We thought it sure would be handy if life came with status codes, but since it doesn't, we did the next best thing and printed them on stuff you wear. But not just any old stuff - we had to try something different, and print them on undies. So we bring you HTTPanties for the discriminating woman who would prefer a web-savvy and somewhat-direct approach in the romance department.
Feeling frisky? Well then don the black "200 OK" panties and see where they take you. Alternatively, the white "403 Forbidden" style sends a very different and hopefully clear message. New for 2005 we bring you two more styles: 411 Length Required and 413 Requested Entity Too Large.
And now, in what will surely drive a "Not Safe For Work" flag, your moment of zen.
As some of my co-workers noted, there are many more HTTP codes that could be pantified:
300 Multiple Choices
305 Use Proxy
402 Payment Required
406 Not Acceptable
415 Unsupported Media Type
417 Expectation Failed
501 Not Implemented
502 Bad Gateway
Last week a reporter asked me to comment on a story he was writing that detailed this hack. I couldn't post this to Memestreams until after that article was published.
I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:
Well huh. These look like MD5 hashes. So what we need to do is crack the MD5 passwords with what we know about our keyspace: All upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII so now we're just looking at A-Z0-9. Just an educated guess.
We begin the crack. Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get: A Platinum Pass for $0.00? Special line access to the Keynote! Alright!
In this case, IDG tried to make their website more responsive by performing some of their validation on the client. They did this by pushing some JavaScript to the client's web browser. Even if IDG still performed that validation on the server, they have leaked how the priority code is verified and used by their website. This is the leaking of control logic. All an attacker needs to do is look at the JavaScript code and see how the priority code is verified against a list of valid codes. Even though those codes are encrypted, the JavaScript again aids the attacker. It provides step by step instructions showing how the priority code is encrypted as well as the algorithm used, allowing the attacker to easily brute force the valid codes. By accessing the JavaScript code, the attacker could also see that IDG made some mistakes before they encrypted the code, making the discounts even easier to brute force (IDG first capitalized the code and then removed a number of special characters and symbols, etc.). This drastically reduced the number of combinations an attacker needs to try to brute force all the priority codes.
Once the attacker knows all the priority codes, it is obvious which ones gave the attacker a free pass worth thousands of dollars.
The moral of the story: JavaScript code is visible to an attacker. It is impossible to completely obfuscate or hide it. More and more Web 2.0 technologies like Ajax mean more and more programs are placing application logic in JavaScript, making it even easier for attackers to find flaws in web applications. In this case, by trying to enrich the user's experience, the programmers exposed all of their discount offers in JavaScript, allowing an attacker to discover them and perform fraud for thousands of dollars.
Web developers need to make sure they don't leak vital information about how their applications work. In today's Web 2.0 world of rich web interfaces like Ajax and Adobe's Flex, this is a very easy mistake to make.
Obviously the need for spaces in tags is an important one. Whether it’s “Semantic Web” or “Ford Interceptor” that you need to tag, it’s rather different from “Windows AND Vista” and “Ford AND Interceptor” - and it gets worse if you have a search engine that places OR in there instead of AND. Much worse. The big question is, why doesn’t such a standard already exist? It’s obvious that Web 2.0 is all about connecting ideas and bringing articles, content, and readers together. But anyone looking at the tagging process would immediately assume it’s about the exact opposite: splitting up content, making things difficult to find, and purposely making bloggers’ lives miserable.
With Habari, so far we’ve gone through all the forms, and at the moment we’re at number 3 for compatibility and familiarity’s sake. But that may change - hence the need for a visible, tangible tagging standard. The only problem is, tagging isn’t some new concept. A tagging standard isn’t something that we can just whip up and serve on a platter.
What about the noun/verb argument? Look at the tags for this post: “Blogs, Blogging … Tags, Tagging” We just don’t know what people will search for - and we try to cover all the bases. But then you have so many possibilities! Code, Coding; Design, Designing; Research, Researching. For every pair there is one word more likely than the other. But people like to have all the bases covered, hence all the clutter. Tagging is fun, but only if done the right way.
This article touches on a few of the more obvious issues with implementing a tagging system properly. Tom, Rattle and I have already scoped all the places in Memestreams that use the topic system and are discussing ways to replace it with a tagging system. Believe me, it is not an easy problem!
Tagging by its very nature is more chaotic than a hierarchical topic system. Having a good implementation is only half the battle: people must tag items well. An item with odd tags, or tags that don't best describe the article, is in danger of fading away. No one knows exactly what terms it could be filed under. This is where topics do very well. By imposing a controlled vocabulary, a searcher can presumably read the entire vocabulary to see all possible topic words they might be interested in.
In a nutshell, here are some big problems with tags:
-How to handle multiple words
-If/how to allow the tag delimiter inside a tag
-Does letter case matter
-Punctuation and symbols
-Handling plural or singular words
-Date formatting
-Multiple language support
-Colloquialisms/slang
Remote Database management... now with a backdoor!
Topic: Technology
2:45 pm EST, Jan 11, 2007
This article started up quite nicely about how to run SQL commands against a database in a shared hosting environment where you don't have SQL console access.
It quickly spiraled into creating a webpage that will run arbitrary .SQL commands against a database.
Once uploaded, hit the remote RunSQL.aspx page via your browser. This will cause the page on your remote server to parse the .SQL file, and execute all of its statements.
Granted, the article says to use obscure filenames and to delete it when you are done, but we all know most people won't. That's like giving a kid a gun and reminding them to put on ear protection ahead of time and to clean it properly once they have finished shooting themselves in the foot!
Scott Guthrie may be smart but this deserves a "WTF were you thinking!"
The first peak in Apple's stock price (approx. 1:45 EST, or 10:45 PST) was at the tail end of Steve Jobs demoing the phone. He then goes on to talk about the business side (the price, exclusive with Cingular, etc.) as well as the target 1% market share goal, and the share price drops a little.
It's like watching a sing-a-song, only with lots of money!
Fab@Home is a website dedicated to making and using fabbers - machines that can make almost anything, right on your desktop. This website provides an open source kit that lets you make your own simple fabber, and use it to print three dimensional objects. You can download and print various items, try out new materials, or upload and share your own projects. Advanced users can modify and improve the fabber itself.
Fabbers (a.k.a. 3D printers or rapid prototyping machines) are a relatively new form of manufacturing that builds 3D objects by carefully depositing materials drop by drop, layer by layer. Slowly but surely, with the right set of materials and a geometric blueprint, you can fabricate complex objects that would normally take special resources, tools and skills if produced using conventional manufacturing techniques. A fabber can allow you to explore new designs, email physical objects to other fabber owners, and most importantly - set your ideas free. Just like MP3s, iPods and the Internet have freed musical talent, we hope that blueprints and fabbers will democratize innovation.
Holy Crap! Ok, I'm canceling the flower budget for the wedding and redirecting it to building one of these!
There are many ways to specify a URL in a hyperlink. For all these examples, assume the user is currently looking at the page http://www.memestreams.net/topics/
In this case, the URL is relative to where the user currently is. The browser already knows it is using the HTTP protocol (HOW), and it already knows the hostname (WHERE). The link simply tells the browser the resource to grab (WHAT).
Most people, including me, think that there is no way to create a hyperlink pointing to a different WHERE than you are currently on without specifying the HOW. For example, the following hyperlink does not take you to msblabs.org
This URL construction is perfectly valid, and the // lets the browser know that it should fetch this resource using the current HOW, but that the text after the // and before the next / specifies a new WHERE. Yes, this is messed up. Yes, it's in the RFC spec. Yes, there are sites in the wild like SlashDot that use this form.
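An added example (not from the original post) of how a browser resolves each form against the page above, using the WHATWG URL resolution that Node.js and browsers share; the paths and the msblabs.org link are constructed stand-ins. It also shows why a "stays on our site" check for links or redirect targets must resolve the URL first instead of trusting a leading slash:

```javascript
const BASE = 'http://www.memestreams.net/topics/';  // the page the user is on

// Resolve an href exactly as the browser does when the link is clicked.
function resolve(href, base = BASE) {
  return new URL(href, base).href;
}

// Break a resolved link into the post's HOW / WHERE / WHAT vocabulary.
function describe(href, base = BASE) {
  const u = new URL(href, base);
  return { how: u.protocol.replace(':', ''), where: u.host, what: u.pathname };
}

// A naive check that only inspects the first characters is fooled by the
// protocol-relative form: '//msblabs.org/' starts with '/' yet changes WHERE.
function naiveSameSite(href) {
  return href.startsWith('/') && !href.startsWith('http');
}

// Correct check: resolve against the current page, then compare the WHERE.
function sameSite(href, base = BASE) {
  return new URL(href, base).host === new URL(base).host;
}
```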
You want me to accept that the users should now become their own UI designers? Doesn't sound good to me. I may not know much about UI, but I know that my generic, fixed width, locked down site design is at least capable of conveying the relevant content to a large percentage of the public.
I don't want different customized UIs for every user or user agent. I want adaptive UIs.
My mom is not going to design her own style for a website. But when my mom bumps the font size of http://www.cnn.com up 2 levels and suddenly the menu bar is going off the screen and text doesn't fit in boxes anymore, that's a problem.
When a user enters a bunch of text into a comment block and it appears as one long line going right over the pretty floating table of contents, that's a problem.
When I have a 1400x900 screen and a blog renders as a thin vertical strip maybe 700 pixels across, that's just silly.
This can be fixed, and it doesn't require you to hack around IE6's lack of PNG transparency or Safari's crazy JavaScript. It's about making smart decisions about how you define the layout of a page.
-- Disclosure Timeline:
2006.02.27 - Pre-existing Digital Vaccine released to TippingPoint customers
2006.08.31 - Vulnerability reported to vendor
2006.12.12 - Coordinated public release of advisory
I noticed this in a vuln report for a remote code execution in JavaScript for IE. Maybe this is a mistake, but it appears that TippingPoint aka 3Com took steps to protect/secure their customers 6 months before even reporting the issue.
Surely this cannot be a standard security practice. Is this what corporate 0-day purchasing has forced?