A notch above a monkey

DjangoCon Europe 2014?

Update 2: Tickets are now on sale and it is safe to say that I am not going. The opening price (which will go up after the first 50 tickets are sold) is already too high for me, and it is exactly what I was originally afraid of.

Update: I am sorry, I overreacted. As http://2014.djangocon.eu//news/ makes clear, tickets will cover everything except getting there, and I have full confidence they will be reasonably priced. The transport options listed below for those from my neighborhood are still valid (unless somebody has better data, which would be great).

I did not go to DjangoCon Europe in Warsaw this year, but I was certain I would go to the next one. Not anymore.

There is no good way of contacting the organizers[1] and not much travel information either, on DjangoCon’s website or elsewhere. Most of what there is is in French, which I don’t speak, so my worries are hopefully unfounded, but what I have found so far looks grim.

First, transport. It is not the organizers’ fault that I live where I do (Ljubljana, Slovenia), but my options are plane (500+€; travel time 6 and 17 hours), train (EUR ??; travel time 14-24h in each direction) or car, which would take about 9 hours in each direction and cost around 600€ in total per car (180 for tolls, ~400 for fuel, with hopefully free parking there).

It is really difficult to get a good idea of how much hotels on the island cost, but judging by TripAdvisor they are not cheap and in general cost 100+€ per day. Staying on the mainland can be done more cheaply, but I think the ferry costs at least 13€ per day, so the total cost will likely not be very low and you will not be around for any late events.

No idea yet about how easy it is to find suitable food if you are a vegetarian or a vegan, or how much it costs. I assume it can be worked out.

In total this looks significantly more expensive than attending EuroPython in Florence, and that was FLORENCE!

I dislike criticizing the efforts of others, especially when I know that a lot of volunteering is involved and when I am not privy to inside knowledge and dilemmas. However, as a regular conference goer it does look to me that a shift has been happening: from the egalitarian accessibility of making community conferences cheap and easy enough for anyone to attend, to a more stratified approach where the money-poor (or time-poor) will have to make do with video recordings and broadcasts while the rest get an ever flashier experience.

There is obviously a lot of value in meeting face to face (otherwise most of us would probably prefer to save the expense), which is why I would find this kind of development sad if it happened to major community gatherings like DjangoCon Europe. So I am hoping that it isn’t happening and it won’t.

  1. I know there’s a Twitter account. I don’t find it a good channel for the kind of communication I want, but that is a different discussion.

Laughable Javascript security

Building a secure web application is not easy, and if you also use third-party code such as Facebook’s Like widget it is impossible. What you have is only an illusion of security: a door to abuse that you cannot even check is currently closed.

Or that’s what I thought for years. A once substantiated belief grew into an almost dogmatic certainty, until I recently got a chance to revisit it while trying to design a secure JavaScript-based web application living inside a likely untrusted environment.

There are obvious things you can do to protect your application, such as delivery over secure connections and the use of anonymous functions to sandbox your code from outside interference. However, you will probably need to interact with external code at some point. Is the XMLHttpRequest object you are using then really the built-in one, or has it been replaced (cloaked) with an impostor object that performs a man-in-the-middle attack?

I don’t know of a way to check whether an object is untouched. What is sometimes used instead is the .toString method, which on functions and methods returns their source, unless they are native to the browser, in which case it returns a placeholder string saying so.

Since you can replace any attribute and method on any object, some go even further in search of certainty and call Function.prototype.toString on the object rather than trusting the object’s own .toString.

At first thought that looked clever until I came up with:

  <!DOCTYPE HTML>
  <html lang="en">
  <head>
  <meta charset="UTF-8">
  <title>Break check if function is native</title>
  </head>
  <body>
  <script>
  (function () {
      // Keep the genuine Function.prototype.toString and the string the
      // browser returns for the genuine window.postMessage.
      var toS = Function.prototype.toString,
          pM_str = window.postMessage.toString();

      // Lie only when asked about the impostor; behave normally otherwise.
      Function.prototype.toString = function () {
          return this === window.postMessage ? pM_str : toS.call(this);
      };
      // Replace postMessage; the toString check still reports it as native.
      window.postMessage = function () { console.log('Fake'); };
  })();
  </script>
  </body>
  </html>

Download this code: /code/nativecheck.txt

The code above replaces Function’s .toString method with one that lies when called on the equally cloaked window.postMessage. Instead of returning the source of the new postMessage, it returns whatever the browser would return for the original one.

It simultaneously demonstrates how you can cloak native JavaScript objects and hide that you are doing it. If you put malicious code into an anonymous function and remove the <script> node that added it once it has executed, there is no way for scripts loading later to know that it happened. There will be no trace of the crime.

It might be difficult to cloak literals like {} and [], but you certainly can cloak their methods, so even if your code is wrapped in an anonymous function, it isn’t really secured from outside peeking and poking. Hence you can’t even trust your own code.
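The following is an added example, not code from the original post. It reproduces the toString-based "is it native?" check and the cloak that defeats it, and puts beside them the one check that still works when the defending script loads first: comparing function identities against references saved before any untrusted code ran. Node has no window.postMessage, so a constructed stand-in object with JSON.parse takes that role.

```javascript
// Added example (not from the original post): the native-function check the
// post describes, the cloak from the post generalised into a helper, and an
// identity snapshot as the defence. JSON.parse stands in for window.postMessage.

// The "is it native?" test: call Function.prototype.toString on the function
// and look for the browser's native-code placeholder.
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Defender side: record the identity of every function we depend on. This only
// helps if it runs before third-party code gets to execute.
function snapshot(obj, keys) {
  const saved = new Map();
  for (const k of keys) saved.set(k, obj[k]);
  return saved;
}

// Defender side: list the saved functions whose identity has since changed.
function tampered(obj, saved) {
  return [...saved.keys()].filter((k) => obj[k] !== saved.get(k));
}

// The post's cloak, generalised: swap obj[key] for an impostor and make
// Function.prototype.toString report the original's source for it alone.
function cloak(obj, key, impostor) {
  const realToString = Function.prototype.toString;
  const originalSource = realToString.call(obj[key]);
  Function.prototype.toString = function () {
    return this === impostor ? originalSource : realToString.call(this);
  };
  obj[key] = impostor;
  return realToString; // handed back so the demo can undo the global patch
}

// Run both orderings: defender before the cloak, and defender after it.
function demo() {
  const env = { parse: JSON.parse };              // constructed stand-in for window
  const early = snapshot(env, ['parse']);         // defender loaded first
  const realToString = cloak(env, 'parse', function () { return 'fake'; });
  const late = snapshot(env, ['parse']);          // defender loaded after the cloak
  const result = {
    passesNativeCheck: looksNative(env.parse),    // true: the toString check is fooled
    caughtByEarlySnapshot: tampered(env, early),  // ['parse']
    caughtByLateSnapshot: tampered(env, late),    // []: nothing left to see
  };
  Function.prototype.toString = realToString;     // restore the genuine method
  return result;
}
```

The late snapshot is the post's point: a script that loads after the cloak has nothing genuine left to compare against.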

It turns out that this particular dogma is true after all. Depressing.

Shrinking images with image-diet

I like easy-thumbnails and use it often in my Django projects, but for a long time I wished that its PIL-generated thumbnails were smaller. That’s why I wrote image-diet, a drop-in extension for those easy-thumbnails users who use the file system for storing images. Images remain visually the same, but can be significantly smaller (mine by more than 50%, but your mileage may vary).

This matters because images, together with JavaScript, are the main cause of ever larger page sizes, which leads to slower websites, especially in low-bandwidth environments. But really, don’t we all want our websites to be as fast as possible?

image-diet was inspired by ImageOptim and Trimage, and I’m grateful to the authors of both. It uses jpegtran, Jpegoptim, Gifsicle, OptiPNG, AdvanceCOMP PNG and Pngcrush to do the heavy work of squeezing out redundant bytes. Getting them should be easy, as they are part of the Ubuntu distribution and can be installed on a Mac with brew. For more information please check the documentation or ask.

I would love to hear any comments and ideas you may have, even more so if you try it.