phwd phwd

I did a bit of initial OAuth research this week for FxA (Firefox Accounts). It was interrupted by more pressing stuff (bugs bugs bugs), but thought I'd post my incomplete work-in-progress notes for whenever I get back to this.

Notes come from Getting Started with OAuth 2.0, which I accessed via Safari.

my next steps:

look carefully at a number of JS SDKs
think in terms of a generic OAuth abstraction for FxOS
but begin by building the simplest possible solution for FxA on FxOS
- we really need implicit grant,
and a proxy server that could handle redirects on behalf of serverless apps,

OS X Screencast to animated GIF

This gist shows how to create a GIF screencast using only free OS X tools: QuickTime, ffmpeg, and gifsicle.

Instructions

To capture the video (filesize: 19MB), using the free "QuickTime Player" application:

2015-01-29 Unofficial Relay FAQ

Compilation of questions and answers about Relay from React.js Conf.

Disclaimer: I work on Relay at Facebook. Relay is a complex system on which we're iterating aggressively. I'll do my best here to provide accurate, useful answers, but the details are subject to change. I may also be wrong. Feedback and additional questions are welcome.

What is Relay?

Relay is a new framework from Facebook that provides data-fetching functionality for React applications. It was announced at React.js Conf (January 2015).

XSS-game by Google

Welcome, recruit! Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!

At Google, we know very well how important these bugs are. In fact, Google is so serious about finding and fixing XSS issues that we are paying mercenaries up to $7,500 for dangerous XSS bugs discovered in our most sensitive products.

In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.

There will be cake at the end of the test.

In August 2007 a hacker found a way to expose the PHP source code on facebook.com. He retrieved two files and then emailed them to me, and I wrote about the issue:

http://techcrunch.com/2007/08/11/facebook-source-code-leaked/

It became a big deal:

http://www.techmeme.com/070812/p1#a070812p1

The two files are index.php (the homepage) and search.php (the search page)

	{
	"700554543387711": {
	"id": "700554543387711",
	"latest_version": {
	"id": "455210147987840",
	"article_canonical_url": "http:\/\/www.buzzfeed.com\/expresident\/steps-to-instantly-improve-your-day",
	"article_version_number": 2,
	"cover_media": {
	"__type__": {
	"name": "DocumentVideoElement"

	require 'openssl'
	require 'base64'
	require 'json'
	require 'httpclient'

	http = HTTPClient.new(:agent_name => useragent)
	key = "" #The Private key
	login_info = {:guid => "00000000-0000-0000-0000-000000000000",
	:password => "PASSWORD",
	:username => "USERNAME",

	viewer() {
	messenger_contacts {
	deltas.after(Nzg1NDY3Nzk1OjEzODc5Njc0NTE=).contact_profile_type(user) {
	page_info {
	end_cursor
	}, nodes {
	added_edge {
	time, node {
	id, graph_api_write_id, phone_entries {
	is_verified, primary_field {

	<html>
	<head></head>
	<body onload="go()">
	<div id="log_div"></div>
	<script>
	function my_log(message) { document.getElementById('log_div').innerHTML += (message.toString() + "<br />"); }

	// wiretap
	(window.addEventListener \|\| window.attachEvent)('message', function(e) { console.log('wiretap: ' + e.data); my_log("wiretap: " + e.data); }, false);