Tag Archives: Javascript

Is Facebook Fingerprinting Chrome extensions?

This morning I noticed something new in my Chrome Console while working on a Chrome Extension. It looks like Facebook is now looking to see if you have a set of Chrome extensions installed in your browser. Most of the extensions I looked up on Google’s web store and via their search engine and they look like they are Malware of some sort, but a few of them look like they are much less harmless. It’s hard to see what the extensions actually do because they have been pulled from the Chrome Web Store, but some of these look like they modified the appearance of Facebook intentionally.

Some users don’t like being forced to see walmart colors all over the web and have used various tactics to customize the web to their liking. Some other users might do it for usability reasons or just plain augmentation of the web.

Does Facebook have the right to do this? It feels like an invasion of my privacy. I think the latest version of Chrome protects us from this sort of attack but that does not mean that Facebook won’t invest in other ways to discover this information or that they won’t lobby google to discover it. Some extensions also have the ability to open up channels to other extensions so if facebook had it’s own extension it might still try to fingerprint which extensions are there.

This isn’t all bad, in fact it really depends on how it’s being used. If it’s only used to defend our privacy and security then it seems fine, but if this little trick is being abused this could really sour things.

I guess I am mostly just surprised that Facebook is doing this.

Screen Shot 2012-09-05 at 10.30.49 AM

To get this to occur in your own browser you will need to be a bit sneaky and use a private session. Once Facebook runs the finger print they don’t do it all of the time, I think they only do it on auth and then they cache the result in some way. In fact since some extensions have access to the cookies I wonder if one could ‘skip’ the finger printing by setting the proper cookies or localstorage setting.

Finger Printed Extension IDs

kjafndplmofcedgddaoceenkcbfankem
kincjchfokkeneeofpeefomkikfkiedl
iejbljbhhoclgfiapmomcpkpkcmihfib
lkfhadffdnjnogmgjfihlcmmjhcfchaj
afnnkheojlgkipfabekmdkngocfhegck
hkpibllecmidllaojdmkcmfnoinmejco
gpllafflnmgjjcakjloknldkndnkmcpi
pkhidkonipdjidjglnkfcfhnkfnlefbk
kjafndplmofcedgddaoceenkcbfankem
kincjchfokkeneeofpeefomkikfkiedl
iejbljbhhoclgfiapmomcpkpkcmihfib
lkfhadffdnjnogmgjfihlcmmjhcfchaj
afnnkheojlgkipfabekmdkngocfhegck
hkpibllecmidllaojdmkcmfnoinmejco
gpllafflnmgjjcakjloknldkndnkmcpi

JSLint-Feature – Error Severity

Hi Douglas,
I have been to a good number of your talks, and I love the idea behind JSLint. I even don’t mind it when JSLint makes me cry every now and then, however, I feel like the priority of JSLint should be around launch successful code early and often.

Here at Kabam we build games that run as HMTL5 apps, and recently we have started to use JSLint as part of our build process. In a few cases it has caught some minor errors and we were later able to resolve them.

Our build process uses Jenkins, which is an open source version of Hanson. These continuous build automation tools make use of another wrapper library you might be familiar with. http://code.google.com/p/jslint4java/

So in this sense let’s say a develop wants to add a new piece of code, and this code causes a problem.

JSLint reacts in the following ways,
– it has a an error limit and stops reporting erros after a certain amount
– errors are not prioritized based on ‘newness’ – because that would be hard
– errors are not prioritized based on priority.

The end result is that a team must fix all errors to get the maximum value out of JSLint.

I propose a 2 part solution.
1. JSLint should not set error priority, unless it sets sensible defaults
2. JSLint should report an error code so that a wrapper like jslint4java could use a config file set an error priority.

This would allow teams to triage error types as part of their build/ development process.

On line 1326 you have a function warn() defined I propose it’s written something like so, including a new warning property, defining an error.type property using the bundle[] accessor name as the error code.

If you think of some other change that could get to the spirit of what I am looking for that would be great too. If I get the time I might try to implement a prototype. Hudson and Jenkins have 3 levels of errors, High, Medium, and Low.

Would you have some suggestions as to what would make good defaults for each of the error.types?

I feel like this change would better support agile development and continuous integration, and would allow teams to prioritize their development efforts.

Thank you for being a beacon and leader in the community.

function warn(message, offender, a, b, c, d) {

        var character, line, warning;

        offender  = offender || next_token;  // `~
        line      = offender.line || 0;
        character = offender.from || 0;

        warning = {
            id: '(error)',
            raw: bundle[message] || message,
            type: message,
            evidence: lines[line - 1] || '',
            line: line,
            character: character,
            a: a || (offender.id === '(number)'
                ? String(offender.number)
                : offender.string),
            b: b,
            c: c,
            d: d
        };

        warning.reason = warning.raw.supplant(warning);

        JSLINT.errors.push(warning);

        if (option.passfail) {
            quit(bundle.stopping, line, character);
        }

        warnings += 1;

        if (warnings >= option.maxerr) {
            quit(bundle.too_many, line, character);
        }

        return warning;
    }

Opening social networks/ graphs up to Researcher Collaboration Tools, a UCSF Harvard Profiles collaboration project

For the past few months I have been consulting part time with UCSF and the department of Clinical and Translational Sciences. You might think that has something to do with my browser plugin Babelfin, but Translational Sciences really has nothing to do with language learning, but rather taking exciting patterns in other fields and translating the processes between them. In this case UCSF is focusing on how Social Media and Social Networking can be used in an academic sense for collaboration and messaging rather than games, photo sharing, or virtual resumes.

The UCSF OpenSocial project (http://code.google.com/p/ucsf-opensocial–shindig-apps/ ) started as a Harvard project called Catalyst PROFILES ( http://connects.catalyst.harvard.edu/profiles/about/opensource ). Profiles (as we call it), is a simple social networking server that manages the graph relationships between colleagues, co-authors, and research interests. Profiles looks at relationships differently than Facebook, Linkedin, or event MySpace, but it’s pretty bare bones and limited in what it can do.

The innovative part comes in where UCSF thought it would be neat to extend Profiles without altering it’s code. So, Eric Meeks at UCSF bolted on an Opensocial container named Shindig to Harvard’s Profiles project which allows external apps to run on top of Profiles. This makes for an interesting mix of code, as Profiles is a Microsoft C# ASPX project, and Shindig comes in PHP and Java flavors. Eric rightly choose to implement the Java flavor of Shindig as it’s the most current.

So, this is where I come in, as, I am building the applications that run on the Shindig server accessing the Profiles social graph. In many cases it’s just like building an application that runs on Linkedin, Bebo or MySpace, however, there is no friend graph, but, there are 3 other graphs I can use, co-author, colleague, and interest graphs.

Initially we are keeping it simple, but we plan to extend Opensocial in a standard way so that other universities and research institutions can apply Opensocial to their graph servers. UCSF and Harvard are hoping that their work will make it easier to use Profiles as the graph server, but they are both very excited about creating an open platform that can develop a rich ecosystem of applications that extend their work, and are able to run on other platforms with small tweaks. In the end we want researchers to be able to better collaborate using social tools.

Large Binary Numbers in Javascript

Have you ever wondered what the largest number is?  At one point it was a googolplex, but unless you write a custom class to deal with really large numbers, your dev environment will never count to a googolplex.

For http://loc.is I am reworking a geohash encoding algorithm today, and I wanted to see what Javascript could handle.  Strongly typed languages like Java have known upper limits, but languages like javascript are a bit more mysterious, so the only way to know is to find out.  I wrote this function to test it, and I ran it in the firebug console on a random webpage ( firebug won’t work unless the DOM is ready ).

for( i = 0 ; i < 500 ; i++){
    var value = Math.pow(2,i) +1;
    console.log (   i + "n" +
    value + "n" +  
    value.toString(2));
}

The output finally looks like this, and reveals that 2^52 is the largest number you can add 1 to and still represent it as an integer. Any larger and javascript will just use it as a float, and you will not have a sufficient number of bits to represent it.  I wonder if this is the same in all browser/ os combination pairs?

51
2251799813685249
1000000000000000000000000000000000000000000000000001

52
4503599627370497
10000000000000000000000000000000000000000000000000001

53
9007199254740992
100000000000000000000000000000000000000000000000000000

54
18014398509481984
1000000000000000000000000000000000000000000000000000000

So in this circumstance, javascript seems to have 54 bits of integer accuracy, a few short of a LONG 64 bit int, or IEEE 80 bit notation.


Test it yourself, and let me know.