Dan Q

Blog

Replacing “love” with “butt” in song lyrics

Seeing as it’s almost Valentine’s Day and by way of proof that I’m not always so serious as to write about important topics like WordPress’s CAPTCHA implementation or how I became a brony, here are some of the highlights of a conversation that Ruth and I just had (tapping in to our inner 12-year-olds, I guess: some alcohol might have been involved) about song lyrics that are immeasurably improved if you replace the word “love” with “butt”. Here are some of my favourites:

  • Greatest Butt Of All – Whitney Houston
  • Can You Feel The Butt Tonight? – Elton John
  • Shower Me With Your Butt – Surface
    Eww.
  • Big Butt – Fleetwood Mac
  • I Would Do Anything For Butt (But I Won’t Do That) – Meat Loaf
  • Too Much Butt Will Kill You
    “Torn between the butter and the butt you leave behind.” Yes, you can totally turn “lover” into “butter”, but it’s the addition of the word “behind” that made me snortle.
  • Thinking Out Loud – Ed Sheeran
    “Will your mouth still remember the taste of my butt? Will your eyes still smile from your cheeks?”
  • Butt Song For A Vampire – Annie Lennox
  • Bleeding Butt – Leona Lewis
    “Keep bleeding. Keep, keep bleeding, butt. You cut me open”
  • How Deep Is Your Butt? – Bee Gees
  • Addicted to Butt – Robert Palmer
    “It’s closer to the truth to say you can’t get enough. You know you’re gonna have to face it: you’re addicted to butt.”
  • One – U2
    “Did I disappoint you, or leave a bad taste in your mouth? You act like you never had butt and you want me to go without.”
  • Lay All Your Butt On Me – ABBA
  • Butt Stinks – The J. Geils Band
  • Tainted Butt – Soft Cell
  • Can’t Help Falling In Butt – Elvis Prestley

Okay, now I’ve got that out of my system we can carry on as normal.

Article posted at UTC on .

No comments

After Section 702 Reauthorization

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

After Section 702 Reauthorization – Schneier on Security (schneier.com)

For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We’ve just lost an important battle. On January 18, President Trump signed the renewal of Section 702, domestic mass surveillance became effectively a permanent part of US law. Section 702 was initially passed in 2008, as an…

Repost posted at UTC on .

No comments

Web! What is it good for?

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

https://adactio.com/journal/9016 (adactio.com)

You can listen to an audio version of Web! What is it good for?

I have a blind spot. It’s the web.

I just can’t get excited about the prospect of building something for any particular operating system, be it desktop or mobile. I think about the potential lifespan of what would be built and e…

You can listen to an audio version of Web! What is it good for?

I have a blind spot. It’s the web.

I just can’t get excited about the prospect of building something for any particular operating system, be it desktop or mobile. I think about the potential lifespan of what would be built and end up asking myself “why bother?” If something isn’t on the web—and of the web—I find it hard to get excited about it. I’m somewhat jealous of people who can get equally excited about the web, native, hardware, print …in my mind, if it hasn’t got a URL, it’s missing some vital spark.

I know that this is a problem, but I can’t help it. At the very least, I have enough presence of mind to recognise it as being my problem.

My problem, too. There are worse problems to have.

Repost posted at UTC on .

No comments

TFW a Twitter bot solves a video game mystery

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

TFW a Twitter bot solves a video game mystery | The Video Game History Foundation on Patreon (Patreon)

Official Post from The Video Game History Foundation: Something pretty fun happened yesterday that I wanted to share with you all: a bot on Twitter accidentally provided the clue that finally solved a 28-year-old mystery about a DOS game that never shipped.Yesterday, the VGHF Twitter account was tagged in a thread by @awesomonster, who was frantically

Something pretty fun happened yesterday that I wanted to share with you all: a bot on Twitter accidentally provided the clue that finally solved a 28-year-old mystery about a DOS game that never shipped.

Yesterday, the VGHF Twitter account was tagged in a thread by @awesomonster, who was frantically trying to figure out the origins of a screenshot:

StarTribes: Myth of the Dragon Lord

Repost posted at UTC on .

No comments

An Oxford book store is cashing in on the success of The Good Place by selling the moral philosophy and ethics books Chidi references in the series.

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

An Oxford book store is celebrating the success of The Good Place by selling the moral philosophy and ethics books referenced by Chidi Anagonye (William Jackson Harper) in the series – and its efforts are going viral.

The popular NBC and Netflix series aired its season two finale last week, and to commemorate that, Oxford’s Broad Street branch of Blackwell’s has put up a book stand titled ‘Chidi’s Choice’.

If you’ve not been watching The Good Place then, well: you should have been.

Repost posted at UTC on .

No comments

GDPR and Google Analytics

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

GDPR and Google Analytics (adactio.com)

Do you have permission for those third-party scripts?

Enforcement of the European Union’s General Data Protection Regulation is coming very, very soon. Look busy. This regulation is not limited to companies based in the EU—it applies to any service anywhere in the world that can be used by citizens of the EU.

Jeremy Keith raises some interesting points: when informed consent is required to track an individual, who is responsible for getting your users to “consent” to being tracked with Google Analytics and similar site-spanning tools? You? Google? Nobody? I’ve spent the weekend talking through only a handful of the woolly edges of the GDPR, especially regarding the liabilities of different companies (potentially not all of which are based in the EU) who are complicit in the collection of data on the same individuals but who have access to that data in different forms.

It’s complicated, yo. For the time being, I’m making sure that companies for which I have responsibility err on the “safe” side of any fuzzy lines, but I’m sure that others won’t.

Repost posted at UTC on .

No comments

My Blog Now Has a Content Security Policy – Here’s How I’ve Done It

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

My Blog Now Has a Content Security Policy – Here's How I've Done It (Troy Hunt)

I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake, you'll see one adorning Have I Been Pwned (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers. I'm a

I’ve long been a proponent of Content Security Policies (CSPs). I’ve used them to fix mixed content warnings on this blog after Disqus made a little mistake, you’ll see one adorning Have I Been Pwned (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers. I’m a fan (which is why I also recently joined Report URI), and if you’re running a website, you should be too.

But it’s not all roses with CSPs and that’s partly due to what browsers will and will not let you do and partly due to what the platforms running our websites will and will not let you do. For example, this blog runs on Ghost Pro which is a managed SaaS platform. I can upload whatever theme I like, but I can’t control many aspects of how the platform actually executes, including how it handles response headers which is how a CSP is normally served by a site. Now I’m enormously supportive of running on managed platforms, but this is one of the limitations of doing so. I also can’t add custom headers via Cloudflare at “the edge”; I’m serving the HSTS header from there because there’s first class support for that in the GUI, but not for CSP either specifically in the GUI or via custom response headers. This will be achievable in the future via Cloudflare workers but for now, they have to come from the origin site.

However, you can add a CSP via meta tag and indeed that’s what I originally did with the upgrade-insecure-requests implementation I mentioned earlier when I fixed the Disqus issue. However – and this is where we start getting into browser limitations – you can’t use the report-uri directive in a meta tag. Now that doesn’t matter if all the CSP is doing is upgrading requests, but it matters a lot if you’re actually blocking content. That’s where the real value proposition of a CSP lies too; in its ability to block things that may have been maliciously inserted into a site. I’ve had enough experience with breaking the CSP on HIBP to know that reporting is absolutely invaluable and indeed when I’ve not paid attention to reports in the past, it’s literally cost me money.

Repost posted at UTC on .

No comments

Bypassing WordPress / Jetpack’s “Prove your humanity:” CAPTCHA

One of the most-popular WordPress plugins is Jetpack, a product of Automattic (best-known for providing the widely-used WordPress hosting service “WordPress.com“). Among Jetpack’s features (many of which are very good) is Jetpack Protect which adds – among other things – the possibility for a CAPTCHA to appear on your login pages. This feature is slightly worse than pointless as it makes it harder for humans to log in but has no significant impact upon automated robots; at best, it provides a false sense of security and merely frustrates and slows down legitimate human editors.

WordPress/Jetpack's CAPTCHA, asking for the solution to "9+10="
Thanks, WordPress, for slowing me down with a CAPTCHA that a robot can solve more-easily than a human.

“Proving your humanity”, as you’re asked to do, is a task that’s significantly easier for a robot to perform than a human. Eventually, of course, all tests of this nature seem likely to fail as robots become smarter than humans (especially as the most-popular system is specifically geared towards training robots), but that’s hardly an excuse for inventing a system that was a failure from its inception. Jetpack’s approach is fundamentally flawed because it makes absolutely no effort to disguise the challenge in a way that humans are able to read any-differently than robots. I’ll demonstrate that in a moment.

Jetpack security settings: "Protect" switch
Don’t just disable this, though! Other “Protect” features make sense. If only you could disable just the one that doesn’t…

A while back, a colleague of mine network-enabled Jetpack Protect across a handful of websites that I occasionally need to log into, and it bugged me that it ‘broke’ my password safe’s ability to automatically log me in. So to streamline my workflow – as well as to demonstrate quite how broken Jetpack Protect’s CAPTCHA is, I’ve written a userscript that you can install into your web browser that will completely circumvent it, solving the maths problems on your behalf so that you don’t have to. Here’s how to use it:

  1. Install a userscript manager into your browser if you don’t have one already: I use Tampermonkey, but it ought to work with almost any of them.
  2. Install Jetpack Maths Solver.

From now on, whenever you go to a page whose web path begins with “/wp-login.php” that contains a Jetpack Protect maths problem, the answer will be automatically calculated and filled-in on your behalf. The usual userscript rules apply: if you don’t trust me, read the source code (there are really only five lines to check) and disable automatic updates for it (especially as it operates across all domains), and feel free to adapt/improve however you see fit. Maybe if we can get enough people using it Automattic will fix this half-hearted CAPTCHA – or at least give us a switch to disable it in the first place.

Update: 15 October 2018 – the latest version of Jetpack makes an insignificant change to this CAPTCHA; version 1.2 of this script (linked above) works around the change.

Article posted at UTC on .

5 comments

Improving URLs for AMP pages

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Improving URLs for AMP pages (Accelerated Mobile Pages Project)

TL;DR: We are making changes to how AMP works in platforms such as Google Search that will enable linked pages to appear under publishers’ URLs instead of the google.com/amp URL space while maintai…

TL;DR: We are making changes to how AMP works in platforms such as Google Search that will enable linked pages to appear under publishers’ URLs instead of the google.com/amp URL space while maintaining the performance and privacy benefits of AMP Cache serving.

When we first launched AMP in Google Search we made a big trade-off: to achieve the user experience that users were telling us that they wanted, instant loading, we needed to start loading the page before the user clicked. As we detailed in a deep-dive blog post last year,  privacy reasons make it basically impossible to load the page from the publisher’s server. Publishers shouldn’t know what people are interested in until they actively go to their pages. Instead, AMP pages are loaded from the Google AMP Cache but with that behavior the URLs changed to include the google.com/amp/ URL prefix.

We are huge fans of meaningful URLs ourselves and recognize that this isn’t ideal. Many of y’all agree. It is certainly the #1 piece of feedback we hear about AMP. We sought to ensure that these URLs show up in as few places as possible. Over time our Google Search native apps on Android and iOS started defaulting to showing the publishers URLs and we worked with browser vendors to share the publisher’s URL of an article where possible. We couldn’t, however, fix the state of URLs where it matters most: on the web and the browser URL bar.

Regular readers may recall that I’ve complained about AMP. This latest announcement by the project lead of the AMP team at Google goes some way to solving the worst of the problems with the AMP project, but it still leaves a lot to be desired: for example, while Google still favours AMP pages in search results they’re building a walled garden and penalising people who don’t choose to be inside it, and it’s a walled garden with fewer features than the rest of the web and a lock-in effect once you’re there. We’ve seen this before with “app culture” and with Facebook, but Google have the power to do a huge amount more damage.

Repost posted at UTC on .

No comments