hacking gadgets at town hall

hacking gadgets at town hall, originally uploaded by this is emily
oooo .. i'm inimitable :-)
Summary of pipe's talk
Stephen Judd has written up a good summary of Pipe's talk on browser/webclient security - read the original for more explanation - but here's his summary quoted:
- Traditionally, security focussed on protecting servers, and assumed that clients were not desirable targets.
- This isn’t true. Your PC is a desirable target:
  - You use your PC to do things of interest (like online banking)
  - Your PC can be used to attack other PCs.
- Your browser runs code (JavaScript) from untrusted sources.
- Browsers carefully run this code in a “sandbox”, with no access to your computer’s disk or to memory outside the browser, in the belief that this will protect your PC from malicious code. This won’t work:
  - First, your browser can do interesting things like make naughty requests to hack into other PCs.
  - Second, there are plenty of things that you do care about in your browser’s memory (like your online banking session) which are totally accessible from within the sandbox.
- Many sites (wrongly) allow users to inject Javascript into pages other people can see. That Javascript can seize control of your browser when you visit such a site. (This is called “cross-site scripting”).
- It is no use expecting sites you visit to protect you. Even when the owners are told about cross-site scripting problems, they often can’t be bothered fixing them. Among them are plenty of high-profile sites which you might well visit.
- That injected Javascript can:
  - “phone home” to a master server;
  - upload any data accessible from within the sandbox;
  - make naughty requests of other computers;
  - download further instructions from the master.
- There are already automated tools out there to do all this.
- Conclusion: any time you run a browser with Javascript on, and you visit a site with injected Javascript, your browser is no longer under your control. It will cough up details of any existing secure sessions and make requests elsewhere on behalf of its new controller. YOU ARE PWNED.
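As an added example (not from Stephen's summary or Pipe's talk), here is the "sites wrongly allow users to inject Javascript" point in miniature: a comment renderer that drops stored user text straight into the page, the escaped version that fixes it, and a rough check for active content in the output. The comment text and the function names are constructed for this example.

```javascript
// Added example, not code from the post or the talk. A comment saved by an
// untrusted user is later rendered into a page that other visitors see (the
// cross-site scripting case in the summary). The comment text and function
// names are constructed for this demo.

// Constructed stand-in for a comment stored from an untrusted user.
const storedComment = 'nice photo <script>alert(1)</script>';

// Vulnerable rendering: the user's text is concatenated straight into the
// HTML, so a visitor's browser runs whatever the comment contains.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// The fix: escape the characters that let text break out of an HTML text
// node or a quoted attribute value, before the text is placed in the page.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same renderer with the user-controlled part escaped: the comment is shown
// as literal text and no longer executes in the visitor's browser.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Rough defender-side check (a heuristic, not an HTML parser): does the
// rendered markup contain a script element or an inline event handler?
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=/i.test(html);
}

// Demonstration when run directly with node.
console.log('unsafe:', renderCommentUnsafe(storedComment),
  containsActiveContent(renderCommentUnsafe(storedComment)));  // true
console.log('safe:  ', renderCommentSafe(storedComment),
  containsActiveContent(renderCommentSafe(storedComment)));    // false
```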
i’ve been running with javascript (and other frilly bits) turned off for years – at first because of some strange need to check out the accessibility of websites i built and how other sites handle their supposed “graceful degradation”.
Websites abound that work mostly without javascript, and then suddenly there is one form amongst a hundred that only submits on change (such as flickr’s recent activity page, that’s the only bit i can’t use without javascript when there’s no real need for it).
Firefox now has some extensions to pick and choose what javascript you run… I’ve used opera for almost 15 years now, and it has, for as long as i can remember, let me enable script (and plugins and java etc) on a per domain basis.
Generally i run with script off, and enable it on a couple of domains, but when i hit a site that claims it _NEEDS_ it, i’ll alt tab over to firefox. If it’s gonna steal cookies / or browser memory, it’ll only find what i’ve got in firefox, and that isn’t much.. still it’s something and i’d be horribly pissed off to lose them.
So many sites, with nothing really special going on, that use javascript just to submit a form! E.g. twitter's update form. That's a site full of submissions from untrusted people and they make me use javascript.
It’s just plain stupid and shows they don’t understand the inherent risk of that javascript.
Who owns your snapper trail?
That big pile of accumulated data from years of using your snapper card, who owns it?
Snapper cards are smart cards in use on wellington buses. You use these to pay for your trips, and all other fares except the one trip cash fare have been phased out, so if you commute you gotta use snapper or start paying a fortune / carrying cash.

CC licensed photo by Alan Macdougall
Imagine all the bus trips, the shops you go past, the amounts you spend/topup. Google have proven the value of such information in their targeted adverts. Amassed enough data, it has a value, and who owns it? Can they sell it? Need they tell you if they sell it?
Today the New Zealand Privacy Commission told snapper they ought to revise their privacy policy (computerword.co.nz)
There are incentives to register your card -- being able to see an audit trail and claiming lost funds when you lose your card -- but even if you take the risk and don't register they're still building a good profile of nameless you and your movements.
My own thoughts: We can't be complacent and assume someone else is looking out for our privacy. While I might trust the folks who run snapper today (and I don't yet), do i know for sure i'll trust the folks who buy them out in 2 years time? For myself I would rather they collected no information at all -- beyond a short period of time (maybe 4 weeks), then I want my data gone, erased, unretrievable and/or completely unable to be matched up with me, because it's proven even the most trusted can screw up. In much the same way no-one can find out who voted for New Zealand First last election (though that's possibly a bad example).
Then there's nothing to lose, and nothing to sell.
culture shock impending
in the first week of September, i'm flying up to Auckland. There's a Girl Geek Dinner there as part of Microsoft Tech Ed. It's free if you have a tech ed ticket, or $90 if you don't.
I'm doing master-of-ceremonies duty along with Amanda Jackson -- Microsoft were kind enough to give me a free ticket to the whole conference, so i'm checking them out.
First bit of culture shock was this statement:
Speaker shirts can also be collected from the Speaker Preparation Room. Speaker shirts must be worn at all times. Black trousers or Chino style pants are required – no jeans please!
I own neither black pants (that aren't jeans) nor Chino style pants. I really didn't think geeks owned these things. Even at my most formal it's jeans + business jacket.
So what to wear?
Girl Geek Dinners
The August Girl Geek Dinner was a ball of fun - good food, good company, tech talks, geeky music.
There was a bit of a hiccup with the prize draws, as our lovely bar staff put their names in the draw, and then as chance would have it they won 3 of them! Most of these were re-drawn on the night (it wasn't made so clear it was a redraw later, and not a new prize).
The next dinner, we're hoping will be a high school edition. We're meeting with Tech angels from Wellington Girls High School, and then later yet more groups from around Wellington.
After that, the welly GGD team hopes for another dinner in late october or early november. I'm still hoping to have a robotics theme to this. If you know robotics people, please tell me about them
CPAN module
I've uploaded a perl module to cpan - Net::Twitter::Search
i needed it to fix up my twitter bot script - the first twitterbot to start using it is @tenz8 (Microsoft Tech Ed 2008).
The whole perl script that calls this module and powers the bot is available in my git repo. To get a copy do this:
1. install git (it's called git-core in debian distros)
2. git clone http://git.shiny.geek.nz/twitter/searchbot/
What i love about perl is mostly cpan! Almost everything you want to do, there's a module that does 90% of the work for you.
seedlings
The first of the spring seedlings are ready to go in the garden, but I'm gonna wait another week -- the first reason is i have a horrible head cold and i'm busy feeling sorry for myself. The second reason is all this hail we've had this week is probably not over yet.
see hail:
The seedlings ready are more lettuce, cabbage, snow peas and some green beans.
Beyond the committer
Drupal is an example of a project with one committer per branch -- there is only one person who will be putting code into the DRUPAL-5 branch in CVS. Likewise for all other stable branches.
CVS only has the concept of committer. All commits on that branch appear to be authored by that one person. The result is, we don't know who wrote what code anymore.
Other version control systems have authors. So, while Bob did the committing, it is recorded that Jane actually is the Author. You can go further and say that Pete did the design work and Sally did the Testing.
Git is my favourite of these.
When a project uses Git correctly, then I can find who wrote what.
Witness right now I have the simpletest framework missing some functionality I want (namely assertRaw()). I can copy this from Drupal's unit testing classes (based on simpletest) to the Simpletest project as a patch, but Drupal is GPL licenced, and Simpletest is LGPL. I'm not a lawyer. The simplest way of making sure this is okay is for me to holler on irc and say "Hey John, those 3 lines of code you wrote for Drupal, can I have your permission to copy those to a LGPL project?" -- easy enough to get a Yes and move on. Alas, drupal's CVS cannot tell me who wrote this 3 line function..
(it's 3 lines of code, 11 lines of comments.. <3 drupal's doxygen fetish )
check out the cil project -- it's very new, has only 1 committer (Andy) but already on ohloh.net you can see 5 contributors. They don't have any access to the main repository and yet their contributions are still recognised.
p.s. No SamV !! No!
who are you people?
i'm curious who is reading my blog.
How did you find me? What are you looking for? How many gadgets do you have on your person?
convoluted paths.
I do this a lot with my palm:
1. take photos with DSLR
2. put camera card into palm
3. send photo by email
This is the only method i've found for getting photos from my camera into my ipod touch so i can email them..
1. take photo with DSLR
2. photo saves to Eye.fi
3. Eye.fi connects to wifi, uploads to https://eye.fi
4. the eye.fi server pushes to flickr
5. I go to my flickr account with my ipod
6. Save photo from safari
7. Send photo by email
alas this requires being online with wifi (the final email step queues for later sending on both palm and ipod)
Wellington event hosts free software advocate Richard Stallman
Some shameless self promotion by me:
http://www.up.org.nz/gadgets-games-geeks-08
Free software advocate Richard Stallman is in New Zealand for a limited time to speak about copyright and share his experiences establishing the world’s first free user operating system.
A pioneer in ICT circles, US-based Stallman controversially started a movement based around sharing source code back in the 1970s when programming was still in its infancy and launched the development of the GNU operating system (www.gnu.org) in 1984.
Coined ‘Free Software’, Stallman’s aim was to allow the freedom to copy GNU and redistribute it, as well as to make changes either large or small – unlike single-user commercial operating systems. The GNU/Linux system is now used on tens of millions of computers around the world.
For his efforts, Stallman has received the ACM Grace Hopper Award, a MacArthur Foundation fellowship, the Electronic Frontier Foundation's Pioneer award, and the Takeda Award for Social/Economic Betterment, as well as several honorary doctorates.
Presenting alongside Richard Stallman at Gadgets, Games and Geeks is Brenda Wallace (Catalyst). Exhibitors include Snapper, Bookhabit, Mukuna, Magnum Mac, Altspace, 920, Vision, Tentacle Media, Filibuster Films, Xero, Epic Beer, and Tone Magazine.
The Gadgets, Games and Geeks Expo is happening Wednesday 13 August, 2008 at the Wellington Town Hall Council Chamber. The Richard Stallman seminar runs from 2.30pm - 5.00pm and the main event starts from 4:30pm.
Also - i'm rather excited that Epic Beer is gonna be there... mmmm... I like Epic

Girl Geek Dinner #2 in Wellington, New Zealand.
On Tuesday 5th August, 70 geeks gathered in the Emperor Suite at Chow from 6pm till late.
Each guest received a bag of goodies including a bottle of Epic Lager, laser cut decorated USB keys from Shift, Cafenet tokens and discount vouchers from Wanda Harland, amongst other things.
Sandy Mamoli spoke about the basics of Ruby on Rails; what to use it for, when to not use it. Jo Hall introduced us to Tech Angels, and described being a female Computer Science Student. Stacey Walker described "impostor syndrome". Sarah Wiig & Band played music, including a song about a Robot.
This is largely thanks to our wonderful sponsors:
More photos: http://www.flickr.com/photos/taniwha/sets/72157606574704827/
OLPC testing session
This morning a group of us (Martin, Tim, Leonie, Callum, Tabitha, Stephen and I) gathered at the Southern cross for brunch and an OLPC testing session. It involved following a test script to check what works, and what doesn't.
Result: 2 confirmed bugs, 11 new bugs filed, lotsa apps tested, lotsa existing bugs gone.
Barcamps on twitter
New barcamps are created on barcamp.org.nz from time to time - and it's hard to get the word out without resorting to evil spamming techniques and cross posting to a multitude of mailing lists.
So I turned on the Twitter module within barcamp.org.nz (it runs drupal).
Now you can follow edits on that site, on http://twitter.com/barcampnz
I LOVE EPIC BEER
AND!! I've discovered Mojo Invincible has a shipment of Epic Pale Ale arriving today. They also have a guy from Nelson named Dan playing music tonight.