Marc Chung
The man with the plan

Marc's posts

Code for America Brigade

Feynman would have been 94 today. Among his many areas of interest, the one on software comes to mind.

Here's what he wrote about the onboard software system for the Challenger spacecraft.

Pay particular attention to the attitude towards high quality (only six errors have ever been found), the attitude towards testing (for safety reasons), and the approach to saving money (cutting scope, and not process).

It was written in 1986.


The software is checked very carefully in a bottom-up fashion. First, each new line of code is checked, then sections of code or modules with special functions are verified. The scope is increased step by step until the new changes are incorporated into a complete system and checked. This complete output is considered the final product, newly released. But completely independently there is an independent verification group, that takes an adversary attitude to the software development group, and tests and verifies the software as if it were a customer of the delivered product. There is additional verification in using the new programs in simulators, etc. A discovery of an error during verification testing is considered very serious, and its origin studied very carefully to avoid such mistakes in the future. Such unexpected errors have been found only about six times in all the programming and program changing (for new or altered payloads) that has been done. The principle that is followed is that all the verification is not an aspect of program safety, it is merely a test of that safety, in a non-catastrophic verification. Flight safety is to be judged solely on how well the programs do in the verification tests. A failure here generates considerable concern.

To summarize then, the computer software checking system and attitude is of the highest quality. There appears to be no process of gradually fooling oneself while degrading standards so characteristic of the Solid Rocket Booster or Space Shuttle Main Engine safety systems. To be sure, there have been recent suggestions by management to curtail such elaborate and expensive tests as being unnecessary at this late date in Shuttle history. This must be resisted for it does not appreciate the mutual subtle influences, and sources of error generated by even small changes of one part of a program on another. There are perpetual requests for changes as new payloads and new demands and modifications are suggested by the users. Changes are expensive because they require extensive testing. The proper way to save money is to curtail the number of requested changes, not the quality of testing for each.
Full Appendix F

Street Fighter meets ping pong.

Reverse engineering malicious JavaScript.

A few days ago, I got an email with a PDF attachment. When viewing the PDF with Preview, there were only two blank pages. Curiously, I opened up the PDF with a plain text editor and guess what I found embedded in the PDF: (Don't worry, it won't break your computer)

A quick search reveals that Adobe Acrobat is the only PDF reader that executes JavaScript, so I wasn't worried about being compromised. Still curious, I thought I'd figure out what was happening by deciphering (or un-obfuscating) the code.

First, it's kinda cute how much crazy shit you can do with JavaScript. The first thing I did was unescape the HTML entity codes so that ...

&lt; became <
&#000119; became w
w(s&#46;join('')); became w(s.join(''));

... and so on, until I got the following:

Then I opened Chrome, launched the JavaScript console and proceeded to step through the code. (Whenever I reverse engineer these types of attacks it's almost always a bunch of work to obfuscate 'eval()'.)

Here are a few noteworthy entries:

(1) The payload only executes when ...


... are equal to each other (in this case, when the variables === 'nct').

I'm not sure on which platforms this is or isn't true, but it does make you consider how popular and widespread JavaScript runtime engines have become.

(2) The next few lines split a long string into an array and decipher the array with the following Caesar cipher:

cc="+K_4{3 ;q-QpandD:/xM08u'W.iF}tr\"l^I%7]Ybkf=S[g?mL96svCo&lt;2E,*(yB5)jAVRUchwe1";

(3) After the array has been deciphered, it concatenates the array (into the payload) and runs it through eval.

Here's the rest of the documented code:

I'm pretty sure I did something wrong because the payload has typos, for example: 'return' is 'rcturn' and 'function' is 'funVtion'.

You can see the deciphered payload here:

It looks like the string is further obfuscated, but before I continue, can anyone help me figure out why the payload has typos? You can view all four entries here:
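
Added example (not part of the original post; `decodeEntities`, `residualEntities` and `rereadWith` are hypothetical helper names): it decodes the entity forms listed above in a single pass and checks the alphabet for leftovers. The `cc` line as printed here still contains `&lt;`; assuming the decoder picks characters by index from `cc` (the decoder itself is not shown on this page), reading those indexes from the undecoded string reproduces both misspellings quoted above.

```javascript
// Alphabet exactly as printed in the post (\" is the JS escape for a double quote).
const ccAsPrinted =
  "+K_4{3 ;q-QpandD:/xM08u'W.iF}tr\"l^I%7]Ybkf=S[g?mL96svCo&lt;2E,*(yB5)jAVRUchwe1";

const ENTITY = /&(#[xX][0-9a-fA-F]+|#\d+|[a-zA-Z]+);/g;
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decode entities in ONE pass: numeric forms (zero-padded decimal such as
// &#000119;, or hex) and a small named set. Unknown names are left untouched,
// and "&amp;lt;" becomes "&lt;" rather than "<" (no double decoding).
function decodeEntities(text) {
  return text.replace(ENTITY, (whole, body) => {
    if (body[0] !== "#") {
      const known = Object.prototype.hasOwnProperty.call(NAMED, body);
      return known ? NAMED[body] : whole;
    }
    const hex = body[1] === "x" || body[1] === "X";
    const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Entities still present in a string. Run this before trusting any string
// that the script indexes into: each leftover "&lt;" adds three characters
// and shifts every later position.
function residualEntities(text) {
  return text.match(ENTITY) || [];
}

// ASSUMPTION: the decoder picks output characters by index from cc.
// Take each character's index in the clean alphabet and read that index
// from the alphabet that was actually used.
function rereadWith(word, cleanAlphabet, usedAlphabet) {
  return [...word]
    .map((ch) => usedAlphabet[cleanAlphabet.indexOf(ch)])
    .join("");
}

const ccClean = decodeEntities(ccAsPrinted);

console.log(decodeEntities("w(s&#46;join(''));"));          // w(s.join(''));
console.log(residualEntities(ccAsPrinted));                 // [ '&lt;' ]
console.log(rereadWith("return", ccClean, ccAsPrinted));    // rcturn
console.log(rereadWith("function", ccClean, ccAsPrinted));  // funVtion
```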

Post has shared content
Explains how you pass around function literals. Results in cleaner code
Captain Obvious on Javascript: it's a functional programming language! Worth a read even if you're an experienced Javascript programmer just to refresh your knowledge.

Post has shared content
If you were out on New Years Eve in Phoenix, AZ, you were probably exposed to the poorest air quality for December 31st in the last 7 years.

The highest fine particles (PM-2.5) peaked at around midnight, which we presume is right around the same time that the fireworks went off.

So why the sudden spike? What happened this year?

I'll share some insight into what I think happened. Last year, HB 2246--the Arizona Fireworks law--passed legalizing state-approved or "safe and sane" fireworks. Now because of the timeliness of the bill's passing (on Dec 1st, 2010) not a lot of people heard about it in time to buy fireworks for 2010.

Of course, this changed in 2011, which evidently caused some pretty miserable side effects.

A quick post about Analytics and Google SSL.

A few days ago, I noticed that Google Analytics wasn't reporting keywords for Google (organic search results). Incoming keywords were replaced with '(not provided)'.

This has to do with Google's recent SSL changes--increased privacy for end-users, increased difficulty for inbound marketers. SEOmoz has one of the better write ups describing the situation:

Though, from the comments you'd think there were shenanigans going on.

"all of my top search keyword positions are now "Not Provided"."
"lost keyword information on a little over 2% of our visits and climbing."
"whatever happened to "do not evil"" <-- really?

The good news is that there's a quick fix: enable SSL on your own site. Yes, that's right. You'll need to buy an SSL certificate and install it on your site. You can also set up an htaccess or nginx config that 301 redirects http to https.

Here's why:

The referrer, HTTP_REFERER, is dropped when users move from an SSL website to a non-SSL website, which is the case when a user searches on and is taken to However, the HTTP_REFERER remains intact when users move from an SSL website to another SSL website.

If you want to see this in action, I've set up a quick demo.

1. Visit the demo page:
2. See that link? Click it. It's a specially crafted query that will return only the demo page.
3. Clicking on the first search engine result will take you to the demo page with the HTTP_REFERER intact. The keyword also shows up in Google Analytics.

Looking forward to SSL everywhere in 2012.

(Updated with a quick demo)

At a coffee shop overhearing a couple of people mentioning how Google Plus is complicated. One of them appears to be actually stressing out. Damn surprising.

Love this organization

"[Khan] takes a dim view of the constructionist idea that students won’t really understand math unless they discover each principle on their own. “Isaac Newton would not have invented calculus had he not had textbooks on algebra.” Bill Gates is even more scathing: “It’s bullshit,” he says. “If you can’t do multiplication, then tell me, what is your contribution to society going to be?”"

Post has shared content
They've crossed the status and the private one-on-one streams
More useful-but-maybe-not-obvious features of Google+

* If you want to send a private message to someone, just create a normal post and share it only with them. Bam! Instant one-on-one conversation! If you want to make a post publicly visible but aim it specifically at someone, share it with them and also with Public (or also with your circles, etc).

* Speaking of sharing only with someone: If you type +<name> or @<name>, it shares the post directly with them, just like if you added their name in the sharing targets. You can also do this in a comment, to pull someone else into the conversation.

* Want to see who can see a post? Next to the dateline at the top of a post, you’ll see something like “Public” or “Limited.” “Limited” is a link -- click on it to see who has access.

* At the top right of each post, there’s a little circle-and-triangle menu. For your own posts, this menu lets you edit or delete the post, or disable commenting or resharing. For other people’s posts, it lets you link to the post, mute it, block the person completely, or report abuse.