Dan Q

Month: June 2016

A Suitable Blog

At a little over 590 thousand words and spanning 1,349 pages, Vikram Seth’s A Suitable Boy is almost-certainly among the top ten longest single-volume English-language novels. It’s pretty fucking huge.

A Suitable Boy, seen from the edge
I’ll stick with the Kindle edition: I fear that merely holding the paperback would be exhausting.

I only discovered A Suitable Boy this week (and haven’t read it – although there are some good reviews that give me an inclination to) when, on a whim, I decided to try to get a scale of how much I’d ever written on this blog and then decided I needed something tangible to use as a comparison. Because – give or take – that’s how much I’ve written here, too:

Graph showing cumulative words written on this blog, peaking at 593,457.
At 593,457 words, this blog wouldn’t fit into that book unless we printed it on the covers as well.

Of course, there’s some caveats that might make you feel that the total count should be lower:

  • It might include a few pieces of non-content code, here and there. I tried to strip them out for the calculation, but I wasn’t entirely successful.
  • It included some things which might be considered metadata, like image alt-text (on the other hand, sometimes I like to hide fun messages in my image alt-text, so perhaps they should be considered content).

On the other hand, there are a few reasons that it perhaps ought to be higher:

  • It doesn’t include any of the content “lost” during the July 2004 server failure, some of which (like this post about Orange) were later recovered but many of which (like this post about Christmas plans and upcoming exams) remain damaged. It also doesn’t include any of the lost content from the original 1998/1999 version of this blog, only the weird angsty-teen out-of-context surviving bits.
  • Post titles (which sometimes contain part of the content) and pages outside of blog posts are not included in the word count.
  • I’ve removed all pictures for the purpose of the word count. Tempting though it was to make each worth a thousand words, that’d amount to about another one and a half million words, which seemed a little excessive.
A delicious-looking BLT. Mmm, bacon.
Another reason for not counting images was that it was harder than you’d think to detect repeat use of images that I’ve used too many times. Like this one.

Of course, my blog doesn’t really have a plot like A Suitable Boy (might compare well to the even wordier Atlas Shrugged, though…): it’s a mixture of mostly autobiographical wittering interspersed with musings on technology and geekery and board games and magic and VR and stuff. I’m pretty sure that if I knew where my life would be now, 18 years ago (which is approximately when I first started blogging), I’d have, y’know, tried to tie it all together with an overarching theme and some character development or something.

Or perhaps throw in the odd plot twist or surprise: something with some drama to keep the reader occupied, rather than just using the web as a stream-of-conciousness diary of whatever it is I’m thinking about that week. I could mention, for example, that there’ll be another addition to our house later this year. You heard it here first (unless you already heard it from somewhere else first, in which case you heard it there first.)

Annabel sitting on her daddy's knee and looking at sonograph pictures of her future baby brother.
Brought up in a world of tiny, bright, UHD colour touchscreens, Annabel seemed slightly underwhelmed by the magic of a sonograph picture of her future baby brother.

Still: by the end of this post I’ll have hit a nice, easy-to-remember 594,000 words.

Graph showing cumulative words written on this blog, peaking at 593,457.× A delicious-looking BLT. Mmm, bacon.× Annabel sitting on her daddy's knee and looking at sonograph pictures of her future baby brother.×

Article posted at UTC on .

5 comments

Anatomy of Cookie XSS

A cross-site scripting vulnerability (shortened to XSS, because CSS already means other things) occurs when a website can be tricked into showing a visitor unsafe content that came from another site visitor. Typically when we talk about an XSS attack, we’re talking about tricking a website into sending Javascript code to the user: that Javascript code can then be used to steal cookies and credentials, vandalise content, and more.

Good web developers know to sanitise input – making anything given to their pages by a user safe before ever displaying it on a page – but even the best can forget quite how many things really are “user input”.

"Who Am I?" page provided by University of Oxford IT Services.
This page outputs a variety of your inputs right back at you.

Recently, I reported a vulnerability in a the University of Oxford’s IT Services‘ web pages that’s a great example of this.  The page (which isn’t accessible from the public Internet, and now fixed) is designed to help network users diagnose problems. When you connect to it, it tells you a lot of information about your connection: what browser you’re using, your reverse DNS lookup and IP address, etc.. The developer clearly understood that XSS was a risk, because if you pass a query string to the page, it’s escaped before it’s returned back to you. But unfortunately, the developer didn’t consider the fact that virtually anything given to you by the browser can’t be trusted.

My Perl program, injecting XSS code into the user's cookie and then redirecting them.
To demonstrate this vulnerability, I had the option of writing Perl or Javascript. For some reason, I chose Perl.

In this case, I noticed that the page would output any cookies that you had from the .ox.ac.uk domain, without escaping them. .ox.ac.uk cookies can be manipulated by anybody who has access to write pages on the domain, which – thanks to the users.ox.ac.uk webspace – means any staff or students at the University (or, in an escalation attack, anybody’s who’s already compromised the account of any staff member or student). The attacker can then set up a web page that sets up such a “poisoned” cookie and then redirects the user to the affected page and from there, do whatever they want. In my case, I experimented with showing a fake single sign-on login page, almost indistinguishable from the real thing (it even has a legitimate-looking .ox.ac.uk domain name served over a HTTPS connection, padlock and all). At this stage, a real attacker could use a spear phishing scam to trick users into clicking a link to their page and start stealing credentials.

A fake SSO login page, delivered from a legitimate-looking https URL.
The padlock, the HTTPS url, and the convincing form make this page look legitimate. But it’s actually spoofed.

I’m sure that I didn’t need to explain why XSS vulnerabilities are dangerous. But I wanted to remind you all that truly anything that comes from the user’s web browser, even if you think that you probably put it there yourself, can’t be trusted. When you’re defending against XSS attacks, your aim isn’t just to sanitise obvious user input like GET and POST parameters but also anything that comes from a browser header including cookies and referer headers, especially if your domain name carries websites managed by many different people. In an ideal world, Content Security Policy would mitigate all these kinds of attacks: but in our real world – sanitise those inputs!

"Who Am I?" page provided by University of Oxford IT Services.× My Perl program, injecting XSS code into the user's cookie and then redirecting them.× A fake SSO login page, delivered from a legitimate-looking https URL.×

Article posted at UTC on .

6 comments

Fewer and Faster // John Nunemaker

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Sometimes I feel developers think that performance is a dark art. It is not. In my experience, well performing systems come down to this: fewer and faster. If you are doing something a lot, do it fewer times. If you are doing something that is slow, make it faster. It really is that simple. The more things you make your system do and the slower those things are, the worse your performance will be…

Repost posted at UTC on .

No comments

Dan Q found GLN7PDN2 A Marathon not a Sprint – Cutty Sark

This checkin to GLN7PDN2 A Marathon not a Sprint – Cutty Sark reflects a geocaching.com log entry. See more of Dan's cache logs.

A nice easy find while on my way to a meeting at the Naval College. Not too many muggles about at this time on a weekday morning, so only had to wait a few minutes for a window of opportunity to stealthily get to the cache. TFTC.

Payment Redirection Fraud

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Here is an example scenario… You receive an email requesting a payment. It could be for rent, it could be fees for a course or any other legitimate reason. Typically, the payment is a significant sum. The email contains the banking details you need to make the payment. Then shortly after the 1st email arrives…

Repost posted at UTC on .

No comments

A Research-driven Recruitment Story

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

[It] was initially frustrating to not be able to tell you things about who I am and what I’ve done. But it’s great that it’s a level playing field. By the final interview I was liking the process so much that I was reluctant to share my CV and de-anonymize myself. – Successful Careers applicant…

Repost posted at UTC on .

No comments

Dan Q found GLN6G06B North Moors View

This checkin to GLN6G06B North Moors View reflects a geocaching.com log entry. See more of Dan's cache logs.

Found on a gentle morning hike with my 2 year old niece. She was pretty keen on the loom band bracelet, but we hadn’t brought anything to exchange, so she made do with wearing it for a bit and showing it off to a ladybird we met, before returning it to the cache. TFTC.

DRY: Do Repeat Yourself

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I am increasingly of the opinion that the general software engineering adage “Don’t Repeat Yourself” does not always apply to web development. Also, I found that web development classes in CS academia are not very realistic. These two problems turn out to have the same root cause: a lack of appreciation of what browsers do…

Repost posted at UTC on .

No comments

The Golden Age of x86 Gaming

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I’ve been happy with my 2016 HTPC, but the situation has changed, largely because of something I mentioned in passing back in November: The Xbox One and PS4 are effectively plain old PCs, built on: Intel Atom class (aka slow) AMD 8-core x86 CPU 8 GB RAM AMD Radeon 77xx / 78xx GPUs cheap commodity…

Repost posted at UTC on .

No comments

Underground and Overground in the City of London

Despite being only a short journey away (made even shorter by the new railway station that appeared near by house last year), I rarely find myself in London. But once in a while a week comes along when I feel like I’m there all the time.

British Rail branded poster from an abandoned tunnel under Euston Station, circa 1960s.
TODO: funny caption

On Friday of last week, Ruth, JTA and I took one of the London Transport Museum‘s Hidden London tours. Back in 2011 we took a tour of Aldwych Tube Station, probably the most well-known of the London Underground’s disused stations, and it was fantastic, so we were very excited to be returning for another of their events. This time around, we were visiting Euston Station.

Our tour group gathers around the corner from Euston Station.
Stylish hi-vis jackets for everybody!

But wait, you might-well say: Euston station isn’t hidden nor disused! And you’d be right. But Euston’s got a long and convoluted history, and it used to consist of not one but three stations: the mainline station and two independent underground stations run by competing operators. The stations all gradually got connected with tunnels, and then with a whole different set of tunnels as part of the redevelopment in advance of the station’s reopening in 1968. But to this day, there’s still a whole network of tunnels underneath Euston station, inaccessible to the public, that are either disused or else used only as storage, air vents, or cable runs.

Disused lift shaft under Euston Station.
This lift shaft used to transport passengers between what are now the Northern and Victoria lines. Now it’s just a big hole.

A particular highlight was getting to walk through the ventilation shaft that draws all of the hot air out of the Victoria Line platforms. When you stand and wait for your train you don’t tend to think about the network of tunnels that snake around the one you’re in, hidden just beyond the grills in the ceiling or through the doors at the end of the platforms. I shot a video (below) from the shaft, periodically looking down on the trains pulling in and out below us.

No sooner were we back than I was away again. Last Saturday, I made my way back to London to visit Twitter’s UK headquarters in Soho to help the fantastic Code First: Girls team to make some improvements to the way they organise and deliver their Javascript, Python and Ruby curricula. I first came across Code First: Girls through Beverley, one of Three Rings‘ volunteers who happens to work for them, and I’ve become a fan of their work. Unfortunatley my calendar’s too packed to be able to volunteer as one of their instructors (which I totally would if it weren’t for work, and study, and existing volunteering, and things), but I thought this would be a good opportunity to be helpful while I had a nominally-“spare” day.

The coffee lounge on the administration/marketing floor of Twitter's offices in Soho.
Twitter’s offices, by the way, are exactly as beautiful as you’d hope that they might be.

Our host tried to win me over on the merits of working for Twitter (they’re recruiting heavily in the UK, right now), and you know what – if I were inclined towards a commute as far as London (and I didn’t love the work I do so much) – I’d totally give that a go. And not just because I enjoyed telling an iPad what I wanted to drink and then having it dispensed minutes later by a magical automated hot-and-cold-running-drinks tap nearby.

Twitter's reception with its "tweet wall" sculpture.
I’m not sure I ‘get’ the idea of a sculpture of tweets, though. Wouldn’t a “live display” have been more-thematic?

And that’s not even all of it. This coming Thursday, I’m back in London again, this time to meet representatives from a couple of charities who’re looking at rolling out Three Rings. In short: having a direct line to London on my doorstep turns out to be pretty useful.

British Rail branded poster from an abandoned tunnel under Euston Station, circa 1960s.× Our tour group gathers around the corner from Euston Station.× Disused lift shaft under Euston Station.× The coffee lounge on the administration/marketing floor of Twitter's offices in Soho.× Twitter's reception with its "tweet wall" sculpture.×

Article posted at UTC on .

3 comments

We Need to be Better

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

My post You Don’t Have to Do It has been getting an inordinate amount of attention in the last few months. As is often the case about anything in my life, I have mixed feelings about this. On the one hand, I really do think that polyamory isn’t for everyone, that while it’s a way…

Repost posted at UTC on .

No comments