BiteofanApple Archive About Code Microblog Photos Links
by Brian Schrader

The Cloudbleed Bug: An Overview

Posted on Fri, 24 Feb 2017 at 11:06 AM

Tavis Ormandy (Chromium Bug Tracker) →

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time...

A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output...

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

A tweet you never want to see.

Never a tweet you want to see.

tptacek (Hacker News) →

The crazy thing here is that the Project Zero people were joking last night about a disclosure that was going to keep everyone at work late today. And, this morning, Google announced the SHA-1 collision, which everyone (including the insiders who leaked that the SHA-1 collision was coming) thought was the big announcement. Nope. A SHA-1 collision, it turns out, is the minor security news of the day.

Cloudflare Blog →

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence...

We are grateful that it was found by one of the world’s top security research teams and reported to us.

This broke late last night PST, and while Travis Ormandy and the hardworking team at Cloudflare have resolved the situation, the consequences of this bug are not small. Cloudflare is a very large CDN that sits in front of tens of thousands of sites and all of them are potentially affected.

My report

List of sites affected by Cloudbleed →

Comments with Cited References

Posted on Thu, 09 Feb 2017 at 12:29 PM

A while back I got into the habit of adding links to any source code that I copy from the web. It's a small addition but it's helped me a lot when I need to go back and fix bugs long after I've forgotten what I did or why.

// From:
extension Data {
    /// Create hexadecimal string representation of Data object.
    /// - returns: String representation of this Data object.
    func hexadecimal() -> String {
        return map { String(format: "%02x", $0) }
            .joined(separator: "")

This technique is also really useful if you encounter unsupported or buggy behavior in some framework or library and you write a weird workaround or unconventional solution. In those cases I don't just document that it is a workaround, I try to link to a place that explains or tracks the bug (like the GitHub Issue or Stack Overflow page).

switch identifier {
case "SpecialWaitStep", "OtherSpecialWaitStep":
    // Wait steps aren't backward navigable.
    return nil
    return getStep("...")

This way if anyone (future me included) needs to go back to fix that section of code, they'll at least know why that hack is there.1

1. Hell, maybe by then the issue has been solved and they can even remove your hacky code.

So Many Words Written, So Many More to Come

Posted on Mon, 06 Feb 2017 at 07:58 PM

Apparently I'm 236 words short of 50,000 total words written for my blog over 161 posts1. That's about 309 words per post on average. I was playing around with the site just now and just out of curiosity I ran this:

$ find archive/ -name "*.md"|xargs -I {} cat {} | wc -w

Now curious, I did some more digging to see what I could learn; here's a few different statistics:

  • Longest post:
  • Shortest post:
  • Most average length post:
  • If we count all the drafts I've never published (but still have) the grand total goes up to 64,088 words.
    • That's 14,324 words unpublished.
  • 154 different tags used on posts
  • Most used tags:
    • blog: 21 times
    • web: 14 times
    • space: 10 times
    • open web: 10 times
    • blogging: 10 times
    • python: 8 times
  • Least used tags:
    • D&D, FCC, OS X, alternatives, angular... (and 105 more)

Just for the occasion, I made up a pretty graph.

A graph of word count.

It's hard to believe that I've been blogging for almost 5 years on this site, and if you count my two blogs before this one, then it's been almost 6 years.

And in case you're wondering: yes, this post is just over 236 words. 🎉

1 Technically that 50,000 word count includes handcrafted HTML inside a post's markdown. It's not that much of a factor and I'm defending my claim because technically I wrote that HTML so there.

An Ode to the 13 Inch MacBook Pro

Posted on Sat, 04 Feb 2017 at 01:25 PM

I got my first Mac in 2010: A base model 13" Macbook Pro. Like lots of people I got it in my first year of college with Apple's Education Discount. I had it all the way through college until 2015 when I got my current 13" Retina Macbook Pro. In that time, I'd dropped it, fixed it, swapped out the spinning platter for an SSD, added RAM, and made it my own. I learned to program on it, I played PC games with it, and I built this website with it. I used every ounce of power that 2.4GHz Core2-Duo could spare.

In short: I loved that machine.

That Macbook Pro turned me into a Mac person. I justified buying it by saying that I'd build iPhone apps with it, but that never really came to pass. I did learn about Unix and Bash though, and that knowledge changed how I used computers forever. Back then I looked forward to 2 things every year: the new iPhone OS announcement and the Mac OS X announcement. I even took time off work one year to stay home and watch WWDC talks in a time before I'd ever worked on iOS apps professionally.

In short: I found what I wanted to do because of that Mac and it changed me forever.

My mac at a donut-shop in portland

In 2015 I got my current Mac. When I passed on my old 2010 MBP it was dented, missing a foot, and had no CD drive (I took it out to save weight and then lost it). Fresh out of college I forked over literally all of the money I had for a specced out 13" rMBP. Two and a half years later I can say, it's the best computer I've ever owned or used. I've taken it everywhere, and it's risen to every challenge I've thrown at it (except modern PC gaming but I don't play a lot anyway).

Excluding a few months when I experimented with building PCs in college1 and at my old day-job, my Macs have always been my primary and only machines, and now my 2015 rMBP is my work machine too. They've both been as flexible, durable, extensible, and powerful as I could ask.

The Part About Apple Nowadays

That long preamble was more than a nice stroll down memory lane. I may not have the pedigree of some mac users but I love the Mac and over the years I've seen Apple seem to forget how much people love, use, and need the Mac to do what they do, and it makes me sad. Maybe they're working on something awesome for the Mac and I hope if they are that it's as great as it can be, but it doesn't look that way from the outside.

I could stand here and say that I wish the 13" MacBook Pro had dedicated graphics card and quad-core CPU options (and I really do wish that), but after 7 years I just don't see that happening. I guess what I want is something to prove that the Mac is still worth something to Apple. The Mac community is strong enough to last for years without Apple updating much, but that's not something I look forward to, it's a last resort.

The Circle Be Unbroken

Growing up, my mom had (and still has) a 17" Titanium Powerbook G4, and she used it for almost 10 years, she was the first Mac user in the house, and though I used them in middle and high school I'd always had a Windows PC at home. In 2009 a coworker and long-time Mac user convinced my parents to get me an iPhone, and a few months later I bought my first Mac.

Since that time I've convinced my sister, several coworkers, friends, and many complete strangers to get Macs. I've always said the price was worth it, and even though I think that's less true now, I'd still recommend the Mac over the alternative. All of those people are using Macs today because some enthusiastic college student convinced them to get one, and he got his Mac and iPhone because of a passionate Mac user who convinced him back in 2010.

That old MacBook is till alive; it's my mom's laptop now. It's worked well for her until this year: she got a GoPro and needs to edit the video. That MacBook can do a lot of things, but rendering 1080p and 4K video comfortably isn't one of them. If and when she gets a new computer, I'll probably ask for that MacBook back. There's not much I can use it for, but just like my old iPhones, it'll be a nice thing to keep around for the memories.

1. I also experimented with Linux in college, but that went from recreational use to professional use.

California Bills to Safeguard Privacy from the Federal Government Advance

Posted on Thu, 02 Feb 2017 at 02:07 PM

Rainey Reitman for the EFF

New state bills that would create a database firewall between California and the federal government passed out of their respective Senate committees on Tuesday. Both are headed to the Appropriations Committee and then could soon see votes by the full California Senate. If passed, these critical bills would help prevent Muslim registries and mass deportations in California and would send a strong message to the Trump administration that Californians will resist his attacks on digital liberty.

This is some much needed positive Government-related news. I have no idea how legal it is for California to directly oppose Trump's ideas, but I'm all for them. California is the most powerful state in the U.S. by economy and population; let's see what happens when that power gets put to use.

I don't know how much control California has over Silicon Valley companies and their databases, but those are arguably the most important stores of personal data in the world.

Importantly, these pro-privacy policies will outlast President Trump. Once baked into California law, they’ll safeguard the over 38 million residents of California for generations to come.

At the bottom of the EFF blog post there's ways to contact your representatives and tell them you support this measure.

California Bills to Safeguard Privacy from the Federal Government Advance →

The Internet Won't Forget Climate Change

Posted on Sat, 28 Jan 2017 at 05:09 PM

A lot of you might have seen this post on Thursday.

The tweet about NOAA

I did, though I didn't put it in with my baby pictures, I put it here.

At is a full mirror of the contents of that FTP site. It has all of the CO2 and Aerosol data that NOAA has made available (all the way back to 1976). If you find this data useful, I'd love to hear from you.

If you're looking for other climate change related data sets, The Climate Mirror Project has lots of mirrors of NASA, NOAA, and other organizations. We will not allow this data to be forgotten. Climate change is real, it's a problem, and it's getting worse. Ignoring it cannot be the solution.

The Internet should not forget; we can't let it forget something this important.

A Slight Modification to Gordon Ramsey's Scramled Eggs

Posted on Tue, 10 Jan 2017 at 10:01 AM

If you haven't seen Gordon Ramsey's scrambled egg video, you should. It's been out for years now, but good cooking tips are always useful. Being in Southern California though, I make one slight modification: I use Sour cream instead of Crème fraîche. Originally I started doing this because I almost always have Sour cream on hand (again because Southern California) and while there's certainly a difference in flavor, it's a great substitute.

Scrambled Eggs

Gordon Ramsay's Scrambled Eggs →


Posted on Mon, 09 Jan 2017 at 04:57 PM

Like lots of other people have said, Manton Reece has started a Kickstarter for his microblogging platform. I've been on the beta for a while, and I've mentioned it before. What Manton is doing is really important, and not only should you support his work, but spread the word.

Do you remember how the web used to work? How the web was supposed to work?

In the earlier days of the web, we always published to our own web site. If you weren’t happy with your web host, or they went out of business, you could move your files and your domain name, and nothing would break.

Today, most writing instead goes into a small number of centralized social networking sites, where you can’t move your content, advertisements and fake news are everywhere, and if one of these sites fails, your content disappears from the internet. Too many sites have gone away and taken our posts and photos with them.

I want to encourage more independent writing. To do that, we need better tools that embrace microblogs and the advantages of the open web. We need to learn from the success and user experience of social networking, but applied to the full scope of the web.

Indie Microblogging: owning your short-form writing →

I've written lots of stuff about services like Manton's, and the Open Web in general. It's really important that we preserve not just the way the Web used to work, but as Manton says: the way it should work.

Alternatives to macOS

Posted on Tue, 03 Jan 2017 at 02:15 PM

Like lots of passionate Mac users, I've been keeping tabs on the "State of the Mac" discussions in the last few months. I don't feel like I'm as disappointed as most in Apple's hardware, but I do think that macOS could use some real attention as some annoying bugs have slipped into the last few updates to my Mac. I'm still using El Capitan and liking it a lot, and my 2014 13" Retina Macbook Pro is still my favorite computer ever. Overall I'm happy with my setup, but Apple's future for the Mac still worries me.

Wesley Moore (via Michael Tsai)

I deeply value the consistency, versatility, reliability and integration of Mac OS X and the excellent quality hardware it runs on...

Of course even if I make the switch there are a number of possible drawbacks, including but not limited to:

  • The time required to find replacements for all the software I use.
  • The lack of equally high standard replacements for software...

Elementary is stunning and definitely my favourite. It won’t appeal to everyone but their philosophies and direction really resonate with me. Specifically they have:

  • Human Interface Guidelines
  • A primary, native programming language (Vala, no Python and JS \o/).
  • A model for funding ongoing development (Bug bounties, Patreon, asking for payment when downloading).
  • Designers as well as developers on the team.

Just casually looking at Elementary, I have to say I really like the look of it. If I was going to switch right now, which I'm certainly not, I would use Elementary. Actually if I ever want a nice Linux GUI for anything, I'd probably use Elementary.1

The biggest switching cost for me is still the lack of comparable software on any other platform. The Mac's software ecosystem is fantastic (though a lot of people complain about how it could be so much more, it's still the best by a long shot). There just aren't alternatives for most of the fantastic software I have installed on my Mac. I need more than just a good terminal and web browser.

1 I've been using Linux Mint with Cinnamon for over a year at work and I recommend that too. Cinnamon feels more like Windows and it looks like Elementary feels more like a Mac.

Sony MDR Extra-Bass Bluetooth Headphones Review

Posted on Thu, 01 Dec 2016 at 11:12 AM

It's been a long time since I've had a pair of Bluetooth headphones. Years back I had a pair of no-name brand on-the-ear headphones, but they were pretty crappy and would drop out if I moved my head at all to the right. For years I've used Apple's EarPods when I'm out, and a pair of Audio-Technica Closed-back Headphones at work. They're not the most comfortable things, (I can't wear either of them for more than about 2 hours continuously), but they sound great for the price. That said, I've needed good headphones at home for a while, and I knew I'd be going on a trip to Japan this fall, so I'd need to eventually get some new headphones for the plane/train anyway. Eventually, I landed on the fantastically named Sony MDRXB950BT/B Extra Bass Bluetooth Headphones.

My preferred criteria for my new headphones was (in order of preference):

  • Under $200
  • Comfortable
  • Over-the-Ear
  • Bluetooth
  • Noise-Cancelling
  • Foldable

The Sony MDR Headphones fit most of those criteria:

  • Under $200 ✓
  • Comfortable ✓
  • Over-the-Ear ✓
  • Bluetooth ✓
  • Noise-Cancelling ✗
    • at least Noise Dampening ✓
  • Foldable ✗
    • Partially Foldable ✓

Right out of the gate I'll say that these headphones are extremely comfortable to wear, even for long durations, they look great, they pair easily with multiple devices with no random disconnects1, and the battery lasts quite a while. The Bluetooth connectivity seems stable enough and strong enough that I can reliably use the headphones with my phone in another room. Thankfully, the onboard controls are pretty simple and usable, and they don't feel cheap. Everything about these headphones from the ear cuffs, and headband, to the rotating hinges feels sturdy and well built to me.

Sadly there are a few things about the Sonys that don't feel on-par with the stuff I just mentioned. Most importantly, while they do sound decent (more than good enough for my needs) the audio quality isn't as good as I think it should be, and there's an audible hiss from them whenever they're on. It isn't really noticeable if something is playing, (even softly) but it is there, and occasionally I do pick up on it. Just for reference, I've had others listen for the hiss, and most can't hear it (maybe I just have good hearing). On the noise dampening side, the Sonys do block most ambient noise, and were enough for me on the plane, but they don't work any miracles.

Having used them for over two weeks now, including 2 10+ hour flights and multiple 3+ hour long train rides, I can say confidently that I really enjoy these headphones. The comfort alone is huge, and since I'm using them in mostly quiet settings or cafés the lack of noise cancelling doesn't usually matter. The sub-optimal bluetooth audio quality is a shame, but it's not bad. Notably these headphones have a "Bass-Boost" feature. It's not something I need or really want, especially since turning it on makes podcasts instantly unlistenable, but it does its job well.

I'm not an audiophile, but I can say that my Audio Techinicas are better sounding headphones, (and more accurate) but the Sonys are hundreds of times more comfortable, and since they're wireless, I'm fine with that tradeoff.

1 Having never used my Mac with Bluetooth headphones, I have no good baseline for comparison, but iTunes seems to be really buggy when playing over Bluetooth. Occasionally it will refuse to play music after the connection is established, and I have to quit and relaunch. It's ok, it's not like it's 2016 or anything.



Creative Commons License