Posts by: bsterne

Update to CSP Bookmarklet January 20th, 2011

It was pointed out to me that my CSP bookmarklet was using a feature added in ECMAScript 5, Object.keys, and thus did not work in older browsers. I added a bit of code to address this:

Object.keys = Object.keys || function(obj) {
  var keys = [];
  for (var key in obj) {
    // only the object's own properties, not inherited ones
    if (obj.hasOwnProperty(key))
      keys.push(key);
  }
  return keys;
};

Browsers that don’t natively support Object.keys will now have that functionality added when the bookmarklet runs. Go ahead, give it a try: Recommend CSP

As before, the full source is posted for you to browse as well.

Content Security Policy Recommendation Bookmarklet October 14th, 2010

I wrote a bookmarklet that analyzes the content on the current page and recommends a Content Security Policy based on the types of content it finds on the page and the sources of that content. The implementation also takes into account resources that are dynamically added to the page by JavaScript.

For instance, today I learned that ReCAPTCHA loads script both from, but also from. Note to self: figure out why Google needs to know about every ReCAPTCHA load.

You can test it out by clicking the following bookmarklet: Recommend CSP

If you find it useful, drag it to your bookmarks toolbar and you can use it from any web page. Feel free to check out the bookmarklet source as well.

In the future, I would like to add notifications for potential inline script violations.
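The core of what the bookmarklet does, as an added example that is not the bookmarklet's source: collect the URLs a page loads, reduce each to a CSP source expression, and group them by the directive that governs that resource type. The resource list, the hosts in it, and the `DIRECTIVE_FOR_TYPE` mapping are constructed for this example; a `null` URL stands for an inline script or style block, which is the inline case the post wants to flag.

```javascript
// Added example (not the bookmarklet's source): derive a CSP recommendation
// from the resources a page loads, grouped by the directive governing each
// resource type. Directive names follow the current CSP syntax.
var DIRECTIVE_FOR_TYPE = {
  script: 'script-src',
  style: 'style-src',
  img: 'img-src',
  font: 'font-src',
  media: 'media-src',
  frame: 'frame-src',
  xhr: 'connect-src'
};

// Reduce one resource URL to a CSP source expression: 'self' when it
// shares the page's origin, the bare scheme for data:/blob: URLs, and
// scheme://host[:port] otherwise (paths are dropped on purpose, since the
// recommendation is per origin). Relative and protocol-relative URLs are
// resolved against the page origin; URL normalises default ports away.
function sourceExpression(rawUrl, pageOrigin) {
  var url = new URL(rawUrl, pageOrigin);
  if (url.protocol === 'data:' || url.protocol === 'blob:') {
    return url.protocol;
  }
  if (url.origin === pageOrigin) {
    return "'self'";
  }
  return url.origin;
}

// Build a policy string from {type, url} records; url === null marks an
// inline script or style block, which only 'unsafe-inline' would permit.
function recommendCsp(resources, pageOrigin) {
  var sources = {};
  resources.forEach(function (res) {
    var directive = DIRECTIVE_FOR_TYPE[res.type];
    if (!directive) {
      return;   // unknown resource type: nothing to recommend
    }
    sources[directive] = sources[directive] || {};
    var expr = res.url === null ? "'unsafe-inline'" : sourceExpression(res.url, pageOrigin);
    sources[directive][expr] = true;
  });
  // Deny everything not explicitly listed, then one directive per type,
  // with sources deduplicated and sorted so the header is stable.
  var parts = ["default-src 'none'"];
  Object.keys(sources).sort().forEach(function (directive) {
    parts.push(directive + ' ' + Object.keys(sources[directive]).sort().join(' '));
  });
  return parts.join('; ');
}

// Constructed sample input standing in for what the bookmarklet would
// collect from a live DOM; the hosts are placeholders.
var SAMPLE_RESOURCES = [
  { type: 'script', url: 'https://example.com/app.js' },
  { type: 'script', url: 'https://widgets.example.org/embed.js' },
  { type: 'script', url: null },                       // inline <script>
  { type: 'img', url: '/logo.png' },
  { type: 'img', url: 'data:image/png;base64,iVBORw0KGgo=' },
  { type: 'style', url: '//cdn.example.net/site.css' }
];

console.log('Content-Security-Policy: ' + recommendCsp(SAMPLE_RESOURCES, 'https://example.com'));
```

When `'unsafe-inline'` shows up in the output it is a finding, not a recommendation: the policy only becomes useful once the inline script it stands for has been moved into an external file and the token removed. The example relies on `Object.keys`, which is exactly why the bookmarklet needed the polyfill described in the later post for pre-ECMAScript 5 browsers.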

Productivity music for work September 8th, 2010

There are times at work when I like to put on my headphones and play some music (usually instrumental) or white noise to avoid distraction while I write code or do some other task that requires concentration. I never thought to do both at the same time… until now!

Next time you want a nice anti-distraction music cocoon try opening in separate tabs:

  1. A nice Jazz Piano or Classical station
  2. A pleasant rainfall soundtrack

If you are still distracted after that, Google has some information that might help you.

Jetpack: Unread Messages in Gmail App Tab August 13th, 2010

One of the new features in Firefox 4 is the App Tab, which lets users persist a tab that they use continuously. Firefox shrinks the tab down to just the favicon and places it in a special area for these tabs, which generally aren’t closed by the user. The feature is great, but one of the side effects is that Gmail App Tabs no longer show the part of the <title> that indicates unread messages.

That’s where my new Jetpack (a cool new, lightweight (and secure!) way to write Add-ons) comes in.

Go install Unread Gmail Favicon from AMO and the favicon for that tab will indicate the number of unread messages when you have them like so:

Hacked my DEF CON 18 badge July 30th, 2010

I was only able to stay for part of the first day of DEF CON this year, but I’m glad I did. One of the things they’ve done for the last five years or so is put microcontrollers in the badges, and put in little Easter eggs for people to search for. This year’s had a Ninja Party mode which was locked by default, but you could unlock it by placing a series of 15 tumblers in the correct position.

They published the source code for the badges on the CD they gave out at registration (so perhaps I’m stupid for loading the CD on my laptop rather than smart for reverse engineering the badge). I opened up DC18_Badge.c and, searching for “Ninja” (the code was commented nicely), quickly found the following two C functions:

#include <stdint.h>

#define TUMBLERS_PER_IMAGE 15   /* 15 tumblers on the badge, per the post */

int dc18_ninja_validate(uint32_t val)
{
    uint16_t a, b;
    a = (uint16_t)(val & 0xfff);   /* low 12 bits */
    b = (uint16_t)(val >> 12);     /* high 12 bits */
    if((a ^ b) == 0x916)
        return 1;
    return 0;
}

// encode tumbler states into
// 24-bit value
uint32_t dc18_encode_tumblers(uint8_t *tumblers)   /* parameter type assumed; not shown in the post */
{
    uint32_t x = 0, j = 1;
    uint16_t i;
    for (i = 0; i < TUMBLERS_PER_IMAGE; i++) {
        x += tumblers[i] * j;   /* tumblers[0] is the least significant base-3 digit */
        j *= 3;
    }
    return x;
}

So the trick was to find the number that made (a ^ b) == 0x916 and then figure out the tumbler positions to represent that number. I wrote two small Python functions to automate those tasks. To find the number that would unlock Ninja Mode, I wrote this loop. I added a print statement to show how far into the search we were, thinking it might take some time to find it, but it popped out 6423 in no time at all:

i = 0   # starting value; the original snippet does not show where i was initialised
while 1:
    a = i & 0xfff
    b = i >> 12
    if i % 10000 == 0:
        print("# a: %d, b: %d, i: %d" % (a, b, i))
    if a ^ b == 0x916:
        print("DONE: %d" % (i))
        break   # stop at the first hit instead of looping forever
    i += 1

DONE: 6423

Now all that was left was to figure out the tumbler positions to represent 6423. Clearly, dc18_encode_tumblers tells us how to do that. I whipped up this little function to convert the tumbler positions to a decimal number:

def enc_tumblers(tum):
    x = 0; j = 1;
    for i in range(15):
        x += tum[i] * j
        j *= 3
    return x

>>> enc_tumblers([1,1,1,1,1,2,2,2,

I was going to write another loop to increment the tumbler array I was passing to enc_tumblers, but my first guess was so close that I just manually entered the settings until I found the winning configuration:

>>> enc_tumblers([0,2,2,0,1,2,2,2,

Once I had the configuration, I put the tumblers in the appropriate positions: 0 - up, 1 - middle, 2 - down. After that, well, I guess I'm a ninja now:
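The two steps above (searching for a value the check accepts, then turning it into tumbler positions) carried through as an added example, written in JavaScript to match the other examples on this page; it is not the badge firmware or the post's Python. The constants (15 tumblers, the key 0x916, positions 0/1/2) come from the post; the function names are this example's own. It goes one step further than the post by replacing the manual guessing with a direct base-3 decode, and by counting how many settings unlock the mode: because only `a ^ b` is compared, a search from zero hits 2326 (b = 0) before the post's 6423 (b = 1), and 3503 of the 3^15 reachable tumbler settings pass the check.

```javascript
// Added example: the unlock worked through as reusable functions.
// This is not the badge firmware or the post's Python; the constants
// (15 tumblers, 0x916, positions 0/1/2) are taken from the post.
var TUMBLERS_PER_IMAGE = 15;
var NINJA_KEY = 0x916;
var POSITION_NAME = ['up', 'middle', 'down'];

// Port of dc18_ninja_validate: the 24-bit value is split into two
// 12-bit halves and only their XOR is compared against the key.
function ninjaValidate(val) {
  var a = val & 0xfff;
  var b = val >>> 12;
  return (a ^ b) === NINJA_KEY;
}

// Port of dc18_encode_tumblers: tumblers[0] is the least significant
// base-3 digit, so the array is a little-endian base-3 number.
function encodeTumblers(tumblers) {
  var x = 0, j = 1;
  for (var i = 0; i < TUMBLERS_PER_IMAGE; i++) {
    x += tumblers[i] * j;
    j *= 3;
  }
  return x;
}

// Inverse of the encoder: repeatedly take the remainder mod 3.
// Replaces the post's manual guessing with a direct conversion.
function decodeTumblers(value) {
  var tumblers = [];
  for (var i = 0; i < TUMBLERS_PER_IMAGE; i++) {
    tumblers.push(value % 3);
    value = Math.floor(value / 3);
  }
  if (value !== 0) {
    throw new RangeError('value needs more than ' + TUMBLERS_PER_IMAGE + ' tumblers');
  }
  return tumblers;
}

// The post's brute-force loop, bounded by the largest encodable value
// (3^15 - 1) and parameterised on where the search starts.
function findUnlockValue(start) {
  var limit = Math.pow(3, TUMBLERS_PER_IMAGE);
  for (var i = start || 0; i < limit; i++) {
    if (ninjaValidate(i)) {
      return i;
    }
  }
  return -1;
}

// How many reachable settings pass the check: for every 12-bit upper
// half b there is exactly one lower half a = b ^ key, so count the
// resulting values that 15 tumblers can actually represent.
function countUnlockValues() {
  var limit = Math.pow(3, TUMBLERS_PER_IMAGE);
  var count = 0;
  for (var b = 0; b < 0x1000; b++) {
    var value = b * 0x1000 + (b ^ NINJA_KEY);
    if (value < limit) {
      count++;
    }
  }
  return count;
}

// Render a setting in the post's physical terms: 0 - up, 1 - middle, 2 - down.
function describeTumblers(tumblers) {
  return tumblers.map(function (t) { return POSITION_NAME[t]; }).join(', ');
}

// Worked run: the post's 6423 decodes to a setting that re-encodes to 6423.
var postValue = 6423;
console.log(postValue, '->', describeTumblers(decodeTumblers(postValue)));
console.log('settings that unlock the mode:', countUnlockValues());
```

The `decodeTumblers` round trip is the check worth keeping: any value the search produces should re-encode to itself through `encodeTumblers` before anyone starts moving physical tumblers.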