And with that, I conclude the last of the shoots with the main characters of Docks. I also got some footage for a featurette on the rundown of an atypical shoot. Next up: the small things which I can do, as well as work with five extras. I hope to wrap up filming by this weekend.
Category: Life
Every other post.
-
In Thursday’s Globe and Mail…
I was in last Thursday’s Globe and Mail, as part of an article on the throttling of BitTorrent traffic that a number of ISPs are undertaking. What a crazy day that was – I was at work when the first email came through on my BlackBerry. Within hours, a photoshoot and interview time had been set. These guys sure waste no time.
-
Security & UofO Website
The other day I discovered a flaw with the University of Ottawa website. In essence, it allowed any one of its 30,000+ students to hijack their student directory page to upload malicious code. This was not in the realm of the theoretical; it had only taken me a matter of minutes to set up the following fake phishing example. Whenever someone would visit my student page, they would be treated to a pop-up window that would ask them to log in to their university account again.
Putting their mouse over the pop-up would produce a warning that the log-in prompt was a fake:
It’s classic cross-site scripting. It would be obvious to some that this was a phishing attempt, but not to everyone. The solution was simple too: sanitize text. I sent an email to the head webmaster of UOttawa, but she never got back to me. Great! With the person supposed to care not giving a shit, I decided to go through the regular support channels all students use. Lo and behold, they sent this:
Mr. McArdle,
Thanks for submitting the problem to us and for the information you gave us. Have you spotted any such record that have exploited the vulnerability?
I lied and told them no. I didn’t want to mention the demonstration I had made. Then I was worried it was a mistake. A week had passed, and the vulnerability was still in place. This morning, I got this:
Mr. McArdle,
Thanks for the feedback. I’ve assigned the problem to the group in charge of InfoWeb.
So hopefully, hopefully, they’ll do something about this. But what are the odds? I honestly don’t think anything will be done. That’s the problem about security: too few care. There’s lots of students at Ottawa U., and it wouldn’t take a genius to figure out what I did. And I’m a frickin’ physical geography student – not anything remotely close to computer science!
Update: I got the following message today…
Mr. McArdle,
Thank you for your astute observations and honesty and integrity in revealing the gap. This is a known bug and with a known solution and we are in the process of correction by [removed.] Thanks again for reminding us of this urgency.
-
Transitioning Nameservers…
I’m currently in the process of switching the nameservers of many of the domains that I own. This means that you can expect outages here and there during the transitioning process.
Update: All done!
Quote of the Moment: <savant> likewise, the “pull out” method may work for bump keys, but not for birth control.
-
GIS, Metadata, Oh my!
So I haven’t found a title for it yet, but my undergraduate thesis is on geospatial metadata files. More specifically, parsing them from their native language-centric presentation into something icon-centric. Replacing long strings of text with images that summarize the same. The end goal is to provide a means to quickly visually ascertain the essential characteristics of a geospatial dataset.
Surprisingly, this is rather novel research. To do it all, I’m currently developing a PHP-based solution running on Wapache. Wapache can best be described as a portable application that merges Apache, PHP, a built-in browser, and Windows GUI controls into a neat package with a light footprint. In essence: the perfect tool to create desktop webapps.
The development is slow, but steady going. Today was all about getting the app front-end fully functional. Getting the information on to the parsing stage. That’s now done and I’m now working on the XML elements extraction and parsing with PHP.
Below is a screenshot of the front-end: