Dan Palmer

A Journey in E-commerce Search

15 January, 2023

At Thread we went through several iterations of Search, evolving the technology as we evolved the business and our understanding of what our customers wanted. Later stages went beyond my naive understanding of search at the time, and may prove useful inspiration to others. Before we dive in, some…

Activity Pub vs Web Frameworks

08 January, 2023

In an attempt to self-host a low-cost fediverse node, I started with GoToSocial, but later decided to switch to Mastodon for better compatibility. This transition presented some challenges and got me thinking about whether existing web frameworks are well designed for linked data services. Activity…

Developing Raycast Extensions

13 September, 2022

I’ve just started using Raycast, an application launcher for macOS. Like every other launcher before it, it does a lot more than just launch applications, and most of that functionality comes from extensions. Also like several other launchers before it, I decided to have a go at writing an extension…

Write Your Own Task Queue

10 September, 2022

This is not a tutorial on how to write your own task queue, but rather an attempt to convince you that you should write your own. What’s a “task queue” in this context? For the purposes of this post, a task queue is a system for performing work out of band from a user interaction, often at some…

How Stadia Works

15 June, 2022

Stadia is Google’s cloud gaming service. Users who sign up can play games they purchase on nearly any device, as the game runs “in the cloud”. This is a new concept that has only just become possible in the last few years, with advancements in internet connections, video encoding, and web browsers…

Implicit Hiring Criteria

11 September, 2021

At Thread I’m involved in hiring engineers for frontend, backend and iOS roles. One of the things I have become more aware of as I have gained experience in hiring and interviewing is how my biases affect the outcomes of interviews. This is something I’m always trying to improve – to understand what…

Cross-Cutting Concerns in Library Design

03 May, 2021

A mental framework for library design. For those with plenty of experience managing complexity in large complex codebases, this post will likely be nothing new. However, many open-source libraries, frameworks, and tools make mistakes in how they handle cross-cutting concerns and end up being difficult…

Kubernetes is Not a Hosting Platform

20 March, 2021

There’s a common theme in software engineering communities of software that’s too complex. Slack and other Electron apps are frequent targets – why do we need yet another “web browser” using 2GB of RAM when IRC worked perfectly well? While I can empathise with the performance issues, the question…

CVE-2020-13254 – Information Exposure Vulnerability with Django and Memcached

07 June, 2020

Information Exposure Vulnerability with Django and Memcached. On Wednesday April 29th, Thread started experiencing a partial outage of our main backend service. We traced the issue down to the existence of malformed Memcached keys and corrected the issue on thread.com. Along the way we suspected that…

Learning from Board Game Design

18 May, 2020

Last year I bought a copy of Scythe from publisher Stonemaier Games, based in large part on the art. I was very happy with the art and enjoy playing the game, but what I found even more satisfying was the design of the rulebook, the iconography, and the use of physical tokens to re-inforce processes…

Is this what modern web development is?

08 May, 2020

During GitHub’s annual product announcement on Wednesday, new features to edit code online were demoed. At one point a code snippet was shown from a toy web-app, written in Javascript using the Express server library. Here’s the code sample… After the announcement, David Heinemeier Hansson (DHH…

Requirements change for the better

17 February, 2020

I’m an armchair space enthusiast – I like to watch new launches but I know very little about rockets. Recently there’s been a lot of renewed interest in landing on the moon which is very exciting, and also a lot of press coverage of NASA’s Commercial Crew programme returning manned spaceflight…

Enron: The Smartest Guys in the Room

14 January, 2020

I’ve been reading this extensive breakdown by Bethany McLean and Peter Elkind of Enron’s collapse after a colleague’s recommendation (based on my enjoyment reading Bad Blood). I found it fascinating how much of the classic image I have of corporate greed stems from the relatively recent collapse of…

The Checklist Manifesto – Atul Gawande

22 September, 2019

Not long after a recent one to one with my manager, discussing how we could improve our incident response process in engineering at Thread, I returned to my desk to find a copy of The Checklist Manifesto that he had kindly got for me. This is less of a book review and more of some highlights that I…

Design Issues of Sign in with Apple

05 July, 2019

Last month at their annual Worldwide Developers Conference (WWDC), one of the most interesting announcements was Sign in with Apple. Built to compete with Facebook and Google’s single-sign-on (or social sign-on, SSO) offerings, Apple’s SSO will eschew control over the data and analytics that its competitors…

GraphQL Interfaces vs Unions

28 October, 2018

GraphQL’s type system allows us to make many invalid states impossible to represent, which improves the usability and reliability of our APIs. Two features of the type system that contribute significantly to this are Interfaces and Unions, however they can be used to address similar design…

Scaling Django Codebases at PyCon UK 2017

02 March, 2018

Four of us from the Thread engineering team went to PyCon UK again in September for the third year running, and I was lucky enough to have my talk selected. At Thread we use Django for the backend of the main site which has grown to over 350 “apps”, and various members of the team have used the…

How and why we teach non-engineers to use GitHub at Thread

04 January, 2018

At Thread one of our core beliefs is that technology allows for great change. This is important to our product, but it’s also important to how we work internally. Because of this way of working, we try to represent everything in data—products, measurements, styles, suppliers, locations in our…

Starting a Snap site with Stack and Persistent

19 June, 2016

Following on from my previous post about Haskell web frameworks, I wanted to dive into actually making something with my favourite of the lot. Snap gives you a lot right out of the box, but setting up an application to the point where it can talk to a database in a useful way (i.e. not untyped raw…

Haskell Web Frameworks

04 June, 2016

I’ve been learning Haskell for a while now and am excited by the improvements it can bring to how we work as software engineers. Haskell has traditionally been used in academia, research, and financial modelling, but has only recently become a productive tool for web development. Since I come from a…

First Thoughts on React Native

04 April, 2015

React Native was released this week. For those who aren’t familiar with it, the short version is that React Native brings the React architecture to iOS, letting the developer write Javascript that runs asynchronously, off the main thread, to orchestrate native components. I was looking forward to…

Achieving Full Marks on Qualys SSL Labs

23 March, 2015

Qualys have become well known in the recent crop of SSL and TLS vulnerabilities as a first-responder with automated testing and validation. Their SSL server test checks for protocol support, key exchange security, and the security of the certificate used. After deploying TLS on my website, I checked…

Your API is not RESTful

03 January, 2015

This is a post that I have been meaning to write for quite a while. 3 years ago, during an internship I was introduced to the concept of a RESTful web service, while integrating with various APIs such as those provided by Amazon S3, CloudApp, and several others. I ended up writing very similar, code…

MongoDB Misinformation

13 May, 2014

MongoDB, the company behind MongoDB, published a new whitepaper this month, about ‘quantifying business advantage’. As I’ve recently completed a research project at university where I critically analysed the design decisions taken in MongoDB, I thought it would be interesting to see how the company…

Microsoft's New Direction

03 April, 2014

It’s the middle of Build, the annual Microsoft development conference, and just a few months since Satya Nadella took the position of CEO at Microsoft. In recent years Microsoft has been making some very weird decisions, including the design of Windows 8, issues in the Xbox One developer licencing…

iMessage Security

01 March, 2014

Apple recently released detailed descriptions of how many of their iOS security components work. This is a great step towards better security and transparency about security on iOS, and I’m really glad they have published the information. Included in the document were details about how iMessage is…

Stripe CTF 3.0

30 January, 2014

Last Wednesday, Stripe started their 3rd Capture the Flag competition. As a provider of online payment services, security has been critical to them, so over the last few years they have run two CTFs based around hacking and securing systems. This year they chose a different subject: distributed…

A Crowdfunded Cryptography Nightmare

29 January, 2014

Today I found DyNAcrypt on IndieGoGo, and was disappointed to see yet another example of terrible cryptography practice in a project looking for crowdfunding. I don’t know whether the creators of DyNAcrypt are trying to scam people, or just ignorant, but either way, I’m going to go through some…

You Can't Learn to Code in an Hour

18 January, 2014

I learnt to code when I was 15, by watching hours and hours of video tutorials about writing C# applications in Visual Studio, and copying code out of programming books. Wait, no. I learnt to code when I was taught programming in Visual Basic for a year at college (high school). Actually, I learnt…

Reasons Children Should Learn to Code

24 October, 2013

I’ve just read The Government wants to teach all children how to code, Here’s why it’s a stupid idea by Willard Foxton on his Telegraph technology blog. I found the article incredibly short sighted and full of bad stereotypes that miss the point of teaching children to code. I’m not going to pick…

Objective-C

12 October, 2013

If I mentioned that I like C, C++ or Python to other students on my course, or colleagues, there would be no reaction. There are things you can criticise about each one, but they are all very safe bets. When I tell people that I enjoy writing Objective-C however, they are confused and often quite…

WWDC 2013

11 June, 2013

Apple’s World Wide Developer Conference was yesterday, and I wanted to write down my opinions on what was announced and released. iOS 7: As much as I dislike the homescreen icons (and I really dislike them), the rest of the OS has some very interesting design choices in it. The lockscreen is very…

Initial Thoughts on Android Development

04 June, 2013

I’ve been writing Mac OS and iOS apps for a while now and while I haven’t got a massive amount of professional experience with it, I feel I understand the core concepts quite well. However, despite having written a fair amount of Java in the past I’ve never attempted Android development. After a…

I/O

15 May, 2013

A few hours ago Google held the keynote presentation of their yearly I/O developer conference. My housemates and I, all being computer science students, put it on the TV and discussed the announcements as they happened. This post is a summary of my thoughts on what happened. As a Developer: There is…

Please Don't Buy an Electric Car

16 April, 2013

This was the title of a talk I attended this evening, given by Professor Alun Vaughan of the University of Southampton, and Professor Averil Macdonald of the University of Reading. As you can imagine the title is quite over-dramatic and the speakers did concede that it was to ‘spark discussion’, but…

GoSquared API Proxy for Panic's Status Board

11 April, 2013

Yesterday Panic, a well known Mac and iOS development company, launched a new app for iPad. Status Board is based on their famous office status board. Since I worked at GoSquared last summer, know the API and use the service, I thought it would be nice to get the timeline of current visitors and…

Unlocking Hillsborough

06 April, 2013

I’m writing this on the train home from Rewired State’s latest event: National Hack the Government Day 2013 (event summary page). It was another great event with the same friendly atmosphere that goes along with so many (especially Rewired State’s) developer events. My friend Elliot and I won in one…

Reddit Workflow for Alfred 2

12 January, 2013

The Alfred 2.0 beta was released earlier tonight and as an avid user, I wanted to start writing workflows immediately. Workflows are able to take input from the user in many different ways: actions on files, keywords, shortcuts, etc, and then return data as notifications, search results and actions…

Principles of Computer Graphics

06 January, 2013

The specification for this assignment was to create a basic 3D scene with multiple objects, camera control, and various graphical effects under the title Mars in Fiction. The scene had to be written in C++ and use OpenGL, and ‘modern’ OpenGL techniques that have been the standard since version…

Heroku Buildpack for Hammer

30 December, 2012

I have recently been developing a few static sites using Hammer, a great little Mac app that handles compiling resources and putting together parts of web pages to create static websites. Hammer is also able to publish drafts to hammr.co, which is great for getting some feedback and showing…

Square's Advantage

30 December, 2012

A while ago, having just completed a module at university where we looked at the technology behind card payment systems, I wrote about the problems that Square and PayPal Here faced in moving abroad. I concluded that iZettle, a startup from Sweden, was well poised to take the European market, but…

2013: The Year of Linux on the Desktop?

03 August, 2012

There is a lot going for Linux in business already: it’s free, runs well on old hardware, and has a good range of office software, but I don’t think business is where Linux will take off; if anything I think it will take longer than home use. Unfortunately, I think one of the main reasons for Linux…

The Failing Security of Home Routers

16 May, 2012

There are basically 2 options for internet in the UK: BT (phone line based) connections through BT themselves and resellers, with a maximum speed of around 24Mb, or Virgin Media (fibre based) connections which max out at about 120Mb currently, although the technology supports >400Mb. For a house of…

The Problem with Square and PayPal Here

09 May, 2012

In the last decade, PayPal has slowly become a mainstream service, thanks mostly to its tight integration with and later purchase by eBay. This has given rise to competitors such as Google Wallet and Amazon Payments which, while they each have a slightly different purpose or target audience, have…

GitHub's Security Vulnerabilities

19 April, 2012

The security of GitHub’s website and systems has been the focus of a fair amount of news in the industry over recent months. This is an account of my experience finding a vulnerability, getting it fixed, and also my opinions on the recent ‘mass assignment’ exploit that was publicly demonstrated on…

London Real-time

19 April, 2012

Hosted at White Bear Yard in London, Friday 13th to Sunday 15th April, I and a group of friends hacked together a system for aggregating social data for events. We used the Twitter, Facebook and Foursquare streaming APIs and built a prototype of a scalable system using Node.js, Redis, RabbitMQ and…

Password Security

22 March, 2012

4.7% of users have the password password; 8.5% have the passwords password or 123456; 9.8% have the passwords password, 123456 or 12345678; 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password…

Buffer Overflows

04 January, 2012

The task given to me was to create a webserver that was exploitable with a buffer overflow. This was my first attempt at networking code in C so it may be quite a bad implementation; I was also quite rushed with this coursework due to approaching exams. The server binds to port 8000 and delivers files…

Enigma

20 January, 2011

I have always had an interest in computer security, probably inspired by films like Hackers and scenes like ‘this is a Unix system’, and along with this interest I have been fascinated by cryptography. This led to me reading The Code Book by Simon Singh which I think is the perfect introduction to…

PIN Security

19 May, 2010

Most credit card fraud occurs because somehow the fraudster is able to see the card owner’s PIN number. The most common way this happens is hidden cameras at ATM machines recording PIN numbers or dodgy Chip & PIN readers fitted with monitoring devices (this is significantly less common). The way to…