in a nutshell: Various web frameworks like Java EE, ASP.NET, etc., allow you to configure the website so certain directories are only accessible to certain users with certain HTTP methods. So anyone can do a GET or POST to /public/ but only an admin can do a GET or POST to /admin/.
Enter the HTTP HEAD method. This is usually used for diagnostics and caching. If you send an HTTP HEAD instead of an HTTP GET to a URL, the website is supposed to do everything it would normally do when processing a GET, only the HTTP response should contain only the header and no body. To make sure the same response (sans body) is sent for a HEAD as a GET, web servers simply handle the response as if it was a GET, and suppress the body when sending the response.
Do you see the trick yet? The HTTP HEAD method can be used to side-step authentication systems in many web applications. An attacker simply sends a HEAD to /admin/deleteUser?user=billy? instead of a GET. The authentication framework checks and sees that anyone can send HEADs to /admin/ and does not stop the processing of the request. The web server runs all the back end code that it normally runs for a GET, which deletes Billy as a user. The attacker does not see the body of the response, so it’s a blind attack. However, the attacker can see the HTTP status code that is returned with the response to the HEAD, and based on its value (200 vs. 500) the attacker can tell if it worked.
This is exactly the reason why HTTP GET should be idempotent. In other words, GETs and HEADs should not modify the state of the web server, so you can send multiple GETs to the exact same URL and it should not cause problems. POSTs on the other hand are not idempotent. This is why e-commerce sites say things like “don’t click checkout again!” and your browser will say things like “You have already submitted POST data, are you sure you want to refresh and send this again?” (AMP, we aren’t doing this in our web frontend right?)
We even have an idea about how widespread this problem could be. In 2005 Google launched Google Web Accelerator. This was a browser plug-in that pre-fetched links on the page you were looking at to better utilize your bandwidth. Unfortunately, thousands of sites started breaking because developers all over the world were using simple hyperlinks (which issue a GET) to modify the state of the web app. There was lots of kicking and screaming, and I acquired a healthy dislike for Ruby on Rails developers who kept insisting that the rest of the world was wrong and they were right, but I digress.
In short, by knowing HTTP and understanding that a developer implemented a default “Allow All” feature, this very cool attack was discovered.
Bypassing Web Authentication and Authorization with HTTP Verb Tampering |
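The access-control gap described in the post above, modelled as a small added example (not code from the paper, the post, or any real framework): a rule that lists only GET and POST next to a rule that covers every method. The names `Rule`, `authorize`, `App` and `replay`, and the sample users, are hypothetical.

```python
# Toy model of a method-scoped access rule (constructed; not a real framework).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    prefix: str          # protected URL prefix
    role: str            # role required when the rule applies
    methods: frozenset   # methods the rule lists; empty set = every method

# Weak: only GET and POST are listed, so any other verb falls outside the rule.
WEAK = [Rule("/admin/", "admin", frozenset({"GET", "POST"}))]
# Hardened: no method list, so the rule covers every verb.
HARDENED = [Rule("/admin/", "admin", frozenset())]

def authorize(rules, method, path, roles):
    """Return True if the request may proceed to the handler."""
    for r in rules:
        if path.startswith(r.prefix) and (not r.methods or method in r.methods):
            return r.role in roles
    return True  # default "allow all" for anything no rule matched

class App:
    def __init__(self, rules):
        self.rules = rules
        self.users = {"billy", "alice"}  # constructed sample state

    def handle(self, method, path, query, roles=frozenset()):
        """Return (status, body). HEAD runs the GET handler, body suppressed."""
        if not authorize(self.rules, method, path, roles):
            return 403, ""
        effective = "GET" if method == "HEAD" else method
        if effective == "GET" and path == "/admin/deleteUser":
            self.users.discard(query.get("user"))  # state change behind a GET
            body = "deleted"
        else:
            return 404, ""
        return 200, "" if method == "HEAD" else body

def replay(rules):
    """Send the same anonymous GET and HEAD and report what happened."""
    app = App(rules)
    get_status, _ = app.handle("GET", "/admin/deleteUser", {"user": "billy"})
    head_status, head_body = app.handle("HEAD", "/admin/deleteUser", {"user": "billy"})
    return get_status, head_status, head_body, "billy" in app.users
```

With the weak rule the anonymous GET is refused but the HEAD reaches the handler; with the hardened rule both are refused and the state is unchanged.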
|
Operation Summercon 2k8 in Da House |
|
|
Topic: Miscellaneous |
9:58 pm EDT, May 27, 2008 |
We're in the final week before Summercon 2008! Come out Friday night @ 7PM and meet at the Wyndham Hotel bar, a.k.a. "The Mojito Lounge". Don't be shy, just look for someone wearing a Summercon t-shirt and introduce yourself. They won't bite or fight... probably. We'll plan on hanging out at the hotel for a bit and then herd everyone to another fine drinking establishment. Friday night is an ice-breaker, so come out and get to know your friendly neighborhood hacker. Don't sleep in much past noon on Saturday, presentations start at 12:30PM.
Operation Summercon 2k8 in Da House |
|
Inside the Scandal That Rocked the Formula One Racing World |
|
|
Topic: Sports |
5:01 pm EDT, May 26, 2008 |
Of all the copy shops in all of England, Trudy Coughlan had the rotten luck of walking into Document Image Processing. It was June 2007 in sleepy Surrey County, and Coughlan, a statuesque blonde, sauntered through the door of the shop holding a sheaf of 780 pages. Scan them onto two CDs, she told the clerk, a forgettable middle-aged guy in a forgettable office park in the middle of nowhere. Nothing strange about the order, unless you happened to be a Formula One fan and happened to take a close look at the material: schematic drawings, technical reports, pictures, and financial information — enough insider dope to design a Formula One race car. Each page was emblazoned with one of the most famous logos in the world: the prancing black horse of Ferrari. Surrey is McLaren country, just down the road from what locals call the Spaceship, the futuristic, top-secret, half underground headquarters of the McLaren Formula One racing team. But as it happened, the copy clerk was a rabid Ferrari fan — among the legion who worshipped Ferrari's star F1 driver Michael Schumacher and agonized over the fact that the Ferrari team was lagging behind top-ranked McLaren that summer.
This article: Most advanced expensive automotive technology. Check. Corporate espionage. Check. Nazi orgy. Ummm. Check. Inside the Scandal That Rocked the Formula One Racing World |
|
Topic: Arts |
9:51 pm EDT, May 20, 2008 |
Decius wrote: Worthersee wrote: If you love it so much why don't you just marry it.
Why bother with Carma Sutra when you can get into some real freaky shit.
J. G. Ballard's graphic, violent novel is controversial wherever it is read, even on Amazon.com's own Web page! The book's characters are obsessed with automobile accidents and are determined to narrate the horrors of the car crash as luridly as possible. In the words of the novel's protagonist, the wounds caused by automobile collisions are "the keys to a new sexuality born from a perverse technology."
That sounds exactly like something I would be into. Crash: A Novel |
|
Topic: Miscellaneous |
7:32 pm EDT, May 18, 2008 |
Meetings |
|