| |
"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969 |
|
Topic: Cyber-Culture |
2:06 pm EST, Jan 16, 2007 |
Via Acidus: Brilliant! We thought it sure would be handy if life came with status codes, but since it doesn't, we did the next best thing and printed them on stuff you wear. But not just any old stuff - we had to try something different, and print them on undies. So we bring you HTTPanties for the discriminating woman who would prefer a web-savvy and somewhat-direct approach in the romance department. Feeling frisky? Well then don the black "200 OK" panties and see where they take you. Alternatively, the white "403 Forbidden" style sends a very different and hopefully clear message. New for 2005 we bring you two more styles: 411 Length Required and 413 Requested Entity Too Large.
And now, in what will surely drive a "Not Safe For Work" flag, your moment of zen.
As some of my co-workers noted, there are many more HTTP codes that could be pantified: 300 Multiple Choices, 305 Use Proxy, 402 Payment Required, 406 Not Acceptable, 415 Unsupported Media Type, 417 Expectation Failed, 501 Not Implemented, 502 Bad Gateway.
ThinkGeek :: HTTPanties |
|
Your Free MacWorld Expo Platinum Pass |
|
|
Topic: Computer Security |
2:00 pm EST, Jan 16, 2007 |
This is a great example of information leakage in "Web 2.0" applications. Acidus comments: Last week a reporter asked me to comment on a story he was writing that detailed this hack. I couldn't post this to Memestreams until after that article was published. I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:
Well huh. These look like MD5 hashes. So what we need to do is crack the MD5 passwords with what we know about our keyspace: all upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII, so now we're just looking at A-Z0-9. Just an educated guess. We begin the crack. Less than 10 seconds and I've already cracked a code that looks interesting. Let's see what we get: A Platinum Pass for $0.00? Special line access to the Keynote! Alright!
My thoughts are this is an excellent example of security issues with Web 2.0 applications. Specifically, the leaking of an application's programming logic to the attacker. In this case, IDG tried to make their website more responsive by performing some of their validation on the client. They did this by pushing some JavaScript to the client's web browser. Even if IDG still performed that validation on the server, they have leaked how the priority code is verified and used by their website. This is the leaking of control logic. All an attacker needs to do is look at the JavaScript code and see how the priority code is verified against a list of valid codes. Even though those codes are encrypted, the JavaScript again aids the attacker. It provides step-by-step instructions showing how the priority code is encrypted as well as the algorithm used, allowing the attacker to easily brute force the valid codes. By accessing the JavaScript code, the attacker could also see that IDG made some mistakes before they encrypted the code, making the discounts even easier to brute force (IDG first capitalized the code and then removed a number of special characters and symbols, etc.). This drastically reduced the number of combinations an attacker needs to try to brute force all the priority codes. Once the attacker knows all the priority codes, it is obvious which ones gave the attacker a free pass worth thousands of dollars. The moral of the story: JavaScript code is visible to an attacker. It is impossible to completely obfuscate or hide it. More and more Web 2.0 technologies like Ajax mean more and more programs are placing application logic in JavaScript, making it even easier for attackers to find flaws in web applications. In this case, by trying to enrich the user's experience, the programmers exposed all of their discount offers in JavaScript, allowing an attacker to discover them and perform fraud for thousands of dollars.
Web developers need to make sure they don't leak vital information about how their applications work. In today's Web 2.0 world of rich web interfaces like Ajax and Adobe's Flex, this is a very easy mistake to make.
Your Free MacWorld Expo Platinum Pass |
|
The Big Picture | How big IS the US anyway? |
|
|
Topic: Economics |
8:01 pm EST, Jan 15, 2007 |
From Decius: Some really nice infoporn over at The Big Picture right now. The linked chart compares the assets of various nations organized into geopolitical buckets. Notice that Asia, for all its mindshare, is still relatively tiny, and the U.S., despite her plethora of self-inflicted woes, remains globally dominant.
In other words, America can screw up an awful lot for a long time before international competitors are really a threat to her economic position. (Although a commenter in the thread observes that U.S. asset prices may be unfairly high due to foreign currencies being pegged to the dollar.) Also worth a look is this chart which vaguely compares the GDP of various nations with various U.S. States. I'm sure you've heard before that California has roughly the GDP of France (and half the population) but I didn't know that Texas has a comparable GDP to Canada. And Georgia, oh Georgia, if only your ski slopes were as nice as your GDP... It's worth comparing top lists for GDP between 1995 and 2005. There have been some significant changes. For example, Canada appears to be falling behind in international terms, although I don't know if that is due to failings on her part, or simply that far more populous countries are starting to get their acts together. Brazil is rocketing up, but they have 6 times the population of Canada. Canada's population is comparable to California, but it is spread out over a far wider area, which probably makes it less efficient. (I also think that weather plays a role. Snow plows cost money.) As various countries begin to figure out how to operate effective economies and stable politics you'd think that these charts would normalize toward a reflection of population differences, with some effects due to geographic constraints such as those I mentioned for Canada. Of course, I'm describing a vision for world peace. I think we're a long way off, but it appears progress is being made. A longer term investment in ETFs targeting countries that have moved significantly between 1995 and 2005 might be a very sound idea if coupled with a reasonable understanding of and monitoring of the political and economic stability of the countries in question. Of course, I'm not an economist, so take that with a grain of salt.
The Big Picture | How big IS the US anyway? |
|
Topic: MemeStreams |
5:44 am EST, Jan 15, 2007 |
Our recent update went out with a bug that sometimes cropped up when replying to posts which resulted in a 500 server error. This bug has been addressed. Please let us know if you see anything odd with the site. Reply bug fixed |
|
ImageWell, the Free and Lean Image Editor |
|
|
Topic: Macintosh |
2:06 pm EST, Jan 14, 2007 |
ImageWell is a small, but powerful, image editing application that lets you quickly resize, crop, watermark, edit your images and then upload them to the web, save to your computer or email them to a friend. ImageWell also lets you annotate your images with text, shapes, arrows and lines, quickly and easily. And it doesn't stop there - add a drop shadow, a shaped border, flip or rotate your image, take screen grabs, plus so much more.
ImageWell is a great utility for facilitating easy picture posting to MemeStreams. ImageWell, the Free and Lean Image Editor |
|
Image Posting has been re-enabled! |
|
|
Topic: MemeStreams |
1:09 pm EST, Jan 14, 2007 |
Image posting has been re-enabled! Post away. We've tested on IE, Firefox, Safari, SideKick and Nintendo Wii, and the feature seems to work on all of these platforms. We still have some bugs we're tracking with the most recent update, but we should have those cleared up over the course of Sunday... Image Posting has been re-enabled! |
|
Topic: Music |
2:47 pm EST, Jan 11, 2007 |
Those that were exposed to the Best of Bootie 2005 will be happy to know that the next Best of Bootie CD has been released. It can be downloaded for free off the Bootie website. The Best of Bootie compilations contain the best mashup tracks I've ever heard. I just started playing the new collection, and it sounds like it blows the last one away. These make the perfect party albums. They really confuse and delight a crowd. Every song is guaranteed to be familiar sounding. An entire underground music scene has formed around these types of works. The recording industry licensing regime makes it pretty much impossible to legitimately create and release these types of works. The overhead you have to devote to getting the rights is unbelievable. Best of Bootie 2006 |
|
MemeStreams Update: Now More Sexy! |
|
|
Topic: MemeStreams |
4:26 am EST, Jan 11, 2007 |
(Update: This is causing problems with IE. Image links have been disabled while we work out the cause of the problem.. Argh..) "The pictures make it sexy." The above quote was Decius's first comment after seeing Friendster back in 2001 when we were already underway coding the initial version of MemeStreams. I can now say with authority that we qualify as "sexy". MemeStreams now has both image and video display capability. This comes with several improvements to the way messages are edited and displayed. In addition to inline display of images using the img tag, we have also added the HTML tags u, center, and pre, in addition to the already existing support for b, i, and a. blockquote can be used as blockquote, bq, or quote. When pre is used, any HTML tags within are escaped, so you can now display snippets of code and other previously impossible text without losing formatting. For instance, here is an example of an image tag: <img src="http://kradmeme.local/meme_tail.gif" alt="Optional description"> Image tags can be justified left or right using the align attribute so text wraps around them, such as the image in this post. All implemented tags support standard HTML attributes to the degree we support the attributes. When posting, the interface now displays error messages in realtime about formatting problems above the edit window. Eventually we will have this functionality include better information about what types of HTML are allowed and how they can be used. In general, the system will display posts better and more uniformly. It is no longer so rigid about spacing after quotes; posts will now display properly regardless of whether you have a newline after a quote or not. Characters such as > and < can now be used in posts without being part of an HTML tag as well. Any Google/YouTube/Revver videos that are primary links will be displayed automatically at the top of the post.
Videos can also be displayed inline with a tag like this: <video url="http://www.youtube.com/watch?v=b2f4heaG288" alt="Optional description"> We will add other video services as we become aware of them. Let us know if there is a service you would like us to support. We would like to single out Acidus for praise. His help made this update happen. We are very excited to have him actively involved with MemeStreams development. His work is present in several aspects of this update, such as the on-the-fly picture resizing and the realtime post validity checking. Be sure to tell him how much he kicks ass. We have never worked with anyone better when it comes to web security and JavaScript. Be sure to tell terratogen he kicks ass as well. For years now, he has been providing us with all our graphic design needs. You can see his work in the site's logo and the various graphical icons used throughout the site. As always, if you encounter any problems, let Rattle or Decius know. More information and site updates are on the way. |
|
O'Reilly, Colbert to appear on each other's shows - CNN.com |
|
|
Topic: Humor |
7:36 pm EST, Jan 9, 2007 |
It may feel like looking into the mirror for Bill O'Reilly and Stephen Colbert next week. The Fox News Channel host and Colbert, who has essentially based his comic character every evening on Comedy Central on him, will trade appearances on each other's programs January 18. "I'm really looking forward to speaking to a man who owes his entire career to me," O'Reilly said. On "The Colbert Report," Colbert portrays a self-involved talk-show host who has tried to bring "truthiness" to the world. His character owes an obvious debt to O'Reilly, who holds court in the "no-spin zone" each evening. On "The O'Reilly Factor," O'Reilly portrays a ... um, he hosts the top-rated program in cable news. "I look forward to the evening," Colbert said. "It is an honor to speak face-to-face with a broadcasting legend, and I feel the same way about Mr. O'Reilly."
Note that CNN breaks AP style to take a swipe at O'Reilly in the second to last paragraph... Nice. I expect this to be damn entertaining. O'Reilly, Colbert to appear on each other's shows - CNN.com |
|