Thomas Stig Jacobsen’s constant why

The last couple of days I’ve been fooling around with Google Wave and it’s so called “Gadgets”. In relation to this I  couldn’t help trying out some simple XSS and XSSR techniques which I’ll now show you and hopefully the Google Wave developers so they can secure the Gadgets – creating a even better product. These gadget tests was made in the Google Wave preview and not in the Sandbox because I’m still waiting for being granted access to the Sandbox. When I acquire access to the Sandbox I’ll follow up on this blogpost. Lets get started with the fun shall we?

So  I started with stealing a basic example, cleaned it down, leaving only the raw gadget. From there I used the “gadgets.util.registerOnLoadHandler(init);” functionality to load potentially malicious code onLoad of the Gadget. This can be used to prompt the viewer of the Gadget for eg. login information. The normal trusting user wouldn’t suspect this risk since it was prompted by Google Wave, right?

Passing on I’ve created a couple of buttons in the Gadget which called a couple of Javascript function which did a couple of different things, one simple alerted the user, just to show that you could do anything.

One button changed window.top.location, sending the user to a completely other site, away from the “protecting” environment of Google Wave.

One button got the viewers Google Wave ID (an email), his/hers display name and his/hers thumbnail url. This could maybe be used to created fake accounts on websites, compromising the viewers exclusive use of his/hers email. Of course the email could also be harvested and sold to spamming bad guys with a lot of “Great deals on Viagra”.

The last button I created in this little Gadget example did also change the window.top.location but this time not to an url but instead to some data:text/html – base64 encoded. This could be used to show ads or propaganda to the viewer without a possibility to block a specific url, since this was content defined in the Gadget’s code itself.

This is what I’ve been doing the last day or two I have you read this and spread the word and of course leave a comment or a trackback. As said I’ll be back with more Google Wave security when I get access to the Sandbox

My Gadget can be viewed and tested at this URL:

http://e-x-e.dk/labs/waveHack/hack1.xml

My brother just got a new Playstation 3 for Christmas and since he is away to London right now I thought I would also have some fun with it

Anyway, I wanted to watch a movie and that’s no problem when we got a NAS at home but the DLNA server of the device is setup to only take content from the music folder on the device (for some reason the DNLA server in the NAS can only provide content from one folder). So I had to find another way to push content to the PS3 system. I knew I wanted to use the network connection since the whole house is build on this network anyway, and secondly I’m rather lazy. Furthermore I really wanted to take advantage of the build-in DNLA streamer/player in the PS3 so I had to setup some kind of DNLA server on my laptop or other kind of computer.

I Googled around the interwebs and found Java PS3 Media Server at Google Code. It’s an awesome project which I hope continues. Well the project looked really nice and I downloaded and installed the server only my laptop which easily should be able to serve the content seen from a processor (Intel Core 2 Duo, 1.8 GHz) and memory (3 GB) point of view.

First I tried to stream some random video content and is ran smoothly but when I choose a bit more demanding kind of content the stream just couldn’t keep up with the demand. I firstly tried to lower the transcoding settings and looked at the network load at the same time. This is what I found:

Note that I boosted the transcode buffer maximum size up to 600.0 MB.

Streaming audio

I set the default quality of audio streaming down from 640 KBit/s to 320 KBit/s and I did that first of all because I wanted to keep my portability and not needing a network cable plugged into both the laptop and the PS3 which both were operating wirelessly. Secounly I didn’t need all of that quality since I rip my CD’s at 320 KBit/s and the transcoding was going into AC3 which means that even at a low bitrate I would get rather good quality out of the Samsung LE32B535 which is connected to the PS3. I also changed the number of audio channels from a whooping 5.1 (6 channels) to stereo (2 channels) again because I wanted portability and I wasn’t streaming to any surround sound system.

When buffering a song the network load hits properly just maxes out. When the starting buffer is full and streaming normally the network load is just around 125.000 byte/sec (0.96 Mbit/sec) which I think is really good (when filling rest of the buffer). Keeping the normal network load under 1 Mbit/sec. means that nearly every wireless setup will be able to stream smoothly.

Streaming pictures

Not much to say here to be quite frank. The times it takes for the pictures to load is of course dependant of the size of the pictures and of course the maximum network speed.

Streaming video and problems

Good software always have a butt, and this one got a bad one of those. My network connection couldn’t keep up with the request of data and therefore the video was a real pain the in ass to watch. Well this only happen with some movies. I tried ripping in different bitrates at 1800 kilobyte/sec. the video stuttered every some seconds, but at around 1150 kilobyte/sec the network connection could keep up, but only just (stutters sometimes). So the real pain in the but is the network speed, I would recommend using cables (at least 100 megabit/sec. of course) when streaming stuff to your PS3 using this software. You could use at lower bitrate but then it wouldn’t really be fun to watch on a full HD monitor, right?

I think you should try it out In my tests both my PS3 and my laptop was in the other range of the wireless access point. When I get the time I’ll try the same tests with both devices connected to the network with cables.

Microsoft back in the day release a small paper on how to minimize the effect from the antivirus software on the operating system’s performance. Let me point out that the paper was released in July 2007.

But despite the fact of this almost (in computer and internet terms) prehistoric release date TrendLabs’s writer David Sancho still found it relevant to comment on it December 21, 2009. Hole smoke, talk about late timing.

The paper is written about which files you can let your antivirus software not scan in order to increase the performance of your operating system. The decrease of performance is due to file locking. Microsoft recommends that if you are having performance issues cost by the antivirus which is caused by these locked files. It’s a quick and rather dirty fix, which is also what David Sancho wants to point out.

David Sancho got the point when he say the following:

In line with this, we advise users to educate themselves fully about these recommendations before taking any action.

I states that the biggest risk to the consumers computer and internet security is the consumer themselves. As security professionals we need to secure the consumers from themselves because, sadly, they don’t have a clue of what they are doing or what they are agreeing when visiting malicious and non-malicious websites. This of course, is badly generalised but if you as a security concerned programmer wants to create the most secure environment for your user, you’ll have to secure the user from the user itself.

Back to the Microsoft paper. Microsoft as a huge influence on the users should consider more carefully what they are releasing to the public and most of all they should re-read their own papers at least every year in order to make sure that they are giving their users the best kind of advise and in that way contributing to a more secure environment for the normal user.

What do you think of all this? What should Microsoft do to create a more secure envirnorment? Or should the users be more poweruser like?

The Microsoft paper can be found here.

The blog post by David Sancho can be found here.

So right now I’m writing a rather huge project in school about “mathematical chaos theory in conjunction with traditional statistics in relation with a chemical experiment”. It’s REALLY exciting and fun (in a very geeky way). When working with numeric chaotic datasets it’s really handy to show the dataset in a graphical way. I of course choose to use the Google Chart API and created a simple sample application based on the “Valentine's Grouse”. The application can be altered by editing the GET parameter called “k”.

The application

The application with the “k” parameter set to “2.9”

The application is programmed in PHP and the source code can be seen here.

So If you read my previous post about the fact that Joomla sucks and why Joomla makes me so frustrated you properly thought I would be nice with some solutions on the problems stated.

So I created some hacks as answers, here goes:

A custom menu-maker operating in only one sub-level because that is what I needed. But if you need infinite sub-level just create a function from the code beneath.

 
$menu = JSite::getMenu();
foreach ($menu->getItems("parent", "0") as $item) {
	echo "
<li><a href="\"/$item-">link\">" . $item->name . "</a>";
	if ($menu->getItems("parent", $item->id)) {
		echo "
<ul>";
		echo "
 
";
		foreach ($menu->getItems("parent", $item->;id) as $subItem) {
			echo "
<li><a href="\"/$item-">link\">" . $subItem->name . "</a></li>
 
";
		}
		echo "
 
";
		echo "</ul>
 
";
	}
	echo "</li>
 
\n";
}

Please note that the menu items and the sub-level items is objects and not arrays of data.

So I got this job from a customer: setup a design from a sliced PSD file into some CSS formatted XHTML. Fair enough, that couldn’t be that hard – and it wasn’t. The real pain the in ass is NOW:

I have to set the darn thing up so it can run in Joomla! I’ve heard good things about Joomla in the past and I thought it would be a pleasure to do so. But I was wrong – boy was I wrong?!

First of all I got this horizontal menu at the top. I made it so it beautifully supports sub-items, nicely done in jQuery and in CSS. But since Joomla can’t generate the menu correctly itself I now have to hack Joomla and the menu in order to get the right view. It could have been nicely done if just Joomla offered some kind of advanced template functions like: “getMenuItems($menuId)”. I guess I’m just frustrated, I’ll move on to the some of the other stuff I guess – or so I thought.

I thought I could setup the place where the content goes but nooooooo. The div where the content goes is very specific with paddings, margins and width but I thought that putting in some content wouldn’t fuck that up but I was wrong again. Because for some unknown reason Joomla had to create nested divs, tables and what not inside my perfect CSS. And I can’t really hack this part because the “content holder” that Joomla uses is reused by all of it’s freaking components. I begin to wonder if it would be easier and faster to create this freaking thing from scratch!

I just gave up for today with a little hope though all of these freaking problems today. Because I maybe found a secret weapon within Joomla, an API – yes you read right! An API! The holy grail for a lot of developers as myself which do not accept the second best solution. But now I got a new problem! Only like 5 or 10% of this holy grail is documented in their API reference wiki.

Please comment or contact me if you got some solutions to some of my problems, if you are a Joomla geek or if you also got problems with Joomla and want to get it of your chest – just like I just did

I just created a working portfolio for well – work. In order to make a bit more easy to find I brought the domain thomasstigjacobsen.dk to hold the portfolio. So please visit it and see what I’ve done.

Note to the non-speaking visitors: the portfolio is in Danish right now but I’ll create some links to easily view the portfolio in other languages with some help from Google Translate

That’s all for now, see ya folks.

… so we can learn how to pick ourselves up.

These were the words from the butler of the notorious young Batman when he fell into empty well and he saw his biggest fear, which would also become his enemies biggest fear. Ironic and yet very powerful.

I’m no Batman and I’m not writing this on the bottom on an empty well as a “SAVE ME”-note. I were just disappointed in myself and therefore I’m now picking myself up, yet again. This was a fall like no other and right now it hurts more than anything else I’ve ever experienced yet I’ve had a bruised body and love life in the past.

I know how I can pick myself up again and in a quick manner because I know what and who I truly love. Therefore I do not need to sit with my head hanging low, I can rise and yet again live strong until I again fall and then – pick myself up yet again, stronger and strong for each and every time.

So, why do we fall? So we can learn how to pick ourselves up.

So after a not of attention after my first release of the Twitter Add-on for Google Chrome I decided to rewrite the whole thing today.

This has resulted in some dramatic changes and improvements. But I’ve also got some things I would like to investigate further to improve the extension further.

Why doesn’t the extension (toolstrip) catch backspace key press but it does catches a normal key press like an enter key press or a simple letter?

Furthermore I’m considering letting an “enter” key press in the input field call the TwitterMe() function instead of letting the button (id=”submitMe”) doing so.

If you got some thoughts on this please comment this post.

Now for the changes and improvements of the new version of the extension. As Aaron suggested in my last post as a comment to the first and earlier version I let the Twitter-icon be a controller for toggling the visibility of the input and button. This works quite well after I decided to use jQuery as the JavaScript framework in this extension. I would have liked to expand the extension in the height but I couldn’t get Chrome to “dynamically” change the height of the toolstrip, only the width. I think the below quote should be rewritten if it’s only possible “dynamically” change the height of the toolstrip.

The toolbar automatically detects how much space a toolstrip needs and reflows. So you can resize your toolstrip dynamically if you need a little more room temporarily. - http://dev.chromium.org/developers/design-documents/extensions/toolstrips

Aaron also asked why I didn’t use a XHR call to the (brilliant) Twitter API instead of using the server-layer and that me research the possibilities of such a solution. After some investigation it’s now working fantastic.

Furthermore I decided to kick out the username and password fields since they were ruining the flow of extension. Your username and password is now to be entered in the “twitter-interface.html” which now also is XHTML Strict 1.0 valid (if that matters anyway).

Underneath I’ll include the download link to the new version as well as some new screenshots. Have fun and comment please!

Download link: http://e-x-e.dk/labs/chrome-twitter/twitter-addon_v_0_2.zip

Did you enjoy this post? Have a look at the post before, in this post there are some more information about installing the add-on (extension): http://www.e-x-e.dk/2009/05/29/labs-twitter-add-on-extension-for-google-chrome/.

Did you like this post, take a look at the new post and the new version of the add-on (extension): http://www.e-x-e.dk/2009/05/30/labs-twitter-add-on-extension-for-google-chrome-new-version-new-post/.

So, today I saw some article about the Google Chrome add-ons (extensions as they also call them). And since I’m a Chrome user myself I decided to play along by creating a small basic extension for Chrome.

I went along and created a small extension which would update a persons status on Twitter (and possibly also Facebook - through the Twitter application). It works in a really simple fashion using a client-part and a server-part. I had to do so since Google Chrome doesn’t support native cURL yet. So this is how it works:

Client-part: A simple form containing the status, username and password which is posting to a php file (post.php).

Server-part: The server-part consists of the post.php and the twitterAPI.php. The post.php handels the post from the client and calls the function (in twitterAPI.php) which does a cURL post to the Twitter API. The function returns a fresh form ready to update the status after entering the new status and the password (username has been passed on after the return). The twitterAPI.php is a modified edition of the original work of Antonio Lupetti (http://woork.blogspot.com/2007/10/twitter-send-message-from-php-page.html)

For testing I just used the commandline option by editing the shortcut:
Target:
    "path_to_the_chrome.exe" --enable-extensions --load-extension="The_path_to_the_addon_folder"

    fx.
    "C:\Users\Thomas Stig Jacobsen\AppData\Local\Google\Chrome\Application\chrome.exe" --enable-extensions --load-extension="C:\Users\Thomas Stig Jacobsen\Documents\Chrome addons\twitter"
Start in:
    "path_to_your_chrome_application_folder"

    fx.
    "C:\Users\Thomas Stig Jacobsen\AppData\Local\Google\Chrome\Application"

I’m allowing anyone to use my server as the server-part (there is no kind of logging, I’m using the files that you can download underneath).

All the files can be found here:

http://e-x-e.dk/labs/chrome-twitter/twitter-addon.zip

Screenshot: