Resurrect.world();

After too long away we’re back. More changes coming soon.

Carrier Lost

I caught myself trying to call someone who passed away to wish them a happy holiday. I took a scroll through my phone contacts and realized that in the last 18 months there are way too many names in my phone that don’t ring true any more. Perhaps desperate for anything else to think about, my mind ended up wandering to a UI designer trying to address the problem by showing a permanent offline status or some comical tombstone badge.

As our ability to record information and simulate interaction grows it is inevitable that we will have the debate over whether we should be able to dial or interact with our simulated deceased. I mean, who wouldn’t want to have another phone conversation with Aunt Martha, Abraham Lincoln, or Einstein? Ultimately, an infinite global persistent memory may radically shift one of our most human of traits, to bury our dead and move on. Will a future generation carry all of us forward unto the stars in a file marked humanity.dat? Asking any individual in the course of human history for advice? Strangely remembering all of us the same way we remember those who have passed before us?

Perhaps or perhaps not, but for today to all those we’ve lost this last year, your ultimate status may be unknown but you are never forgotten.

Worthy of Your Sword

Growing up in Western Pennsylvania I had the pleasure of meeting all types of characters. More to the point, everyone always wanted to give their version of how they “figured it out” or “how the world works”. When you start low to the ground any ladder up seems a good way to go. All of that “advice” in some way gets poured into and filtered by a young mind. As for filters, I have people like my parents and those I would call the few good influences around me to thank.

Years later I still find myself revisiting some of the advice given to me, mostly to laugh at the absurdity of it. Nearly all of it is easily bucketed as disgusting, sexist, xenophobic, and some just downright insane.

Though there was one of those random tell-it-how-it-is moments that stuck with me all these years. I met a blacksmith who looked like he’d been used as an anvil for several decades. His side hobby was to salvage old spring steel and turn it into swords. As it turns out spring steel is great if you want to make a sword that is +5 damage against cinder blocks.

He finished showing me how his creations held up to all manner of abuse and then suddenly turned to me with a cold dead stare and said:

“Be a man worthy of your sword.”

Phallic interpretation aside, I didn’t pay much mind to it at the time. I had grown used to everyone wanting to tell me how it is and responded with my usual “OK”.

I have no idea who this guy was or even his name. To be honest I don’t care what he ended up meaning, but what I’ve come to hold it as for myself is:

If you’re going to beat, shape, temper, and sharpen yourself into something dangerous, be both true to and responsible for the burden that carries.

Portland

Portland in the early morning is an entertaining place. The last time I was downtown this early a homeless man chucked a wine bottle at my head. Thankfully he missed but I felt the resulting shattered glass fly past my ear.

Today a man on a bike demanding at least 100 pennies in paper format escalated to verbal hostilities when I walked past him without saying a word, informing me I am both small and made of fecal matter. I suspect this individual had bad vision or was in an altered state, as even as a child I’ve never been called “little”.

Having no other observable data to go on, it could have been that they were both as upset as I was that the line for Voodoo Donuts snaked around the corner on both trips.

I normally enjoy my time in Portland. However, I think I’ll be avoiding 3rd and 5th in the early hours. I’m currently northbound on a train back to Seattle sans Maple Bacon Bar.

JavaScript ( (__ = !$ + $)[+$] + ({} + $)[_/_] +({} + $)[_/_] )

First off credit where credit is due.

Update 1: Well hello reddit and hackernews.

1) I didn’t write this JavaScript.
2) I didn’t find this JavaScript.

I saw it in a slide deck from BlackHat DC 2011 called XSS Street-Fight. Most of the presentation was dry JavaScript/mod_security, but this caught my eye.

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!""+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](_/_)

Care to guess what that does?

How about if I type it like this?

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!""+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](document.cookie)

That’s right, this is an alert(). If it lands anywhere in an executable section of JavaScript/the DOM it pops up the cookie.

Go ahead and put it in a script tag in your browser; it will pop up a “1”.

That’s when I couldn’t put this down.

First, there are really two lines here.

($ = [ $=[]] [ (__ = !$ + $ )[ _ = -~-~-~$] + ({} + $)[_/_] + ( $$ = (
$_ = !"" + $)[_/_] + $_[+$] ) ] )()

becomes sort()

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

becomes alert(1)

Let’s start to tear this apart.

$=[] is a blank array.

$=[$=[]] is an array with a reference to an array (the outer array is what gets indexed; $ itself stays the inner empty array).

So $ is an empty array, which coerces to the value 0 under +$ (and to the empty string when concatenated).

Now we have a 0 we can freely reference.

__ = "false" via (__ = !$ + $ )
_ = -~-~-~$

(The ~ operator in JavaScript means ~N = -(N+1), so -~N = N+1;
if $ = 0 then -~-~-~$ = 3.)

_ = 3

thus _/_ = 3/3 = 1

(__ = !$ + $ )[ _ = -~-~-~$]
(“false”)[_]
(“false”)[3]
“false”[3] = s

({} + $)[_/_]
("[object Object]")[_/_]
("[object Object]")[1]
"[object Object]"[1] = o

$$ = ( $_ = !"" + $)[_/_]
$$ = ( "true")[1]
"true"[1] = r

$_[+$] = “true”[0] = t

$_ = "true"
$$ = rt via

($$ = ( $_ = !"" + $)[_/_] + $_[+$] ))

!"" = true, and true + [] = "true"
$_ = "true"
$_[1] = r
$_[0] = t
$$ = rt

Thus the first line becomes sort()

($ = [ $=[]] [“s” + “o”+ “r”+ “t” ] )()

Sort takes a function as its parameter to
execute, thus firing the second line. It turns out this assumption was wrong on my first go. Scroll to the bottom for the updated explanation I quote from Benjaminsen.

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

$ = 0
_ = 3
__ = “false”
$_ = “true”
$$ = “rt”

[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

becomes
[__[1] + __[3 + -1] + $_[3] + $$](1)

becomes
[“false”[1] + “false”[3 + -1 ] + “true”[3] + “rt”] (1)

[ a + l + e + r + t ](1)

alert(1)

From Benjaminsen @ reddit.


($=[]["sort"])()["alert"](1)

We can further break that into

a = []          // Create array
b = a["sort"] // Get reference to sort method
c = b() // Execute sort outside the context of an array to return a reference to window
d = c["alert"] // Get reference to window.alert
d(1) // Execute window.alert with the argument 1

So what happens is

window["alert"](1)

not

[1,2].sort(alert)

Enjoy!
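To walk the decode without running anything that pops, here is an added example (my code, not from the post, the slide deck, or Benjaminsen) that rebuilds each step of the derivation above with the post’s own variable names, returns the decoded strings instead of calling them, and checks what the sort() trick from the first line does in a current engine. The `target` stand-in object and the function names are my own.

```javascript
// Added example: rebuild the derivation step by step and return the decoded
// strings instead of executing them. No eval(), no alert().
function decodeTrick() {
  const $ = [];                  // empty array: +$ is 0, "" + $ is ""
  const __ = !$ + $;             // !$ is false; false + [] -> "false"
  const _ = -~-~-~$;             // ~0 = -1, -(-1) = 1, ~1 = -2, ... -> 3
  const obj = {} + $;            // {} + [] in expression position -> "[object Object]"
  const $_ = !"" + $;            // !"" is true; true + [] -> "true"
  const $$ = $_[_ / _] + $_[+$]; // "true"[1] + "true"[0] -> "rt"
  const method = __[_] + obj[_ / _] + $$;           // "s" + "o" + "rt"
  const prop = __[_ / _] + __[_ + ~$] + $_[_] + $$; // "a" + "l" + "e" + "rt"
  return { _, __, $_, $$, method, prop, arg: _ / _ };
}

// The second line, [...](1), is just target[prop](arg). Dispatch it against a
// constructed stand-in object rather than the real window so nothing pops.
function dispatchDecoded(target) {
  const d = decodeTrick();
  return target[d.prop](d.arg);
}

// The first line, ($=[]["sort"])(): sort called with no receiver. ES3-era
// engines coerced the missing `this` to the global object (Benjaminsen's
// window["alert"](1)); ES5+ engines apply ToObject(undefined) and throw.
function callSortWithoutReceiver() {
  const sort = []["sort"];
  try {
    return sort();
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Stand-alone run against a constructed stand-in for window.alert
const fake = { alert: (x) => "alert(" + x + ")" };
const decoded = decodeTrick();
console.log(decoded.method, decoded.prop, dispatchDecoded(fake));
console.log(callSortWithoutReceiver());
```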

LolCat 5509 Part 1

About two and a half years ago I was looking for any type of high end Cisco equipment to learn on, fuzz, reverse, etc. As it turns out it isn’t the easiest thing to get your hands on a piece of affordable top end gear. After spending a few months looking for some new equipment I called off the search and began to focus on other projects.

LolCat5509

Not long after I quit looking I got a call from a friend who was at a computer recycling shop near where I lived. He had two Cisco 5509s for $80. Willing to take my chances that I’d be able to fix or part them back to health, I had them purchased and he was kind enough to deliver them to my door the next week.


I cut a notch into a standard power cable and both booted right up! No fuss, no debugging, and no logic analyzer needed. I consoled into the device and our eyes both went wide at the same time. They still had their running configuration.


We paged through line after line of config: kerb keys, password hashes, username -> port assignments, ACLs. It was all still intact.


Dumbfounded we looked at each other and called our friends at the company domain that was listed.


By dumb luck we both knew several of the individuals on their security team and emailed them pictures of what we had found.


Apparently this caused a fire drill of which I am never allowed to speak. Much of the credential information we had gleaned was still valid on large parts of their network.


Having talked to them about the aftermath, three different processes had failed. The company was supposed to wipe the gear before it was deracked. The reseller it was sold to promised to wipe the gear before it was sold. The recycler claimed they also wiped everything that came in the door. All three processes happily failed, leaving me with two LolCat5509s.


Two years later I have no need for 12U worth of switch anymore. I’ve decided to spiff up my remaining 5509 and return it to the company from whence it came. Stay tuned for more updates on the LolCat5509.

Ride the Pwnie Down the Rainbow

This last weekend at Toorcamp I presented my current research on using CUDA to speed up more complex fuzzing operations like checksums and crypto algorithms. The slides are posted here.

Makerbot Part 3

Bre crashed out at my place before ToorCamp and gave me a hand working some of the bugs out of my Makerbot. It turns out most of my problems came down to my surface mount soldering needing a bit of work. I didn’t want to risk frying the ICs on the 11 Makerbot boards so I did them by hand. Thus after hitting all of the pins again with a soldering iron all the electronics bugs went away.

Raven next to Goldie

It makes me happy that I got one of the models that required building the boards by hand. Seems the next models will be prefabbed. Bre spent a while getting the tension out of the z stage in the machine; it turns out my screws needed a bit of love, and he did a few hacks he learned taking his on the road. I gave him some feedback on the build process and docs.

Raven Boards

Weee! Into the morning we got our first extrusion out of Raven and success was ours!

First build extrusion

We both passed out for a few hours then the next morning Bre printed me a Makerbot Coin and I printed out a D20.

I print 20s!

This was an amazing amount of fun to get together, and I’m hoping to hack it up more soon. Stay tuned!

Makerbot Part 2

The second round of making the, um.. Makerbot has been underway. I’ve been put at a standstill while I wait for the motor that feeds the plastic in the extruder.

Makerbot photo: Small Dino: What relic is this? Big Dino: Relic?! Boy, when I was your age this was top of the line plastic extruding nozzle. Relic, HA. Kids…

In the meantime I’ve made some good progress towards my goal and can’t wait to get this thing online.

Makerbot photo: Big Dino: For behold, little one, THE MONOLITH! Small Dino: *GASP*

Telecom Museum

I finally made it out to the telecom museum this week after it had been on my to-do list for nearly two years.


We got the grand tour from a nice man who showed us some of the museum’s more creatively acquired pieces.


Hearing the mechanical switches and relays clicking and clacking as a call was being routed was an amazing experience. I only wish there had been more call volume to hear the machines at full tilt. It must have been deafening to work in those rooms.


Among the dust I spotted a magnetic core memory module, and our tour guide and I geeked out about early memory designs and weaving.
