Don’t get Intellectually Lazy

Every once in a while any good security professional gets reminded of just how pervasive you have to let your security paranoia be when designing tools and systems.

Case in point, we discovered a minor issue in the tool we created to do Xbox LIVE complaint enforcements. It caused the tool UI to hang when displaying profile field complaints. Gamertags and everything else were humming along just fine. We were kind of scratching our heads over it.

Without going into too much detail on architecture, the tool has a UI component that renders complaint data to our agents so they can review it, and an enforcement component that enforces the decisions. I designed these to be separate since the UI component for profiles and gamertags is basically taking in a complaint stream consisting of a large amount of user-created data.

Granted, that data is text only, but my theory was that if anything happened on the UI side, it would be isolated to that side only. The enforcement engine is on a completely different machine and only accepts a limited, fixed set of non-variable input. The UI is rendered for low-rights IE 7 and the agents process the complaints on restricted user accounts on Vista. The entire toolset is also isolated from the LIVE service itself.

Yay for me.

Until someone put script in their Bio field and someone else complained about it. The UI design hit script where it didn’t expect to see it and halted. [EDIT: since I got asked, no, the script was not malicious in nature, it was just a simple display of a bad word]

Thankfully it only caused our UI for profiles to hang until we (quickly) figured it out. This was a good "fail safe". It didn’t interrupt enforcements or represent any threat at all to the service since the enforcement tools are totally isolated from the LIVE service, but when we discovered the problem, boy was my face red. How many times have I dealt with issues involving trusting input, only to let something like this happen? Michael Howard would point at me right now and laugh.

So here’s a case where the overall design took best practices into account (I knew to isolate variable user-generated input), but I only trusted myself to think about the threat model and never defined specifically what bad input would consist of. I got a little intellectually lazy, but thankfully, because of that design, this wasn’t a threat of any type other than an annoyance. Let that be the lesson I was reminded of so you don’t have to be!

(and yes we now vet the data stream for a variety of nasty text bits)
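The lesson above, as an added example that is not code from the original post or from the actual enforcement tool: a review-UI renderer that treats every profile field in the complaint stream as untrusted text (escaping it so a Bio full of script is displayed as literal characters), next to the naive renderer that hands the markup straight to the browser, plus a vetting pass that flags the "nasty text bits" for the agent. The complaint record layout, field names and MAX_LEN are assumptions.

```python
import html
import re
from typing import Dict, List

# Constructed sample records from a complaint stream; the field names are an
# assumption, not the real tool's schema. Record 2 is the "script in the Bio" case.
SAMPLE_COMPLAINTS = [
    {"id": 1, "field": "Gamertag", "value": "SomeGamer"},
    {"id": 2, "field": "Bio", "value": "<script>document.write('bad word')</script>"},
    {"id": 3, "field": "Motto", "value": "<b onmouseover=\"alert(1)\">hi</b>"},
]

MAX_LEN = 500  # assumed upper bound for a profile field

# Anything that looks like a tag, an HTML entity or a javascript: URL in a
# text-only field is something the reviewer should see flagged, not interpreted.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|&#|javascript:", re.IGNORECASE)


def vet(value: str) -> List[str]:
    """Return the reasons a profile text should be flagged (empty list = clean)."""
    reasons = []
    if MARKUP_RE.search(value):
        reasons.append("markup")
    if any(ord(c) < 32 and c not in "\t\n" for c in value):
        reasons.append("control-chars")
    if len(value) > MAX_LEN:
        reasons.append("too-long")
    return reasons


def render_row_unsafe(complaint: Dict) -> str:
    """The naive renderer: user text is concatenated into HTML as-is, so the
    browser parses a <script> tag in a Bio instead of displaying it."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        complaint["id"], complaint["field"], complaint["value"])


def render_row(complaint: Dict) -> str:
    """Hardened renderer: every user-supplied field is HTML-escaped (including
    quotes, so it is also safe inside attributes) and the vet flags are shown."""
    cell = lambda v: html.escape(str(v), quote=True)
    flags = ", ".join(vet(str(complaint["value"]))) or "none"
    return "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        cell(complaint["id"]), cell(complaint["field"]), cell(complaint["value"]), cell(flags))


def render_table(complaints: List[Dict]) -> str:
    """Render the whole complaint queue for the review UI."""
    rows = "".join(render_row(c) for c in complaints)
    return "<table><tr><th>id</th><th>field</th><th>value</th><th>flags</th></tr>{}</table>".format(rows)


if __name__ == "__main__":
    print(render_table(SAMPLE_COMPLAINTS))
```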

Trip Report: 2008 Sasquatch Music Festival (Part 2)

On day two Lance Bubo and I left early since we knew we would not be staying the whole day. By the time we got to the Gorge and waited out a brief morning rain shower we discovered that the Lawn’s economic policy had shifted yet again, from paper currency based off a beer standard to currency instead based off your ability to be a complete jerk to other people on the lawn. The unit, a "Butthole", was trading at 2.13 Ouncies to the Butthole. The value of the Dollar was still plummeting, it being worth .14 of a Butthole.

I’m not making this up.

For people who don’t understand the population of the lawn at any given music festival/concert amphitheater experience, I have included a helpful taxonomy of its denizens. These are all the various people you will encounter at some point in your time on the lawn:

Lawn Ornaments

These are the people who are so ridiculously hot they give off an almost Greek-god-like vibe as they move around, usually on their way to their seats in the reserve section, but sometimes I think just to taunt everyone else with their own self-knowledge of their hotness. The men are generally tan and muscled, with hair and eye colors that stand out. There might be facial scruff or not, but they tend to be so hot that even if you don’t like that you’ll inevitably hear "it sure looks good on that guy." The women are all in between the best boundaries of curvy or lithe and wearing just that perfect thing to strike the balance between showing too much and showing just enough. Sometimes you get a force multiplier of three girl lawn ornaments hugging, holding hands, or otherwise falling all over each other, in which case everyone forgets they are even at a concert.

People instinctively draw away from their path when they move through the crowd, and as they pass all heads swivel to watch them go.

Being no Brad Pitt myself, deep down I hate these people, but they sure are fun to watch. It’s also hard to get pictures of them, because unless you are paparazzi, they are too hot to show up on film…

Lawn Show

These are the people that, for whatever reason, are there to put on a show for you. In the case of Sasquatch it was "Jumping Guy". Now normally, Jumping Guy could have fallen squarely in Lawn Ornament classification if he had not been so absolutely intentionally silly and entertaining. He would spend enormous amounts of time jumping up and down and trying to get the crowd around him to do the same thing. Of course the most the crowd was willing to do was simply throw up their hands like him in time with his jumps, which only served to encourage him to work harder. He literally spent most of the day jumping. Up and down. Really fast. All the time. As someone said behind us on the lawn "Jumping Guy over there makes me a better person just by existing."

I will also include in the Lawn Show for Sasquatch the herd of people wearing animal hats. There were a lot of them and we spent a lot of time trying to spot how many different animal hats there were. There were at least a dozen or so. There’s just no other way to explain them other than this:

Photo Credit: Kympossible

Lawn gnomes

The opposite of the Lawn Show are the Lawn Gnomes. They want to be like the Lawn Show, but fate has dealt them a cruel hand. They have the rhythm, they know the beat, but they are carrying a hundred or so pounds too much to really do anything effective with it except endanger themselves and others. As a result you get the almost train wreck dynamic of watching them gyrate wildly as people around them scatter to avoid the inevitable slip and fall. And when they do fall it almost always resembles a hefty bag filled with beef stew being dropped from a height of four feet. It’s not going to burst, probably, but no one can really avoid watching it happen.

This guy wasn’t quite as big as most lawn gnomes, but he shouldn’t have been dancin’ nonetheless.

Photo Credit: Kympossible

Lawn Trash

I like to sit on the lawn when I go to a show with a lot of friends because it gives you an expansive view of the venue, and you can chat and generally enjoy a more communal experience with people you like. Lawn Trash exists to destroy that experience. These are the people who talk loudly over the concert, such that as the music gets louder they get louder. Or who arrive so shitfaced that they immediately fall on people or otherwise make a huge nuisance of themselves. This was summed up with perfect cutting sarcasm by Kympossible when two pieces of lawn trash rolled around behind us, collided with several people, attempted to make out, then kind of realized they were being lawn trash.

"OMG we are like…sooooooo trashed" the woman says. There’s an imperceptible pause before the dry and perfectly timed "Really?" from Kymberlee. It was one of those so perfectly delivered moments, all of us actually kept an ear out for its recurrence.

We got to hear it a couple more times as there was more lawn trash than usual at this show. Hence the economic power of the Butthole in currency trading.

Lawn Grass

These are the stoners. The odd part is that they go from being invisible to being all over the place very quickly. You get the first hint of something, probably clove, before you start to smell the pot. Then next thing you know, there’s a guy sitting next to you with a gallon ziplock bag of green, a small blowtorch, and a pipe with a bowl that looks like it could hold most of a 40. He then starts to generate enough pot smoke that you don’t remember the rest of the night, just waking up a few hours later naked except for a blanket, a fistful of Buttholes in your hand, and Kympossible’s other pitch perfect comment in your ears: "Fucking hippies."

All of these folk were pretty much already out in force on the lawn when Bubo and I arrived so we decided to hit the comedy tent to see Tim Meadows of SNL, and more recently Walk Hard: The Dewey Cox Story fame. For those who have been waiting, here’s where the graphic pantomimed monkey rape occurred.

The UCB Comedy tour had its own tent with air conditioning and a bar set off to the side, nestled in between the three stages set up for the festival. This meant in general you could hear music at all times in the tent, but overall you could hear the comedians pretty well. It was hit and miss right up until Jerry Minor took the stage. He started off pretty Bill Cosby family friendly, doing a bunch of simple monkey jokes and riffing off asking the audience their favorite monkey. Before long he was wondering aloud if it was possible to have sex with a monkey.

Here’s where the pantomime begins, as he walks us through a date with the monkey. It starts off with wine and a roofie, then he proceeds to pantomime the monkey giving him a blow job. It was at this point that the audience kind of realized the lead up was just the safe material. That only now did we realize the restraints on this ride are as much to trap us as they are for our safety. He starts to get graphic with the dirty talk with the monkey, then gets rough as the monkey changes its mind, then, three feet away from an entire row of people, he graphically pantomimes raping and strangling it, ending with "Why, monkey? Why did you make me kill you, monkey?" Then he gets up and finishes his routine.

It’s important to note that the audience was laughing so hard during this entire spectacle that no one could breathe, both at the audacity of what he did and at the graphic detail with which he did it. His final comment, lest anyone judge his comedy, was that he had just raped and strangled a monkey in front of an audience that did nothing but laugh loudly and didn’t lift a finger to help it.

I thought it was brilliant.

Refreshed from the spectacle of violent monkey rape, there was really nothing that could energize the crowd further except maybe seeing Matt Besser dressed as the pope swinging a tied, apparently used, condom over the crowd screaming in a German accent "oh NOW you don’t trust the condom" as everyone scattered and ducked to get out of the way lest it burst.

After all that, Tim Meadows was a disappointment, although he started off his routine by noting he’s terrible at standup. So at least our expectations were set. After that Bubo and I rejoined everyone on the lawn.

The highlight of the day, music-wise, for me was The Presidents of the United States of America, the last show before we left. They were really terrific. I had no idea they had a new album coming out; all the new tunes they played were great.

Although I wanted to stay for Death Cab for Cutie, Bubo and I decided to head back at a decent hour since it’s a 2.5 hour drive back to Seattle. We got home just before 9 and squeezed in some Rock Band before crashing.

All in all it was a really awesome experience with my friends.

I just don’t know where I am going to be able to exchange all these Buttholes back to Dollars.

Trip Report: 2008 Sasquatch Music Festival (Part 1)

One of the things you don’t really expect to see during the course of a day is violent graphic pantomimed monkey rape.

At least, not so early in the afternoon.

But I’m getting a bit ahead of myself. This Memorial Day weekend I was joined by Lance Bubo, Kympossible, Erika and Adrian, and Shyama (coolest name EVAR btw) in a trek out to the Sasquatch music festival at the Gorge.

Wait wait don’t stop reading, come back, come back. I promise I won’t go on one of my long winded philosophical descriptions of how wonderful the gorge is etc etc. I promise. Really.

Instead, through the power of Web 2.0 service pack 4’s multihued dot technology, I can show you!

Photo Credit: Erika

As I’ve mentioned before, the Gorge is located approximately 180 miles from anything at all. So our first order of business was to drive up US 2 to Wenatchee, where our hotel was. Wenatchee is about 45 minutes from the Gorge. Ellensburg is closer, but all the hotels there were booked. After checking in, then hitting the Bell for lunch, we were off.

The music festival itself had a ton of acts I wanted to see. Since Bubo was up from Portland we decided we’d most likely leave late Sunday so he wouldn’t face a total of six hours in a car on Monday. (In retrospect we should have arranged better and stayed to see more of the acts but the ones we saw were all great.)

Upon arrival (it was several people’s first time at the Gorge) we staked out our place on the lawn. Immediately I was struck by something…

Photo Credit: Erika

I just can’t quite place it…

Photo Credit: Erika

Something…familiar…

Photo Credit: Erika

I never did figure out what it was. But we were well stocked with food and water and stuff. It was sunny, it was beautiful, and as I twittered sitting there in one of my favorite places on earth, all was right with the world.

Except we didn’t have any beer dammit. The mere possibility of cold, refreshing beer was suddenly important, critical! We went to the concession stand. Thankfully we were able to secure a low interest loan from the vendor against all our physical possessions so that we could afford the beer. Eleven (11) dollars a can for "Domestic" beer (Coors) or Twelve (12) dollars a can for "Premium" beer (Heineken).

The extremely high cost of the beer and the long lines you had to wait through to get it resulted in the beer actually increasing in value once you left the concession stand. This quickly led to a barter system where ounces of beer rapidly became worth more than dollars and thus became the basis for obtaining cigarettes, pot, sexual favors, etc. Soon a paper currency developed based off the beer standard, the "Ouncie", and it wasn’t long before fiat money capitalists were arguing for moving off the beer standard and backing the value of the Ouncie with just pure military power.

But I digress.

We got there in time in the afternoon to hit the tail end of Beirut on the main stage. We hung out a bit for Ozomatli, who I thought were really good, but then The National was replaced by The Fleet Foxes.

A word about The Fleet Foxes. They are not fleet. Within seconds of their taking the stage half the audience was asleep and the other half was rapidly figuring out how silly a beer-based economic standard was, causing a rapid crash in the Heineken futures trading market, which rapidly spread to other so-called recession-proof markets like the Margarita credit consortium. Seriously, these guys are supposedly the cool new sound, but they were just the totally wrong band to have on the late afternoon slot. You could actually hear snoring over the wailing of the beer traders and the glacial pace of the playing of the band. Awful.

It was over the horrible playing of the Somnambulant Foxes that we heard some crazy good Johnny Cash. In fact, someone over there had the Yeti stage rockin’ and rollin’ with that Cash. We were startled to discover it was Vince Mira, a 16 year old kid from Seattle who apparently was born with Johnny Cash’s exact voice. I want to make this absolutely clear: this kid didn’t just sound like Johnny Cash, he was absolutely indistinguishable from Johnny Cash. This set off a firestorm of theories on our part that maybe Johnny Cash was like Buddha and was constantly reincarnated into new forms like the Dalai Lama. Thus having explained the phenomenon, we had the best chicken strips I’ve ever eaten.

The New Pornographers made up for the Catatonic Foxes. I thought it was odd they didn’t play "Electric Version" which is the song that’s in Rock Band. But I really enjoyed the entire set. They’ve got a really great sound and I wish more of their stuff was in Rock Band.

This guy’s shirt says "I’d rather be snorting cocaine off a hooker’s ass". He even manages to look nonchalant wearing it. I hear later on he cleaned up in the Jack Daniel’s Hard Lemonade hedge fund.

Photo Credit: Shyama

By the time MIA took the stage the sun was lowering enough to cool the air which created pockets of rain. They circled around the lawn without directly hitting us.

Photo Credit: Erika

That wouldn’t last for long. When Modest Mouse came on it was sprinkling steadily and the wind had picked up. Having been up late the night before, I was starting to crash so I catnapped during the Modest Mouse set (See what I did there?), being awoken by the bemused light of several flashbulbs as Shyama, Erika and Kympossible chided me for sleeping, and I quote, "during a fucking Modest Mouse set!"

Photo Credit: My loving friends.

When 10pm rolled around for the R.E.M. set the rain and wind were now steady. The lights over the stage were actually swinging in the wind. To the band’s credit they came out and played, and played well. But six or seven songs in, the weather won out and we returned to our hotel rooms to crash.

I’ll post about day 2 a bit later, including the aforementioned monkey rape, my taxonomy of lawn denizens, and more crazy fun.

Ahhh the Internet Echo chamber

In regard to the gentleman whose legal name is "Richard Gaywood", whom we FNC’d earlier. Each day people try to combine "Richard" ("Dick") with various words and phrases to create ToU-violating content. In this case, the individual was not trying to do that; it was their real name.

It’s unfortunate that this just happens to be the individual’s name. However there’s no context to explain to someone who might see it in a leaderboard or on Xbox.com that no, they aren’t trying to be clever, that’s their real name. In addition, the Code of Conduct also forbids the use of full names as a Gamertag:

Don’t give out information that personally identifies you (such as your real name, address, phone number, credit card number, etc.) while you’re playing. This includes voice chat and the names you create for your gamertag or mottos. This information could be used by other players for illegal or harmful purposes. Also, don’t give out the personal information of other players.

Emphasis mine. We give you a “name” field if you wish to put your real name in; that field isn’t auto-presented on things like leaderboards, etc. the way the gamertags are.

And to answer one last point, there is no "Script" or automated process here. We receive complaints from the community, review them against the terms of use, and take action if needed. It’s an impartial process we apply equally across many forms of content.

And for those who inevitably inform me that there are far worse tags on LIVE, *REPORT THEM*. :>

Games I suck at, but like to play

1. Geometry Wars

Seriously. Not one damn achievement. But it’s so much fun.

2. Beautiful Katamari

I don’t know what it is but I am not a good roller. I have a lot of trouble targeting the right size stuff for my katamari and I end up bouncing off the big stuff and taking the penalty.

3. Marble Blast Ultra

I got better in the end, but overall it was a far harder game than it should have been for me as a game player. Maybe because its controls are similar to Beautiful Katamari?

4. Pac-Man Championship Edition

I love this game. This game is so much fun. WHY CAN’T I BE BETTER AT IT?

5. Call of Duty 4 Veteran Difficulty

It’s much better than the normal difficulty and much more pulse pounding. And yet I suck.