Showing posts with label computers.
Sunday, October 10, 2004
I'm now 19 years old. It's hard to believe this is my last year as a teenager. As mentioned in the previous post, my parents got me a new Dell Dimension 3000 desktop as an early birthday present. I actually just finished setting it up. :-)
The day was otherwise uneventful, although my mother bought a large box of chocolate chip cookies for me to share with my suitemates. Everyone definitely loved them. Thanks, Mom!
Currently reading: Chemical Principles by Steven S. Zumdahl
Saturday, October 9, 2004
new Dell Dimension 3000
Because the computer I've been using is now six years old, my parents got me a Dell Dimension 3000 as an early birthday present. The new PC has a 3 GHz Pentium 4 processor, 512 MB of RAM and 160 GB of storage. It's much faster than anything I've ever had. Thanks, Mom and Dad!
I'm considering joining a distributed computing project, probably either distributed.net or the Great Internet Mersenne Prime Search. This will allow me to put the idle CPU cycles to good use. In any case, I can finally retire my old Pentium II box after all those years. :-)
Currently listening to: Toccata and Fugue in D minor by J. S. Bach
Thursday, November 28, 2002
Thanksgiving with the Lu family
I had a nice Thanksgiving as the Lu family invited us over for dinner. It was a much-needed get-together, especially considering that they didn't stay long the last time they came over.
Lisa prepared a large turkey and several other dishes. There was more than enough food for all of us. I mostly played games on my TI-89 but did enjoy hanging out with Thomas and Connie. Everyone definitely had a great time.
On a related note, I'm grateful for my new calculator. It's extremely useful and a great time killer. Imagine bringing it to a Thanksgiving party — you can't get any geekier. :P
Currently watching: Interceptor Force 2
Wednesday, October 30, 2002
more DLS vulnerabilities
You may remember that I found a security issue in my school's student information system a while ago. It turns out the DLS had additional vulnerabilities. I can talk about them now that they're fixed. Hopefully I don't get in trouble for this. :P
Changing another user's settings
On the profile settings page, the user ID is used to specify the target profile. Because it was stored in a hidden field on the client side, an attacker could manipulate the data and change another user's preferences. It was a serious issue as they could compromise any account — including those with administrative privileges. I'm glad I discovered it before someone with nefarious intentions did.
File inclusion vulnerabilities and IP address spoofing
Due to security concerns, the DLS is configured to only accept certain file types. However, there was nothing more than some JavaScript to validate file extensions. I was able to bypass it by calling the submit() method on the form. This could be exploited to distribute malware or even execute arbitrary code on the server.
IP addresses are recorded when users upload a file. But because this data was also stored on the client side, one could use a fake IP address or even substitute it with an invalid value. By chaining these vulnerabilities, attackers could cover their tracks.
I also found a similar bug in the settings page. Students used to be able to change their name on the site. Although this feature was disabled some time ago, hidden fields with the data remained in use. LAHS recently asked two ACMA engineers to come over so we could discuss the issues. I renamed myself to "l337 h4x0r" during the demo and got a few chuckles. ^_^
Unauthorized access to private files
Only files in a user's public folder are intended to be accessible to others. Everything else is supposed to be private. Each user also has a "recycle bin" for storing deleted files. One thing I noticed is that the user ID is specified in the path to that folder. I was able to access other people's deleted files by simply changing the value.
All these issues were due to the lack of server-side validation. Chances are the DLS still has vulnerabilities. I can only do so much without access to the complete source code. It would be a good idea for ACMA to conduct an independent security audit of the software. Of course, that's a bit above my pay grade. :-)
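The post's closing point is that every issue came from trusting client-supplied data. The following is an added example, written for this page and not code from the DLS or ACMA, of what the missing server-side checks look like: the target of a profile change comes from the session rather than a hidden field, file extensions are re-checked on the server after whatever the browser did, the upload's source address is the TCP peer rather than a form field, and a recycle-bin lookup is both authorized against the session and confined to the owner's directory. The function names, the `session`/`form` dictionaries, the allowlist and the `/srv/dls` storage root are all assumptions made for the example.

```python
import ipaddress
import os
import posixpath

# Assumed allowlist for demonstration; the DLS's real list is not on the page.
ALLOWED_EXTENSIONS = {"txt", "pdf", "doc", "jpg", "gif"}


class Forbidden(Exception):
    """Raised when a request asks for something its session may not touch."""


def target_profile(session, form):
    """Decide whose settings a 'save profile' request may change.

    Identity comes from the server-side session.  A user_id arriving in the
    form body (the old hidden field) is accepted only if it matches the
    session, or if the session belongs to an administrator.
    """
    me = str(session["user_id"])
    requested = form.get("user_id")
    if requested is None or str(requested) == me:
        return me
    if session.get("role") == "admin":
        return str(requested)
    raise Forbidden("form user_id %r does not match session user %s" % (requested, me))


def allowed_upload(filename):
    """Server-side extension check.  The JavaScript in the browser is only a
    convenience that a client can skip (e.g. by calling form.submit()
    directly), so the server re-validates every name it receives."""
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any directory part
    if name in ("", ".", "..") or any(ord(c) < 32 for c in name):  # empty or NUL-style tricks
        return False
    if name.endswith(".") or "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()  # the last extension is what most servers act on
    return ext in ALLOWED_EXTENSIONS


def upload_origin(remote_addr, form):
    """Return (address to record, spoof_attempted).

    The address is the TCP peer the server actually talked to.  Any 'ip'
    field in the submitted form is attacker-controlled, so it is ignored,
    but its presence is flagged so the attempt itself can be logged.
    """
    peer = str(ipaddress.ip_address(remote_addr))  # raises ValueError on garbage
    return peer, "ip" in form


def recycle_bin_path(storage_root, session, owner_id, filename):
    """Resolve a file inside a user's recycle bin.

    Two independent checks: the session must own the bin (or be an admin),
    and the resolved path must stay inside that bin's directory, so '../'
    in the filename (or in the ID) cannot wander into someone else's folder.
    """
    if str(owner_id) != str(session["user_id"]) and session.get("role") != "admin":
        raise Forbidden("session user %s may not read the recycle bin of %s"
                        % (session["user_id"], owner_id))
    root = os.path.realpath(storage_root)
    bin_dir = os.path.realpath(os.path.join(root, str(owner_id), "recycle"))
    if os.path.commonpath([root, bin_dir]) != root:
        raise Forbidden("user id %r escapes the storage root" % owner_id)
    full = os.path.realpath(os.path.join(bin_dir, filename))
    if os.path.commonpath([bin_dir, full]) != bin_dir:
        raise Forbidden("path %r escapes the recycle bin" % filename)
    return full


def is_forbidden(fn, *args):
    """Small helper for the demo: True if the call was refused."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    student = {"user_id": 1042}            # constructed sample sessions
    admin = {"user_id": 1, "role": "admin"}
    print(target_profile(student, {"user_id": "1042"}))                     # 1042
    print(is_forbidden(target_profile, student, {"user_id": "7"}))          # True
    print(allowed_upload("essay.pdf"), allowed_upload("shell.php"))         # True False
    print(upload_origin("10.20.30.40", {"ip": "0.0.0.0"}))                  # ('10.20.30.40', True)
    print(is_forbidden(recycle_bin_path, "/srv/dls", student, 7, "x.txt"))  # True
    print(recycle_bin_path("/srv/dls", admin, 7, "x.txt"))                  # .../7/recycle/x.txt
```

The extension check alone is not a complete fix for uploads: storing files under a server-generated name, outside any directory the web server will execute, is what actually removes the "arbitrary code on the server" outcome, and the check above is the gate in front of that.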
In other news...
LAHS had a Halloween dance on Friday to gauge interest in future events. As far as I'm aware, this is something we've never done before. I love dances but skipped this one as it was a little expensive.
Saturday, October 19, 2002
new graphing calculator
I got a TI-89 as a belated birthday present from my parents. It's something I've wanted for a while. Considering that my Casio CFX-9850G has started to show its age, this was the perfect time to upgrade.
From my first impressions, the TI-89 has a lot more features and functions. Also worth mentioning is that the built-in programming language is far superior. I can see why everyone says this is a great calculator. It's basically a handheld computer. But the best part is that my math and physics classes are about to get easier. :-)
Mom has told me to be careful as these devices are often stolen. I hope this doesn't happen to me. One thing for sure is that I'm going to have a hard time concentrating in class. :P
Currently playing: Phoenix
Friday, August 30, 2002
found a vulnerability in my school's student information system
Our school district started using a student information system called the Digital Locker System this year. It's being developed by ACMA while the administrative tasks for LAHS are handled by our physics teachers, Mr. Randall and Mr. Florendo. Given that the DLS is bleeding-edge software, the company is still working out the kinks.
I was checking out the DLS when I noticed the default password for students was the same as the user identifier. Each user also has a profile page that is publicly accessible. Because the user ID is specified in the URL as a parameter, an attacker could use it to access other people's accounts. I realized it was serious and reported it to Mr. Randall as soon as possible. He said he would escalate the matter, and the problem was fixed by the time I got home. All accounts now have different user IDs.
As hard as it is to believe, someone else also found the same issue. I was showing it to Mr. Randall when I noticed a lot of accounts with changed names. It was obviously the work of a hacker. Too bad they didn't do the right thing and tell someone. I'm glad we found out before they could cause more damage.
Update: I got word from Mr. Randall that school officials have identified the person responsible. He says they banned him from the DLS and took away his computer privileges. Good riddance.
Currently watching: Dolphins (2000)
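The weakness in this post is that every student's initial password was a value anyone could read off the site. As an added example, not code from the DLS or ACMA, here is a small account-provisioning and login model that avoids it: each account gets a random initial password that must be changed on first login, stored as a salted PBKDF2 hash, and an audit helper lists any account that still accepts its own user ID as the password. The record layout, the work factor and the sample user IDs are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'salt$digest' in hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison against a stored 'salt$digest' value."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def provision_account(user_id):
    """Create an account with a random per-user initial password instead of one
    derived from the (public) user ID.  Returns (record, initial_password); the
    password is handed to the student out of band and is not kept in clear."""
    initial = secrets.token_urlsafe(9)
    record = {"user_id": str(user_id),
              "password_hash": hash_password(initial),
              "must_change_password": True}
    return record, initial


def login(record, password):
    """'denied', 'change_password' (correct, but still the initial one) or 'ok'."""
    if not verify_password(password, record["password_hash"]):
        return "denied"
    if record["must_change_password"]:
        return "change_password"
    return "ok"


def set_password(record, new_password):
    """Replace the password; never let it be the user ID again."""
    if new_password == record["user_id"]:
        raise ValueError("password must not equal the user ID")
    record["password_hash"] = hash_password(new_password)
    record["must_change_password"] = False


def accounts_with_default_credential(records):
    """Audit helper: user IDs whose password is still the user ID itself."""
    return sorted(r["user_id"] for r in records
                  if verify_password(r["user_id"], r["password_hash"]))


def legacy_account(user_id):
    """Constructed sample of an account provisioned the old way (password == ID)."""
    return {"user_id": str(user_id),
            "password_hash": hash_password(str(user_id)),
            "must_change_password": False}


if __name__ == "__main__":
    rec, initial = provision_account(20021)          # constructed sample user ID
    print(login(rec, initial))                       # change_password
    set_password(rec, "correct horse battery staple")
    print(login(rec, initial), login(rec, "correct horse battery staple"))  # denied ok
    print(accounts_with_default_credential([rec, legacy_account(31337)]))   # ['31337']
```

The audit function is the part worth running against an existing user table: it needs nothing but the stored hashes, so the "someone else found it too" situation can be caught before the names start changing.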
Monday, June 25, 2001
Java programming class
Summer school has started for me. I'm taking a Java class at Foothill College this year. You may know I do have some coding experience. However, this is my first formal programming class.
Java is platform-independent and runs on many operating systems. RuneScape is a game that's written in this language. Of course, there's a big difference between school and the workplace. I don't expect to make a game like RuneScape anytime soon. But this is nonetheless a great learning experience.
Currently playing: RuneScape
Saturday, October 7, 2000
my first computer program + new math website!
I just finished my first real Visual Basic program. It takes in the radius of a circle and returns its diameter, circumference and area. I know it doesn't do much, but my geometry teacher was nevertheless impressed. Therefore, I've decided to release it to the public in hopes that someone will find it useful. :-)
Download information
You can get the program at my math website here. Please note that it requires the Visual Basic 5.0 run-time files to work. For the record, future updates regarding my software will usually be posted at my math website.
For those unaware, my website used to be a fan site for the game Terminal Velocity until my mother made me shut it down over concerns that I was breaking the law. It's not copyright infringement to post links to shareware or demo versions of software - as opposed to distributing full versions - but I didn't feel like arguing with her. In any case, at least my GeoCities account is being put to good use now. :-)
Historical note: GeoCities has been shut down, so I've replaced the link with one to a static mirror.
Saturday, January 1, 2000
on the Year 2000 problem
Dad told me his company's security system went haywire. I guess the transition to the year 2000 wasn't exactly seamless. However, he says this was quickly fixed and didn't cause any damage. As far as I'm aware, there have been no major disruptions. So no power failures, plane crashes, nuclear meltdowns or accidental missile launches. Of course, the world didn't end either.
On the whole, this has been an uneventful day so far. Some argue that the money spent on Y2K — estimated at a few hundred billion dollars — was a waste. But there are many others who disagree. You can't take chances when it comes to critical infrastructure.
Currently playing: Duke Nukem
Saturday, October 10, 1998
I'm officially a teenager + new computer!
Well, I just turned 13. In other words, I'm now officially a teenager. I'm aware that 13 is considered an unlucky number, so here's to hoping I won't have too much bad luck for the next year. *shrugs*
Speaking of which, this birthday was a little different. I figured I was getting too old for annual birthday parties - not to mention that my mother was getting tired of always having to invite people over - so I did not have one this year. After all, parties aren't the only way to celebrate a special occasion; I'd imagine a night at the movies or a dinner at a nice restaurant would be just as fun. But that doesn't mean I'll never have another birthday party again - I just might save one or two for those very special ages.
On the other hand, I got a brand new desktop PC in the evening. The computer has a 400 MHz Pentium II processor, 8 GB of storage and 64 MB of RAM. It came with a nifty wireless mouse, too. Pretty impressive, don't you think?
I should mention that the computer was never intended to be a present. I'm not that spoiled, mind you. Rather, Dad had ordered it a while ago, and it just happened to arrive on my birthday. It's funny how things tend to work out. Perhaps I won't have so much bad luck after all. ;-)
Oh yeah, and my friend Moonway's mother knew I used to be an avid map collector, so she gave me two high-quality maps a few days ago. One is a world map, and the other is a map of the United States. Thanks, Angela!
Currently playing: SimCity 2000