Categories
internet programming

Troy Hunt: Promiscuous Cookies and Their Impending Death via the SameSite Policy

Yet another potentially breaking change on the web. This time round it involves cookie handling (in the upcoming Chrome 80). The objective is to close off a class of attacks known as CSRF (cross-site request forgery). Expect other browsers to follow suit.

… any websites you’re responsible for that are passing cookies around cross domain by POST request and don’t already have a SameSite policy are going to start misbehaving pretty quickly

Source: Troy Hunt: Promiscuous Cookies and Their Impending Death via the SameSite Policy

Categories
programming

How to Build Good Software

A break from the usual articles on cybersecurity. This is a good article that talks about the problems of software development and some strategies for mitigating them:

  • starting simple
  • focussing on the problem
  • iteration
  • spending time between expanding features and reducing complexity

Software has characteristics that make it hard to build with traditional management techniques; effective development requires a different, more exploratory and iterative approach.

Source: How to Build Good Software

Categories
internet programming security

unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge

CAPTCHA is almost ubiquitous in today’s web applications and an extremely popular CAPTCHA implementation is Google’s, namely reCaptcha. reCaptcha provides an audio version for visually-impaired users. Researchers manage to make use of free speech-to-text services to defeat audio reCaptcha.

unCaptcha: Talk is cheap in defeating reCaptcha

Source: unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge

Categories
bug programming

24-core CPU and I can’t type an email (part one)

When software doesn’t behave as expected, it can be really difficult to find out why. In this case, someone experienced an odd hanging problem while using GMail on his powerful computer and decides to investigate. Read on for all the gory details.

…I was just engaging in that most mundane of 21st century tasks, writing an email at 10:30 am. And suddenly gmail hung. I kept typing but for several seconds but no characters were appearing on screen. Then, suddenly gmail caught up and I resumed my very important email. Then it happened again, only this time gmail went unresponsive for even longer.

Source: 24-core CPU and I can’t type an email (part one)

Categories
programming

Nibble Stew – a gathering of development thoughts: “A simple makefile” is a unicorn

Unicorn as in the mythical creature, not what VC’s think about.

Like every sentence that has the word “just”, this is at best horribly simplistic but mostly plain wrong. Let’s dive in more detail into this. If you look up simple Makefiles on the Internet, you might find something like this page. It starts with a very simple (but useless) Makefile and eventually improves it to this:

Source: Nibble Stew – a gathering of development thoughts: “A simple makefile” is a unicorn

Categories
programming

Turning Design Mockups Into Code With Deep Learning

At the current stage it could help front-end developers in some of the grunt work in converting design templates into code. Some would go further to think that it will eliminate web development jobs. That is certainly not the case, as modern websites are not static “pages” but more like applications. Someone will still need to design the behaviour and logic.

In this post, we’ll teach a neural network how to code a basic a HTML and CSS website based on a picture of a design mockup. Here’s a quick overview of the process:

Turning Design Mockups Into Code With Deep Learning

Categories
3D programming

[github] kosua20/herebedragons

Someone implemented the same 3D scene using different API/frameworks. Interesting from a learning point of view. But as someone commented in HN, some implementations could be made to look the same given enough effort.

This repository contains multiple implementations of the same 3D scene, using different APIs and frameworks on various platforms. The goal is to provide a comparison between multiple rendering methods. This is inherently biased due to the variety of algorithms used and available CPU/GPU configurations, but can hopefully still provide interesting insights on 3D rendering.

[github] kosua20/herebedragons

Categories
programming

Starbucks should really make their APIs public. – Tendigi

See how closed API reverse engineering typically happens.

Now that I was able to sign and fingerprint my login requests, I combined everything into a small Node.js module that allows some basic Starbucks API functions. The good news is that it’s (mostly) hosted here on GitHub!

Voilà! Programmatic coffee.

Source: Starbucks should really make their APIs public. – Tendigi

Categories
programming sysadmin

AWS and Azure in Plain English

If you are not an architect-level user of AWS you will probably be lost in the ever growing list of AWS services. The non-obvious names (Cognito, Athena, anyone?) for the services doesn’t help. Now someone is attempting to provide a – sometimes tongue-in-cheek – explanation of those services. Well, it’s not exactly plain english, but good attempt anyway. An Azure version is also available.

  1. AWS in Plain English
  2. Azure in Plain English
Categories
programming

Programming bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years

Like I always say, all (non-trivial) software have bugs. It’s a matter of when and if they are discovered. If you’re lucky, the bugs may only result in financial loss. In more serious cases, safety and security can be compromised.

When the system was introduced in the mid-1990s, the program code filtered out any transactions that were given three-digit branch codes from 089 to 100 and used those prefixes for testing purposes.

But in 1998, the company started using alphanumeric branch codes as it expanded its business. Among them were the codes 10B, 10C and so on, which the system treated as being within the excluded range, and so their transactions were removed from any reports sent to the SEC.

Source: Programming bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years