Most recent posts: page 6 of 6
May 18, 2008
Make custom fonts with FontStruct
Paul from the Compiler blog pointed out a cool flash application called FontStruct. It's basically a WYSIWYG editor for fonts, allowing you to easily create a TrueType font of your own design without having to learn your way through all the intricacies and difficulties of professional fontography.
The site includes a big gallery of Creative Commons licensed fonts that were created with the program. Whether you create your own or download an existing one that you like, it's a solid resource.
Posted by Jason Striegel | May 18, 2008 10:15 PM | Design
May 17, 2008
Protect your luggage with a starter pistol
I can't say how realistic this is, and I probably won't be using the advice myself, but Jon Udell wrote about a plausible strategy for turning the TSA rules to the purpose of protecting your checked luggage. The trick is to declare a firearm (in this case a starter pistol), which, by policy, forces your bag to be inspected in your presence and then locked in transit.
I'm given a little card to sign, the card is put in the case, the case is given to a TSA official who takes my key and locks the case, and gives my key back to me. That's the procedure. The case is extra-tracked... TSA does not want to lose a weapons case. This reduces the chance of the case being lost to virtually zero.
It's odd that you can't request to have any checked bag inspected and secured for flight in your presence. It'd only be worth the hassle for a few people, and it'd save them a lot of grief. Then again, why can't we expect the same level of accountability and professionalism from security-cleared baggage handlers and TSA officials as we can from anyone at DHL or Fedex?
Personally, I just bring any laptops and cameras with me in my carry-on. It presents its own hassle during screening due to the asinine "remove all electronics and put them in separate buckets" policy, but at least they show up on the other end of the flight.
Pack a starter pistol to deter luggage theft
Posted by Jason Striegel | May 17, 2008 09:42 PM | Life, Travel
May 16, 2008
Python pizza status
Nothing goes better with some Python hacking than a little pizza. Nick Jensen couldn't wait for his pizza to arrive to begin hacking, so he spent the 30 minute wait-time writing a Python script to track the pie's progress:
I discovered an interesting XML feed the other day when I ordered a pizza from dominos. After seeing a dumb commercial about what some idiots do in their 30 minute pizza-waiting time, I remembered hearing something about being able to "track" your pizza online. So what did I do during my 30 minutes you ask? I went on over to dominos website to check out this amazing tracking device. It turns out to be just a flash app hooked up to an XML feed and Tamper Data revealed it was coming from here.
The details and the Dominos Python script are below. Suffice it to say that you can pull an XML status for your Dominos order by hitting http://trkweb.dominos.com/orderstorage/GetTrackerData?Phone=phonenumber (where phonenumber is your 10-digit phone number). You can easily parse this from other languages if you're not the Python type.
You've got 30 minutes... to write a python script
dominos.py
Posted by Jason Striegel | May 16, 2008 08:40 PM | Life
May 15, 2008
Gmail notification cube
Jamie Matthews created a nifty notification cube that glows when his Gmail inbox has a message.
I was given a lovely glowing cube by the generous people at Linden Labs as a freebie at a job fair yesterday, and I decided that it was far too attractive to simply sit there on a shelf, pulsating forlornly until its batteries went flat. How about making it useful, while maintaining its visual appeal?
A simple python script runs on his computer, periodically screen-scraping his Gmail inbox looking for new mail. It then outputs a message to the serial port, indicating the mailbox status. On the other end of the serial connection is a Boarduino, which receives the message and toggles power to the cube.
You could start with his code and get a jump-start on doing something similar. It looks like this could inspire a fun project or two on a lazy afternoon.
How to make a Physical Gmail Notifier
Posted by Jason Striegel | May 15, 2008 08:48 PM | Electronics
May 14, 2008
Debian/Ubuntu users: update your SSL keys and certs
It was announced yesterday that sometime back in September 2006 a line of code was removed from the Debian distributed OpenSSL package. That one line of code was responsible for causing an uninitialized data warning in Valgrind. It also seeded the random number generator used by OpenSSL. Without it, the error went away, but the keyspace used by affected systems went from 2^1024 to about 2^15. Oh noes!
A large majority of Debian and Ubuntu systems are affected. To correct the problem, you'll need to not only update OpenSSL, but also revoke and replace any cryptographic keys and certificates that were generated on the affected systems. From the Debian security advisory:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
For most people, this boils down to your ssh server's host key and any public key pairs used for remote ssh authentication. Any keys or certificates generated on the affected machines for SSL/https use also need to be revoked and regenerated. It's pretty ugly, really.
As far as teachable moments go, there's probably a lot to think about here. Software developers have this weird natural tendency to want to fix and reengineer things that aren't even broken. I'd go so far as to say that the desire to reengineer is inversely proportional to a programmer's familiarity and understanding of the code. I think it comes from our intense desire to make sense of things. It's the guru who's able to channel that hacker urge into solving new problems instead of creating new bugs out of old solutions.
DSA-1571-1 openssl -- predictable random number generator
OpenSSL PRNG Debian Toys (more discussion of the problem here)
Posted by Jason Striegel | May 14, 2008 07:57 PM | Cryptography, Linux, Linux Desktop, Linux Server, Ubuntu
May 13, 2008
drop.io - simple anonymous file sharing
Sometimes I need to send files to people that are too large to attach to an email. Inevitably, the solution is to upload them to an ftp or web server that I have access to and then send the recipient a download url. It's a pretty inefficient process, and unless you like your ftp server becoming an overwhelming mess of random downloads, you have to remember to go back and remove things at a later date.
drop.io is a web service that solves this sort of problem perfectly. You create a drop URL with a unique name, upload a file to it, and set an expiration time when it will be deleted, all in a single step. The drop folder can have both an access and an admin password, and you can choose what level of access (read, read/write, read/write/delete) the non-admin has. After you've created a drop folder, you can continue to add files and notes to it via the web interface or by email. Each drop also has a phone extension that will allow you to call in and record messages that are added to the drop. It's brilliantly simple.
What I like best is that aside from tracking IP for legal or terms of service violations, it's completely anonymous. You don't make an account to use the service. There is no profile. The drop folders aren't search indexable unless you choose to make them without passwords and publish the URL somewhere crawlable. You can renew the expiration period of the drop, but when it expires, it goes away along with its contents.
I like.
drop.io - Simple Private Exchange
Posted by Jason Striegel | May 13, 2008 08:25 PM | Data
May 12, 2008
Cross browser session data with Javascript
By keeping data in the window.name property, you can retain it between page loads and across domains without ever sending a cookie to a server. Thomas Frank created the sessvars.js library, which makes use of this browser quirk, allowing you to store up to 2 MB of client-side session data.
This is really powerful for a few reasons:
- client-side, you can store way more data than allowed by traditional cookies
- none of the data is transferred explicitly to the server, minimizing bandwidth used for each page request
- allows you to talk between pages in different domains
Keep in mind that anything you store via this mechanism will be visible to any other site the person subsequently visits in that same window, so this is best for storing non-sensitive data that you want to retain between page loads. This would be great for caching returned AJAX data that you would otherwise have to refetch and reprocess.
Session variables without cookies
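To make the caveat above concrete, here is an added example (not from the original post or from sessvars.js) of a minimal window.name-backed store. The window object is passed in as a parameter so the block can run under Node with a constructed stand-in; the 2 MB budget and the two "pages" in the demo are assumptions, not anything the library specifies.

```javascript
// Added example: a minimal window.name-backed session store in the spirit of
// sessvars.js. Not the library's code. `win` is any object with a string
// `name` property, so a constructed stand-in works under Node.
const WINDOW_NAME_BUDGET = 2 * 1024 * 1024; // assumed ceiling, matching the ~2 MB figure in the post

// Read whatever the previous page in this window left in window.name.
// Any earlier page (not just yours) may have written it, so treat it as
// untrusted input: parse defensively and accept only a plain object.
function loadSession(win) {
  if (typeof win.name !== 'string' || win.name === '') return {};
  try {
    const parsed = JSON.parse(win.name);
    const isPlainObject = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
    return isPlainObject ? parsed : {};
  } catch (err) {
    return {}; // not JSON: some other page used window.name for its own purposes
  }
}

// Serialise and store; returns the number of characters written.
function saveSession(win, data) {
  const serialized = JSON.stringify(data);
  if (serialized.length > WINDOW_NAME_BUDGET) {
    throw new RangeError('session data exceeds the window.name budget');
  }
  win.name = serialized;
  return serialized.length;
}

// Simulates the post's scenario with one constructed window object:
// page A caches an AJAX result, the user then navigates (same window) to
// page B on an unrelated domain, and page B can read everything A stored.
function demoCrossSiteVisibility() {
  const win = { name: '' }; // constructed stand-in for the browser window
  const pageA = loadSession(win);
  pageA.cachedFeed = { items: 3, fetchedAt: '2008-05-12T19:26:00Z' }; // constructed cache entry
  saveSession(win, pageA);
  // ... navigation to another origin; window.name survives the page load ...
  const pageB = loadSession(win);
  return { storedByA: pageA.cachedFeed.items, visibleToB: Object.keys(pageB) };
}
```

Current browsers clear window.name on cross-site navigations, so the cross-domain part of this behaviour is largely historical; the exposure to other pages loaded in the same window still applies within a site.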
Posted by Jason Striegel | May 12, 2008 07:26 PM | Ajax, Web
May 11, 2008
A VAX in your Linux box
Like many, my first introduction to the Internet came by way of a VAX/VMS server operated by the local University where I lived. A friend of a friend scenario landed me an account on the system, and after about a week I was hooked. It wasn't long before I signed up for a night class so that I could parlay an official student record into an account of my own (I was in high school at the time).
I was recently wondering about what's happened with OpenVMS. Is it still around? Will it run on normal PC hardware?
It turns out there are still a number of VMS devotees and hobbyists out there, and OpenVMS can still be found running not only on hobbyist legacy systems, but also in modern server environments where security, fault-tolerance, and uptime command a high premium over hardware cost and operating system popularity. There's even a freely available hobbyist license for OpenVMS, and you can get the installer media shipped your way for $30.
But what do you run it on if you don't have a VAX or Alpha in your basement? An emulator, of course! The SIMH emulator, created by the Computer History Simulation Project, is capable of emulating a DEC VAX and will run on a Linux, Windows or OS X host machine.
The most difficult thing, from what I've read, is that you need to jump through a number of hoops to get the OpenVMS license and media and the license needs to be renewed yearly. Phillip Wherry wrote a very extensive howto in 2004 that walks you through obtaining the media, building and configuring the SIMH emulator in Linux, and installing OpenVMS on your virtual VAX. If you want to run OpenVMS on Windows or OS X, there are pre-compiled SIMH binaries available for both platforms. The installation process should be the same for whichever host system you use.
Keep in mind that Phillip's howto was written in 2004, and I haven't gotten my OpenVMS hobbyist license yet, so I don't know for sure if there are any gotchas in there. The DECUS user group still seems to be alive and the company that ships the OpenVMS media is still taking orders, which is a pretty good sign. If any readers out there are currently running this setup, please give us an update in the comments. I'm excited to see some of my old DCL scripts running again, so I'm keeping my fingers crossed for good news here.
Running VAX/VMS Under Linux Using SIMH
SIMH VAX Emulator (Linux and Windows)
SIMH binaries for OS X
Encompass - DECUS User Group (sign up for membership, which is required for the license and media)
Order Form For OpenVMS Hobbyist CD Media
Posted by Jason Striegel | May 11, 2008 09:45 PM | Network Security, Retro Computing, Virtualization
May 10, 2008
Reading EXIF data from images in Javascript
Jacob Seidelin figured out a way to obtain EXIF data from images in Javascript, allowing AJAX applications to pull information about the make and model of camera used, as well as any aperture, focal length, or description information that may have been tagged to an image by the camera or a photo editor.
The exif.js javascript library scans through all IMG tags in your HTML document, looking for the custom exif="true" attribute to be set. The DOM image object doesn't contain the necessary raw image data, so XMLHttpRequest is used to fetch the image bytes. In Safari and Firefox, the responseText property contains the binary image data. This isn't available in IE, however, but Jacob was able to put together a VBScript alternative that is still able to pull the data from the response.
From your code, pulling the EXIF data for an image becomes as simple as this:
var theimg = document.getElementById("imageid");
alert("Image Make: " + EXIF.getTag(theimg, "Make") + "\nImage Model: " + EXIF.getTag(theimg, "Model"));
How cool is that? I expect we'll see this in every ajax photo gallery soon.
Reading EXIF data with Javascript
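As an added example (not from exif.js or the original post), here is the byte-level part of what such a library has to do once it has the image bytes: locate the JPEG APP1 segment, follow the TIFF header to IFD0, and pull out the Make (0x010F) and Model (0x0110) ASCII tags. The sample JPEG header is constructed inline; in a browser the bytes would come from the XMLHttpRequest response instead. Since image bytes are untrusted input, every offset is checked against the segment before it is read.

```javascript
// Added example: minimal EXIF Make/Model reader, not exif.js itself.
// Input is the raw JPEG file as a Uint8Array.
const EXIF_ASCII_TAGS = { 0x010F: 'Make', 0x0110: 'Model' };

function asciiAt(bytes, offset, length) {
  let s = '';
  for (let i = 0; i < length; i++) s += String.fromCharCode(bytes[offset + i]);
  return s;
}

// Walk the JPEG marker segments until the APP1 "Exif" segment is found.
// Returns null for non-JPEG input, a malformed segment table, or no EXIF.
function readExifMakeModel(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xFF || bytes[1] !== 0xD8) return null; // no SOI marker
  let pos = 2;
  while (pos + 4 <= bytes.length && bytes[pos] === 0xFF) {
    const marker = bytes[pos + 1];
    if (marker === 0xDA || marker === 0xD9) break; // SOS or EOI: no more metadata segments
    const segLen = (bytes[pos + 2] << 8) | bytes[pos + 3]; // big-endian, includes the 2 length bytes
    const segEnd = pos + 2 + segLen;
    if (segLen < 2 || segEnd > bytes.length) return null; // bad length: refuse rather than over-read
    if (marker === 0xE1 && segLen >= 8 && asciiAt(bytes, pos + 4, 4) === 'Exif') {
      return parseTiffIfd0(bytes.subarray(pos + 10, segEnd)); // skip "Exif\0\0"
    }
    pos = segEnd;
  }
  return null;
}

// Parse the TIFF structure embedded in APP1: byte-order mark, magic 42,
// offset of IFD0, then its 12-byte directory entries. Only ASCII (type 2)
// entries for Make and Model are collected; everything else is skipped.
function parseTiffIfd0(t) {
  const order = asciiAt(t, 0, 2);
  if (t.length < 8 || (order !== 'II' && order !== 'MM')) return null;
  const le = order === 'II';
  const u16 = (o) => (le ? t[o] | (t[o + 1] << 8) : (t[o] << 8) | t[o + 1]);
  const u32 = (o) => (le
    ? t[o] | (t[o + 1] << 8) | (t[o + 2] << 16) | (t[o + 3] << 24)
    : (t[o] << 24) | (t[o + 1] << 16) | (t[o + 2] << 8) | t[o + 3]) >>> 0;
  if (u16(2) !== 42) return null;
  const ifd = u32(4);
  if (ifd + 2 > t.length) return null;
  const entryCount = u16(ifd);
  const tags = {};
  for (let i = 0; i < entryCount; i++) {
    const e = ifd + 2 + i * 12;
    if (e + 12 > t.length) break; // directory runs past the segment
    const tag = u16(e), type = u16(e + 2), count = u32(e + 4);
    if (type !== 2 || !(tag in EXIF_ASCII_TAGS)) continue;
    // Values of 4 bytes or fewer sit inline in the entry; longer ones are reached
    // through an offset relative to the TIFF header. Either way the target must
    // lie inside the segment we were handed.
    const valueOffset = count <= 4 ? e + 8 : u32(e + 8);
    if (valueOffset + count > t.length) continue; // offset points outside the segment: skip it
    tags[EXIF_ASCII_TAGS[tag]] = asciiAt(t, valueOffset, count).replace(/\0+$/, '');
  }
  return tags;
}

// Constructed sample (not a real camera file): SOI, one APP1/Exif segment with a
// big-endian TIFF whose IFD0 holds Make="Canon" and Model="PowerShot A570", then EOI.
const SAMPLE_JPEG = Uint8Array.from([
  0xFF, 0xD8,                                     // SOI
  0xFF, 0xE1, 0x00, 0x43,                         // APP1, length 67 (2 length bytes + 6 + 59)
  0x45, 0x78, 0x69, 0x66, 0x00, 0x00,             // "Exif\0\0"
  0x4D, 0x4D, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08, // TIFF: "MM", 42, IFD0 at offset 8
  0x00, 0x02,                                     // IFD0: two entries
  0x01, 0x0F, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x26, // Make, ASCII, 6 bytes @0x26
  0x01, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x2C, // Model, ASCII, 15 bytes @0x2C
  0x00, 0x00, 0x00, 0x00,                         // no IFD1
  0x43, 0x61, 0x6E, 0x6F, 0x6E, 0x00,             // "Canon\0"
  0x50, 0x6F, 0x77, 0x65, 0x72, 0x53, 0x68, 0x6F, 0x74, 0x20, 0x41, 0x35, 0x37, 0x30, 0x00, // "PowerShot A570\0"
  0xFF, 0xD9,                                     // EOI
]);
```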
Posted by Jason Striegel | May 10, 2008 08:52 PM | Ajax, Photography
May 9, 2008
Processing.js - visualization library for Javascript
John Resig, of jQuery fame, released a port of the Processing visualization language for Javascript. Seriously, John is on fire:
The first portion of the project was writing a parser to dynamically convert code written in the Processing language, to JavaScript. This involves a lot of gnarly regular expressions chewing up the code, spitting it out in a format that the browser understands. It works "fairly well" (in that it's able to handle anything that the processing.org web site throws at it) but I'm sure its total scope is limited (until a proper parser is involved). I felt bad about tackling this using regular expressions until I found out that the original Processing code base did it in the same manner (they now use a real parser, naturally).
The full 2D API is implemented, with the exclusion of some features here and there between browsers (Firefox 3 is pretty full featured). You can interact with the Processing API directly from standard Javascript. This lets you make use of these drawing features by simply instantiating a Processing object, and then calling its various drawing methods.
Another capability is to write code natively in the Processing language. This allows you to make use of extended language features such as method overloading and classic inheritance, though it looks like type information is pretty much ignored.
John has many of the demos from processing.org working. Most of them are going to peg your CPU, but this is some seriously cool stuff to see working in a first release.
Javascript just got a lot more interesting.
Processing.js
Processing: open source data visualization language
Posted by Jason Striegel | May 9, 2008 09:36 PM | Ajax, Data, Firefox, Software Engineering, Web
May 8, 2008
DIY multi-touch on OS X
Bridger Maxwell has been blogging his progress on creating a homebrew multi-touch platform in OS X. Prior to this, there's been a lot of activity around building multi-touch systems on Windows using the Touchlib library, but this is the first time I've seen a concerted effort on OS X.
The basic hardware is the same for both environments: LEDs surround a sheet of acrylic, causing a backscatter of IR when fingers are pressed to the screen. On the software side, though, the multi-touch interface is provided through Pawel Solyga's OpenTouch library. From the sounds of things, though, it's not super simple getting the interface messages from OpenTouch to your multi-touch enabled Cocoa apps:
Both OpenTouch and TouchLib send the touch data to other applications by sending Tangible User Interface Object (TUIO) network messages. TUIO is a protocol that is designed for transmitting the state of multi-touch systems. TUIO is built upon another protocol, Open Sound Control (OSC). While libraries for receiving TUIO messages are available in a few languages such as C++ or Java, there was not a solution for Cocoa applications. My first step was to build a library for receiving TUIO messages in Cocoa. Because TUIO is built upon OSC, I looked for a library that could parse OSC messages. Unfortunately, I could not find one that would fill all my needs. WSOSC was a library that came close though. There were a few issues to work around (use NSData instead of NSString), but eventually I was able to use WSOSC to parse the OSC packets. When finished, my framework had the ability to parse TUIO messages and had a method to delegate the TUIOCursor objects it created to another application.
From the blog comments, it sounds like Bridger is planning on releasing this middle layer when it gets a little further along. At the moment, though, he's released a demo comic viewing application that uses his multi-touch project framework. If you're interested in developing multi-touch apps for OS X, some of the discussions on Bridger's blog would be a good place to start.
Bridger's Multi-Touch Blog
OpenTouch Library
See also:
Make your own multitouch displays and software apps
Posted by Jason Striegel | May 8, 2008 08:43 PM | Mac, Software Engineering
May 7, 2008
Radio controlled lawn mower
It's finally starting to warm up where I live on the 45th parallel, which means it's just about lawn mowing season. It's not a chore I typically enjoy, but this RC lawn mower designed and documented by Terry Creer looks like it might be a kick.
Here's the best feature, from the project website:
THE METHODS OF CONTROLLING AN UNMANNED VEHICLE DETAILED BELOW ARE POTENTIALLY LETHAL. YOU CAN KILL SOMEONE, AN ANIMAL OR A ROSE GARDEN IF YOU ARE NOT CAREFUL.
Sign me up! That also goes for anything else involving combustion, electronics and spinning blades of lopping frenzy. Here's a video on YouTube. I'm not sure you're going to get those nice striped patterns without a lot of practice, but I'm also not sure that it really matters.
If you're keen on making your own, it's basically an electric wheelchair with the joystick control replaced with the receiver circuitry and the lawn mower hardware bolted to the frame. The site has all the circuit and mechanical details. You should be able to scrounge for parts and put one together for $450 or so - less if you don't count the mower you've already got that you'd rather be driving from the porch.
DIY Radio Controlled Lawn Mower
Posted by Jason Striegel | May 7, 2008 08:23 PM | Electronics, Life
May 6, 2008
Using the Canon Hacker's Development Kit
Lifehacker's Adam Pash put together a nice overview for using CHDK, the firmware enhancement toolkit for consumer-grade Canon point and shoot cameras. With CHDK and a compatible Canon device, you can capture images in RAW format, display live RGB histograms while shooting, and even write custom UBASIC scripts to take time-lapse photos or capture lightning strikes. It does all this while running from an SD card, so it doesn't require permanent modification to the camera's firmware.
Turn Your Point-and-Shoot into a Super-Camera
Canon Hacker's Development Kit Wiki
UBASIC Script Programming
Posted by Jason Striegel | May 6, 2008 08:23 PM | Photography
May 5, 2008
Cornell University's student microcontroller projects - Spring08
Another semester's worth of cool microcontroller projects has come to a close at Cornell University and Bruce Land sent us the results for the Spring 2008 ECE 4760 course:
Students in ECE 4760 at Cornell University were given the responsibility of choosing, designing and building a project using Atmel Mega32 microcontrollers. Over 30 projects this year include a trumpet MIDI controller, a motorized guitar tuner, an eyeblink/head-motion computer controller, a Biometric Authentication system, and a rocket inertial guidance system.
There are a number of projects worth commenting on, but I really thought the rocket guidance system that one of the teams created was a particularly smart idea. It's a bit of a misnomer - it's not the rocket that's guided during flight, but the post-flight payload. The microcontroller, an accelerometer and two stepper motors are employed to steer a simplified parafoil-style parachute on the descent, ideally delivering the payload to a specified location, such as the launch point.
It sounds like this particular project had some launch-day engine malfunctions, but the idea is great. Something like this could someday be used to help direct food payloads and other cargo drops to a specific, controlled destination.
I think this marks 10 years worth of great work that's been documented online for this course. As always, these projects are incredibly well documented, both on the hardware and software side.
Cornell University ECE 4760 Student Microcontroller Projects
Rocket Inertial Navigation System
Posted by Jason Striegel | May 5, 2008 10:19 PM | Education, Electronics, Flying Things
May 4, 2008
Videos from past DEFCONs
I wasn't able to make it to last year's DEFCON hacker/security conference, and DEFCON 16 isn't until later this summer. As you can imagine, I've been a little impatient for a good ol' info-security paranoia fix. Thankfully, it looks like a ton of videos from past conferences have been posted to the DEFCON site. This might be pretty interesting even to the die-hards in the crowd who religiously attend. Having been to a couple of these, it's pretty hard (read: impossible) to get into all the sessions you would like to hit.
The more recent content is encoded as mp4's. Unfortunately, you'll need Real Player to view much of the older content. It's better than nothing, though.
It also looks like there have been a number of sessions from DEFCON 15 encoded and uploaded to Google Video. I've included a link to a list of these below as well.
Defcon Media Archives: 1993 - Present
Links to DefCon 15 Session and Panel Videos on Google Video
Posted by Jason Striegel | May 4, 2008 08:36 PM | Cryptography, Government, Network Security
May 3, 2008
Update the hacker map
When I created the "Hackers in Your Neighborhood" map last December, I wasn't sure what the response would be. I was really happy to see it end up being really positive, with lots of hackers and organizations adding their marker to the map.
I was just peeking in on its progress today and it looks like it's still alive with minimal vandalization and with lots of individuals and user groups making it to the list.
Some of the momentum has died down a bit, though, so now seems like a good time to do a little spring cleaning. Update your own record, if necessary, and make sure you list or update any hacker-friendly clubs or organizations that you know about. My hope is that this will make it easier for people to network and discover groups near them that they can participate in.
The same instructions still apply: Click the link to connect to the map, log in to your Google account, and you'll find an "Edit" button on the left. Clicking this will put the map in edit mode, where you can drag a new marker onto the map for yourself. Then just toss your name into the title and put your interests and project websites in the description field. If you're already on the map, select the marker you want to edit (try not to screw up others) and then update the text field.
For your personal icons, don't put it right on your address unless you really don't mind giving that info out. Centered on your city, town or neighborhood works fine too.
Some big goals for this round:
- A club listed in every metropolitan area of the U.S. (red icon)
- More resources for places to buy related parts or electronics ($ icon)
- Coffee shops with free WiFi where fellow hackers are typically found (coffee icon)
- Better representation in South America, Africa, Eastern Europe, Asia, and Australia
Big shout outs go to the Philly Linux User's Group, which is the most recent addition to the map, the Twin Cities Robotics Club, who are doing a fine job representing my home base, and Raj, our sole hacker in all of India.
It goes without saying, but when you're done updating the map, try and track down an organization or a few interested folks in your area. You have your assignment. Now get out there and go put some brains together.
The Hackers in Your Neighborhood: Collaborative Hacker Map
Posted by Jason Striegel | May 3, 2008 08:45 PM | Google Maps, Life
May 2, 2008
HOWTO - embed fonts from a SWF into a Flex app
I haven't done any coding in Flex yet, but I came across this howto today that illustrates how simple it is to pull in a Flash SWF that has an embedded font and use it within the Flex application. Embedding the bold, italic, and bold-italic sets for a font allows you to use the standard <b> and <i> tags in an htmlText element that is using the embedded font.
As an aside, it appears that Flex even allows you to do a rotation on the text even when it's not using a standard system font. This is something that was a total pain with embedded fonts in Flash/AS2, requiring rendering the text on the fly as a bitmap and then rotating the bitmap version. Major headache.
I'm pretty excited to see that text effects like this have become so simple to achieve. Now, if only someone could figure out how to lighten the file size when you're trying to embed a traditional Chinese character set.
Embedding fonts from a Flash SWF file into a Flex application
Posted by Jason Striegel | May 2, 2008 11:39 PM | Flash
May 1, 2008
Server-side Google Analytics
Peter van der Graaf did a little analysis of the URLs that are generated by the Google Analytics Javascript API and put together a very useful tutorial for building Analytics-enabled applications without the use of Javascript.
When you look at the analytics javascript code you see that it combines several sets of data into an image request. This image request sends the right data to Google (not the javascript). When you know what url you should use for the image, you can call the image directly and send the same data. Of course you need to be able to request the image url and that isn't easy from another image, rss feed or pdf. This is why we request it "server side".
You can add the code to the PHP that drives a blog site, for instance, and generate page views when your RSS feed is hit. You can even write a very simple script to proxy images and downloads, which will let you track hit data for all files on your site, not just the html pages viewed by a javascript enabled browser.
Taken a step further, you could even use this on the client side, triggering analytics views from standalone Flash apps or even desktop applications.
The one thing you need to keep in mind is that server-side analytics requests will appear to come from your server, not the client's machine. So while you can track page views and download events this way, you'll lose a lot of the information about your user base. Because of this, it would probably make sense to use a separate tracking ID for the server-side events.
Google Analytics Without Javascript
Posted by Jason Striegel | May 1, 2008 08:27 PM | Google, PHP, Statistics, Web, Web Site Measurement
April 30, 2008
Remember before you forget, but no sooner.
There's a fascinating article by Gary Wolf in this month's Wired titled "Want to Remember Everything You'll Ever Learn? Surrender to This Algorithm" about using software to help optimize an individual's memorization process.
We're all familiar with the notion that memorizing facts takes persistence, time and repetition. What isn't so obvious is that there's an optimum time to practice the recollection of facts you are trying to learn, and that time is precisely before you are about to forget that fact:
Practice too soon and you waste your time. Practice too late and you've forgotten the material and have to relearn it. The right time to practice is just at the moment you're about to forget. Unfortunately, this moment is different for every person and each bit of information....
Fortunately, human forgetting follows a pattern. We forget exponentially.
Wolf's article primarily discusses Piotr Wozniak's SuperMemo software, an application which is designed to take advantage of this insight. You fill it with a database of things you'd like to remember, and it attempts to model your retention curve for each of the facts while you use it, prompting you to recall information at just the right time to optimally burn it into memory.
Unfortunately, I couldn't track down an open source tool that does anything similar. Some of the legacy versions of SuperMemo appear to be freeware, and the full application itself isn't expensive, but I can't help but think this would make for a really cool open source package.
Software aside, I wonder how effective a person could become at general studying and fact retention by taking this insight into consideration. Are any readers actively using this tool or something similar? I'd love to hear your comments.
Posted by Jason Striegel | Apr 30, 2008 08:31 PM | Mind, Mind Performance
April 29, 2008
Stop XSS attacks with SafeHTML
If you allow user-contributed content in your site, you run into the problem of dealing with user supplied HTML in a safe manner. The most secure way of dealing with things, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where it would be nice to allow a large subset of HTML input, but block out anything potentially dangerous.
SafeHTML is a lightweight PHP user input sanitizer that does just that. Just run any input field through the SafeHTML filter and any javascript, object tags, or layout breaking tags will be stripped from the supplied text. It also does a reasonable job of correcting any gnarly, malformed code, which is also a common problem with user-contributed data.
Using it is easy. Just instantiate the SafeHTML object and call its parse method:
require_once('classes/safehtml.php');
$safehtml = new SafeHTML();   // the original used the PHP 4 style "=& new", which is unnecessary in PHP 5
if ( isset( $_POST["inputfield"] ) )
{
    $inputfield = $_POST["inputfield"];
    $cleaninput = $safehtml->parse($inputfield);   // strips scripts, objects and layout-breaking tags
}
This will take the posted "inputfield" parameter, strip any baddies, XHTMLify what's left, and the result will be stored in the $cleaninput variable. It's a simple addition to your code, and a lot more straightforward than trying to roll your own.
My only beef with the package is that it's written with a default allow policy, stripping out tags that are in its deleteTags array, but essentially allowing anything else through. If you'd rather only let through tags that you specifically want to allow, I'd recommend adding an allowTags array and adjusting the _openHandler method, adding the following after the deleteTags check:
if ( ! in_array($name, $this->allowTags)) {
    return true;   // tag is not on the allow list: drop it, the same way the deleteTags check handles blocked tags
}
You'll need to fill allowTags with everything you know to be safe and welcome, and you may miss a few that people will end up wanting to legitimately use, but this is easily corrected and the default deny policy is much safer in the long run.
SafeHTML - an anti-XSS HTML parser, written in PHP
Posted by Jason Striegel | Apr 29, 2008 08:49 PM | Network Security, PHP, Web