Dog Run

Mar 30, 2020 1 min.

Today marks the beginning of my 4th week of social distancing, so I thought it might be nice to uplift spirits by writing about my aspirations to create a 3D game. I have obtained a copyright release from my employer for this effort based on the following project description: I would like to develop random dog agility courses and then play as the dog running through the course.

Tequila Screwdriver

Aug 29, 2016 1 min.

I had some leftover orange juice from my Sunday morning mimosas and an almost empty bottle of tequila - so I made something that wasn’t terrible. 2 oz tequila, 2 oz orange juice, 2 dashes of bitters, 1 Tbsp grenadine. Shake & pour over ice, topping off with club soda. Apparently this is basically a Tequila Sunrise but different. I’d like to think that the addition of club soda makes it more fun and refreshing!

Key pinning in Golang

Jun 13, 2016 2 min.

Key pinning is a technique that can protect clients from rogue or compromised certificate authorities [1, 2, 3]. If you have control over the client and the server, you can bake the server’s public key into the client and bypass (or supplement) trust in certificate authorities. Many mobile applications on iOS and Android do this using libraries such as AFNetworking, TrustKit, and AndroidPinning. The Chrome and Firefox web browsers also allow pinning with pre-loaded pins and support for the HTTP Public Key Pinning (HPKP) protocol.

keybase and github commits

Apr 18, 2016 2 min.

Now that GitHub visualizes signed commits, I wanted to start using my keybase pgp key to sign commits. Unfortunately my keybase key had a single uid of tam7t@keybase.io which is not actually a real email address. This prevented GitHub from showing commits signed with that key as verified. Thankfully, it is easy to add a second uid to your public key and not have to struggle with keybase’s new key model.

SSH keys on a yubikey

Dec 27, 2015 3 min.

There is something oddly satisfying about having my private ssh keys only on a hardware device where they cannot be directly accessed. For the past 6 months I’ve been using a yubikey for SSH access to my servers and GitHub. In this configuration the private key only exists on the yubikey and cannot be transferred to the host computer. All cryptographic operations that require the private key are performed on the yubikey.

MailChimp Information Disclosure

Jun 27, 2015 2 min.

Earlier this year I was working on a MailChimp integration for my “Real Job” and spent the evening poking around their application. I found a few small things that, when combined, allow a man-in-the-middle to view a user’s entire MailChimp account data (including lists of their subscribers and campaigns). Cross Site Request Forgery: I first noticed that the account data export endpoint had no CSRF protections. The following HTML, served from any website, would trigger an export for users who are logged into MailChimp.

Cucumber Mint Margarita

May 4, 2015 1 min.

The warm weather this weekend in New York City put me in the mood for margaritas. This, combined with the 5 hours of pre-Kentucky Derby coverage, inspired me to make a mint version of a cucumber, jalapeño, cilantro margarita that I used to enjoy back in San Antonio. Here is the result. In your Boston Shaker, muddle: ~5/6 slices cucumber, ~8 mint leaves, 1.5 Tbsp agave nectar (I used 2 Tbsp and it seemed a bit sweet). Add the juice of 1 lime and 4 oz tequila (white).

Vimeo account takeover

Apr 3, 2015 2 min.

A while back I was playing around with the OAuth2 spec and discovered a flaw in how Vimeo associates Facebook accounts. Their Facebook connect callback URL was vulnerable to a Cross Site Request Forgery, allowing an attacker to connect their Facebook account with a victim’s Vimeo account. Background: If you try to connect a Facebook account to your Vimeo account, Vimeo sends you to the following URL: https://www.facebook.com/v2.1/dialog/oauth?client_id=19884028963&redirect_uri=https%3A%2F%2Fvimeo.com%2Fsettings%2Fapps%3Faction%3Dconnect%26service%3Dfacebook&scope=email,public_profile,publish_actions,user_friends&state=f599e2d1b07d64214116415646a6a653 Once you accept the authorization prompt, Facebook returns an HTTP 302, redirecting you back to Vimeo’s redirect_uri along with a code that Vimeo uses to access your Facebook info and associate the accounts.

Golang range and pointers

Mar 18, 2015 3 min.

I’ve encountered bugs using pointers inside a range loop twice in the past few weeks. It seems like an easy/common mistake that is worth sharing.

an example

In this example a producer tries to pass pointers across a channel to a consumer.

    package main

    import "fmt"

    func main() {
        input := [5]int{1, 2, 3, 4, 5}
        c := make(chan *int, 0)

        // producer
        go func() {
            for _, val := range input {
                c <- &val
            }
            close(c)
        }()

        // consumer
        for val := range c {
            fmt.

Rails autoload and eager load paths

Jan 28, 2015 2 min.

How Rails finds and loads classes when using autoload_paths and eager_load_paths can be pretty confusing. This post is the best that I’ve read on the topic, but there are a few things that I think are worth explaining more. autoload_paths: This helps Rails locate where an unknown constant is defined. So if it encounters the constant Foo::Bar::Baz, it knows to look for it in foo/bar/baz.rb. That is why you only need to add lib/, instead of lib/**/*, to the paths.