

Showing posts from 2019

When Windows gets confused: Sometimes a RVA is not a RVA

Today we do a deep dive into a portion of the Portable Executable (PE) file format and discover some rather broken behavior in Microsoft Windows that causes some processes to fail to start because the Windows loader gets confused about what a RVA is. The PE file format is the container for all executables (i.e. EXEs) and anything else containing executable code (e.g. DLLs) that Windows loads into memory and runs. It is a highly structured format with many features not found in the executable formats of other OSes, and it carries many nuances and details, some of which are intentionally obscured. One of the more complicated concepts for someone new to the PE file format is the Relative Virtual Address, or RVA for short. Microsoft defines the RVA as: "The address of an item after it is loaded into memory, with the base address of the image file subtracted from it in an image file." Another way of saying it is that a RVA is the offset from the base addre
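The two conversions a PE parser needs around the RVA concept, as an added example that is not code from the original post: turning a loaded virtual address back into an RVA (the definition quoted above), and mapping an RVA to the byte that backs it in the file on disk, which goes through the section table. The section entries, SizeOfHeaders and ImageBase below are constructed for illustration, not taken from a real binary; the field names mirror IMAGE_SECTION_HEADER. The example also covers the case the definition alone does not make obvious: an RVA can be perfectly valid in memory yet have no bytes in the file at all, because the loader zero-fills the part of a section past SizeOfRawData.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    """One IMAGE_SECTION_HEADER, reduced to the fields needed for address mapping."""
    name: str
    virtual_address: int      # RVA at which the loader maps the section
    virtual_size: int         # bytes the section occupies in memory
    pointer_to_raw_data: int  # file offset of the section's stored bytes
    size_of_raw_data: int     # bytes actually stored in the file (file-alignment padded)


def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment (alignment is a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def va_to_rva(va: int, image_base: int) -> int:
    """The definition quoted above: a loaded address minus the image base."""
    return va - image_base


def rva_to_file_offset(rva: int, sections: List[Section], size_of_headers: int,
                       section_alignment: int = 0x1000) -> Optional[int]:
    """Translate an RVA to the offset of the same byte in the on-disk image.

    Returns None when the RVA is not mapped by any section, or when it is
    mapped but zero-filled (the tail of a section beyond SizeOfRawData),
    in which case there is simply no file byte to point at.
    """
    # The headers are mapped at the image base unchanged, so file offset == RVA there.
    if 0 <= rva < size_of_headers:
        return rva
    for sec in sections:
        # A zero VirtualSize appears in some object-style images; fall back to the raw size.
        mem_size = sec.virtual_size or sec.size_of_raw_data
        mem_end = sec.virtual_address + align_up(mem_size, section_alignment)
        if sec.virtual_address <= rva < mem_end:
            delta = rva - sec.virtual_address
            if delta < sec.size_of_raw_data:
                return sec.pointer_to_raw_data + delta
            return None  # mapped in memory, but zero-filled: nothing on disk
    return None  # outside every section: not a valid RVA for this image


# Constructed sample image layout (hypothetical values, not from a real file).
SAMPLE_IMAGE_BASE = 0x140000000
SAMPLE_SIZE_OF_HEADERS = 0x400
SAMPLE_SECTIONS = [
    #        name     VirtualAddress VirtualSize PointerToRawData SizeOfRawData
    Section(".text",  0x1000,        0x0A34,     0x0400,          0x0C00),
    Section(".rdata", 0x2000,        0x0512,     0x1000,          0x0600),
    # .data is mostly uninitialised: 0x1800 bytes in memory, only 0x200 in the file.
    Section(".data",  0x3000,        0x1800,     0x1600,          0x0200),
]


def describe(rva: int) -> str:
    """Human-readable mapping result for one RVA of the sample image."""
    off = rva_to_file_offset(rva, SAMPLE_SECTIONS, SAMPLE_SIZE_OF_HEADERS)
    return f"RVA {rva:#08x} -> " + (f"file offset {off:#08x}" if off is not None
                                    else "no file bytes")


if __name__ == "__main__":
    for probe in (0x100, 0x1010, 0x2000, 0x3100, 0x3300, 0x9000):
        print(describe(probe))
    print(f"VA {0x140001010:#x} -> RVA {va_to_rva(0x140001010, SAMPLE_IMAGE_BASE):#x}")
```

The `None` branch for a mapped-but-unbacked RVA is the one worth keeping in mind when writing anything that reads a PE from disk: a static parser that mirrors the loader's in-memory view will happily accept an RVA there, while a parser that only indexes file bytes will reject it, and the two can disagree on whether a directory entry or import is "present".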

The Equifax $125 cure may be worse than the disease

A couple of years ago, Equifax was breached and huge tracts of data were dumped. The Equifax CEO and other leadership dumped a bunch of stocks days after discovering the hack and a month prior to the announcement for "unrelated reasons" (yeah, right). The apology by the CEO for the data breach rang hollow with everyone and he eventually stepped down with a $90 million USD golden parachute. The breach was partially caused by lax policies regarding keeping the software running on their servers up to date. But no one in the software security industry was shocked that any of this happened - it's the same old story of greed, lax security policies, and not regularly pentesting infrastructure. The news this week is covering the landmark FTC settlement with Equifax and a page on the FTC website has been set up that links to the Administrator website for the claim proceedings: The d

Designing a better terminal text color experience

Hello, it is 2019. We've been computing together for over 50 years. And then there's this: Text in the ANSI 16 color palette that, for some strange reason, is a thing that still exists. Okay, I get it. Most of us who use the terminal (aka console, Command Prompt, whatever you prefer to call it) are down-to-earth, get-the-job-done software developers and system administrators, not graphic design artists. But isn't that just a teensy, tiny bit painful to look at? And isn't this almost 2020? Many of the text bits are quite unreadable - the black text on black background in the above image is especially invisible. And the colors you can see, for the most part, just yell, "I'm a color! Look at me for an extended period of time and get a free headache!" Sure, each and every user can usually change the default colors to something else, but these are the defaults. Actually, it is worse than that, excluding the usually but not always configurable

Only your "inner web developer" cares about efficiently handling web browser resize events

Who here has sunk hours of time into efficiently handling the web browser's window resize event? [Raises hand.] What part of your user base is actively resizing their browser window to see if you efficiently handle the window resize event? [Uh... 0.0000000001%?] Stop doing that. No one cares. (I also thought about titling this post, "How to identify a web developer with just one question" but still including a similar level of snarkasm.)

Hardware fingerprinting with a web browser

While I was updating jQuery Fancy File Uploader to support recording video and audio from webcams, microphones, and other media sources, I ran into an interesting web browser security-related problem that appears to affect all major web browsers that support the MediaRecorder API. From the Developer Tools console of your favorite web browser, run this one-liner: navigator.mediaDevices.enumerateDevices().then(function(devices) { console.log(devices); }); Then go to another page on the same domain and repeat the process. Try it in a new tab. As of this date, in both Firefox and Chrome (untested in Edge), it looks like the 'deviceId' of each attached hardware audio/video device remains static across a domain during a single browser session. Since a lot of people leave their web browsers open for long periods of time, this information can be used to track a user's activity across a single domain without using cookies or localStorage. The user is also not alerted to