Did Little Bobby Tables migrate to Sweden?

Posted by Jonas Elfström Thu, 23 Sep 2010 20:36:00 GMT

As you may have heard, we've had a very close election here in Sweden. Today the Swedish Election Authority published the handwritten votes. While scanning through them I happened to notice:

R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

The second to last field[1] is the actual text on the ballot[2]. Could it be that Little Bobby Tables is all grown up and has migrated to Sweden? Well, it's probably just a joke, but even so it raises questions, since an SQL injection on election data would be very serious.

Someone even tried to get some JavaScript in there:

R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1

I'm pleased to see that they published the list as text and not HTML. This hacker/joker voter seems to think[3] they "censored" his vote/script. I'm not so sure about that; a more reasonable explanation is that they couldn't enter brackets, quotation marks, and so on.

There are also a couple of URLs to online retailers and three votes for a conspiracy-friendly site. I chose not to link to any of those.

This time the pen and paper scripting attack failed. Let's hope it stays that way.


PS. Someone noticed that there are no votes from Stockholm in there right now (2010-09-24). I asked the Swedish Election Authority about this and it turns out that The County Administrative Board (Länsstyrelsen) gets two months to register all the handwritten votes. There's a good chance that those will bring more attempts like the ones above. DS.

EDIT 2010-09-24
Links:
Aftonbladet DN SvD Expressen SVT - all in Swedish.
Slashdot BBC Wired

[1] The name of the party, not the name of a person.
[2] Almost all Swedish voters use the preprinted ballots, but you are allowed to write your own by hand.
[3] The site disappeared after this post was published.
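The records quoted above are semicolon-delimited, with the ballot text second to last. As an added example (mine, not part of the post, using Python and sqlite3), this parses such records and stores them with parameterized statements, so the ballot text is data and never reaches the SQL parser; the third record, the table name and column layout are constructed for the example.

```python
import sqlite3

# Constructed sample input: the first two lines are the records quoted in the
# post, the third is made up here and carries an apostrophe on purpose.
RECORDS = [
    "R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1",
    "R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1",
    "R;99;Exempel län;99;Exempelstad;99;Exempel valkrets;9999;Exempel 9;O'Briens parti;1",
]


def parse_record(line):
    """Split one 'R' record into the fields used below; the layout (11 fields,
    ballot text second to last, vote count last) is taken from the quoted lines."""
    fields = line.split(";")
    if len(fields) != 11 or fields[0] != "R":
        raise ValueError("unexpected record layout: %r" % line)
    return {"county": fields[2], "municipality": fields[4],
            "district": fields[8], "party_text": fields[-2], "votes": int(fields[-1])}


def store_votes(conn, lines):
    """Insert every record with bound parameters; returns the number stored."""
    conn.execute("CREATE TABLE valj (county TEXT, municipality TEXT, district TEXT, "
                 "party_text TEXT, votes INTEGER)")
    rows = [parse_record(line) for line in lines]
    conn.executemany("INSERT INTO valj VALUES (?, ?, ?, ?, ?)",
                     [(r["county"], r["municipality"], r["district"],
                       r["party_text"], r["votes"]) for r in rows])
    return len(rows)


def stored_party_texts(conn):
    """Reads the ballot texts back; succeeds only if the table still exists."""
    return [row[0] for row in conn.execute("SELECT party_text FROM valj ORDER BY rowid")]


def naive_insert_breaks(text):
    """Contrast case: splicing the text into the SQL string. Returns True when
    sqlite rejects the statement, i.e. the text changed the query's structure."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valj (party_text TEXT)")
    try:
        conn.execute("INSERT INTO valj VALUES ('%s')" % text)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = sqlite3.connect(":memory:")
    count = store_votes(conn, RECORDS)
    return count, stored_party_texts(conn)
```

With bound parameters all three texts round-trip unchanged and the table survives; the naive version only breaks on the constructed apostrophe, which is consistent with the quoted ballot containing nothing that could terminate a string literal.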

A simple loop

Posted by Jonas Elfström Mon, 21 Jun 2010 19:56:00 GMT

There's more than one way to skin a cat and the same is true for looping in Ruby. This is a silly post with a silly number of ways to print the integers from 1 to 10.

If you're a BASIC-programmer and are getting your feet wet with Ruby, you might end up with something like this.

i = 1
while i <= 10 do
  puts i
  i += 1
end


Neither that nor the following for-loop is the usual Ruby way of looping.

for i in 1..10
  puts i
end


Instead, Rubyists often iterate over ranges or arrays with each.

(1..10).each {|i| puts i }


But for simple integer loops like this, we also have upto

1.upto(10) {|i| puts i }


and times.

10.times {|i| puts i+1}


Here's where I should've stopped but I can't help myself, I just have to show off with some Symbol#to_proc "magic".

(0..10).inject(&:p)


The above works because p is an alias of puts and & converts the symbol :p to a proc that is called with the numbers in the range as parameters.

The alias p also gives us, what I think has to be, the shortest possible way.

p *1..10


You could argue that it's a bad thing that there are so many ways to do something as simple as this. But I see no big problem here, if any at all, even though these are hardly all possible ways to loop over integers in Ruby.

Blog comment spam taken to the next level?

Posted by Jonas Elfström Wed, 19 May 2010 21:01:00 GMT

Only days after starting this barely visited blog the comment spammers showed up. I activated Akismet and it solved my problem for a while. Over time the spamming got worse and although almost no spam actually showed up on the blog, my fear of false positives still forced me to remove the spam manually. Not my idea of fun.

I then activated a very simple hurdle: I required JavaScript to be able to post comments. Well, not really; what Typo actually did was expect the HTTP header X-Requested-With: XMLHttpRequest. That worked flawlessly for about three years. Just six weeks ago I noticed the first spambots including the needed header to pass through. Almost all posted stupid drug ads that Akismet easily identified as spam. The situation was still under control.

Yesterday something completely new happened. I got a comment on an old post about my admiration of Ira Glass and This American Life. The comment seemed believable enough and it passed the spam filter. Still, the link at the end undeniably identified it as spam. Then there was another, and another, and up until now a total of six spam comments in the new and more advanced format. I'm still not sure if these are scripted but it seems an awful lot of work if they are actually manually typed.

And also these on a post about infinite ranges in C#:

I'm kind of bothered by the ones that both refer to the content of the post and at the same time mention that it's not about programming like most of my posts are.

Are these human or machine made? A clever combination? Also, if you happen to be a spambot and actually answer this then I guess I will have to congratulate you for passing the Turing test.

PS. They spammed from 110.0.0.0 - 110.255.255.255 so if you happen to have problems with the same spammers and aren't worried about blocking the Philippines then you know what to do. DS.

JavaScript hash table keys

Posted by Jonas Elfström Fri, 05 Mar 2010 16:42:00 GMT

In JavaScript you can add properties to objects dynamically. You can access those properties both as object.foo and as object['foo']. The latter is commonly used to treat JavaScript objects as hash tables (associative arrays).

While implementing a simplistic unique random number generator I happened to use keys(obj). Unfortunately keys(obj) is part of ECMAScript 5. See chapter 15.2.3.14 in ECMA-262. The web browsers of today mostly implement ECMAScript 3.

Here's an implementation of keys(obj) for ECMAScript 3 browsers (tested in Google Chrome, IE8 and Firefox 3.5). If the browser already has a keys function then nothing will be done.

if (typeof keys == "undefined")
{
  var keys = function(ob)
  {
    var props = [], k;  // declared locally; the original leaked props and k as globals
    // Own properties only, so inherited members added to Object.prototype are skipped.
    for (k in ob) if (ob.hasOwnProperty(k)) props.push(k);
    return props;
  };
}


The simplistic unique random number generator looks like this

function uniqueRndNumbers(min, max, quantity) {
  // Guard added: asking for more distinct values than the range holds would loop forever.
  if (quantity > max - min + 1) throw new RangeError("quantity exceeds the size of the range");
  var ht = {}, i = quantity;
  // Keep drawing until the object holds `quantity` distinct keys; duplicates just overwrite.
  while (i > 0 || keys(ht).length < quantity)
    ht[Math.floor(Math.random() * (max - min + 1)) + min] = i--;
  return keys(ht);  // note: property names come back as strings, not numbers
}


This function has not undergone any serious testing. Also if the quantity is more than a fraction of (max-min) then another algorithm like the Fisher–Yates shuffle might be a better choice.
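The approach above and the Fisher–Yates alternative the post mentions, side by side as an added example of mine (written in Python with a seedable generator rather than the post's JavaScript): the ported version counts its draws so the collision cost near quantity == range size is visible, while the partial Fisher–Yates version makes exactly quantity draws. The sparse-dict stand-in for the array and the quantity > range guard are my additions.

```python
import random


def unique_random_numbers(lo, hi, quantity, seed=None):
    """Port of the post's approach: keep drawing until `quantity` distinct
    values have been seen. Returns (values, draws) so the cost is visible."""
    rng = random.Random(seed)
    span = hi - lo + 1
    if quantity > span:  # guard added here; the original would loop forever
        raise ValueError("cannot pick %d distinct values from %d" % (quantity, span))
    seen = {}
    draws = 0
    while len(seen) < quantity:
        seen[rng.randint(lo, hi)] = True  # a duplicate just overwrites, like ht[key] = i
        draws += 1
    return list(seen), draws


def unique_random_numbers_fy(lo, hi, quantity, seed=None):
    """Partial Fisher-Yates over lo..hi: exactly `quantity` draws, no retries.
    A sparse dict stands in for the array, so the full range is never built."""
    rng = random.Random(seed)
    span = hi - lo + 1
    if quantity > span:
        raise ValueError("cannot pick %d distinct values from %d" % (quantity, span))
    slot = {}  # index -> value currently parked there (default: the index itself)
    picked = []
    for i in range(quantity):
        j = rng.randint(i, span - 1)
        vi, vj = slot.get(i, i), slot.get(j, j)
        slot[i], slot[j] = vj, vi  # swap; position i is now final
        picked.append(lo + vj)
    return picked, quantity
```

Asking for the whole range (quantity == max - min + 1) makes the difference obvious: the first version needs far more than quantity draws to collect every value, the second needs exactly quantity.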

Ira Glass on Storytelling

Posted by Jonas Elfström Wed, 03 Feb 2010 22:48:00 GMT

When a new episode of This American Life is made available, that is the first thing I listen to. There are a lot of great podcasts out there, but if I had to choose only one, I think I would go for This American Life (sorry RadioLab, I love you). Recently I learned that the host and producer of the show, Ira Glass, can be found on YouTube talking about storytelling. He covers how he thinks you should tell a story for a radio/TV show. I can recognize how the show follows that narrative structure, but that doesn't take anything away from the fact that it's excellent and that a lot of hard work and talent is put into it.

Ira Glass on Storytelling #1

Ira Glass on Storytelling #2

Ira Glass on Storytelling #3

Ira Glass on Storytelling #4
