Cult of Done

August 30th, 2010 | 8,675 views | 4 Comments » |

Dear Members of the Cult of Done,

I present to you a manifesto of done. This was written in collaboration with Kio Stark in 20 minutes because we only had 20 minutes to get it done.

The Cult of Done Manifesto

  1. There are three states of being. Not knowing, action and completion.
  2. Accept that everything is a draft. It helps to get it done.
  3. There is no editing stage.
  4. Pretending you know what you’re doing is almost the same as knowing what you are doing, so just accept that you know what you’re doing even if you don’t and do it.
  5. Banish procrastination. If you wait more than a week to get an idea done, abandon it.
  6. The point of being done is not to finish but to get other things done.
  7. Once you’re done you can throw it away.
  8. Laugh at perfection. It’s boring and keeps you from being done.
  9. People without dirty hands are wrong. Doing something makes you right.
  10. Failure counts as done. So do mistakes.
  11. Destruction is a variant of done.
  12. If you have an idea and publish it on the internet, that counts as a ghost of done.
  13. Done is the engine of more.

from Bre Pettis – The Cult of Done. Via Soleio.

4 Comments | Leave a comment » More posts about: Stanford

Using CSS3 to add reflection to an iframe

August 28th, 2010 | 9,454 views | 11 Comments » |

Mozilla just landed a really cool new extension to the CSS background-image property in the Firefox 4 nightlies. The new extension allows you to use arbitrary DOM elements as background images. The syntax looks like this:

#iWantBackground {
    background: -moz-element(#sourceElementID);
}

-moz-element lets you use virtually any element as a background, including iframes and canvas elements. I wanted to play around with it a bit, so I hacked a quick demo of an iframe with a live-updating reflection. It borrows heavily from the code in this excellent article.

Demo
(Works in Firefox 4)

Read the rest of this entry »

11 Comments | Leave a comment » More posts about: Hacks

Detect Proxy Usage in Firefox

August 22nd, 2010 | 6,159 views | 13 Comments » |

I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.

It allows a malicious website to detect whether the user is browsing through a proxy or not by using image tags. Proxies are often used by corporations, political dissidents, and privacy conscience Internet users because they can provide additional security or anonymous Internet browsing.

Here’s how the exploit works:

Firefox uses square brackets [ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).

So, if we embed an image with src=”http://[74.207.246.197]/pic.jpg” into a page, Firefox automatically resolves [74.207.246.197] into the IP address 74.207.246.197.

However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain” [74.207.246.197], which obviously fails since it’s not a valid domain name.

Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).

So, if the image fails to load, we know that the user is browsing through a proxy. Add some Javascript to detect when the image fails to load and you’ve got a working proxy detector.

Demo
(Works in: Firefox 3+. Update: Looks like it works in Safari 5, too.)

This, of course, assumes that the user is not blocking cross-domain requests. Also, my implementation requires Javascript to be enabled, but that’s not a necessity.

Here’s the code I wrote:

<script type="text/javascript" charset="utf-8">
    function setUsingProxy() {
        proxy = document.getElementById('proxy');
        proxy.style.display = 'block';
        no_proxy = document.getElementById('no_proxy');
        no_proxy.style.display = 'none';

    }
</script>

<div id="proxy" style="display:none;">
    You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>).
</div>

<div id="no_proxy">
    You are accessing the Internet directly. No proxy.
</div>

<img src="http://[74.207.246.197]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">

This attack only affects Firefox, as far as I can tell.

Credit for the idea: Ha.ckers – Quick Proxy Detection

13 Comments | Leave a comment » More posts about: Hacks
Fork me on GitHub