Iterating a number sequence for lulz and jail time

Hello, readers! Today I bring you two posts about law: one Mozilla-related, one not. This is the Mozilla-related post. Mozillians may already know this background, but I’ll review for those who don’t.

The “hack”

In 2010 Goatse Security (don’t look them up) discovered a flaw in AT&T’s website. AT&T’s site detected accesses from iPads, extracted a unique account number sent by the iPad, then replied with a private account email address. Account numbers were guessable, so if someone “spoofed” their UA to look like the iPad browser, they could harvest private email addresses using their guesses.

The lulz

Andrew Auernheimer ("weev") wearing an old-school AT&T baseball cap
Andrew Auernheimer, i.e. weev, CC-BY-SA

The people who figured this out were classic Internet trolls interested (to a degree) in minor mayhem (“lulz”) because they could, and they scraped 114000+ email addresses. Eventually Andrew Auernheimer (known online as “weev”) sent the list to Gawker for an exclusive.

The sky is falling!

AT&T, Apple, the people whose addresses had been scraped, and/or the government panicked and freaked out. The government argued that Auernheimer violated the Computer Fraud and Abuse Act, “exceeding authorized access” by UA-spoofing and loading pages using guessed account numbers.

This is a broad interpretation of “authorized access”. Auernheimer evaded no security measures, only accessed public, non-login-protected pages using common techniques. Anyone who could guess the address could view those pages using common browser addons. People guess at the existence of web addresses all the time. This site’s addresses appear of the form “/year/month/day/post-title/”. The monthly archive links to the side on my site have the form “/year/month/”. It’s a good guess that changing these components does what you expect: no dastardly hacking skills required, just logical guesses and experimentation. And automation’s hardly nefarious.

So what’s Mozilla’s brief with this?

Developers UA-spoof all the time for a variety of innocuous reasons. Newspapers have UA-spoofed during online price discrimination investigations. If UA spoofing is a crime, many people not out for lulz are in trouble, subject to a federal attorney’s whims.

The same is true for constructing addresses by modifying embedded numbers. I’ve provided one example. Jesse once wrote a generic implementation of the technique. Wikipedia uses these tactics internally, for example in the Supreme Court infobox template to linkify docket numbers.

Mozilla thus signed onto an amicus brief in the case. The brief laid out the reasons why the actions the government considered criminal, were “commonplace, legitimate techniques”.

The cool part of the brief

I read the brief last summer through one of Auernheimer’s attorneys at the inestimable Volokh Conspiracy. I’ve been lightly meaning to blog about this discussion of number-changing ever since:

Changing the value of X in the AT&T webpage address is trivial to do. For example, to visit this Court’s homepage, one might type the address “http://www.ca3.uscourts.gov/” into the address bar of the browser window. The browser sends an HTTP request to the Court website, which will respond with this Court’s homepage. Changing the “3” to “4” by typing in the browser window address bar returns the Court of Appeals for the Fourth Circuit’s homepage. Changing the “3” to a “12” returns an error message.

Illustrating the number-guessing technique (and implying its limitations in the “12″ part) via the circuit courts’ own websites? Brilliant.

Back to Auernheimer

The court recently threw out Auernheimer’s conviction. Not on CFAA grounds — on more esoteric matters of filing the case in the wrong court. But the opinion contains dicta implying that breaching a password gate or code-based barrier may be necessary to achieve a conviction. The government could bring the case in the right court, but with the implied warning here, it seems risky.


Auernheimer isn’t necessarily a sympathetic defendant. It’s arguably impolite and discourteous to publicly disclose a site vulnerability without giving the site notice and time to fix the issue. It may be “hard to feel sorry for them being handed federal criminal charges” as Ars Technica suggested.

But that doesn’t mean he committed a crime or shouldn’t be defended for doing things web developers often do. Justice means defending people who have broken no laws, when they are threatened with prosecution. It doesn’t mean failing to defend someone just because you don’t like his (legal) actions. Prosecution here was wrong.

One final note

I heard about the AT&T issue and the brief outside Mozilla. I’m unsure what Mozilla channel I should have followed, to observe or discuss the decision to sign onto this brief. Mozilla was right to sign on here. But our input processes for that decision could be better.


mozilla/IntegerPrintfMacros.h now provides PRId32 and friends macros, for printfing uint32_t and so on

Tags: , , , , , — Jeff @ 09:37

Printing numbers using printf

The printf family of functions take a format string, containing both regular text and special formatting specifiers, and at least as many additional arguments as there are formatting specifiers in the format string. Each formatting specifier is supposed to indicate the type of the corresponding argument. Then, via compiler-specific magic, that argument value is accessed and formatted as directed.

C originally only had char, short, int, and long integer types (in signed and unsigned versions). So the original set of format specifiers only supported interpreting arguments as one of those types.

Fixed-size integers

With the rise of <stdint.h>, it’s common to want to print a uint32_t, or an int64_t, or similar. But if you don’t know what type uint32_t is, how do you know what format specifier to use? C99 defines macros in <inttypes.h> that expand to suitable format specifiers. For example, if uint32_t is actually unsigned long, then the PRIu32 macro might be defined as "lu".

uint32_t u = 3141592654;
printf("u: %" PRIu32 "\n", u);

Unfortunately <inttypes.h> isn’t available everywhere. So for now, we have to reimplement it ourselves. The new mfbt header mfbt/IntegerPrintfMacros.h, available via #include "mozilla/IntegerPrintfMacros.h", provides all the PRI* macros exposed by <inttypes.h>: by delegating to that header when present, and by reimplementing it when not. Go use it. (Note that all Mozilla code has __STDC_LIMIT_MACROS, __STDC_FORMAT_MACROS, and __STDC_CONST_MACROS defined, so you don’t need to do anything special to get the macros — just #include "mozilla/IntegerPrintfMacros.h".)


The implementations of <inttypes.h> in all the various standard libraries/compilers we care about don’t always provide definitions of these macros that are free of format string warnings. This is, of course, inconceivable. We can reimplement the header as needed to fix these problems, but it seemed best to avoid that til someone really, really cared.

<inttypes.h> also defines format specifiers for fixed-width integers, for use with the scanf family of functions that read a number from a string. IntegerPrintfMacros.h does not provide these macros. (At least, not everywhere. You are not granted any license to use them if they happen to be incidentally provided.) First, it’s actually impossible to implement the entire interface for the Microsoft C runtime library. (For example: no specifier will write a number into an unsigned char*; this is necessary to implement SCNu8.) Second, sscanf is a dangerous function, because if the number in the input string doesn’t fit in the target location, anything (undefined behavior, that is) can happen.

uint8_t u;
sscanf("256", "%" SCNu8, &u); // I just ate ALL YOUR COOKIES

IntegerPrintfMacros.h does implement imaxabs, imaxdiv, strtoimax, strtoumax, wcstoimax, and wcstoumax. I mention this only for completeness: I doubt any Mozilla code needs these.


37 days and one year later: part 2: routine, and shelter

This is part two of a series of posts discussing various aspects of a bike trip I did across the United States in 2012. Part 1 discussed the start of the trip and choosing a route. This post discusses my daily routine and where I sheltered each night.

The daily grind

After the first-day snafu, the trip went basically as planned.

I started biking each day sometime in the morning (from as early as 04:00 to as late as 11:45). I finished sometime before or within a couple hours of dark (in the range of 17:00 to 22:00, dependent on my destination) after typical distances of 90-130 miles. Knowing I was on a marathon, I deliberately never pushed for any real length of time. When I hit an uphill, I shifted to the lowest gear that felt comfortable and kept pedaling; I never attempted to power up a hill. And in flatlands I traveled at whatever pace was comfortable, not aiming for speed.

Cyclocomputer showing 6:27:22, 97.08mi on my last day, at the Atlantic Ocean
Fairly typical stats from the last day

Around home through Bay Area flatlands I usually push myself and average 17-18mph during riding time, depending where and how far I go. On this trip 14-16mph was more common, and I had days well below that. Somewhat hilariously, when I returned I found myself in worse cycling shape by this metric: I was slower than my previous average for awhile, until I could, er, get back into shape. (I also returned well out of shape for playing ultimate frisbee, as I expected would happen from not running and walking little for over a month. When I first played after returning, I had plenty of endurance. But my muscles quickly made it abundantly clear that if I sprinted or made a break, I would hurt myself.)


At night I stayed a variety of places. About half the time I camped in a one-man Eureka Solitare tent. (There’s no better 2.5-pound three-season tent out there for its $90 price. Its only demerits are its fiberglass poles [which long ago I was forced to replace with aluminum poles, that have posed no problems] and, occasionally, its not being freestanding.) I slept in a 45-degree bag (too warm!) and a short-length inflatable sleeping pad. These nights were usually in campgrounds, but I stayed in city parks several times in the middle of the country, when allowed. The rest of the time I stayed in motels of varying quality, from $40 to $100+ for the night, sometimes with a meal, sometimes with a pool, sometimes with nothing.

There were a few nights where I neither camped nor stayed at a motel. A local resident of Ordway, CO graciously shared her home with cyclists, and I ended up staying there a night with a couple other cyclists, some heading west, some heading east. The city of Farmington, MO maintains Al’s Place, a hostel for cyclists on the TransAmerica, and I stayed there a night with another cyclist heading east. I also visited The Place, a hostel in Damascus, VA that I’d stopped at while hiking the A.T. And at the end of the trip, in Yorktown, Grace Episcopal Church provided space for cyclists to stay: much appreciated as a base for me to regroup before heading to an airport to fly home.

One additional hostel that I didn’t visit deserves special note. The TransAmerica Trail was first inaugurated in a 1976 mass cross-country ride. One woman along the way, June Curry, put out a sign informing passing cyclists that they could get water at her house if they wanted. One thing snowballed into another, and eventually, somehow, she found herself opening a hostel as a place for passing cyclists to stay, offering much other hospitality as well. Unfortunately June Curry died just before I started my trip, so I couldn’t meet her. :-( But I’d heard the hostel would still be open and running when I passed through, and even if it weren’t, it’d be worth a visit just to learn about the place. The day I’d hoped to stay, however, was the day after my longest day the entire way — which meant I’d roll in fairly late, certainly after dark. I tried calling ahead, multiple times, to see if it’d be okay showing up later. But I couldn’t get a response, and after a last attempt before the sun went down, I gave up and went with alternative lodging. :-(

If my pace were more leisurely, I might have tried out Warm Showers, a site for on-the-road cyclists looking for a place to stay overnight. But as I mostly didn’t know where I’d be til end of day (I set aggressive goals that I didn’t always reach, or only reached late in the evening — see the June Curry story above), the last-minute scheduling seemed way too much hassle for both me and any person who might be willing to host me for a night. It seemed much better to use campgrounds or motels that expect people to spontaneously show up (and more to the point, are specifically paid market rates for it), than to put people hosting mostly for fun through any hassle.

Next time: mileage, elevation, and route scenery.


37 days and one year later: part 1: the start and choosing a route

One year ago, after 37 days of biking around ~3875mi total starting in San Francisco, I reached Yorktown, VA to finish biking across the country. An exact day-to-day accounting would likely bog down in uninteresting logistics (particularly given the way I traveled — other approaches would likely yield more interesting day-by-day commentary). Instead, I’m going to cover a variety of topics of interest from the trip, in somewhat random order, in series. If you want a very cursory, sometimes out-of-order account of the trip, reading approximately July 18 to August 25 of my Twitter stream covers it.

Me in the traditional arms-upraised pose, next to my bike and (appropriately) the Victory Monument at Yorktown, with the Chesapeake Bay (and the Atlantic Ocean) in the background
The secret to my speed: obviously the cycling jersey

An inauspicious start

The trip got off to a bumpy start the Tuesday night before I planned to leave. I planned to ride my spiffy, super-light carbon-fiber racing bike. I use it for regular transport, so I waited to get a final tune-up til the last minute, picking it up the evening before I departed. I began loading it with panniers and gear. Racing bikes don’t have mounts for carrying gear, so I’d use a seatpost rack (with correspondingly light ~16-pound load). When I began attaching the rack, I noticed the clamp matched a much smaller-diameter seatpost. Looking at how the clamp would make contact with the seatpost, it suddenly occurred to me that attaching a seatpost rack to a carbon fiber seatpost might not be a good idea. Carbon fiber is strong along its length, not laterally: the clamp could easily crush the seatpost.

A red carbon-fiber racing bike
Shiny! But really not the thing to use for touring

Wednesday morning, I asked the bike shop if they had an aluminum seatpost of the right size. They wouldn’t have one til Friday. Other local shops didn’t have any, either. Replacing the seatpost was out.

Seeing no other options…I went to the first bike shop, bought a non-carbon road bike that fit me, walked home with it, transferred gear and pedals to it, and biked to Caltrain to head to San Francisco to start the trip.

Thus I crossed the country on a bike I bought the day I left.

Me standing underneath a "Welcome to Illinois" sign, with my bike leaning against the sign just next to me; a sign with directions to a mental health center is just visible
Too bad that mental health center wasn’t closer to the start of the trip, there might have been hope for me then

This is crazy. But not quite as crazy as it sounds. I’d purchased a 2012 Scattante R-570; I’d previously owned the 2010 version, so I knew I’d be comfortable. And months before, I’d considered getting a touring-oriented bike for extra carrying capacity. But I’ve never spent money very easily. I had the money, but I didn’t want to spend it if I didn’t have to.

Now I was in a “have to” situation. Riding a totally untested bike would rightly scare most people to death. Most people would probably cancel the trip or substantially change plans. But my philosophy is that what must be done, can be done. So I did it.

Other than lost biking time (day 1 was 23.76mi route miles rather than the ~100mi I’d intended — no small loss, but not huge, either), all I lost was the ability to buy the bike on sale for ~$160 less. It could have been worse.

Choosing a route

I traveled pretty much entirely with the aid of the Adventure Cycling Association‘s route maps. I considered finding my own route, but I discarded the idea for lack of time and being unsure I’d enjoy route-planning. In hindsight this was clearly the right choice. Unless you enjoy route-planning for its own sake, buy existing cycling maps. You’ll get better routes, and more cycling-useful information, than you can create on the fly. (Plus GPS units cost hundreds of dollars and must be charged every night.)

Route profile for the section of road from Grover to Lake Powell in Utah
A profile from an ACA map, that’s likely harder to find outside of prepared maps

The 4200-mile TransAmerica Trail goes from Oregon into Montana, southeast to Pueblo in Colorado, then east to Virginia and the coast. It’s the most well-known and commonly-used cross-country route. The 1580-mile Western Express goes from San Francisco to Pueblo. Most people do the TransAmerica because it avoids much waterless desert and elevation change. For me, convenience and available time made the Western Express and eastern TransAmerica a no-brainer.

A definite perk to using an existing route is that the roads will be good for cycling. Often I was on relatively empty back roads, or on state roads with light traffic. The worst roads were in the Rockies in Colorado, likely because of the terrain. The worst regularly-bad road occurred between Cimarron and Sapinero along US-50: a narrow, winding stretch of road with little shoulder and a bunch of RV traffic, where I should have occasionally taken the entire lane rather than let anyone unsafely pass me. Colorado also had the worst irregularly-bad stretches of road, along CO-145 due to road construction. There were two two-mile stretches of riding through gravel where roads were being re-oiled, which I rode through (what choice did I have?) past Motorcycles use extreme caution signs on 700×23 tires (less than an inch wide). Good times. And the stretch from Telluride to Placerville had so much construction dust I sometimes couldn’t see ten feet; I had to stop and turn on head and tail lights to be visible. But generally, ignoring these rare exceptions, the roads were great.

Next time, the daily grind and shelter.


Micro-feature from ES6, now in Firefox Aurora and Nightly: binary and octal numbers

A couple years ago when SpiderMonkey’s implementation of strict mode was completed, I observed that strict mode forbids octal number syntax. There was some evidence that novice programmers used leading zeroes as alignment devices, leading to unexpected results:

var sum = 015 + // === 13, not 15!
// sum === 210, not 212

But some users (Mozilla extensions and server-side node.js packages in particular) still want octal syntax, usually for file permissions. ES6 thus adds new octal syntax that won’t trip up novices. Hexadecimal numbers are formed with the prefix 0x or 0X followed by hexadecimal digits. Octal numbers are similarly formed using 0o or 0O followed by octal digits:

var DEFAULT_PERMS = 0o644; // kosher anywhere, including strict mode code

(Yes, it was intentional to allow the 0O prefix [zero followed by a capital O] despite its total unreadability. Consistency trumped readability in TC39, as I learned when questioning the wisdom of 0O as prefix. I think that decision is debatable, and the alternative is certainly not “nanny language design”. But I don’t much care as long as I never see it. :-) I recommend never using the capital version and applying a cluestick to anyone who does.)

Some developers also need binary syntax, which ECMAScript has never provided. ES6 thus adds analogous binary syntax using the letter b (lowercase or uppercase):

var FLT_SIGNBIT  = 0b10000000000000000000000000000000;
var FLT_EXPONENT = 0b01111111100000000000000000000000;
var FLT_MANTISSA = 0b00000000011111111111111111111111;

Try out both new syntaxes in Firefox Aurora or, if you’re feeling adventurous, in a Firefox nightly. Use the profile manager if you don’t want your regular Firefox browsing history touched.

If you’ve ever needed octal or binary numbers, hopefully these additions will brighten your day a little. :-)

Older »