Brain on Fire » Blog Tim McCormack says words

As I discussed previously, parser mismatches are an underappreciated class of vulnerabilities. In that post I described what they are and showcased a few examples, but today I'd like to talk about what to do about them.

I'll present a few options, with advice on when to use each technique.

Read more

Yesterday I got inspired to start playing around with Fourier transforms of images, and I'd like to share some of the results. Most are intended to just be artistic, although playing around has also given me a little more insight into how the frequency domain relates to to the spatial domain. There's also a git repo so that you can reproduce these images and video yourself, and for many of the images I'll link to the version of the code that produced it.

In many of these, I've transformed a grayscale image to the frequency domain, messed around with the amplitude or phase information, and then transformed it back into spatial. In others, I've just plotted the amplitude or phase, and then sometimes post-processed the plots in GIMP.

I'll start off with one of my favorites so far; many more explorations under the cut.

Warning: This is sort of a stream-of-consciousness post. Feel free to just look at the pretty pictures and skim the text.

Read more

There's a class of security vulnerabilities that has gotten very little attention until recently but shows up everywhere. In the past I called these dueling parser vulnerabilities, but recently there has been more recognition of this vulnerability class, and the terms parser confusion and parser mismatch have come into use. In this post I'll be using "parser mismatch" because it is the clearest and most descriptive.

Broadly defined

A parser mismatch occurs when you have:

• Two code locations
• ...each of which tries to parse the same thing
• ...but where the parsers disagree on what some inputs mean.

In general, you'll see two kinds of behavior:

• For "normal" inputs they'll almost always agree
• For malformed inputs, they'll often disagree, creating the possibility of a vulnerability

Kinda abstract. Let's get more concrete.

Read more

This is a recipe for a 100% whole wheat sourdough with no extraneous ingredients: Just flour, water, salt, and starter. It does not require any kneading, and instead relies on a low-effort series of tensioning steps over the course of an evening, followed by an overnight proof rise. In the morning it is baked in a Dutch oven.

By the numbers:

• Active work time is about 30 minutes including all prep and cleanup, assuming a practiced hand. (On top of that, starter maintenance totals about 10 minutes per week.)
• Start to finish is about 18 hours, but varies based on ambient temperature.
• In baker's percentages, the recipe is 81% hydration and 1.8% salt.
• 15% of the total flour is prefermented (that is, is contributed by the starter).

This recipe is best for winter; in a 55–65°F kitchen, a dough started in the afternoon will be ready to proof by bedtime but will not be overproofed by morning. In summer, a different recipe may work better.

I am not a professional baker, and I'm sure this recipe could stand to be improved. (Suggestions welcome, especially if you end up making it!) But this has been my weekly bread for a year now, and I've been quite pleased with the results.

Read more