eBay, Firefox and the Sabbatical Campervan
Trying to take a holiday from scripting technologies. Foiled by eBay scammers.
Major geek cred for me starting my independent career to get a name check at The Register as the first reporter of a Firefox exploit in the wild. Good timing, huh. Fuller story below. Here's some screenshots from the original encounter (click to enlarge).
Before and After Images of the exploit
In case there's contract employers and any tech investment angels out there visiting from the Register article, there's also a schedule of the kind of things I'll be commercialising during my sabbatical and the commercial philosophy I'm espousing, after the story behind the exploit encounter. If you think you might have some relevant opportunities for a hacker like me, you can join my professional network or just say hi
Can't a guy get a holiday!?
As my friends will know, in April I'm taking a Sabbatical from my day job at BT as Principal Technology Researcher for scripting technologies to pursue some challenging alternatives in lifestyle, commerce and career. The BT Rules end-user-programming project I conceived is ready for beta launch now, and backed by an amazing team, so I can fade into the background for a year.
I've spent the last few weeks religiously following new campervans for sale on eBay. My plan - to live out of a campervan whilst paragliding along the alps, and create open-source businesses with four hours a day of networked hacking. You get the idea - Scripting researcher is trying to take a break from a day job working in scripting technologies, and avoid late nights code hacking and stress.
Then the worst happened! I encountered an in-the-wild scripting exploit in Firefox whilst browsing eBay listings - the campervan shown above. Since then I've been, you guessed it, staying up all night getting it identified and reported and trying to give accurate information to Firefox, eBay and the Register!
The core of the exploit is that eBay seems to make the assumption that linking to remote stylesheets is harmless, whilst recent standards in stylesheets (especially in this case where they are used to bind event handlers), means that stylesheets should be considered as harmful as linking to external scripts and allowing those to execute in the page.
The result: a third party who is able to introduce even a single HTML element into your ebay listing (e.g. by providing a template for you) can then manipulate the listing, all its contents, and probably acquire paypal details of anyone who bids on it (although this is hard, and I don't plan to explain how to do this, it's possible).
I'm totally amazed at the helpfulness, professionalism and responsiveness of the Mozilla team and community. So much heart! Thanks to Mardeg on the Firefox IRC channel for helping me pin down the exploit and get started on it, and Boris, Jonas and others for patiently helping me clarify the issues in my mind and for others around the relationship between this feature exploit and established security practices for script interpreters such as the same origin policy. The whole discussion and ongoing work on the patch is here at bugzilla.
The sabbatical which drove me to eBay campervans is driven by an alternative commercial philosophy, challenging the normal routine of my day job, including living out of a networked campervan. More on this later. Here's some example projects which have early prototypes in place, to give you a flavour roughly in order of increasing craziness.
- Launch a community around an open source alternative to Powerpoint, with rich compositing effects based on the cross platform python OpenGL library called Pyglet
- Productize and commercially launch a new form of clock display/wristwatch I recently invented, with EL wire driven by a small microcontroller
- Promote and support users of web-publishing technologies based on XQuery and XML technologies (like this one) with supporting libraries, tutorials and consultancy
- Undertake small consultancy projects in my specialist areas around user scripting and web communities
- Launch a sock-sharing community to reuse all those odd socks
- Insert thousands of LEDs in trees as a large scale controllable 3D display, multiple phones wired in a Exquisite Corpse surrealist style, and generally expand on cyber arts installations and collaborations with the Curiosity Collective
I want to author software and build hardware with all activities happening in the public domain, and build a career and commercial businesses on being the best contributor instead of endlessly defending intellectual property like patents, proprietary code and copyright. I believe it will make me more productive, and being able to share and discuss freely with the world, as we've done with BT Rules, is a rewarding alternative.
I hope to be able to contribute my expertise to other's commercial ventures on an ad hoc contract basis (anyone out there need a geek) to capitalise on the insights I've developed in my technology strategy, architecture and prototyping work at BT as well as learning from others' approaches. In April 2010 I'll be returning to BT Research to report on the experiment and consolidate that learning into new project approaches, injecting the innovation back into my employer's organisation.
I'll be adding more detail about the radically open source commercial approach I'll be pursuing, and the collaborations and contracts I'm interested in taking up with third parties in the next few hours. Some of it is commercial, and some of it more artsy thanks to the inspiration of all the guys in the Curiosity Collective in Ipswich - a group which I helped to start with Dave and has got me deeply involved in electronics and audio visual play.
By way of a launch of a career creating bespoke interactive installations I'll be presenting a Semaphore to SMS gateway, Filmcan Zoetropes and my proverbs installations 'Curiosity Killed the Cat' and 'The Grass is always Greener'at the Collective's stand at the Maker Faire, Newcastle next weekend. See you there.