Category: Life

Every other post.

  • In Thursday’s Globe and Mail…

    I was in last Thursday’s Globe and Mail, as part of an article on the throttling of BitTorrent traffic that a number of ISPs are undertaking. What a crazy day that was – I was at work when the first email came through on my BlackBerry. Within hours, a photoshoot and interview time had been set. These guys sure waste no time.

    Globe and Mail Article.

  • Security & UofO Website

    The other day I discovered a flaw with the University of Ottawa website. In essence, it allowed any one of its 30,000+ students to hijack their student directory page to upload malicious code. This was not in the realm of the theoretical; it had only taken me a matter of minutes to set up the following fake phishing example. Whenever someone would visit my student page, they would be treated to a pop-up window that would ask them to log in to their university account again.

    uovuln1.jpg

    Putting their mouse over the pop-up would produce a warning that the log-in prompt was a fake:

    uovuln2.jpg

    It’s classic cross-site scripting. It would be obvious to some that this was a phishing attempt, but not to everyone. The solution was simple too: sanitize text. I sent an email to the head webmaster of UOttawa, but she never got back to me. Great! With the person supposed to care not giving a shit, I decided to go through the regular support channels all students use. Lo and behold, they sent this:

    Mr. McArdle,
    Thanks for submitting the problem to us and for the information you gave us. Have you spotted any such records that have exploited the vulnerability?

    I lied and told them no. I didn’t want to mention the demonstration I had made. Then I was worried it was a mistake. A week had passed, and the vulnerability was still in place. This morning, I got this:

    Mr. McArdle,
    Thanks for the feedback. I’ve assigned the problem to the group in charge of InfoWeb.

    So hopefully, hopefully, they’ll do something about this. But what are the odds? I honestly don’t think anything will be done. That’s the problem about security: too few care. There’s lots of students at Ottawa U., and it wouldn’t take a genius to figure out what I did. And I’m a frickin’ physical geography student – not anything remotely close to computer science!

    Update: I got the following message today…

    Mr. McArdle,
    Thank you for your astute observations and honesty and integrity in revealing the gap. This is a known bug and with a known solution and we are in the process of correction by [removed.]

    Thanks again for reminding us of this urgency.
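
The "sanitize text" fix named in this post, as an added example (not code from the original post or from the university's site): a directory page that pastes student text in unchanged, beside one that encodes each field for its HTML context and allow-lists link schemes. The field names `name`, `bio` and `homepage` and the sample record are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample record; field names are hypothetical.
SAMPLE = {
    "name": "J. Doe",
    "bio": "Geography student <script>alert(1)</script>",
    "homepage": "javascript:alert(1)",
}


def safe_url(value):
    """Return value if it is an absolute http(s) URL, otherwise None."""
    value = value.strip()
    # Browsers ignore tabs/newlines inside a scheme, so reject them outright.
    if any(ch <= " " for ch in value):
        return None
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return value
    return None


def render_unsafe(profile):
    """The flaw: student-supplied text is pasted into the page unchanged."""
    return '<div class="bio">%s</div>' % profile["bio"]


def render_safe(profile):
    """Encode every field for its HTML context; allow-list link schemes."""
    rows = [
        "<h1>%s</h1>" % html.escape(profile["name"], quote=True),
        '<div class="bio">%s</div>' % html.escape(profile["bio"], quote=True),
    ]
    url = safe_url(profile.get("homepage", ""))
    if url is not None:
        # Escaping alone would still let a javascript: link through.
        rows.append('<a href="%s">homepage</a>' % html.escape(url, quote=True))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_safe(SAMPLE))
```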

  • Transitioning Nameservers…

    I’m currently in the process of switching the nameservers of many of the domains that I own. This means that you can expect outages here and there during the transitioning process.

    Update: All done!

    Quote of the Moment: <savant> likewise, the “pull out” method may work for bump keys, but not for birth control.

  • GIS, Metadata, Oh my!

    So I haven’t found a title for it yet, but my undergraduate thesis is on geospatial metadata files. More specifically, parsing them from their native language-centric presentation into something icon-centric. Replacing long strings of text with images that summarize the same. The end goal is to provide a means to quickly visually ascertain the essential characteristics of a geospatial dataset.

    Surprisingly, this is rather novel research. To do it all, I’m currently developing a PHP-based solution running on Wapache. Wapache can best be described as a portable application that merges Apache, PHP, a built-in browser, and Windows GUI controls into a neat package with a light footprint. In essence: the perfect tool to create desktop webapps.

    The development is slow, but steady going. Today was all about getting the app front-end fully functional. Getting the information on to the parsing stage. That’s now done and I’m now working on the XML elements extraction and parsing with PHP.

    Below is a screenshot of the front-end:

    mdparser.JPG

  • November 5th Shoot

    Aaaand this was the last major shoot! Wee!

    There’s more to do of course, but now it’s just a few lines here and there with individuals. The lead has one more scene to do, but we’re waiting for it to snow (why? a secret at this time.) I have to film a number of things myself, but that can be done whenever on my time.

    This is in the nick of time too. Not only is it getting bloody cold out there, but the days are getting real short. This is all equating in a smaller window with which to shoot each day. In today’s shoot, all the scenes featuring the antagonist were done.

    How I feel:

    pcch007.jpg