Category Archives:

Google Hackathon was hacked

Two days ago, the first Israeli Google Developer Day was held. It was a colorful and interesting event, to the best of google tradition.

Yesterday, all attendees got an email saying that an unauthorized network activity was detected.

“We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet.”

Beside the interesting lectures there were two code-labs or hackathons going on. The first thing that came to my mind when I saw everyone are connecting their laptops, wirelly and wirelessly, is that someone will abuse this for some king of Man in the middle attack. But for some reason I thought that since it’s google, they won’t let something like this to happen.

Just minutes before, I asked the google experts over there, which are very nice and professional in there own fields, about the GMail Frame Injection issue. I wasn’t accusing anyone just trying to raise a discussion about it. It seemed that no one knew about it and no one really cared. The suggestion I got was that I should report this somewhere in the GMail website. But, it’s already been reported, I protested.

I should have understood by this, that security isn’t the first priority of these uber geeks.

Maybe we’re expecting too much from google, they’re just the greatest company they’re not gods.

Anyhow I wasn’t hurt by this since I don’t transfer sensitive non encrypted data in these kind of places. And it might be that google is just covering themselves just in case someone got hurt. And most users weren’t really affected.

On a side note, I’ve allowed myself to “analyze” the google dev crowd, I’d expected them to be in higher level then, for example, the Microsoft crowd.

Indeed, in a rough inclusion, the google crowd is much geekier and also much more nerdish, as opposed to the Microsoft crowd, especially here in Israel :D. It can be said that MS is much more approachable and that they create tools that anyone can use, or that MS is aiming to the lowest common denominator, or that everything is political. I don’t care. All I know is that I don’t feel belonging to any of these. The google crowd is too smart nerdish and MS crowd is too… how to say it politely… too stupid common.

I’m somewhere in the creative outskirt, I’m in the Flash crowd :)

P.C. Not that it’s anything wrong about it to be a common .Net developer, a lot of my best friends are .Net developers ;)

Resolving some issues with swfobject

There are some known issues with swfobject and ASP.NET, infact it’s not just with swfobject but also with the Flash object in general, one issue of using ExternaInterafce from an ASP.NET Form can be solved with these technics

I had a strange issue with swfobject lately and obviously I’ve blamed ASP.NET for inserting unwanted code into my pages and causing problems. Generally it’s reasonable to blame it as it does make a mess sometimes, but, this time it was my fault for not noticing other Javascript code is conflicting with swfobject.

The issue I had, was with the swfobject’s addVariable and addParam functions. The Flash SWF HTML seemed to be written to the page’s flashContent div but all of the variables and parameters I’ve added were ignored. After examining the swfobject getSWFHTML function, this function gives you the HTML code that is gonna embed the Flash inside the page, when I saw how strange the HTML is, I realized what happened:
Without naming names ;) some Javascript developers, extensions and frameworks like to write to the prototype of generic Javascript objects (This is also how Object Oriented Actionscript 1 was done in the past). And with doing so, extending these built-in objects (object, array, string, etc’) with various functionalities. A good example is the javascript JSON implementation which extends the Javascript object with object.toJSONString(). Swfobject stores the variables and parameters inside a regular Javascript object and when it prepares the Flash HTML it uses a loop to go through all the elements and add them to the markup
<param value=”flashMovie.swf” name=”movie” />
<param value=”transparent” name=”wmode” /> etc’

in case you’re using the json.js, your HTML will have also
<param name=”toJSONString” value=”function (w) {….and whole lotta mess” />.

This might cause the embedding of the Flash movie to fail or function improperly.

The solution for this is to add a check to all of the loops inside swfobject with the hasOwnProperty, for example:

[JS]for(key in variables){
if( variables.hasOwnProperty( key ) )
variablePairs[variablePairs.length] = key +”=”+ variables[key];

The hasOwnProperty function returns true only if the property is not built-in and not in the prototype chain. Therefor the toJSONString in our example will return false and wont be considered as a flash variable or parameter.

When encountering issues with the swfobject a good place to check is the swfobject.getSWFHTML() function.
[JS]var o=new SWFObject(“flashFile.swf”,”falshMovie”,200,300,”9″,”#FFFFFF”);

//exmine the html before it’s being writen to the div

o.write(“flashContent”); [/JS]

More related info about hasOwnProperty.