I just presented the major focus of my time and effort for the past year-and-a-bit, StegoTorus, at this year’s ACM Conference on Computer and Communications Security. You can see my slides and the code (also at Github). I was going to explain in more detail but all of the brain went into actually giving the talk. My apologies.

This is an ongoing project and we are looking for help; please do get in touch if you’re interested.

LWN has an article with a nice chunky comment thread talking about the history of DVCSes and how git has basically taken over the category. Mozilla, of course, still mostly uses Mercurial, but there’s a lot of people who prefer git now, and there are bridges and stuff.

I have a weird perspective on all of this. I hacked on Monotone back in the day, so I have the basic DVCS concept cold, and Mercurial is only a little different; it never surprises me. Git, however… I read the documentation, and I think I understand what’s going on, and then I do something that according to (my understanding of) the documentation should do what I want, and instead it mangles my local repo and I get to spend an hour or two repairing it. Or, in one memorable case, it mangled the remote, shared repo - thankfully that was easily fixed once I figured out what it had done, but I still don’t know why it did that instead of what I expected it to. (A matter of which branch’s HEAD pointer got updated with the result of a merge.) I’ve been actively hacking on projects whose primary VCS is Git for over a year now and this consistently happens to me about once every 20 to 40 hours of coding time.

So I don’t trust Git and I don’t like using it. I do, however, appreciate its speed, which as far as I can tell is down to back-end stuff – storage format, network protocol, and so on. So here’s what I want: I want someone to write an exact clone of the Mercurial CLI that uses git’s back end. I have no time, but I would totally contribute money to the development of this. It has to be an exact clone in terms of command line behavior, though. If that means throwing away front-end features of Git, I am 100% fine with that. I would happily lose the index/working copy distinction, for instance. I could also live with losing support for arbitrary Mercurial extensions; I would miss MQ in principle but I suspect there’s an alternate development model for Mozilla that doesn’t need it. Everyone else seems to manage.

Anyone else interested in something like that?

If you find that Emacs on OSX fails to pick up the same $PATH setting that you get in command line shells, instead defaulting to an impoverished default that doesn’t include (for instance) anything installed via MacPorts: (add-hook 'after-init-hook #'(lambda () (setenv "PATH" (with-temp-buffer (call-process "/bin/bash" nil (list (current-buffer) nil) nil "-l" "-c" "printf %s \"$PATH\"")
(buffer-string)))))


I am only embarrassed that I put up with the brokenness for as long as I did.

This is a little off my usual beaten path, but what the heck.

This is two related proposals: one for a new DOM feature, document.parseDocumentFragment, and one for JS syntactic sugar for that feature. It is a response to Ian Hickson’s E4H Strawman, and is partially inspired by the general quasi-literal proposal for ES-Harmony.

Compared to Hixie’s proposal, this avoids embedding a subset of the HTML grammar in the JS grammar, while at the same time being more likely to conform with author expectations, since the HTML actually gets parsed by the HTML parser. It should have at least equivalent expressivity and power.

## Motivating Example

function addUserBox(userlist, username, icon, attrs) {
var section = h<section class="user" {attrs}>
</section>;
if (icon)
section.append(h<img src="{icon}" alt=""/>);
userlist.append(section);
}


(more…)

Readers of this blog may find https://github.com/zackw/stegotorus and https://github.com/zackw/moeller-ref of interest.

This day had a lot of interesting papers, but some of the presentations were disappointing: they spent their time on uninteresting aspects of their work, or handwaved over critical details.

That said, most of the work on passwords was compelling, and if you read to the end there’s a cranky rant about the panel discussion.

(more…)

I skipped the 8:30AM session today, it was mostly not interesting to me and I badly needed the extra hour of sleep. I’m sorry to miss “On the Feasibility of Internet-Scale Author Identification”, but I will read the paper. I also skipped the business meeting, so, summaries start with the 10:30 session, and end with the short talks.

(more…)

I’m attending the IEEE Symposium on Security and Privacy, 2012 and I’m going to try taking notes and posting them here, again. The last time I tried this (at CCS 2010), most of the notes didn’t ever get posted, but I paid a whole lot more attention to the talks than I do when I’m not taking notes. This time, I’m going to try to clean up the notes and post them the next morning at the latest.

S&P was at the Claremont Hotel in Oakland, California for thirty-odd years, and they didn’t really want to leave, but there wasn’t room for all the people who wanted to attend. Last year they turned nearly 200 people away. This year, it’s in San Francisco at a hotel on Union Square—amusingly, the exact same hotel that USENIX Security was at, last August—with much higher capacity, and while I still have to get up at dawn to get there on time, at least I don’t have to drive.

I have not had time to read any of the papers, so this is all based on the talks, only. However, where possible I have linked each section heading to the paper or to a related website.

Mozilla folks: I would like to draw your attention particularly to the talks entitled “Dissecting Android Malware”, “The Psychology of Security for the Home Computer User”, and “User-Driven Access Control.”

(more…)

Attention conservation notice: probably not of interest to anyone who doesn’t read this blog via Planet Mozilla.

I currently syndicate everything on this blog to Planet Mozilla. Given the ongoing discussion of what does and does not belong there, I would like to poll the audience: How do you feel about any of the following topics appearing on Planet?

• Details of my recent trip to $COUNTRY • Offers to give away unwanted items prior to moving • Musings about pottery • Musings about video game design • Small programs that were a pain to write and might be useful to someone else maybe someday • Various Internet-security-related topics which may or may not have anything to do with The Web • incredibly hypothetical ideas, zany schemes, and related philosophizing • detailed reports on my academic research • explanations for a lay audience of how to use the Internet safely • summaries of the research presented at$CONFERENCE

This is a sincere question, which I am asking in order to decide whether I, personally, should start filtering what gets syndicated to Planet from here.

My grandfather David and his brothers grew up in the small city of Ostrowiec. They emigrated to the USA in 1938, and as far as I know, none of the family have set foot in Poland since. Until now; this academic year, my sister Dara is living in Warsaw on a Fulbright scholarship to study Polish theater and its relationship to the Greek chorus. Pam and I went to visit her over the winter holidays, continuing a family tradition of her studying abroad and me visiting. Here are highlights and selected photos. Full photo album, as usual, on Flickr.

(more…)