Recent Posts

Recently, while looking at a JavaScript function intended to generate a cryptographically-secure random IV to be used in AES-GCM, I noticed something interesting which I immediately suspected was not unique to this project. Sure enough, Matt, my awesome colleague, sent me a link to a how-to article describing the process of generating random values in Node.js that included the exact same quirk.

Here is their example (with minor edits so as not to call out the author of that how-to post too explicitly):

The “snippet preview” functionality of the Yoast Wordpress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version.

I’m happy to announce the latest version of a project that the Security Engineering team at Rackspace has been working on: DefectDojo! DefectDojo is an open source defect tracking system that was created by our team to keep up with security engagements, but it can be useful for tracking any type of application testing. It supports functionality like Finding templates, PDF report generation, metrics graphs, charts, and some self-service tools for doing port scans, for example.

I noticed a while back that when I carelessly entered my login credentials to the form for registering a new user account on the front page of the DigitalOcean site, it would still log me in. Neato.

However, I was slightly less amused when I noticed that the login event didn’t show an IP address in my security history.

I reported this at the time the screenshot was taken several months ago. It appears they have recently fixed the issue.

Earlier today I wanted to explore using Growl / GNTP to listen for notifications from a remote server. I checked out the Growl developer bindings page, found the Python implementation, and started working on a simple app to send me notifications about various things.

I was planning on running this on my server so I could also interface with Twilio and accept callbacks, without having to expose a webserver on my local machine to the internet. To do this, I was going to accept remote notifications in Growl using a password. I realized pretty quickly this was a worse idea.

Innovation is accelerating and entropy is increasing (as always). Several huge scientific revolutions are peeking at us from the horizon of the future. Looking at how we’ve dealt with the Internet revolution, I’m not sure we’re ready for them.

What 3 revolutions am I talking about? When are they going to happen? It’s impossible to predict which of these revolutions will happen first, or exactly when, but I suspect that it is safe to assume that all of them will come to pass in the next 100 years. I won’t focus on providing every tiny piece of evidence and analysis of these phenomena in this post, but I will examine them in much greater detail in the future.

My last Nuggets post, “50 Linux Resources for Developers” was pretty well-received, so I figured I’d try to do the same thing I did there for Node.js. Hopefully something here gives you some inspiration to make the next great Javascript app. It’s not meant to be an all-inclusive guide to learning Node, but more of a look at my journey with Node and some things I’ve found useful which you might find useful as well.

These are some cool things you can do with Vim that save time and can help prevent mistakes from mouse selection. They’re mostly little things, but altogether they make up an editing environment that I simply love.

1. NERDTree ( Docs) file deletion

2. Easymotion ( Docs). Check out their example GIFs, and you’ll never see movement with the keyboard the same again.

3. Executing shell commands without changing windows

I recently paid for something online using what I considered a secure online payments processor, and they asked that I provide a password to create an account to complete the transaction. You will understand in a second (if you don’t already) why I was so angry when, a few seconds later, I got this:

I couldn’t believe it. Please enter a shorter password.

Why does this make me mad? Because it means one of three things:

Tonight on the program “Last Week Tonight” on HBO, John Oliver exhorted his audience to go file comments on the FCC website to address their proposed rules that many believe will destroy Net Neutrality. In visiting the page, it is clear that people are interested in commenting on this particular item.

A few more comments than usual. I suspect this didn’t happen in the 5 minutes between when John Oliver made his comments and when I visited the site. What if we look back in time? Did this all happen very quickly and overwhelm their servers?