It's Just Text

There’s been a lot in the media recently and over the years discussing regulation of what code can and can’t be written. Most people consider this a perfectly reasonable request. We regulate the production of munitions. We regulate the production and sale of narcotics. Code is just another way to make things, right? So we should regulate what can be produced via code.

There’s a problem here however. Code is speech. I know, unless you code you don’t really understand this - and there’s a caveat here for those that just dabble. But code is really just a way to describe something. In one context the computer will interpret those instructions and do what is asked. In another context the code will simply be a description for those that read it or maybe a bunch of confusing crap for those that can’t.

It hit me the other day that there is a particular web attack that exemplifies this perfectly: XSS, Cross-Site Scripting[1]. Succinctly put, XSS is an attack against interpretation. The web developer intended to allow users to input comments (or something else, but comments are common). The user inputs something that the computer recognizes and then executes. This is a problem of improper context. It’s like yelling fire in a theatre - wrong context. Yell fire all you want at home. Better yet, save it for the range.

Let’s say the user isn’t even malicious. She just wants to describe some problem she’s having with a new project, but when she uses the appropriate shorthand to describe the problem the computer goes, “yep, I understand that. Let me just do that now.” So instead of getting a quick answer from the other polite and knowledgeable folks on the web, she crashes the site.

If the user had realized the computer was going to take what she said personally she might have said something more meaningful. In that case, she might have asked for cookies from everyone. Yum. Cookies.

If you don’t know, cookies are the way the server remembers you. Servers have very short memories and are blind. They can’t tell who you are until they check your cookies. … That just doesn’t sound right.

Well, at least they don’t simply trust your address (IP, that is). That would be quite embarrassing for you and your spouse.

If the user asks the server for cookies from the other users, Ms. User now becomes Ms. Malicious User. We’ll call her Mallory[2]. With all of the cookies Mallory can visit the site and impersonate all of the other users. She will have permission from the server to do whatever those users could do. The server now believes she is all of them. Yeah, servers are dumb.

The point being, the server asked for a comment. Mallory commented. In this case, the comment meant something to the server so it followed orders. There are other sites where this can’t occur. The popular site Stack Overflow is specifically set up to allow users to post code so that others can help them with it. This server mostly ignores what users write. It simply passes along the message. In fact, what you’re reading right now was written in code. The website software I use recognizes HTML and Markdown. I can write in both of those. It will process them and present them nicely to you. I own the site so I speak pretty directly to the server. I don’t own the server, however, so the people who own the server, GitHub, restrict what the server will process to a certain degree. They don’t want my crappy code to compromise everyone else they are hosting.
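To make the interpretation problem concrete, here is an added example of my own, not code from the post: the same comment string rendered into a page two ways, once interpolated straight into HTML (the server “follows orders”) and once escaped so the browser shows it as text, the way a code-sharing site shows a snippet instead of running it. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe, containsScriptTag, demo) and the sample comments are assumptions made for the illustration.

```javascript
// Added example, not code from the original post. It renders the same
// comment string in two contexts: passed straight into HTML versus escaped.

// Escape the characters that can switch the browser out of text context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: the comment is interpolated as markup, so anything
// that looks like HTML or script in it is interpreted, not displayed.
function renderCommentUnsafe(author, comment) {
  return `<li><b>${author}</b>: ${comment}</li>`;
}

// Hardened renderer: the comment is escaped, so it is passed along as text.
function renderCommentSafe(author, comment) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</li>`;
}

// Simple check on rendered output: did a <script> tag survive into the page?
// (A regex over the output, not an HTML parser; enough for this demonstration.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comments. The first is the well-meaning user from the
// post, quoting a snippet to describe her problem. The second reads the
// session cookie, which is what Mallory's comment would need to do.
const innocentComment = 'My page breaks when I add <script>alert("hi")</script>';
const cookieComment = "<script>alert(document.cookie)</script>";

// Render both comments both ways and report which outputs still carry script.
function demo() {
  const results = {};
  for (const [label, comment] of [["innocent", innocentComment], ["cookie", cookieComment]]) {
    results[label] = {
      unsafe: containsScriptTag(renderCommentUnsafe("Alice", comment)),
      safe: containsScriptTag(renderCommentSafe("Alice", comment)),
    };
  }
  return results;
}

console.log(renderCommentUnsafe("Alice", innocentComment));
console.log(renderCommentSafe("Alice", innocentComment));
console.log(demo());
```

Run it with node: the unsafe output carries the script tag into the page for both comments, the innocent one included, while the escaped output shows it as text. Escaping for the HTML context is the fix for the interpretation problem described above; as a second layer, marking the session cookie HttpOnly keeps document.cookie out of reach of any script that does run.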

Where does this leave us?

We are left with the basic questions: When is code malicious? When is speech malicious? When should it be illegal? The same questions apply to both code and speech, as I argue that they are both speech. They have correlating issues. The discussion could be extended to include pictures / pictographs, sound, or any other sort of signal. Whatever can be made to have meaning is ultimately code.

We are moving away from value of the thing to value of the information. What we can never get away from is the physical manifestation of information. I think that’s a good place to start. The manifestation of the information should hold prominence.

I’m sure you’ve had the same thoughts as some really horrible people (Manson, Hitler, Cobra Commander) at some point in time - ok, maybe not quite that bad but my point still stands. That’s information. I can record it (parts of it). I can process it. Someone else processed it and killed a bunch of people. You (I hope) decided to have a beer. Judging you by the information held in your storage repository would have been premature.


1. I’m taking liberties in my description of XSS for the sake of brevity and clarity. If you want to know more, this is the best description of XSS I’ve seen: http://excess-xss.com/ This is the best example: Samy is my hero. I remember when this was running through Myspace.

2. This is a name used regularly in the academic discussion of attacks. Traditionally these names are used to discuss cryptographic attacks, but they are sometimes used to describe other computer-related attacks as well. Reference: http://en.wikipedia.org/wiki/Alice_and_Bob

Making the Site

I finally got around to making a website for myself. This officially counts as my first post, and I’m still playing around with it all. It’s fairly intuitive. My setup is also great for a hacker like me.

I’m hosting on Github Pages. That makes life easy. I can use VIM to edit locally and just use git to push to my site. Lovely.

I opted to use Jekyll as a static site generator framework. It’s ruby-licious (which I don’t like). But I guess I have to get over my hatred of ruby. Too many projects are using it - not the least of which is Metasploit. Kind of important for me. There’s a post below (not written by me); it was part of the template that I used, called Hyde. I need to edit those posts to make it obvious they are not mine. Basically, any post prior to this one is from the template. They’re good info on Jekyll and Hyde (heh).

Jekyll is rather nice. It allows me to post in Markdown or HTML. It supports JavaScript. Static pages can be generated that it will just leave alone, so you can write JavaScript files and CSS files. If you find a template you like you’re probably just minutes from having something quite nice with little fuss. Mostly, just look for a template like Hyde or whatever you fancy. Do a git clone of the code. Make yourself a repo and add the contents from the Hyde repo.

…yes, I know I was talking in coder-ese. Nerdian. Whatever. Thing is, for a coder these are things that are normal to us and that makes this whole blogging thing easier. I have to deal with so many different architectures and frameworks as it is. This was just easy.

I won’t go much more into the whole setup. I’m finding the folks below to be of great assistance in getting me going:

  • Yes, we Jekyll: Great overall discussion of Jekyll.

  • HackDesign: yeswejekyll pointed me at the above. This site is awesome for the hacker that hasn’t been paying too much attention to web technology beyond Little Bobby Tables. This may be a bit much for some of you, but I have a visual art background so I like this kind of thing. Sometimes thinking about kerning is a relaxing way to not think about return addresses.

Introducing Hyde

Hyde is a brazen two-column Jekyll theme that pairs a prominent sidebar with uncomplicated content. It’s based on Poole, the Jekyll butler.

Built on Poole

Poole is the Jekyll Butler, serving as an upstanding and effective foundation for Jekyll themes by @mdo. Poole, and every theme built on it (like Hyde here) includes the following:

  • Complete Jekyll setup included (layouts, config, 404, RSS feed, posts, and example page)
  • Mobile friendly design and development
  • Easily scalable text and component sizing with rem units in the CSS
  • Support for a wide gamut of HTML elements
  • Related posts (time-based, because Jekyll) below each post
  • Syntax highlighting, courtesy Pygments (the Python-based code snippet highlighter)

Hyde features

In addition to the features of Poole, Hyde adds the following:

  • Sidebar includes support for textual modules and a dynamically generated navigation with active link support
  • Two orientations for content and sidebar, default (left sidebar) and reverse (right sidebar), available via <body> classes
  • Eight optional color schemes, available via <body> classes

Head to the readme to learn more.

Browser support

Hyde is by preference a forward-thinking project. In addition to the latest versions of Chrome, Safari (mobile and desktop), and Firefox, it is only compatible with Internet Explorer 9 and above.

Download

Hyde is developed on and hosted with GitHub. Head to the GitHub repository for downloads, bug reports, and feature requests.

Thanks!

Example content

Howdy! This is an example blog post that shows several types of HTML content supported in this theme.

Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Aenean eu leo quam. Pellentesque ornare sem lacinia quam venenatis vestibulum. Sed posuere consectetur est at lobortis. Cras mattis consectetur purus sit amet fermentum.

Curabitur blandit tempus porttitor. Nullam quis risus eget urna mollis ornare vel eu leo. Nullam id dolor id nibh ultricies vehicula ut id elit.

Etiam porta sem malesuada magna mollis euismod. Cras mattis consectetur purus sit amet fermentum. Aenean lacinia bibendum nulla sed consectetur.

Inline HTML elements

HTML defines a long list of available inline tags, a complete list of which can be found on the Mozilla Developer Network.

  • To bold text, use <strong>.
  • To italicize text, use <em>.
  • Abbreviations, like HTML should use <abbr>, with an optional title attribute for the full phrase.
  • Citations, like — Mark Otto, should use <cite>.
  • Deleted text should use <del> and inserted text should use <ins>.
  • Superscript text uses <sup> and subscript text uses <sub>.

Most of these elements are styled by browsers with few modifications on our part.

Heading

Vivamus sagittis lacus vel augue rutrum faucibus dolor auctor. Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio sem nec elit. Morbi leo risus, porta ac consectetur ac, vestibulum at eros.

Code

Cum sociis natoque penatibus et magnis dis code element montes, nascetur ridiculus mus.

// Example can be run directly in your JavaScript console

// Create a function that takes two arguments and returns the sum of those arguments
var adder = new Function("a", "b", "return a + b");

// Call the function
adder(2, 6);
// > 8

Aenean lacinia bibendum nulla sed consectetur. Etiam porta sem malesuada magna mollis euismod. Fusce dapibus, tellus ac cursus commodo, tortor mauris condimentum nibh, ut fermentum massa.

Gists via GitHub Pages

Vestibulum id ligula porta felis euismod semper. Nullam quis risus eget urna mollis ornare vel eu leo. Donec sed odio dui.

Aenean eu leo quam. Pellentesque ornare sem lacinia quam venenatis vestibulum. Nullam quis risus eget urna mollis ornare vel eu leo. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec sed odio dui. Vestibulum id ligula porta felis euismod semper.

Lists

Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Aenean lacinia bibendum nulla sed consectetur. Etiam porta sem malesuada magna mollis euismod. Fusce dapibus, tellus ac cursus commodo, tortor mauris condimentum nibh, ut fermentum massa justo sit amet risus.

  • Praesent commodo cursus magna, vel scelerisque nisl consectetur et.
  • Donec id elit non mi porta gravida at eget metus.
  • Nulla vitae elit libero, a pharetra augue.

Donec ullamcorper nulla non metus auctor fringilla. Nulla vitae elit libero, a pharetra augue.

  1. Vestibulum id ligula porta felis euismod semper.
  2. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus.
  3. Maecenas sed diam eget risus varius blandit sit amet non magna.

Cras mattis consectetur purus sit amet fermentum. Sed posuere consectetur est at lobortis.

HyperText Markup Language (HTML): The language used to describe and define the content of a Web page.

Cascading Style Sheets (CSS): Used to describe the appearance of Web content.

JavaScript (JS): The programming language used to build advanced Web sites and applications.

Integer posuere erat a ante venenatis dapibus posuere velit aliquet. Morbi leo risus, porta ac consectetur ac, vestibulum at eros. Nullam quis risus eget urna mollis ornare vel eu leo.

Images

Quisque consequat sapien eget quam rhoncus, sit amet laoreet diam tempus. Aliquam aliquam metus erat, a pulvinar turpis suscipit at.

(three placeholder images)

Tables

Aenean lacinia bibendum nulla sed consectetur. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Name     Upvotes  Downvotes
Totals   21       23
Alice    10       11
Bob      4        3
Charlie  7        9

Nullam id dolor id nibh ultricies vehicula ut id elit. Sed posuere consectetur est at lobortis. Nullam quis risus eget urna mollis ornare vel eu leo.


Want to see something else added? Open an issue.

What's Jekyll?

Jekyll is a static site generator, an open-source tool for creating simple yet powerful websites of all shapes and sizes. From the project’s readme:

Jekyll is a simple, blog aware, static site generator. It takes a template directory […] and spits out a complete, static website suitable for serving with Apache or your favorite web server. This is also the engine behind GitHub Pages, which you can use to host your project’s page or blog right here from GitHub.

It’s an immensely useful tool and one we encourage you to use here with Hyde.

Find out more by visiting the project on GitHub.