Today

In which Lukas Reschke explains step-by-step how he got remote code to execute in Atom via Cross-Site Scripting (the specific vulnerability he found was patched in v1.21.1).

Atom happens to be the single most popular Electron project on GitHub. I suspect that, were a study to be done, a large number of Electron apps would be found to be vulnerable to XSS attacks in some shape or form. What makes this angle of attack particularly bad for Electron apps is that injected JavaScript, just like the JavaScript the app’s developer wrote, has full access to the Node.js runtime: in a renderer with Node integration enabled (Electron’s default at the time) the require function is reachable from page script, so an XSS is remote code execution. Lukas demonstrated this by launching the Calculator app via a child process; it’s not hard to think up something far more destructive (or discreet) to run once you have this much access though:

One easy way to [execute malicious JavaScript code], in this case, is by accessing the window.top object and using the NodeJS require function to access the child_process module. The following JavaScript call would open the Mac OS X calculator:

window.top.require('child_process').execFile('/Applications/Calculator.app/Contents/MacOS/Calculator',function(){});
14 December 2017

A paper by Lance Spitzner from back in 2003 in which he explains honeytokens and their huge power-to-simplicity ratio, and provides some good examples.

My highlights

The term honeytoken was first coined by Augusto Paes de Barros in 2003 on the honeypots mailing list.

[…]

A honeytoken can be a credit card number, Excel spreadsheet, PowerPoint presentation, a database entry, or even a bogus login. Honeytokens come in many shapes or sizes, however they all share the same concept: a digital or information system resource whose value lies in the unauthorized use of that resource. Just as a honeypot computer has no authorized value, no honeytoken has any authorized use.

[…]

For example, the credit card number 4356974837584710 could be embedded into a database, file server, or some other type of repository. The number is unique enough that there will be minimal, if any, false positives. A signature for an IDS such as Snort could be used to detect when that honeytoken is accessed. Such a simple signature could look as follows.

# sid and rev added here: Snort rejects a rule without a unique sid (local rules use 1000000 and above); the paper's rule omitted it.
alert ip any any -> any any (msg:"Honeytoken Access - Potential Unauthorized Activity"; content:"4356974837584710"; sid:1000001; rev:1;)

This concept can easily be extended beyond databases. File, web, or email servers can all have honeytokens embedded into them. Anything that has data can easily have additional bogus data added, bogus data that becomes our honeytoken.
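A worked version of the paper’s idea, added here (it is not from Spitzner’s paper or from any IDS): it mints card-shaped honeytokens that pass the Luhn check, then runs the same bare content match the Snort rule performs over a few constructed log lines. The Luhn point is the caveat worth knowing: 4356974837584710 does not validate (its Luhn sum is 89), so an attacker who checks numbers before using them would discard that particular token without ever tripping the alert.

```python
"""Added example (not from Spitzner's paper): mint honeytoken card numbers that
survive a Luhn check, then run the paper's content-match idea over sample data.

Assumptions: the log lines below are constructed for this example; detection is
a plain substring match, the same thing the Snort content: rule does.
"""
import random
import re


def luhn_checksum(digits: str) -> int:
    """Luhn sum of a digit string modulo 10 (0 means the number validates)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) >= 2 and luhn_checksum(digits) == 0


def make_honeytoken(prefix: str = "4356", length: int = 16, seed=None) -> str:
    """Random card-shaped number with the given prefix that passes Luhn.

    An attacker who validates numbers before trying them would discard a token
    that fails the check (the paper's 4356974837584710 is one such number).
    """
    rng = random.Random(seed)
    body = prefix + "".join(rng.choice("0123456789") for _ in range(length - len(prefix) - 1))
    # exactly one check digit makes the whole number validate
    for check in "0123456789":
        if luhn_checksum(body + check) == 0:
            return body + check
    raise AssertionError("unreachable: one check digit always works")


def normalize(text: str) -> str:
    """Strip the separators people and apps put in card numbers (4356 9748 3758 4710)."""
    return re.sub(r"[ \-]", "", text)


def scan(lines, tokens):
    """Return (line_number, token) for every line whose normalized form contains a
    honeytoken. Mirrors the Snort rule: a bare content match, no context needed."""
    hits = []
    for n, line in enumerate(lines, 1):
        flat = normalize(line)
        for tok in tokens:
            if tok in flat:
                hits.append((n, tok))
    return hits


# Constructed sample: two innocent lines, one exfil attempt, one re-spaced copy.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    "db01 query: SELECT name FROM customers WHERE id=42",
    'db01 query: SELECT * FROM cards WHERE pan="4356974837584710"',
    'smtp out: "card 4356 9748 3758 4710 exp 12/19"',
]

if __name__ == "__main__":
    print("paper's number passes Luhn:", luhn_valid("4356974837584710"))
    print("minted token:", make_honeytoken(seed=7))
    for n, tok in scan(SAMPLE_LOG, ["4356974837584710"]):
        print(f"Honeytoken Access - Potential Unauthorized Activity: line {n} token {tok}")
```

Normalizing separators before matching is a choice the Snort rule does not make; it catches a token someone re-spaced or hyphenated, at the cost of a slightly larger false-positive surface than a byte-exact content match.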

13 December 2017

The UX of vague user input and educated guesses

I got an Amazon Echo Dot a couple of months ago — my first voice assistant and the only one I’ve used. I’ve found it to be largely underwhelming on the software front. Maybe I just set my expectations too high because of all the wonderful things the people I follow have been saying about it since its release. The following is neither a rant about nor a full review of the software. It is merely my thoughts on how a specific though frequently used bit of functionality could be improved.

Like many, I keep my Echo in the kitchen. It’s the ideal environment for voice assistants in general and the Echo in particular to shine. Want to play or pause music whilst your hands are covered in flour? Shout at the Echo. Need to add something to the shopping list? Shout at the Echo. Need a timer? Shout at the Echo. Want to be reminded about something? Shout at the Echo.

It’s that last interaction and the ones like it that I feel have huge room for improvement.

Scene: It’s early afternoon and you’ve just received a text from a friend asking if you’re up for a gym session that evening. You are, so you ask your Echo to remind you about it later.

You: “Alexa, remind me to go to the gym at five-thirty.”

A perfect response to this would be something along the lines of “Okay, I’ll remind you”. What we get instead is…

Alexa: “Is that five-thirty in the morning or in the afternoon?”

…which is a reasonable enough clarification to ask for. The issue I have with it is that every time the user forgets to specify whether the reminder is intended for the morning or the afternoon, they are blocked at this point and have to wait for Alexa to stop speaking in order to respond.

The UX of this can be vastly improved by making an educated guess based on the context. What do we know? We know that it’s early afternoon. We know from previous reminders that the user tends to schedule activities of this nature for late afternoon / early evening. Depending on whether or not the user specifies the name of the gym, we may even know that said gym doesn’t open until 9am. From that context, an educated guess can be made that the user means 5:30pm.

Alexa may well get the occasional guess wrong though, which is why you’d append “Did you mean 5:30am?” to the confirmation. That way instead of the above we wind up with this.

You: “Alexa, remind me to go to the gym at five-thirty.”

Alexa: “Okay, I’ll remind you at 5:30 this afternoon. Did you mean 5:30am?”

…and if you did mean “am”…

You: “Yes.”

Alexa: “Okay, I’ll remind you at 5:30am instead.”

With this new way of specifying morning or afternoon, the user can stop listening at the end of the first part of the confirmation if Alexa guessed correctly. Only if the guess was wrong does the user need to have any more interaction with the device, thus completely avoiding both the lingering necessary before “morning” or “afternoon” can be clarified and the need to clarify at all.

At this level, interaction changes that can save the user multiple seconds every time aren’t a dime a dozen. Pick that low hanging fruit.

12 December 2017

Canarytokens is a very cool looking tool built by Thinkst that allows you to easily, and freely, generate and monitor honeytokens.

These tripwires can be set off in a number of ways of your choosing, from a simple GET request all the way to triggering when a specific query is run on your MySQL database. SELECT * FROM user_passwords for example.

A number of helper tools are provided for use with Canarytokens, all of which are described in the linked blog post. The two that seem most interesting to me are the aforementioned MySQL trigger and the FileWatcher trigger which notifies you when a specific file is read.

Canarytokens is open source and self-hosting is made easy thanks to an official Docker image.

11 December 2017

Worry Fatigue

A few years ago, many a tech executive was known to wear the same outfit day in, day out. Perhaps it’s still a thing, I don’t know. Either way, this behaviour was justified as an effort to reduce decision fatigue, a term that denotes the deterioration of one’s decision-making as more and more decisions are made throughout the day.

I’ve had something that I’m dubbing “worry fatigue”[1] on my mind for the past few days. This post is an attempt to clarify some of my thoughts on the matter.


For you to get a perspective on where I’m coming from, it’s worth noting that I’m a country boy through and through. At the ripe old age of 23 I’ve lived a total of about 3½ years in a city — a fairly small one at that.

Looking back on those 3 and a bit years, I now recognise a number of worries that were facts of my day to day city life and the accumulated effect they had on me. (Perhaps “worries” is too strong? “Concerns” maybe. I’ve yet to find the right word.)

These ranged from “did I bolt the door?” being the first question that popped into my head as soon as I started to relax and drift off to sleep, all the way to keeping an eye on the drunk walking towards me as I head home at night. From “I wonder how much the (already ludicrous) rent is going to go up by this time?” to feeling greasy by the time I got to work because the city was so polluted and dirty. The list goes on.

As with the decision making, it isn’t any single one of these small worries that has some great effect on you. Rather, it’s the accumulation of them over time. While decision fatigue is generally talked about in terms of days, I think these worries take a longer time to build up into something psyche-affecting.

For me that time period was about 2½ years. 2½ years of city life saw me ready to get on a plane, train, or automobile. Anything that’d get me out.

It took another year for me to finally put my foot down and say enough’s enough, but I did indeed get out. I went back to the country.


I’ve been home less than a year and a half and I am, not to be too melodramatic, a completely different person (physically, yes, but more to the point of this post) mentally.

Outside of work, my daily worries now more or less amount to “have the animals been fed?” and “what fencing did they manage to break last night?”. I can’t remember the last time I locked the front door at night. I’ve left the keys in the car ignition, the car door, and the house door overnight more times than I’d care to admit. It’s not even on my mind it matters so little. I can actually look up and see the stars at night.

The claustrophobia of the city and the draining “background concerns” it brings have been lifted. I’m as happy as I’ve ever been.

I’ve written on here before about big city tech life not being for everyone. This doesn’t just affect people who work in technology though. Whoever you are and whatever you do, sometimes it’s good to be reminded that there are other options available[2]. Step 1 is to put your foot down.


  1. I’m sure there’s already a proper name for what I’m about to talk about, but where’s the fun in that.
  2. Though admittedly those of us who work in tech are at an advantage thanks to how widely remote working has been embraced.
10 December 2017

Redesign preview

Knackered my foot at practice on Friday so I’ve spent the weekend tinkering with various projects including a potential update for my site. Nowhere near done but I’m pleased with how the header came out.

9 December 2017

This post was written in MarsEdit and is destined for a static blog that’s generated by Hugo. Once I click “Send to Blog” the rest should be handled by the server, which’ll create the markdown file, regenerate the site, sync the new markdown file to Google Drive and finish up by pinging Micro.blog so that the post shows up in a timely manner. Let’s see if this works…

8 December 2017

Progress report on Hugo + MarsEdit: all post frontmatter is being parsed, loaded and saved correctly, posts are displayed in the correct order & post editing works.

6 December 2017

My imagination or do blogrolls seem to be slowly creeping their way back onto people’s sites? I’ve seen quite a few recently, but that may just be down to the fact that I’ve been visiting more blogs written by IndieWeb folk.

5 December 2017

Heard about miniflux on Micro.blog a couple of days ago and spent some time installing it on my own server this evening. Impressed so far. It’s not pretty but it’s very fast, and its compatibility with the old Fever API means that it can be used in the likes of Reeder and I never have to see the web UI.

4 December 2017

I set Firefox 57 — the new version with the overhauled browsing engine — as my default browser this morning, replacing Chrome.

The same 4 extensions are installed on every browser I use: Ghostery, uBlock Origin, HTTPS Everywhere and a fourth that provides Vim keybindings. In Chrome, that plugin has always been Vimium.

Vimium is available for Firefox, but it isn’t yet compatible with version 57. In fact, after looking around a little, most Vim keybinding plugins seem to be incompatible with version 57.

My search eventually led me to Saka Key, the pot of gold at the end of the rainbow. It’s fast (not that that was ever a problem with Vimium), open source, configurable, well designed (that was a problem with Vimium), and supports the same bindings as Vimium[1]. It even has a Chrome version.


  1. Vimium’s bindings aren’t the default ones. To use them, go to “Add Ons” → “Saka Key” → “Preferences” and choose “vimium” from the dropdown next to the “Keybindings” heading.

The scripts I use for blogging with Vim and Hugo

Nearly 4 months ago to the day I set up a publishing workflow for this site that allows me to create, update, and delete content via Google Drive. It’s a setup that has worked flawlessly for me.

In my quest to streamline the blogging process as much as possible, I also wrote a couple of scripts around the same time. The first creates a new post; the second publishes the post currently open in Vim. These too have worked very well, so let’s take a look at them.


2 December 2017

Can’t remember the last time winter started so harshly here. Dropped to -9°C last night. Currently -8°C and falling with high winds to boot.

698e5ee94d

23 November 2017
You can keep up to date with new posts by subscribing to the RSS Feed or by following me on Micro.blog.