Section: Posts

June Dogrun Progress

Jun 14, 2020 2 min.

I have a playable demo of DogRun! Complete the obstacle course as fast as possible using these controls:

Action      Key
Forward     w
Backward    s
Left        a
Right       d
Jump        space
Restart     r

This was built using the Godot game engine and all of the assets were built with Blender. Future improvements include more obstacles: a seesaw, a fabric tunnel, and maybe a bridge.

The Dog Lives

May 7, 2020 1 min.

I’ve been working hard on #dogrun all April and finally have something to share! It’s pretty incredible the amount of free resources online to learn 3d modeling and game development. Jayanam on YouTube has been very helpful reference material when dealing with Godot, and since I remain committed to making this game Hand Crafted In Brooklyn I’ve also invested in some 3d modeling courses. It turns out your model looks more like a dog if you use a reference image.

Dog Run

Mar 30, 2020 1 min.

Today marks the beginning of my 4th week of social distancing, so I thought it might be nice to uplift spirits by writing about my aspirations to create a 3d game.

Fig 1

I have obtained a copyright release from my employer for this effort based on the following project description: I would like to develop random dog agility courses and then play as the dog running through the course.

Tequila Screwdriver

Aug 29, 2016 1 min.

I had some leftover orange juice from my Sunday morning mimosas and an almost empty bottle of tequila - so I made something that wasn’t terrible.

2 oz tequila
2 oz orange juice
2 dashes of bitters
1 Tbsp grenadine

Shake & pour over ice, topping off with club soda. Apparently this is basically a Tequila Sunrise but different. I’d like to think that the addition of club soda makes it more fun and refreshing!

Key pinning in Golang

Jun 13, 2016 2 min.

Key pinning is a technique that can protect clients from rogue or compromised certificate authorities [1, 2, 3]. If you have control over the client and the server, you can bake the server’s public key into the client and bypass (or supplement) trust in certificate authorities. Many mobile applications on iOS and Android do this using these libraries:

AFNetworking
TrustKit
AndroidPinning

The Chrome and Firefox web browsers also allow pinning with pre-loaded pins and support of the HTTP Public Key Pinning (HPKP) protocol.

keybase and github commits

Apr 18, 2016 2 min.

Now that GitHub visualizes signed commits, I wanted to start using my keybase pgp key to sign commits. Unfortunately my keybase key had a single uid of tam7t@keybase.io which is not actually a real email address. This prevented GitHub from showing commits signed with that key as verified. Thankfully, it is easy to add a second uid to your public key and not have to struggle with keybase’s new key model.

SSH keys on a yubikey

Dec 27, 2015 3 min.

There is something oddly satisfying about having my private ssh keys only on a hardware device where they cannot be directly accessed. For the past 6 months I’ve been using a yubikey for SSH access to my servers and github. In this configuration the private key only exists on the yubikey and cannot be transferred to the host computer. All cryptographic operations that require the private key are performed on the yubikey.

MailChimp Information Disclosure

Jun 27, 2015 2 min.

Earlier this year I was working on a MailChimp integration for my “Real Job” and spent the evening poking around their application. I found a few small things that, when combined, allow a man-in-the-middle to view a user’s entire MailChimp account data (including lists of their subscribers and campaigns).

Cross Site Request Forgery

I first noticed that the account data export endpoint had no CSRF protections. The following HTML, served from any website, would trigger an export for users who are logged into MailChimp.

Cucumber Mint Margarita

May 4, 2015 1 min.

The warm weather this weekend in New York City put me in the mood for margaritas. This, combined with the 5 hours of pre-Kentucky Derby coverage, inspired me to make a mint version of a cucumber, jalapeño, cilantro margarita that I used to enjoy back in San Antonio. Here is the result. In your Boston Shaker, muddle:

~5 / 6 slices - Cucumber
~8 - Mint leaves
1.5 Tbsp - Agave Nectar (I used 2 Tbsp and it seemed a bit sweet)

Add the juice of 1 lime and 4oz tequila (white).

Vimeo account takeover

Apr 3, 2015 2 min.

A while back I was playing around with the OAuth2 spec and discovered a flaw in how Vimeo associates Facebook accounts. Their Facebook connect callback URL was vulnerable to a Cross Site Request Forgery, allowing an attacker to connect their Facebook account with a victim’s Vimeo account.

Background

If you try to connect a Facebook account to your Vimeo account, Vimeo sends you to the following URL:

https://www.facebook.com/v2.1/dialog/oauth?client_id=19884028963&redirect_uri=https%3A%2F%2Fvimeo.com%2Fsettings%2Fapps%3Faction%3Dconnect%26service%3Dfacebook&scope=email,public_profile,publish_actions,user_friends&state=f599e2d1b07d64214116415646a6a653

Once you accept the authorization prompt, Facebook returns an HTTP 302, redirecting you back to Vimeo’s redirect_uri along with a code that Vimeo uses to access your Facebook info and associate the accounts.