May 15, 2015

The Trojan Emoji

Andrew Nacin, lead developer of WordPress, just finished a talk at Loopconf about a series of related WordPress security fixes that spanned two years, with the final fix landing in WordPress core under the guise of Emoji support.

The code has been in trunk since January, months before the release of 4.2. But it was there under the guise of Emoji support, as “no one had any idea what it did because it was 1,000 lines of the database abstraction layer to just remove invalid characters.”

Because of how opaque the vulnerability and the corresponding fix were, the team was able to spend a very long time working on and fixing the issue, all without exposing the vulnerability to the general public.

Beautiful. (via ma.tt)

May 14, 2015

Forgot to mention this yesterday: version 4.1 of the Most Popular Tags plugin has been released. This version adds support for vh and vw CSS font size units.

YouTube Overrides Konami’s Video Takedown

George “Super Bunnyhop” Weidman published “Kojima vs. Konami: An Investigation” more than two weeks ago, in which he alleged an insider at the company had passed on information about the deteriorating relationship between Metal Gear designer Hideo Kojima and Konami.

“This may be the first time YouTube has quickly stepped in and reviewed a bogus copyright claim for a gaming video,” he said to me over email. “If that’s the case, then my situation my [sic] be breaking new ground, and this could be good news for YouTubers everywhere.”

Score one for the good guys.

May 13, 2015

Input Type Sandbox

Test onscreen keyboards, input types, patterns and attributes.

A great way to test just how inconsistent support for different types is across browsers.

Bloom Filter for JavaScript

I wrote a very fast bloom filter implementation in JavaScript called bloomfilter.js. It uses the non-cryptographic Fowler–Noll–Vo hash function for speed. We can get away with using a non-cryptographic hash function as we only care about having a uniform distribution of hashes.

The implementation also uses JavaScript typed arrays if possible, as these are faster when performing low-level bitwise operations.
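As an added illustration (not the bloomfilter.js code itself), here is a small Bloom filter in JavaScript built the same way the post describes: a Uint32Array bit set and 32-bit FNV-1a hashing, with the k bit positions derived by double hashing. The second-hash seed, the sizing formulas and all names are this example's own choices.

```javascript
// Added example, not the bloomfilter.js library's own code: a Bloom filter
// over a Uint32Array bit set, keyed by 32-bit FNV-1a, with the k positions
// derived by double hashing (Kirsch-Mitzenmacher). Seeds and names are
// this example's assumptions.

// 32-bit FNV-1a over the UTF-16 code units of a string. `seed` defaults to
// the standard offset basis; a different seed yields a second hash.
function fnv1a32(str, seed = 0x811c9dc5) {
  let h = seed >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0; // multiply by the 32-bit FNV prime
  }
  return h;
}

// Optimal bit count m and hash count k for n items at false-positive rate p.
function bloomParams(n, p) {
  const m = Math.ceil(-n * Math.log(p) / (Math.LN2 * Math.LN2));
  const k = Math.max(1, Math.round((m / n) * Math.LN2));
  return { m, k };
}

class BloomFilter {
  constructor(m, k) {
    this.m = m;
    this.k = k;
    this.count = 0;
    this.bits = new Uint32Array(Math.ceil(m / 32)); // one bit per position
  }

  // h_i(x) = (h1(x) + i * h2(x)) mod m. h2 is forced odd so successive
  // positions still differ when m is a power of two.
  positions(item) {
    const h1 = fnv1a32(item);
    const h2 = (fnv1a32(item, 0x9747b28c) | 1) >>> 0; // constructed seed
    const out = new Array(this.k);
    for (let i = 0; i < this.k; i++) out[i] = (h1 + i * h2) % this.m;
    return out;
  }

  add(item) {
    for (const p of this.positions(item)) this.bits[p >>> 5] |= 1 << (p & 31);
    this.count++;
  }

  // false means "definitely never added"; true means "probably added".
  has(item) {
    return this.positions(item).every(
      p => (this.bits[p >>> 5] & (1 << (p & 31))) !== 0
    );
  }

  // Textbook estimate (1 - e^(-kn/m))^k for the current number of items.
  expectedFalsePositiveRate() {
    return Math.pow(1 - Math.exp(-this.k * this.count / this.m), this.k);
  }
}

// Measure the false-positive rate empirically on constructed keys.
function measureFalsePositives(n, p, probes) {
  const { m, k } = bloomParams(n, p);
  const bf = new BloomFilter(m, k);
  for (let i = 0; i < n; i++) bf.add(`member-${i}`);
  let falsePositives = 0;
  for (let i = 0; i < probes; i++) if (bf.has(`absent-${i}`)) falsePositives++;
  const allMembersFound = Array.from({ length: n }, (_, i) => bf.has(`member-${i}`))
    .every(Boolean);
  return {
    m, k, allMembersFound,
    observedRate: falsePositives / probes,
    expectedRate: bf.expectedFalsePositiveRate(),
  };
}

console.log(measureFalsePositives(100, 0.01, 1000));
```

The post's point about the hash holds as long as the keys are not chosen by an adversary: a non-cryptographic hash gives a uniform spread for ordinary input, but anyone who can pick the keys can search for ones that share bit positions and inflate the false-positive rate. Where membership answers matter to a trust decision, use a keyed hash with a secret key instead.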

stamp

Format dates and times based on human-friendly examples, not arcane strftime directives.

Such tools should be available for every language under the sun.
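To show what example-driven formatting looks like in code, here is an added JavaScript sketch of the idea (it is not the stamp project's code, and its internals are this example's own). It assumes a fixed reference moment, Monday 2 January 2006 at 15:04:05, and matches the example string against the known spellings of that moment, longest first, keeping everything else as literal text.

```javascript
// Added example, not the stamp project's code: formatting dates from a
// human-friendly example instead of strftime directives. The reference moment
// (Monday, 2 January 2006, 15:04:05) is an assumed convention chosen so every
// field has a distinct spelling.

const MONTHS = ["January", "February", "March", "April", "May", "June", "July",
  "August", "September", "October", "November", "December"];
const DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
  "Saturday"];
const pad = (n) => String(n).padStart(2, "0");
const hour12 = (d) => d.getHours() % 12 || 12;

// How the reference moment is spelled under each token, and how to render
// any other Date the same way.
const TOKENS = [
  { ref: "January", fmt: d => MONTHS[d.getMonth()] },
  { ref: "Jan",     fmt: d => MONTHS[d.getMonth()].slice(0, 3) },
  { ref: "Monday",  fmt: d => DAYS[d.getDay()] },
  { ref: "Mon",     fmt: d => DAYS[d.getDay()].slice(0, 3) },
  { ref: "2006",    fmt: d => String(d.getFullYear()) },
  { ref: "06",      fmt: d => pad(d.getFullYear() % 100) },
  { ref: "01",      fmt: d => pad(d.getMonth() + 1) },
  { ref: "02",      fmt: d => pad(d.getDate()) },
  { ref: "15",      fmt: d => pad(d.getHours()) },
  { ref: "03",      fmt: d => pad(hour12(d)) },
  { ref: "04",      fmt: d => pad(d.getMinutes()) },
  { ref: "05",      fmt: d => pad(d.getSeconds()) },
  { ref: "PM",      fmt: d => (d.getHours() < 12 ? "AM" : "PM") },
  { ref: "pm",      fmt: d => (d.getHours() < 12 ? "am" : "pm") },
  { ref: "1",       fmt: d => String(d.getMonth() + 1) },
  { ref: "2",       fmt: d => String(d.getDate()) },
  { ref: "3",       fmt: d => String(hour12(d)) },
  { ref: "4",       fmt: d => String(d.getMinutes()) },
  { ref: "5",       fmt: d => String(d.getSeconds()) },
].sort((a, b) => b.ref.length - a.ref.length); // longest spelling wins

// Compile an example string into a formatter: scan left to right, swap in a
// token wherever one of the reference spellings occurs, keep the rest literal.
function compileExample(example) {
  const parts = [];
  let i = 0;
  while (i < example.length) {
    const tok = TOKENS.find(t => example.startsWith(t.ref, i));
    if (tok) {
      parts.push(tok.fmt);
      i += tok.ref.length;
    } else {
      const ch = example[i++];
      parts.push(() => ch);
    }
  }
  return (date) => parts.map(p => p(date)).join("");
}

// Format `date` the way `example` shows the reference moment.
function stamp(example, date) {
  return compileExample(example)(date);
}

console.log(stamp("Monday, January 2, 2006 at 3:04 PM", new Date()));
```

The price of this approach is that a literal digit 1 through 5 in the example is indistinguishable from a field, which is why the reference moment is chosen so that ambiguity is rare rather than impossible.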

May 12, 2015

An oldie but a goody: save the following into a file called Hello.java. It will compile just fine, and if you run it, it will print Hello, World! to standard output.

/*\u002A\u002F\u0070\u0075\u0062\u006C\u0069\u0063\u0020\u0063\u006C\u0061\u0073\u0073\u0020\u0048\u0065\u006C\u006C\u006F\u007B\u0070\u0075\u0062\u006C\u0069\u0063\u0020\u0073\u0074\u0061\u0074\u0069\u0063\u0020\u0076\u006F\u0069\u0064\u0020\u006D\u0061\u0069\u006E\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u005B\u005D\u0020\u0061\u0072\u0067\u0073\u0029\u007B\u0053\u0079\u0073\u0074\u0065\u006D\u002E\u006F\u0075\u0074\u002E\u0070\u0072\u0069\u006E\u0074\u006C\u006E\u0028\u0022\u0048\u0065\u006C\u006C\u006F\u002C\u0020\u0057\u006F\u0072\u006C\u0064\u0021\u0022\u0029\u003B\u007D\u007D\u002F\u002A*/

This is because according to the Java Language Specification (JLS 3.2, specifically), Unicode escapes must be translated by the compiler before just about any other operation, including stripping comments.

Here’s what the code looks like prettified and with translated escapes:

/**/
public class Hello {
  public static void main(String[] args) {
    System.out.println("Hello, World!");
  }
}
/**/
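To make the translation order concrete, here is an added JavaScript example (not part of the original post) that performs the Unicode-escape pass the way the JLS orders it, escapes first and comments afterwards, and contrasts it with a naive scanner that looks at comments before translating. The second function is the check a reviewer or linter would want: a comment whose raw text contains Unicode escapes is exactly the case where the comment boundaries can move. Function names and the comment regex are this example's own.

```javascript
// Added example, not the post's code: JLS-ordered Unicode-escape translation
// and a review check for escapes hidden inside comments. Names and the
// (deliberately naive) comment regex are this example's own choices.

// The Hello.java line from the post, kept raw so JavaScript does not decode
// the \u sequences itself.
const TROJAN_HELLO = String.raw`/*\u002A\u002F\u0070\u0075\u0062\u006C\u0069\u0063\u0020\u0063\u006C\u0061\u0073\u0073\u0020\u0048\u0065\u006C\u006C\u006F\u007B\u0070\u0075\u0062\u006C\u0069\u0063\u0020\u0073\u0074\u0061\u0074\u0069\u0063\u0020\u0076\u006F\u0069\u0064\u0020\u006D\u0061\u0069\u006E\u0028\u0053\u0074\u0072\u0069\u006E\u0067\u005B\u005D\u0020\u0061\u0072\u0067\u0073\u0029\u007B\u0053\u0079\u0073\u0074\u0065\u006D\u002E\u006F\u0075\u0074\u002E\u0070\u0072\u0069\u006E\u0074\u006C\u006E\u0028\u0022\u0048\u0065\u006C\u006C\u006F\u002C\u0020\u0057\u006F\u0072\u006C\u0064\u0021\u0022\u0029\u003B\u007D\u007D\u002F\u002A*/`;

// JLS rule: a backslash begins a Unicode escape only when it is preceded by an
// even number of contiguous backslashes, so "\\u0041" is not an escape while
// "\\\u0041" is "\\" followed by the escape for "A". Several u's are allowed.
function translateUnicodeEscapes(src) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    if (src[i] !== "\\") { out += src[i++]; continue; }
    let j = i;
    while (j < src.length && src[j] === "\\") j++;
    const run = j - i; // contiguous backslashes starting at i
    if (run % 2 === 1 && src[j] === "u") {
      let k = j;
      while (src[k] === "u") k++;
      const hex = src.slice(k, k + 4);
      if (!/^[0-9a-fA-F]{4}$/.test(hex)) {
        // javac rejects a "\u" that is not followed by four hex digits
        throw new SyntaxError(`illegal Unicode escape at offset ${j - 1}`);
      }
      out += "\\".repeat(run - 1) + String.fromCharCode(parseInt(hex, 16));
      i = k + 4;
    } else {
      out += "\\".repeat(run);
      i = j;
    }
  }
  return out;
}

// Naive comment stripping that ignores string literals; enough to show the
// ordering problem.
const COMMENT_RE = /\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
function stripComments(src) {
  return src.replace(COMMENT_RE, "");
}

// What javac compiles: translate escapes first, then drop comments.
function effectiveCode(src) {
  return stripComments(translateUnicodeEscapes(src)).trim();
}

// Review check: comments in the *untranslated* text that contain Unicode
// escapes. Those are the comments whose boundaries may not survive
// translation, so they deserve a human look.
function suspiciousComments(src) {
  const comments = src.match(COMMENT_RE) || [];
  return comments.filter(c => /\\u+[0-9a-fA-F]{4}/.test(c));
}

console.log("naive view   :", JSON.stringify(stripComments(TROJAN_HELLO).trim()));
console.log("compiler view:", effectiveCode(TROJAN_HELLO));
console.log("flagged      :", suspiciousComments(TROJAN_HELLO).length);
```

Running it on the post's one-liner shows the gap: stripping comments from the raw text leaves nothing, while the compiler's order leaves the whole Hello class, and the review check flags the comment.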

May 11, 2015

May 8, 2015

Keurig says it was wrong to force users to buy single-serving pods

Last year, Keurig drew the ire of the Internet by incorporating a scheme similar to the Digital Rights Management (DRM) you see on e-books and video games into its Keurig 2.0 coffee maker. The next-generation machine forced users to brew with Keurig-approved coffee pods exclusively, using a digital scanner that looks for an ink marker on authorized K-cups. The company also discontinued its “My K-Cup” reusable pod, which meant that customers could no longer use their own coffee in a Keurig.

Good to see them finally acknowledge what a shitty idea this was.

May 6, 2015

Hound

Hound is an extremely fast source code search engine. The core is based on this article (and code) from Russ Cox: Regular Expression Matching with a Trigram Index. Hound itself is a static React frontend that talks to a Go backend. The backend keeps an up-to-date index for each repository and answers searches through a minimal API.

From the engineers at Etsy. To say this kind of tool is useful is a bit of an understatement.