The earliest memory I have of ‘programming’ is in the early/mid 90s when my father brought home a computer from work. We could play games on it … so of course I took the spreadsheet program he used (LOTUS 123, did I date myself with that?) and tried to modify it to print out a helpful message for him. It … halfway worked? At least I could undo it so he could get back to work…

After that, I picked up programming for real in QBASIC (I still have a few of those programs lying around), got my own (junky) Linux desktop from my cousin, tried to learn VBasic (without a Windows machine), and eventually made it to high school… In college, I studied computer science and mathematics, mostly programming in Java/.NET, although with a bit of everything in the mix. A few of my oldest programming posts on this blog are from that time.

After that, on to grad school! Originally, I was going to study computational linguistics, but that fell through. Then programming languages (the school’s specialty). And finally I ended up studying censorship and computer security… before taking a hard turn into the private sector to follow my PhD advisor.

Since then, I’ve worked in the computer security space at a couple of different companies. Some don’t exist any more, some you’ve probably heard of. I still program for fun too, and not just in security.

But really, I still have a habit of doing a little bit of everything. Whatever seems interesting at the time!

Ludum Dare 46: Tetris Sand

It’s been a while since I’ve last done a Ludum Dare. I felt the itch though, so let’s do it again.

Ludum Dare is an online event where games are made from scratch in a weekend. Check us out every April and October!

The theme this time: Keep it alive

I don’t know if I’ll make it all the way through or actually finish a game. But I’m going to give it a try!

read more...


Command line AES with openssl (and tar)

I had a script that would take a file and a passphrase and either encrypt it or, if already encrypted, decrypt it. It worked well enough and I got to play with the struct library. But it was home-grown (so not compatible with anything) and didn't properly validate anything. So perhaps I could do something better.

read more...


Get kitten

I upload a lot of images when testing for various things. And of course, I don’t want to use any of my own images. So what would I do instead?

Kittens!

$ get-kitten

Downloading a 640 x 480 kitten
Downloading to kitten-1.jpg

$ open kitten-1.jpg

Perfect.

read more...


Split a file with headers

I have a bunch of files with Arabic content that I need to split into chunks so they can be better run in parallel. But by default, when I open them in a text editor, the encoding changes from windows-1256 to utf-8. I could use the Unix split command to break them into chunks, but I need to preserve the headers. So… how do I fix all this?

Write a script!

read more...


Rack::Cors Configuration Tricks

cyu’s Rack::Cors middleware is rather handy if you want to control your CORS (Cross-Origin Resource Sharing) settings in a Ruby-on-Rails project. Previously, there was a fairly major issue where :credentials => true was the default (which you generally do not want: it tells browsers to send cookies along with cross-origin requests from every origin you allow), but there were also some more complicated tweaks that I wanted to make.

One problem I recently had to deal with was wanting to:

  • Allow CORS connections from arbitrary domains (this site functions as an API)
  • Do not allow CORS from http domains at all
  • Only allow cookies (Access-Control-Allow-Credentials) to be sent for sibling subdomains
  • Prevent cookies from being sent from specific sibling subdomains (that are actually run by a third party)
  • On development (non-production) versions of the site, allow credentials from localhost

read more...
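As an added example (not the post's own code, and not part of rack-cors itself), here are the five rules above as a small policy object, with the glue into Rack::Cors underneath. The class name, the example.com base domain and blog.example.com as the third-party sibling are assumptions. It uses the block form of origins, which rack-cors calls per request with the Origin header value, so the decision stays in plain Ruby and can be unit-tested without the middleware.

```ruby
require 'uri'

# Added example: CORS origin policy for the rules listed in the post.
# CorsOriginPolicy, example.com and the third-party host are assumed names.
class CorsOriginPolicy
  LOCALHOSTS = %w[localhost 127.0.0.1 [::1]].freeze
  Origin = Struct.new(:scheme, :host)

  # base_domain:        our apex domain; *.base_domain are "sibling subdomains"
  # third_party_hosts:  sibling subdomains run by someone else; they may call the
  #                     API like any other origin but must never get the cookie
  # development:        allow credentials from localhost on any scheme/port
  def initialize(base_domain:, third_party_hosts: [], development: false)
    @base_domain = base_domain.downcase
    @third_party_hosts = third_party_hosts.map(&:downcase)
    @development = development
  end

  # Rule 1 and 2: any origin may call the API, but only over https
  # (plus localhost in development, rule 5).
  def allowed?(origin)
    o = parse(origin) or return false
    return true if @development && localhost?(o)
    o.scheme == 'https'
  end

  # Rule 3 and 4: Access-Control-Allow-Credentials only for our own https
  # subdomains, never for the third-party ones; localhost only in development.
  def credentials?(origin)
    o = parse(origin) or return false
    return true if @development && localhost?(o)
    return false unless o.scheme == 'https'
    sibling?(o.host) && !@third_party_hosts.include?(o.host)
  end

  private

  # Lowercased scheme and host, or nil for anything that is not a well-formed
  # absolute origin (the literal "null" origin, garbage, missing host).
  def parse(origin)
    uri = URI.parse(origin.to_s)
    return nil if uri.scheme.nil? || uri.host.nil? || uri.host.empty?
    Origin.new(uri.scheme.downcase, uri.host.downcase)
  rescue URI::InvalidURIError
    nil
  end

  def localhost?(o)
    LOCALHOSTS.include?(o.host)
  end

  # Suffix check with the dot: app.example.com matches, example.com.evil.net does not.
  def sibling?(host)
    host == @base_domain || host.end_with?(".#{@base_domain}")
  end
end

# Wiring into rack-cors (needs the gem; call this from config/application.rb
# with config.middleware). Allow blocks are tried in order, so the credentialed
# rule must come first or the non-credentialed one would match our own subdomains.
def install_cors(middleware, policy)
  middleware.insert_before 0, Rack::Cors do
    allow do
      origins { |source, _env| policy.credentials?(source) }
      resource '*', headers: :any, methods: %i[get post put patch delete options head],
                    credentials: true
    end
    allow do
      origins { |source, _env| policy.allowed?(source) }
      resource '*', headers: :any, methods: %i[get post put patch delete options head],
                    credentials: false
    end
  end
end
```

Because the credentialed allow block is matched first, a third-party sibling such as blog.example.com falls through to the second block and gets plain CORS access without cookies, which is exactly the split the list asks for.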


Prevent JavaScript links by parsing URLs

If you have a website that allows users to submit URLs, one of the (many, many) things people will try in order to break your site is submitting URLs that use the javascript: scheme rather than the expected http: or https:. This is almost never something you want, since it lets a user submit essentially arbitrary code that other users will run on click in the context of your origin, with everything the same-origin policy grants your own scripts.

So how do you fix it?

The first thought would be to check the protocol with a regular expression:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

> safe_url('javascript:alert(1)')
false

read more...
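As an added example (not the post's code, which is Node.js), the naive prefix check from above is rewritten in Ruby alongside three constructed inputs that slip past it and still execute as links in a browser, followed by the parse-and-allowlist check the title suggests. The helper names and the allowlist of http and https are assumptions; \A stands in for the JavaScript regex's ^, since in Ruby ^ also matches after every newline.

```ruby
require 'uri'

# Added example: naive scheme check vs. parsing the URL and allowlisting schemes.
# naive_safe?, safe_url? and ALLOWED_SCHEMES are assumed names.
def naive_safe?(url)
  !url.match?(/\Ajavascript:/)
end

ALLOWED_SCHEMES = %w[http https].freeze

# Browsers (WHATWG URL spec) strip leading/trailing ASCII whitespace and remove
# every tab, LF and CR before parsing, so a validator must do the same or it is
# checking a different string than the one the browser will run.
def browser_normalize(url)
  url.to_s.gsub(/[\t\n\r]/, '').strip
end

# Accept only URLs that parse and whose scheme is on the allowlist. Anything
# that fails to parse, has no scheme (so relative and protocol-relative URLs
# too) or uses another scheme (javascript:, data:, vbscript:, ...) is rejected.
def safe_url?(url)
  uri = URI.parse(browser_normalize(url))
  !uri.scheme.nil? && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Constructed inputs: each one runs script when clicked, yet the naive check
# calls all three safe.
BYPASSES = [
  'JavaScript:alert(1)',    # scheme matching is case-insensitive
  ' javascript:alert(1)',   # leading whitespace is stripped by the browser
  "java\tscript:alert(1)"   # tabs and newlines inside the scheme are removed
].freeze

if $PROGRAM_NAME == __FILE__
  BYPASSES.each do |u|
    puts format('%-26p naive=%-5s parsed=%s', u, naive_safe?(u), safe_url?(u))
  end
end
```

Rejecting relative URLs is the conservative choice for user-submitted links; if your site needs them, resolve them against your own base URL before applying the same scheme check rather than loosening it.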


Forcing Secure Cookies Behind an ELB in Ruby/Rails

As part of general security good practices, you should always (whenever possible):

  • use HTTPS to serve all requests
  • serve redirects to upgrade HTTP requests to HTTPS
  • set session cookies to secure and http_only
  • enable HTTP Strict Transport Security (HSTS)

read more...
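As an added example (not the post's own code), the four practices above as one Rack middleware for the case where TLS terminates at an AWS ELB, which forwards plain HTTP to the instance and records the client's real scheme in X-Forwarded-Proto. The class name, the HSTS value and the sample app and requests are assumptions; a Rack env is a plain Hash and a response is [status, headers, body], so this runs without the rack gem, using the Rack 2 (capitalised) header names.

```ruby
# Added example: redirect to HTTPS, send HSTS and flag cookies Secure + HttpOnly
# behind a load balancer that terminates TLS. ForceSecure is an assumed name.
class ForceSecure
  HSTS_VALUE = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app, hsts: HSTS_VALUE)
    @app = app
    @hsts = hsts
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    headers = headers.dup
    # Browsers only honour HSTS on an https response, and https is the only
    # way to reach this line.
    headers['Strict-Transport-Security'] = @hsts
    headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # Behind the ELB the app itself only ever sees plain HTTP, so the decision
  # rests on X-Forwarded-Proto. Trusting that header is only safe when nothing
  # but the load balancer can reach the instance (security group); otherwise a
  # direct client can claim "https" and skip the redirect.
  def https?(env)
    return true if env['rack.url_scheme'] == 'https'
    env['HTTP_X_FORWARDED_PROTO'].to_s.strip.downcase == 'https'
  end

  # 301 for GET/HEAD; 307 keeps the method and body for everything else.
  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST'] || env['SERVER_NAME']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' },
     ["Redirecting to #{location}"]]
  end

  # Rack 2 joins several Set-Cookie values with "\n" (an Array is accepted here
  # too). Append Secure and HttpOnly to every cookie that lacks them; the
  # framework's session cookie is the one that matters most.
  def harden_cookies(set_cookie)
    list = set_cookie.is_a?(Array) ? set_cookie : set_cookie.split("\n")
    hardened = list.map do |cookie|
      attrs = cookie.split(';').map(&:strip)
      attrs << 'Secure' unless attrs.any? { |a| a.casecmp?('secure') }
      attrs << 'HttpOnly' unless attrs.any? { |a| a.casecmp?('httponly') }
      attrs.join('; ')
    end
    set_cookie.is_a?(Array) ? hardened : hardened.join("\n")
  end
end

# Constructed sample app and requests so the middleware can be exercised offline.
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => "_session=abc123; Path=/\nprefs=dark; Path=/; Secure" }, ['ok']]
end

def sample_request(proto, method: 'GET')
  { 'REQUEST_METHOD' => method, 'HTTP_HOST' => 'app.example.com',
    'PATH_INFO' => '/login', 'QUERY_STRING' => 'next=%2F',
    'HTTP_X_FORWARDED_PROTO' => proto, 'rack.url_scheme' => 'http' }
end

if $PROGRAM_NAME == __FILE__
  mw = ForceSecure.new(SAMPLE_APP)
  p mw.call(sample_request('http'))[0..1]
  p mw.call(sample_request('https'))[0..1]
end
```

In a Rails app the equivalent switch is config.force_ssl, which installs ActionDispatch::SSL; the value of spelling it out is seeing that every one of the four practices hinges on the same X-Forwarded-Proto trust decision, so lock the instance down to the load balancer before relying on any of them.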


Tiny Helper Scripts for Command Line MySQL

Quite often, I’ll find myself wanting to query and manipulate MySQL data entirely on the command line. I could be building up a pipeline or working on a task that I’m going to eventually automate but haven’t quite gotten to yet. Whenever I have to do something like that, I have a small pile of scripts I’ve written over time that help out:

  • skiphead: Skip the first line of output, used to skip over headers in a query response
  • skipuntil: Skip all lines until we see one matching a pattern, used to resume partial tasks
  • commaify: Take a list of single values on the command line and turn them into a comma separated list (for use in IN clauses)
  • csv2json: a previously posted script for converting csv/tab delimited output to json
  • jq: not my script, but used to take the output of csv2json and query it further in ways that would be complicated to do with SQL

Admittedly, the first two of those are one-liners and I could easily remember them, but the advantage of a single command that does it is tab completion. sk<tab>, arrow to select which one I want, and off we go. I could put them as an alias, but I don’t always use the same shell (mostly fish, but sometimes Bash or Zsh).

read more...