SCOTUS: Florida handed out cruel & unusual sentences

The Supreme Court today ruled that juveniles cannot be sentenced to life without parole for nonhomicide crimes. Good. How does Florida fit in the picture? Seventy-seven of the 129 American juveniles sentenced to LWOP are in Florida. Either Florida’s teens are the most evil in the nation or something in the CJS is wrong. Today it’s slightly less wrong.

Fun fact: Florida eliminated parole in 1983.

Update: I’m hesitantly changing my mind on this decision. I think good will come of the attention it (and FL’s CJS) receives, but I don’t think it was necessarily correct. Whether the victim(s) of a crime happen to all survive—even if left for dead—is as much an arbitrary delimiter as whether the offender was just shy of 18 when the crime was committed. The case before the court presented one of the obvious examples of FL’s sentencing inflation, but the decision isn’t going to fix that. FL prosecutors can continue to request just barely short of life sentences. If anything will “fix” it, it’ll be the cost of continuing to build prisons.

Scathing AP Editorial on U.S. Drug War

AP IMPACT: US drug war has met none of its goals

This writer is obviously on fire about this issue, and while I appreciate the fact that it will expose more people to the wider effects and history of our drug policy, it’s simply unfair to claim that the drug war has met no goals. If the goal of drug prohibition was to completely wipe out drug usage, then sure, complete failure, but many people support prohibitions to keep prevalence of usage below a certain threshold, and they do work for that. The data in Drug War Heresies pretty clearly suggests that commercialization increases use, and illegality provides a non-zero deterrent to purchase and to use for a large part of the population. In that aspect, prohibitions very much likely have kept usage down.

That said, there are a lot of goals to public policy, and in the grand scheme of things, basing a drug policy mostly on reducing the prevalence of mainly marijuana use has had some horrible outcomes that have gone mostly unmeasured and unreported. Thankfully that’s starting to change.

I hope to give my thoughts on the White House’s new “strategy” soon. The Good: some real improvements in goal-setting, promotion of proven ideas in parole/probation reform. The Bad: more federal dollars towards drug law enforcement; no explicit goals of measuring/reducing the use of militaristic SWAT-style policing; more, more, more foreign meddling shown mostly to cause a lot of harm to foreigners with little evidence of utility in the U.S.

Skate 3 Could Use a Light

Skate 1 was and remains awesome. EA delivered an amazing city in Skate 2, but tinkered with the mechanics, breaking a perfect thing in my opinion. I eventually re-bought S2 and it’s OK, but returning to S1 always feels like switching to a pair of well-worn in skate shoes—skating is easier when you can feel the board and not slip around it. S2 brought better filming options (downloadable content $$$!), but turning now looks terrible, as do no-complies and most of the other junk they added.

Dan Drehobl with cigarette in Skate 3

For S3 it looks like the Black Box team have broken new ground to bring you…skating with a cigarette.

Dan Drehobl’s a great skater—who in interviews wishes he could quit smoking—but after playing the S3 demo, I wish whatever time was spent modeling his cigarette would’ve been squeezed into bringing back the feel of S1. Was Skate really missing darkslides, underflips, and an “easy” mode? The Skate world continues to look less like the real world and more like a skate park.

And what’s with killing the Skate Reel upload servers for a game only 3 years old? Can I get more bitter and nostalgic?

Bookmarklet and PHP to prevent Shibboleth-related Firefox Lockouts

Reason this might be useful.

/*
 * Remove all _shibstate cookies if there are too many of them. This usually
 * occurs due to Firefox session restores. Unfortunately we don't know which is
 * the active state cookie, so we have to delete them all, but this is a lesser
 * crime than locking the user out with server errors.
 *
 * In an app a good time to call this is when a user is not logged in or has an
 * expired app session. This way we can clean up their cookies before forwarding
 * them to the shib login process. Also after logout you'll want to call this
 * with parameter 0 to always remove them.
 *
 * @param int $allowableStateCookies if the number of _shibstate cookies
 * exceeds this, they will all be removed.
 */
function Shibboleth_preventFirefoxLockout($allowableStateCookies = 10)
{
    $stateKeys = array();
    foreach ($_COOKIE as $key => $val) {
        if (0 === strpos($key, '_shibstate')) {
            $stateKeys[] = $key;
        }
    }
    if (count($stateKeys) > $allowableStateCookies) {
        foreach ($stateKeys as $key) {
            setcookie($key, '', time() - 3600, '/');
        }
    }
}

Here’s a bookmarklet that essentially does the same thing: Fix Shibboleth Lockout

Google’s School for Hackers

Google is offering programmers their own personal sandbox application—called Jarlsberg—and hints of how to exploit the common vulnerabilities purposefully left in it. Although Google is basically walking folks through how to attack apps, publicizing this info is a necessary evil in order to build safer programmers. We have to start thinking of each line of code, cookie, HTTP request, and configuration option as another attack surface.

The table of contents lists the who’s who of vulnerabilities (though there are a lot more out there). No one would have even dreamed of several of these attacks a few years ago, so the sad reality is that the web is chock full of vulnerable “legacy” apps just waiting to be exploited—unless we can fix them in time.

  • Cross-Site Scripting (XSS)
    • XSS Challenges
    • File Upload XSS
    • Reflected XSS
    • Stored XSS
    • Stored XSS via HTML Attribute
    • Stored XSS via AJAX
    • Reflected XSS via AJAX
    • More about XSS
  • Client-State Manipulation
    • Elevation of Privilege
    • Cookie Manipulation
  • Cross-Site Request Forgery (XSRF)
    • XSRF Challenge
    • More about preventing XSRF
  • Cross Site Script Inclusion (XSSI)
    • XSSI Challenge
  • Path Traversal
    • Information disclosure via path traversal
    • Data tampering via path traversal
  • Denial of Service
    • DoS – Quit the Server
    • DoS – Overloading the Server
    • More on Denial of Service
  • Code Execution
    • Code Execution Challenge
    • More on Remote Code Execution
  • Configuration Vulnerabilities
    • Information disclosure #1
    • Information disclosure #2
    • Information disclosure #3
  • AJAX vulnerabilities
    • DoS via AJAX
    • Phishing via AJAX
  • Other Vulnerabilities
    • Buffer Overflow and Integer Overflow
  • SQL Injection

Another Great Drug War Moment

From Radley Balko:

In February, I wrote the following about a drug raid in Missouri:

SWAT team breaks into home, fires seven rounds at family’s pit bull and corgi (?!) as a seven-year-old looks on.

They found a “small amount” of marijuana, enough for a misdemeanor charge. The parents were then charged with child endangerment.

So smoking pot = “child endangerment.” Storming a home with guns, then firing bullets into the family pets as a child looks on = necessary police procedures to ensure everyone’s safety.

Just so we’re clear.

Now there’s video, which you can watch below. It’s horrifying, but I’d urge you to watch it, and to send it to the drug warriors in your life. This is the blunt-end result of all the war imagery and militaristic rhetoric politicians have been spewing for the last 30 years—cops dressed like soldiers, barreling through the front door middle of the night, slaughtering the family pets, filling the house with bullets in the presence of children, then having the audacity to charge the parents with endangering their own kid…

There are 100-150 of these raids every day in America, the vast, vast majority like this one, to serve a warrant for a consensual crime.

But Jonathan Whitworth won’t be smoking that pot they found in his possession. So I guess this mission was a success.

Uh-Oh: Firefox’s Unique Session Cookie Behavior

By now, Opera’s invention of automatically restoring tabs is available in most browsers, but unlike every other browser, Firefox’s restored tabs retain their session cookies; in fact, Firefox restores all session cookies as if the browser were never closed. This is handy in some ways, but dangerous in others:

It’s fooling web developers by breaking a very old and widely-known convention. Since Netscape’s original spec (around 1994), a cookie with an empty or missing expires attribute was to be discarded “when the user’s session ends” (later clarified as “when the user agent exits” in RFC 2109), and thousands of prominent web pages describe “session cookies” this way.

A common session design pattern uses a persistent cookie to establish low-level identity info and a session cookie for full authentication. Developers may not know that their full auth period may be lasting days or weeks, including trips to insecure wifi spots, browsing by multiple users, etc.

It’s fooling users. No one thinks of a single browsing “session” as encompassing several days of browser usage just because the same tabs were open, and users frequently read that they need to simply exit their browser to ensure their session is ended.

Recommendations

  • Be aware that Firefox session cookies can linger for days, despite the user having closed their browser.
  • Manage session timeouts on the server-side and/or via HMAC-signed timestamp values in the cookie contents (don’t let the client decide how long a session should last).
  • If you can, include secure in the cookie header: at the time of writing, Firefox did not restore HTTPS-only session cookies. Realize that in later FF versions, “secure” cookies are also restored.
  • If you give out session cookies with unique names, have your application clean these up when they’re no longer needed. If you don’t, your Firefox users could suffer from…
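One way to follow the second recommendation, as an added example rather than code from the original post: the server signs the expiry into the cookie value with an HMAC and re-checks it on every request, so a cookie that Firefox hands back days later is still rejected. The cookie name app_auth, the 30-minute TTL, the server-side $key and the user id are assumptions.

```php
<?php
// Added example, not from the original post: a session cookie whose expiry is
// fixed by the server and protected by an HMAC, so a Firefox session restore
// (or a client editing the cookie) cannot extend the authenticated period.
// Cookie name, TTL and the key are assumptions for illustration.

const AUTH_COOKIE = 'app_auth';
const AUTH_TTL    = 30 * 60; // 30 minutes of validity, decided server-side

function issueAuthCookieValue(string $userId, string $key, int $now): string
{
    $expires = $now + AUTH_TTL;
    $payload = $expires . '|' . $userId;
    $mac = hash_hmac('sha256', $payload, $key);
    // MAC goes first so the user id may safely contain '|'.
    return $mac . '|' . $payload;
}

/** Returns the user id when the cookie is genuine and unexpired, else null. */
function validateAuthCookieValue(?string $value, string $key, int $now): ?string
{
    if ($value === null) {
        return null;
    }
    $parts = explode('|', $value, 3);
    if (count($parts) !== 3) {
        return null;
    }
    [$mac, $expires, $userId] = $parts;
    if (!preg_match('/^[0-9]+$/', $expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $expires . '|' . $userId, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or tampered value
    }
    if ((int) $expires < $now) {
        return null; // expired, however long the browser kept the cookie
    }
    return $userId;
}

// Issuing it as a session cookie (no expires) with secure and httponly set:
// setcookie(AUTH_COOKIE, issueAuthCookieValue('jane', $key, time()), 0, '/', '', true, true);
// Checking on each request:
// $userId = validateAuthCookieValue($_COOKIE[AUTH_COOKIE] ?? null, $key, time());
```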

Cookie Accumulation Torment

This annoying situation occurs when Firefox gains so many local cookies that the web server begins to deny all your requests. Deleting some or all these cookies is the only way to fix the issue because—yay—the problem session cookies persist across browser, and even OS, restarts.

Big Shibboleth Implications

If your Shibboleth-authenticating app maintains its own session, make sure that the “sign out” function searches for and deletes the local Shibboleth cookies (or that the SP sets only “secure” cookies). Otherwise this could happen:

  1. Jane “signs out”, closes Firefox, and lends her computer to Sally.
  2. Sally opens Firefox and clicks “sign in”.
  3. Sally is instantly authenticated into Jane’s account!

Jane’s application session was over, but Firefox allowed her Shibboleth session to live on.

Also, since Shibboleth gives out uniquely-named session cookies (prefixed with _shibstate), failing to clean these up will lead Firefox users into the aforementioned torment. If the user keeps an app open all day every day, count on her gaining at least one cookie per day.

Real Shocker: Drug Enforcement Increases Violence

Remember Calderón’s It’s-OK-if-criminals-kill-criminals argument? In light of the new study that finds increasing drug enforcement increases violence, our last drug czar weighed in:

The former drug czar, John Walters, said the researchers gravely misinterpret drug violence. He said spikes of attacks and killings after law enforcement crackdowns are almost entirely between criminals, and therefore may, in a horrible, paradoxical way, reflect success.

If only we could regulate more behaviors with so much bloodshed.

[via Pete Guither]

New Bass

Ibanez AGB140 Bass

Craigslist comes through with a huge step up from my crummy Precision bass knockoff. Sounds golden, great action (a joy to play), even volume & tone all across the fretboard. Love it.