Implementing Mozilla’s Content Security Policy

June 30th, 2009

I recently discovered this page, which describes Mozilla’s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension.  Here’s the HTTP response from my site:

hank@tardis:~$ wget -S http://www.ralree.com
--2009-06-30 09:52:13--  http://www.ralree.com/
Resolving www.ralree.com... 74.54.115.108
Connecting to www.ralree.com|74.54.115.108|:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3
   mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
 X-Powered-By: PHP/5.2.8
 X-Pingback: http://www.ralree.com/newblog/xmlrpc.php
 Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT
 X-Content-Security-Policy: allow self; img-src *; object-src *.ralree.com
  *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com
  friendfeed.com; style-src *.ralree.com *.ralree.info
 Content-Length: 57457
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8

As you can see, my content security policy is sent as an HTTP header on every HTTP response from my site.  I basically stole an example from this page.  I’ve added it to the .htaccess file in my site’s root, before everything else in there, like so:

<IfModule mod_headers.c>
Header set X-Content-Security-Policy "allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info"
</IfModule>

I highly recommend everyone with commenting activated on their blog enable this, since XSS is a serious pain.  This seems to work very well on Site5, where mod_headers was simply enabled out of the box.
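As an added illustration (not code from the original post or from Mozilla), here is a small Python model of how a policy-aware browser would evaluate the exact header value above: it splits the directives, falls back to the "allow" directive when a resource type has no directive of its own, and refuses inline script outright. The host-matching rules and the inline-script behaviour are my reading of the 2009 Mozilla draft, stated here as assumptions.

```python
from urllib.parse import urlsplit

# The policy string the post's .htaccess sends (copied from the post).
POLICY = ("allow self; img-src *; object-src *.ralree.com *.ralree.info; "
          "script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com "
          "friendfeed.com; style-src *.ralree.com *.ralree.info")


def parse_policy(header):
    """Turn 'name src src; name src' into {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def host_matches(pattern, host):
    """'*' matches any host; '*.example.com' matches its subdomains (assumed rule)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # compare against ".example.com"
    return host == pattern


def is_allowed(header, directive, resource_url, page_host):
    """Would a browser enforcing `header` load `resource_url` for `directive`?

    resource_url=None stands for an inline script; in the original Mozilla
    model inline script never runs once a policy is present (assumption).
    That refusal is what neutralises injected <script> in comments.
    """
    if resource_url is None:
        return False
    policy = parse_policy(header)
    # Directives that are not listed inherit the 'allow' sources.
    sources = policy.get(directive, policy.get("allow", []))
    host = urlsplit(resource_url).hostname or ""
    for src in sources:
        if src == "self":
            if host == page_host:
                return True
        elif host_matches(src, host):
            return True
    return False
```

Running it against the post's policy shows scripts from www.ralree.com or friendfeed.com loading, scripts from any other host and all inline script being refused, and images loading from anywhere because of "img-src *".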


US Customs and Border Protection Proposes Knife Import Ban

June 13th, 2009

This knife is a switchblade apparently...

Customs and Border Protection has moved to ban import of all knives with springs, or knives that can be opened with one hand. This is ridiculous, as these are no more dangerous than any other knife. All it will do is make these knives more expensive, and hurt knife manufacturers, which will destroy jobs (because jobs are all that matter these days, I had to work that in somehow). I’ve handled quite a few knives that have assisted opening, and I find them much easier to handle than knives that have no assist. Get ready to see new US knife sales hit an all time low as the better knives are traded underground. Just my 2 cents.


Democratic representative introduces amendment to waste paper

May 1st, 2009

Rep. Luis Gutierrez (D-IL) proposed this amendment:

(d) MINIMUM TYPE-SIZE AND FONT REQUIREMENT FOR CREDIT CARD APPLICATIONS AND DISCLOSURES.-

All written information, provisions, and terms in or on any application, solicitation, contract, or agreement for any credit card account under an open end consumer credit plan, and all written information included in or on any disclosure required under this chapter with respect to any such account, shall appear-

(1) in not less than 12-point type; and
(2) in any font other than a font which the Board has designated, in regulations under this section, as a font that inhibits readability.

Interesting – I wonder how much extra paper that would waste every year, and how many more trees would be required to make it happen. Is readability really a problem? If one is blind, he/she can probably find help to read the terms (yes, they can). Funnily enough, nothing this guy’s ever sponsored or co-sponsored has passed – so he’s zero for 44 as of today.


Is it time for the Electric Car?

April 29th, 2009

A reader asked about the Chevy Volt in comparison to the Honda Civic, which is a wonderful question. The Volt people claim that it can go 40 miles on just batteries, which is perfect for most people’s commutes provided they can plug in at work (or not for the really lucky ones). So, it’s obvious that there is no fuel consumed by the vehicle in these first few miles of driving, but I’m going to look at how much fuel is consumed to create those 8.8 kilowatts of electricity it takes to go 40 miles. First, the 8.8 number comes from Chevy’s claim that the gas engine kicks in at 30% battery charge, and the battery will only charge to 85% from the wall outlet, meaning it goes 40 miles on 55% of the battery capacity (16 KW), which equals 8.8 KW.


Buying a fuel-efficient used car versus a new Prius

April 28th, 2009

As one who drives a 2000 Honda Civic, which in many real-world driving tests gets almost exactly 30 MPG consistently (I keep pump logs), I wonder if I would actually create a net reduction in gas consumption by buying a Prius or other car. Now, I’m assuming a new Prius, but buying a used one is perfectly valid, and is outside the scope of this article. If you want to do that, more power to you – that’s a good choice hands down. Yet, most people I know would opt for a new one. Based on various seemingly valid estimates, it takes 113,322,000 BTUs to create and import a brand new Prius. It takes 0 BTUs to park a used Honda Civic on a lot until someone buys it.

So, for the data used to obtain this, I looked all over for real road tests of the Prius fuel economy.  This one seemed to fit well with everything else I’d been reading, giving an average range of 42.6-45.2 MPG.  So, I’m going to say 43 MPG.

The Prius uses enough gas to create 2639.53 BTUs per mile.  The Civic: 3783.33.  At these rates, and coupled with the initial component of the BTUs used to manufacture and import the Prius, we come up with the following:

2639.53x + 113322000 = 3783.33x

x = 99075.01

Graphing this in gnuplot, we get the following:

So, one would have to drive almost 100,000 miles to get an advantage over simply buying a used Civic.  Interesting.  Here’s the GNUPlot Plot File for anyone that’s interested.


Creating Beautiful Panoramas Easily in Linux

April 26th, 2009

Recently, I’ve gotten pretty into photography.  I bought a digital SLR, a Nikon D40X, which I love.  I also went to Germany recently, which gave me many opportunities to take some really pretty pictures.  Many times, I couldn’t capture the scene in just one picture, so I had to take some panoramas.  I generally do my panoramas vertically so I can capture a larger amount of vertical area.  This requires more shots, but memory is cheap, and I don’t have to end up cropping parts I want to keep.  I’m going to guide you through making a seamless panorama using only free and open-source software in Linux, specifically Ubuntu 9.04 Jaunty Jackalope.


Rowan LeCompte is awesome

April 11th, 2009

While waking up this Saturday morning, I heard one of the best interviews I’ve ever listened to on NPR.  Rowan LeCompte, a stained glass artist who has contributed greatly to the [Washington National Cathedral](http://www.nationalcathedral.org/), is interestingly agnostic.  His explanation of a philosophy of kindness is wonderful.  Have a listen. (Start at 3:55 if you’re short on time)



Pitfalls with digital health records

April 8th, 2009

The more I hear about digital national health records, the more I worry about them with regard to security. Various interpretations of the new legislation in the 2009 Stimulus bill could mean anything from implementing something like SAFEHealth, a decentralized system, to something like Google Health, which would centralize medical records. I expect that a decentralized system will not be what the government will choose. Proper usage of a decentralized system would be fine, but it removes a lot of the utility promised by proponents of electronic health records, such as the possibility of access to updated health records from anywhere. I’d like to start off with an alarming quote I found in this interview with Karen Bell, director of the Office of Health IT Adoption at the U.S. Department of Health and Human Services:

TR: What about the public-health benefits? Systems that house large quantities of patient data could enable new types of research studies.

KB: Absolutely, that’s something I get really excited about. It will totally break open our knowledge base. For example, I have been diagnosed with low-pressure glaucoma, which is fairly unusual. No one knows what causes it. I would love to be able to search the system for anyone with this form of glaucoma and start to look for similarities.



I’m Barack’s 18th cousin 5 times removed

April 8th, 2009

I received an email from Geni today informing me that I am related to Barack Obama.

Did you know that you are related to President Obama? We found him in your family tree on Geni.

Specifically, he’s your 18th cousin five times removed.

You can find this in the tree by navigating to your father’s mother’s father’s mother’s mother’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s father’s sister’s daughter’s son’s son’s son’s son’s son’s son’s son’s son’s son’s son’s daughter’s daughter’s daughter’s daughter’s son’s daughter’s son.

To see the exact path from you to President Obama or any other blood relative on Geni:

1. Upgrade to Geni Pro
2. View the public profile for Barack Obama

Geni needs your help! We’re proud of the hard work our users have put into building our site and we want to share the story. Please reply to this email if you would be willing to let us list your name among the tens of thousands of President Obama’s blood relatives who are on Geni.

Thank you for using Geni.
-The Geni Team

I’m not going to upgrade to Geni Pro to actually traverse this path, but it’s interesting nonetheless. He can go on the list with Eisenhower, Daniel Boone, and King Edward III.


New D40x

March 29th, 2009

While in Canada, I decided I needed a new digital camera. After reading about it for a bit, a Nikon D40x looked like a really good fit. So far, I’m extremely happy with it.

I went ahead and bought a Nikon 55-200mm f/4-5.6G ED IF AF-S DX VR Zoom Nikkor Lens to go along with it. This should give me a little more zoom for long-range work.

Now, I just need to go take some nice photos.
