Snooper.email (short post)

I’m going to make some really short posts to keep track of projects that I’ve done by myself or within my company in the last weeks.

The first one is about snooper.email, a service we developed to keep track of when your email is opened. It makes use of a tracking pixel (fundamentally an image hosted on your server) to detect when the email is opened, and thus the image fetched.

Snooper.email

We also posted an update on our company’s blog: https://blog.dmnk.cloud/index.php/2021/04/12/snooper-email-traccia-quando-le-tue-email-vengono-aperte/

Teenage Engineering PO-33 KO drumset loader app

While there are some projects I’ve been doing lately that I’ve not written here yet, this is one of those I want to write up while it’s still hot – I could easily forget about it.

I recently bought a PO-33 KO by Teenage Engineering, which I think is an incredible music making device. It’s basically a handheld sampler, very easy to use, even if it has some limitations. I’ve very much enjoyed playing with it lately, but that’s not the point of this post! You can go see all the videos out there if you’re interested in what it is and what it does.

The point of this post is that if you’ve been using it, you know it has some beautiful features, among which there’s the possibility of recording samples with the microphone or the line input. Everything is really fine while recording the melodic slots, but when it comes to recording drum slots, it begins to be a bit difficult to make the PO detect the various slices correctly. There’s a bit of frustration about this in the community, as you can find various videos on YouTube giving tips and tricks on the matter. In the end, it seems to be understood that the process is somewhat buggy, and it’s become accepted that you should probably use some of the available workarounds, like recording first in the melodic slots and then copying the slices to the drum section. By the way, these workarounds are slow and kind of impractical if you want to quickly move some drumset you’ve got on your PC to the PO.

I’ve seen people already doing this in various ways, trying to tackle the problem using other hardware or software which is not specific for the PO, but still the solutions seemed to me a bit suboptimal.

That’s why I wanted to try and solve the problem with a very simple webapp which basically lets you upload a series of sounds and then plays them in a hopefully PO-friendly way. It’s still in very early development, but I’ve already been able to use it to upload some sample drums I had on my PC to the PO.

Right now it’s still pretty raw, but you can find it here: http://app.dmnk.cloud/po33-loader/

Some quick instructions:

  1. press the buttons and select some audio files representing your slices. You can select multiple files at once and it will place them in consecutive slots. The first sound is placed in every slot because as I understand it’s needed to play all 16 slots if you want a clean slicing.
  2. when you’re ready, press the desired destination drum slot (9-16) plus the record button on the PO (as normally when you want to record there), and at the same time, start the playback on the app by pressing the red button (you’ll find it in the place of the record button on the PO background image of the app).
  3. you should hear all your sounds playing one after another and hopefully if either you’ve connected the PO with a jack-jack cable or you’re just placing it close to your speakers, the PO should be able to slice the sounds correctly.

You’ll notice that the sounds get cut in some cases, that’s because in my tests longer sounds have always been split by the PO in more slices. I decided that this tool should be only used with shorter sounds, more appropriate for the drum slots. If you need something longer, you’d better record it separately on a melodic slot and copy it manually to the drum section afterwards.

I hope this thing will be useful to someone! I may or may not make some improvements in the following days and then I may or may not update this blog post accordingly.

NotesLearn

I recently bought an alto saxophone. It had been quite a while since I had seriously played an instrument, so I came across a little challenge when it was time to read a music sheet. You know, that thing with a pentagram and some notes of various shapes drawn over it.

Since playing a note on the saxophone is not as straightforward as it would be on a piano, I actually had two separate challenges: the first was to recognize a note on the pentagram, the second was to play it well (it means play the correct note steadily for some seconds – and in tune).

So I decided to code a little app to aid me doing so. The app is pretty simple: it shows a (random) note on the pentagram, and then listens to the microphone waiting for a note, identifying the pitch and, after some seconds of playing, says if the played note was correct or not. This app has proven quite useful in the process of improving my reading accuracy and speed, and I guess it might be useful to someone else too.

It’s published here: https://dmnk.cloud/noteslearn.

Technical info

On the technical side, it is entirely coded using JavaScript, and has been a cool challenge to code since it was the first time for me interacting with the microphone data on a web app. It uses some advanced Audio features of HTML5, based on the AudioContext component. Recognizing the pitch was a minor issue, obtained by playing a bit with the FFT of the signal. Some other challenges included volume thresholding and octave recognition (less trivial).

In the end, the result is pretty usable for my alto sax, even though it may be less accurate if used with other instruments I didn’t test. The piano version is not perfect, for some notes it needs to repeatedly play the key to make the app recognize it. I guess it should work best with constant-volume-notes kind of instruments, like violin or flute, but as I said it was only fully tested with my alto sax.

KangaMex

Hello everyone! It’s been a while since I last wrote a piece on this blog. Since then a lot of things have changed, but I still want to share some of my experiences with the world.

I’ll be making some brief posts to track some projects I’ve been working on in these almost 2 years of absence.

This post is about KangaMex, a messaging platform whose idea is really simple, yet I didn’t find something like it when I needed it. The app is a delayed messaging service, or a service to send messages which will be delivered only at a specified date and time in the future. You write your message, set the unlock date and time, the recipient’s username, and send it. The recipient will be notified that he/she has an upcoming message, but will not be able to see it until the unlock time has come. Very simple, nice way to send delayed messages.

The app is at mex.kanga.life.

Who wants to be millionaire?

You probably know the TV show “Who wants to be a millionaire”. Lately I’ve been invited to the graduation party of a friend, and thought about creating a game for it.

So I decided to create an HTML5 simulation of WWTBAM, complete with webcam support, sounds and introduction video. It has been quite fun, and I’ve been releasing the code on GitHub.

Questions are hardcoded in the index.html file, but it’s trivial to modify them. Recently I’ve added support for images in questions.

I really don’t know if someone can actually make use of it, but who knows?

Just a quick overview about the keys used to control the simulation:

  • [Left arrow] – to skip to next step (video is not skippable by now)
  • [Down arrow] – to unveil the next answer
  • [A,B,C,D] – to highlight the selected answer
  • [Y,N] – when an answer is highlighted, Y makes it correct, N makes it wrong
  • [F] – to switch between the default background or the webcam image
  • [P] – to flash the background to induce some suspense

Github.

Example-link.

A try for a 3D game

Recently I’ve been experimenting a lot with 3D in the browser with Three.js, and although this is my first post about it, there’s a lot more I’m working on about 3D in JS, but it’s involved in my professional work and it’s not time to publish it yet.

Anyway, as usual I like to keep track of my projects here, so I link to this simple game I developed as a joke for a friend some days ago. The game is here, descriptions are in Italian but if you don’t understand just click and everything will be fine.

JSMol plugin vulnerability and thoughts about security

JMol is a library used to create 3D models of molecules in Java, which can be embedded into webpages using the usual applets. JSMol is a JavaScript library which is used to provide the JMol capabilities through HTML5 technologies, relying on server-side computation for some functionality.

Here’s a short story about how I discovered some pretty bad vulnerabilities in the JSMol software, and how it can affect every server which is hosting this software.

 

Using my university’s moodle installation, I discovered that the JMol/JSMol plugin for moodle was installed and probably misconfigured in some way: it had unusual permissions set in its directory tree.

This made me curious and I wanted to better understand what was going on.

I did some research, and discovered the plugin along with its source code (the project is entirely open source), and started to look at the source of the only PHP file in the JSMol package.

Looking through the code, I discovered a lot of parameters used without proper sanitizing and checks, and quickly discovered two related and pretty serious vulnerabilities.

The first one is a vulnerability which allows an attacker to read the entire filesystem with the PHP process’ privileges. The second is even worse, but it seems it had been fixed in the newer releases of the software, and was about arbitrary execution of commands on the server.

They derived from an insecure use of PHP’s file_get_contents() and exec() functions in combination with badly checked parameters coming from GET and POST variables.
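The bug class described above, shown as an added example that is not JSMol's code and not taken from the original post: the unchecked pattern appears only as comments, next to one way to constrain each sink. `BASE_DIR`, `ALLOWED_HOSTS`, the function names, the `file`/`arg` parameter names and the tool path are hypothetical.

```php
<?php
// Added illustration, not JSMol's code. BASE_DIR, ALLOWED_HOSTS, the function
// names and the tool path are hypothetical. Needs PHP 8.0+ (str_starts_with).
const BASE_DIR = '/var/www/app/data';         // assumed data directory
const ALLOWED_HOSTS = ['files.example.org'];  // assumed upstream allowlist

// Pattern the post describes: request input reaches the sink unchecked.
//   echo file_get_contents($_GET['file']);   // any path or stream wrapper
//   exec('tool ' . $_POST['arg'], $out);     // input is parsed by a shell

// Resolve a requested name and confirm it stays inside BASE_DIR.
function safe_local_path(string $name): ?string
{
    $base = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;                          // missing base or file
    }
    // Trailing separator so "/data-old" is not accepted as inside "/data".
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// Accept only https URLs whose host is on the allowlist.
function safe_remote_url(string $url): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        return null;                          // file://, php://, http:// ...
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, ALLOWED_HOSTS, true) ? $url : null;
}

// Run a fixed binary with an argument array: no shell parses the input.
function describe_file(string $validatedPath): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(['/usr/bin/file', '--brief', $validatedPath], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start tool');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return trim((string) $out);
}

// Constructed inputs: the first escapes BASE_DIR, the second is not https.
var_dump(safe_local_path('../outside.txt'), safe_remote_url('file:///etc/hostname'));
```

`file_get_contents()` follows HTTP redirects by default, so a fetch of an allowlisted URL should also pass a stream context with `follow_location` set to 0; otherwise the host check only covers the first hop.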

I immediately contacted the developer of the plugin and reported the vulnerability, along with the curator of the JMol plugin of moodle.

As of today, the vulnerability has been fixed by the developer, and should be available in the latest version of the software.

Anyway, some research I’ve done suggests that the vulnerability was present in many websites using the plugin, which I think are unlikely to upgrade the software. In particular I analyzed every registered moodle installation from moodle.net (roughly 50k) and discovered that a small fraction (~100) had the plugin installed and was vulnerable.

I would not classify it as a widespread vulnerability, but I think this should remind us of the nature of websites’ security. In fact, I would say that every piece of software, however small, that is publicly accessible on a website should be a cause for concern when thinking about security.

As is often said, the best thing to do about software security is to firmly believe that you don’t have any.