This seems like as good a place as any to link to some of my favorite posts:

Load balancing: Beyond healthchecks: A mini-thesis on solving some critical issues in load balancing
An informal security assessment of Imzy (part 1) (and of course part 2): A bunch of vulnerabilities I reported to a social media startup, including a fairly unusual one I'm rather pleased with.
How to eat a croissant: Some goofiness that had been rolling around in my head for a while.
Cryptographic shuffle: An unusual use-case and a very satisfying solution.
Seeing plants move: Plants are faster than you might think.
Making redo rebuild when directory contents change: A nice trick for efficient dependency-based rebuilds involving larger directory trees.

But here are the most recent pieces...

ChatGPT hallucinates software bugs and ignores real ones

February 21, 2023 | 0 comments

I've seen any number of people defending ChatGPT's use as a tool that can not just write code, but find bugs in existing code. My own position is that it could be useful for this, but only in the hands of someone who is skeptical, detail-oriented, and experienced with the language. This is because ChatGPT doesn't know anything about programming; it just knows what code looks like and what people say about it. This is sometimes good enough to write code, but it very readily departs from reality onto its own hallucinatory journey. In my case, it took a single line of code with one bug in it and instead of identifying that bug decided to add 3 or 4 more.

You can find any number of examples of this online along with discussion and analysis, so this blog post is just a vehicle for posting my own January 9 2023 chat transcript in a way I can conveniently link to.

(I would have posted it earlier, but OpenAI's chat history function was down for several weeks, so I could not retrieve it.)

Fixing a broken Firefox profile via Sync

January 21, 2023 | 0 comments

I've been using Firefox for something like 15 years, so it's no surprise that I eventually ended up with a corrupted profile (perhaps from a sudden shutdown). It was functional 99% of the time, but a few things would break in weird ways, like Local Storage getting cleared periodically for both web pages and extensions. It was subtle enough that by the time I noticed, it was too late to just restore from backup.

The way I eventually fixed it was to use Mozilla's "Firefox Sync" service to copy the data to a new profile. This post describes the steps I took, in case someone else wants to take the same approach.

URL filtering vulnerabilities in lxml

October 16, 2022 | 0 comments

The lxml toolkit is a library for working with XML and HTML from Python. It includes a utility called Cleaner that supports filtering HTML for dangerous and unwanted elements and attributes, although since early 2022 it has been marked as not suitable for security purposes. Nevertheless, it is still used that way by many projects.

A coworker and I were recently exploring its capabilities. At one point he made a simple mistake that is extremely common in Python, and stumbled onto what I recognized as a vulnerability. Exploring the code more, I found another vulnerability, this one not dependent upon misconfiguration.

(As of this posting, the issues are not fixed and released, but patches are available.)

Older entries

Brain on Fire » Blog Tim McCormack says words

ChatGPT hallucinates software bugs and ignores real ones

Fixing a broken Firefox profile via Sync

URL filtering vulnerabilities in lxml

Recent posts