Archive for the ‘Uncategorized’ category
Session steganography idea
July 1st, 2010
Quick idea I had the other day. Session ID tokens are typically short strings of seemingly random characters. While they don’t typically change all that much during a session, it’s good practice to change the session ID every so often to help prevent security attacks. If someone were to periodically change the session ID, and hide a short message in the ID values such that, when strung together, the message could be extracted, would that be a useful way of transmitting data in a hidden manner? I’m not sure how much info you could reasonably hide in a series of short session IDs, but it seems like this would be possible.
Web sites need direct access to tech support
February 16th, 2009
This isn’t the first time this has happened to me, just the most recent.
My wife likes to visit qvc.com. Their site is broken. More specifically, I think something is wrong with their DNS. I can’t really prove much of anything, other than DIGging from both my home in Raleigh and my servers in Dallas prove ineffective.
Details – qvc.com doesn’t come up, but www.qvc.com does. Right there is already a clue of either poorly managed DNS overall, or something’s gone wrong recently. I suspect the latter.
From community.qvc.com – the community area – many links (login and such) go to https://quality-s.qvc.com/… The quality-s.qvc.com domain never responds.
Digging at earthlink gives me:
dig @ns1.earthlink.net qvc.com
; <<>> DiG 9.4.2-P2 <<>> @ns1.earthlink.net qvc.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10778
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;qvc.com. IN A
;; ANSWER SECTION:
qvc.com. 22797 IN A 167.140.19.231
;; AUTHORITY SECTION:
qvc.com. 38628 IN NS ns2.qvc.com.
qvc.com. 38628 IN NS ns3.qvc.com.
qvc.com. 38628 IN NS ns1.qvc.com.
;; ADDITIONAL SECTION:
ns1.qvc.com. 22876 IN A 167.140.19.14
;; Query time: 88 msec
;; SERVER: 207.217.126.41#53(207.217.126.41)
;; WHEN: Mon Feb 16 13:59:34 2009
;; MSG SIZE rcvd: 111
and against quality-s in particular
dig @ns1.earthlink.net quality-s.qvc.com
; <<>> DiG 9.4.2-P2 <<>> @ns1.earthlink.net quality-s.qvc.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29238
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;quality-s.qvc.com. IN A
;; ANSWER SECTION:
quality-s.qvc.com. 22763 IN A 167.140.19.204
;; AUTHORITY SECTION:
qvc.com. 38585 IN NS ns1.qvc.com.
qvc.com. 38585 IN NS ns2.qvc.com.
qvc.com. 38585 IN NS ns3.qvc.com.
;; ADDITIONAL SECTION:
ns1.qvc.com. 22833 IN A 167.140.19.14
;; Query time: 123 msec
;; SERVER: 207.217.126.41#53(207.217.126.41)
;; WHEN: Mon Feb 16 14:00:18 2009
;; MSG SIZE rcvd: 121
What I can tell by this (I think) is that I should be using nsX.qvc.com (1,2 or 3).
Digging against any nsX.qvc.com for quality-s.qvc.com brings back:
dig @ns1.qvc.com quality-s.qvc.com
; <<>> DiG 9.4.2-P2 <<>> @ns1.qvc.com quality-s.qvc.com
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
So, what do you do when you find these sorts of problems? Who do you contact? QVC has a “contact us” form located – can you guess where? – on a link at quality-s.qvc.com. YAY!!!
I called their 800 number and tried to report the issue but it was of little (or no?) use. I twittered to ‘behindTheQ’ which is supposedly someone at QVC. That person is probably off today for President’s Day.
There needs to be some sort of directory that web tech depts can register themselves with to be able to take direct (or indirect – form submissions?) input from tech-savvy users. The regular ways of communicating in to a company generally direct you to sales or product/service support, with no way of getting real information to real people.
Just like a company needs to have a registered agent to be incorporated in most areas, perhaps a ‘registered agent’ concept for tech depts?
I had a similar issue back in 2001 (or 2002? or 2000?). Adobe.com’s domain name had been hijacked, and their DNS names were slowly going away. The main www.adobe.com was up, so most people didn’t notice anything, but weirder FTP server addresses were going away. I tried to contact anyone at Adobe I could, and had to deal with ‘help desk’ people saying “the website is fine sir – try rebooting your Windows 2000 machine”. I asked if they could actually surf out to the public internet – yahoo, for example. “No sir,” was the answer. “So, you’re only looking at your own site from inside your building. Of course it works for you *there*. It doesn’t work *outside*.” Hung up. Finally raised enough of a racket that someone from their legal dept called me back and said I was right, but asked me not to say anything – they were dealing with it. They couldn’t actually *tell* me it was a Chinese org that had hijacked it, but she hadn’t denied it.
Anyway, I’m not suggesting QVC has been hijacked. It’s just *broken*, and I don’t know how to let anyone *know*! I’m a customer, trying to make your company better, and I have *no way* of telling you how to do that! ARGH!

Banks, Troubled Assets, Congress and trust
January 28th, 2009
Just read this at Yahoo:
“Financial stocks led Wall Street higher Wednesday on investor hopes the Obama administration will create banks to absorb the bad assets weighing down the financial system.”
Moderately good news short term, and a move I think will help us over the long haul. IF IT’S TRUE. I want to believe the Obama administration. They’re new, and have something to prove.
But weren’t we just here in September and October last year? Wasn’t the plan last October to have the federal government buy up “troubled assets” from banks to give their books that “clean slate” look? Instead, after approving hundreds of billions of dollars to buy troubled assets from banks, we simply gave the banks a bunch of money. Without interrogating them, or making them come up with a plan for the money, or any of the hoops Congress forced GM and Ford to jump through just a few weeks later.
I suspect this time we’ll see the actions that we tell Congress to approve *actually* happen, but it’s *really* hard to be trusting of anything these days. I heard a news report about this yesterday – a talking head style news report (commentary) and no one even mentioned that this was the exact same idea that was floated, voted on, and approved not 3 months ago.
grumble grumble grumble…
GroovyMag subscriptions
January 17th, 2009
I’ve added a subscription process to GroovyMag.com, so anyone wishing to purchase GroovyMag in advance for the next year can do so. A number of people had inquired about this, but I was a little reluctant to add that functionality early on (mostly because there was so much else to do at that point). So, if you’re interested in keeping up to date with Groovy and Grails, subscribe to GroovyMag today.
Codemash update
January 8th, 2009
Awesome presentations by people, and of course great conversations with people in the halls and such. I’m probably going to hit an open spaces or two tomorrow. Also, for webdevradio, going to catch up with some people I spoke to last year and see how they’ve progressed over the last year with all the webdev changes.
My “groovy/grails for non-java developers” went *ok*, but wasn’t as great as I’d wanted it to be. I tend to be my own worst critic, but I got past the nerves and got *most* of the points across that I wanted to.
If you want to catch up while you’re here, ping me on twitter or just ask around to find me. I’ll be here thru Sat morning, so if you’re around and want to have breakfast Saturday morning, let me know.
Best taxi service experience ever (in Raleigh/RDU)
January 8th, 2009
Not much to say other than I had the best end to end taxi experience ever, using http://www.allamericanlimousinetransp.com/
Very long domain name, but great service. The owner (I think) asked me to email in specifics so he’d have them. No one has ever asked that before. I had some weird stuff – needed someone to meet and greet my wife at airport. Jimmy took care of the whole thing – they waited when my wife’s plane was delayed, and didn’t charge extra for it. Emailed a receipt to me this morning, called me directly when there was a change of driver, ensured he had all the right information.
Perhaps all of you have had that service all the time, but I never have. I’ve had people who can barely repeat back to me what I say without getting it wrong, delayed service, and mediocre attitudes from other taxi services over the years.
This was the best experience we’ve had in a long time. We don’t use taxis much, but would use them again in a heartbeat.
Back from Christmas – New Year’s Eve alone this time
December 31st, 2008
My wife is still in Australia – it’s already Jan 1 there, but we’ve still got another 15ish hours to go before 2009.
Not sure if I’ll go ‘do’ anything this year or not. Generally we (wife and I) don’t do much on NYE anyway, so doing anything without her might feel ‘wrong’ somehow.
I might go grab some Bailey’s Irish something-or-other and have a few drinks tonight. Had some at my grandparents’ house and forgot how much I’d liked it! :p
Working on many small projects trying to get things tied up, and planning for GroovyMag Jan (tomorrow, hopefully), Codemash presentation (still working!) and PHP training (next monday!) Lots to do in the next few days!
Me griping about PHP :) (closures this time)
December 21st, 2008
Yeah, that’s about all this post will be. I read an article from IBM developerworks on the upcoming 5.3 features, and something got my dander up: closures.
I first got acquainted with closures in Groovy last year, and love them. They make sense. The syntax is pretty easy, and feels natural in the language. Not so in PHP. Once again, inconsistencies are not just legacy issues in PHP – they are created anew for us to deal with for years to come.
Look at the example here:
class Dog
{
    private $_name;
    protected $_color;

    public function __construct($name, $color)
    {
        $this->_name = $name;
        $this->_color = $color;
    }

    public function greet($greeting)
    {
        // Note: $this is only bound inside a closure automatically from PHP 5.4;
        // on 5.3 itself this example would fail when the closure is called.
        return function() use ($greeting) {
            echo "$greeting, I am a {$this->_color} dog named {$this->_name}.";
        };
    }
}
Given that ‘anonymous function’ inside the greet() method is a closure, WHY NOT NAME IT THAT? The PHP Reflection API was updated to include a “getClosures()” method, but what would you get? The keyword “closure” doesn’t exist, but could have. Instead we now have the keyword “function” looking like two different entities – it looks like a function call when used with the () directly after it, and it also still has its traditional function fname() syntax.
I have to teach this stuff, and being explicit with a closure keyword would have saved a lot of headaches to come in explaining this stuff to people. Additionally, it would have been less to type.
Compare
return function() use ($greeting) {
    echo "$greeting, I am a {$this->_color} dog named {$this->_name}.";
};
with
return closure($greeting) {
    echo "$greeting, I am a {$this->_color} dog named {$this->_name}.";
};
What’s more explicit, easier to understand, and fewer characters to type? Given the recent namespace separator debacle (using \ as a namespace separator, and justifying it because it’s “fewer characters to type”), I can’t really understand the rationale behind the closure syntax.
To be fair, the closure syntax RFC was up at http://wiki.php.net/rfc/closures and I didn’t comment in time. So, I guess it’s all my fault.
Beauty and elegance have never been PHP’s strong suit, but it seems people went out of their way to make this unintuitive and bulkier than it needed to be. :/
On a broader note, I really think the bulk of these changes (closures, namespaces, etc.) should have been put in php6 only, not in the 5.3 series. I understand the need for testing and such, but we’re implementing new functionality and defining how it is expected to work based on the current PHP5 Zend Engine. Whatever useful changes might make a PHP6 faster/better/whatever can’t easily be implemented because the ‘new’ features are all dependent on a core engine that’s already 5 years old, which itself was built with an eye towards backwards compatibility to PHP3. Strategically, it just feels like the wrong move. But hey, what do I know, right? I can’t write C code patches, so my views don’t really have much weight, do they?
Tivo should license their tech to the web space
November 24th, 2008
Tivo should license their player/interface/tech to developers to create Flash/Silverlight/JavaFX implementations of Tivo-style playback and record.
I was discussing this with Wayne Sutton the other day, in anticipation of the Youtube Live event. I was watching Wayne speak on a webcam, and there were a group of us text chatting with him, and he was pontificating (as only Wayne can!) about stuff. I mentioned that there’s no Tivo-style interface for web “streaming video” sites. He seemed a bit taken aback at first, then agreed that it would be a good feature to have. He’d said *something* about what time the Youtube event was happening, and I’d missed what he said, but I had *no* way of going back and finding it.
Yes, we do have ‘playback’ *after* an event is streamed (if a producer archives it for streaming) but there’s nothing to let us pause or rewind a live streaming event. Yet we’ve been able to do that in the ‘old fashioned TV’ space for close to 10 years (via Tivo, and now other digital cable set top boxes).
I’ve pretty much 0 idea why this isn’t being done today. I also suspect that any tech that makes it easy to implement that (Flash/Flex, JavaFX, etc) would go a long way towards making that feature a ‘gotta have’, and encouraging migration to that platform to satisfy that demand.
GroovyMag promo video
November 9th, 2008
I got to know iMovie a little this afternoon, and put together a ‘groovy’ promo video for GroovyMag. Have a look!