Posts

Anyone who read my post yesterday is probably confused by 1) this domain name and 2) my mention of it being my “first post”. This blog is a reboot of my previous site (where the older posts came from). I’m starting over in hopes that it will incentivize me to take blogging seriously again. This post will explain my plans for this blog, and with any luck, convince you to come along for that ride. I had imagined writing a longer and more thoughtful introduction, but events have conspired to force my hand. When in doubt, start.

It’s never a good time to suddenly find yourself jobless. But it’s never a bad time to evaluate your skills, your goals, and where you’re headed.

We all want to be a valued member of a winning team on an inspiring mission

• Graham Weston

It’s easy to get complacent after a few years in a good job. You tell yourself, “I’m doing such important work! We’re making so much progress! I love my team!” You’re churning out pull requests, responding to emails and Slack messages, burning through your JIRA backlog.

I’ve become somewhat obsessed with Pokemon GO since I started playing it, and I’ve been trying to cobble together a mental guide for how to be successful from a hodge-podge of sites, people I’ve met while playing the game, and some of my own experiences. Here’s what I’ve got so far. Items in red are ones I’m less sure of.

Finding Pokemon #

1. The panel at the bottom right tells you what Pokemon are near. 3 feet = far, 2 feet = nearby, 1 foot = close, none = very close

Have you ever logged onto Facebook to find “Recommended Friends” that you didn’t expect to see? Maybe someone you briefly met on Tinder, or a co-worker you hate? I think many people are unaware that, by default, the Facebook app on mobile devices automatically imports your contact list, continuously (this includes, so far as I can tell, every piece of information about them that you have stored).

I started noticing this a long time ago, but I sense that there are many who just assume Facebook is omniscient and don’t give it another thought. There are many reasons you may not want to give up this power, and so far as I can tell, the only way to stop importing this information is to delete the Facebook app from your phone. If anyone is aware of a specific privacy setting one can use to disable this behavior, leave a comment on this post!

(About) 425 days ago (at the time of this writing) I started scraping Hacker News via its shiny new API. And then I promptly forgot about it. That is, until I noticed my cronjob had been throwing errors constantly for a few weeks:

Instead of fixing anything, I just commented out the cronjob. But now I feel somewhat obligated to do at least a rudimentary analysis of this data. In keeping with my extreme negligence/laziness throughout this project, I hacked together a few bash commands to do just that.

The AddToAny Share Buttons  WordPress Plugin was, until recently, vulnerable to a DOM-based cross-site scripting issue. The file in question is hosted on the author’s site, so you’re not vulnerable anymore (you’re welcome). If you just want the vulnerability details, go here . Now for the story of this bug.

This particular journey started with an email from XSSposed , a site intended to allow security researchers to responsibly report cross-site scripting issues in sites that don’t run formal bug bounty programs like those seen here . Having never heard of it before, I was immediately suspicious. I like the concept of bug bounties just fine, but I was a little surprised to learn that I had unknowingly opened one on my site.

At the risk of spoiling a somewhat-well-known XSS game, I want to share an XSS vector I had never thought of before it forced me to. The premise of this level was, essentially, that you couldn’t use any letters whatsoever in the attack vector, and you had to call alert(1).

So, without further ado, here it is:

What a mess, right?! What the hell are we doing here? Let’s take it piece-by-piece.

I recently hacked together a little 300-line bash script to manage my dotfiles called dot-man . Basically, it will let you manage your dotfiles in a git repository, and you can run it every so often to keep your local / remote dotfiles up to date.

Install is as simple as:

Let me know what you think! You can find me on Twitter @ccneill .

Recently, while looking at a JavaScript function intended to generate a cryptographically-secure random IV to be used in AES-GCM, I noticed something interesting which I immediately suspected was not unique to this project. Sure enough, Matt, my awesome colleague, sent me a link to a how-to article describing the process of generating random values in Node.js that included the exact same quirk.

Here is their example (with minor edits so as not to call out the author of that how-to post too explicitly):

The “snippet preview” functionality of the Yoast Wordpress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago  by someone named “badconker”, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version .