Day 4

The company might block any DNS requests for www.facebook.com, but an employee can just visit the IP address of Facebook directly if they know it, or change their DNS server in Network Preferences to something custom, like Google’s easy-to-remember 8.8.8.8. But now Google knows every site you visit, since you’re asking it for DNS information …​

The default ones that were there already are configured by DHCP, when you first connect to a network.

The company also just block packets to any IP address that belonged to Facebook, or even look inside a packet, since HTTP requests include a Host: field, and block packets they don’t like.

A proxy is just some server that we might send all our traffic to, and then it forwards it along for us. Routers are proxies too. Another type of proxy is a VPN (virtual private network), which we can use to go around website blocking, since it has a completely encrypted connection. So our data, including all the headers and packets, are secure, up until it reaches our VPN, after which it is decrypted and forwarded along to its actual destination. This keeps anything in between us and our VPN from reading our traffic.

The cost of this, though, is latency, or time between requests and responses, since we need to send our traffic to another server first.

Tor is a similar software where all the computers running it form a network, and routes data randomly among them, so it would be extremely difficult to trace the origin, or even destination, of data on the network.

Sometimes, when we submit a query to a webpage, we do want the input to be in the URL and saved, like for images of cats, so we can bookmark it or link to it more easily, instead of having to type it in every time.

POST is for data to remain private, like passwords or credit card numbers, or also when sending large files that don’t fit in the URL of a GET request.

A char has no negative sign, and is meant to store characters, while a short has a sign bit in its leftmost bit, and used to store integers that can fit in the 15 bits left.

An int is an integer, with no decimal place, while a float is a real number which does.

A long is an integer with more (twice as many, to be precise) bits, and a double is a float that also has twice as many bits.

We have these data types because we want the flexibility of being able to choose between saving space and not having as many empty bits, or having larger numbers or more precision. With thousands or millions of numbers, that difference is much greater.

David had trouble finding sources that detailed the hack, but the gist is as follows:

The bank’s website, at the time, used to take you to a URL that looked something like this, after you logged in:

http://www.citibank.com/balance?account=123

But now all we would need to do is to change the URL to any account number we want, since the website didn’t check whether you were actually logged into that account, as it should have. Sometimes really simple programming errors can lead to really large security holes.

Google has multiple servers, for redundancy and latency, and having all those IP addresses just allows for any of them to be contacted. Facebook only has one IP address, but all of their traffic might just be automatically balanced by that one server to others.

We have a gallery here, if you’re interested!

David looked around and there’s not much information, but it seems that though there was a function that convert clock time to floats relatively precisely, it was only being used some of the time, so operations on imprecise and precise values created more errors than there otherwise would be.

We’ll ignore that first gray line for now, and look at the second line. The < means that we’re starting a new tag, which is just something that tells the browser that there’s something special ahead. In this case, <html> (the > is further to the right, and we can ignore everything else within for now) tells the computer that we’re starting a new HTML document.

The next purple tags we see are <head> and </head>, which is telling the browser that whatever is in between them should go in the head of the webpage. You can think of the head as the stuff at the top, like the title, that blue "g" icon, and other stuff that’s not displayed. The next chunk, <body>, is everything that you see in the actual page.

All we needed to write this was Notepad or TextEdit.

The first line is required by the HTML standard, and just says the document type is HTML.

After that, we notice the <html> as usual, but now at the bottom we see </html>, which is telling the browser that the page has ended.

We’ll start calling everything within an open (start) and close (end) tag an element.

Notice how everything inside an element is indented, and that every tag that’s opened is closed.

<title> and </title> are on the same line because hello, world was just one line, but it makes no difference to the computer.

Also notice how tags are closed symmetrically, as in <title> is closed before <head>, since it was opened inside <head>.

The shapes don’t really matter, and the root element is called the document, which we can think of as everything in the file.

Then within the document, we have the html element, and now we see how the children of that are labeled head and body, matching what’s in the source code.

The head element has the title element, with the text hello, world inside, and since that’s actual text, we’ve made it an oval rather than a rectangle.

Notice the title is in the top of the tab, and our text is in the body.

(The text is bigger because David zoomed in more in the browser, but it’s still the same actual size.)

So Chrome chooses to display the name of the file, instead of nothing, but that was a decision made by the browser and not us, since we didn’t specify anything.

Every time we’ve made a change, we had to save the file from TextEdit, and refresh in Chrome.

A link has historically been called an anchor, hence the <a> tag, but we also pass in, as an attribute, the href, or hyper-reference (also an ancient word for the actual link) to the place we want the link to actually go.

Notice the fundamental syntax of the href portion, where the attribute name is to the left of an equals sign, with the value to the right.

If we left out the http:// part of the link, or even the ending tag of </a>, it would still work, but only because browsers automatically guess what it thinks is missing. Only if we use complete syntax can we be sure that the page will be displayed as we intended. (Well, browsers actually all display things slightly differently, and making web pages that look the same on all browsers (cross-browser compatibility) has actually been a pain for the longest time.)

Hmm, not what we intended, but this makes sense because we have all those spaces and lines, and browsers will only place a maximum of one space between text.

And notice how we closed our <br>, line break, tag. This is because a line break is an element that can’t have anything inside, and is either there or not, so we use a slightly different syntax where the open and close tags are combined as you see there.

What we’ve done here is connect to one of Cloud9’s servers, somewhere in the cloud, and save our hello.html there, with the built-in text editor that we can access in our browser.

Turns out, on line 3, the <!-- marks a comment, which is something about the source code that isn’t displayed.

The new tag around all that text, <p>, marks paragraphs.

The new tag on line 18, <meta>, has an attribute called name which is viewport, kind of cryptic, but the next attribute, content, has something inside called width=device-width, initial-scale=1.0, which is just scaling the page to 100%, of the width of the device.

And all of these standard HTML values and descriptors can be found by looking in a book or on Google for what you want to do. There’s no way for anyone to know all of these tags, and most everyone looks up what they need as they need it. The important part is the syntax, with the tag name, an attribute, an =, and the values in the correct place and order.

<ul> stands for unordered list, which means there will be bullet points for each <li>, or list item, and if we wanted a numbered list, we could use an <ol>, an ordered list.

Notice line 21 is a comment that reminds us where the image is from, and line 22 is a new tag, <img>, that has alternative text that reads Grumpy Cat in case the image doesn’t load, and refers to a src, source, file of cat.jpg.

There are lots of divs here, like invisible rectangles on the screen that divides a page, and each of them have a style attribute.

The values of each of the style attributes seem to have their own structure too. It’s not just a single word, but key-value pairs, where "key" is some property, and "value" is just the value of that property.

For example, on line 21, the property called text-align is being set to a value of center. So it seems like the text inside this particular div is going to be centered. And we only know the particular names of these properties and values by looking it up on online references.

And inside that division, we have another one, where we’ve set the font size to 36 pixels and the font weight. The <b> tag in HTML is a little outdated, and it’s better to factor out design into CSS anyways.

On line 29, we have something else that’s new, ©, which is an HTML entity, or just a tiny bit of code that represents the copyright symbol.

We’ve replaced the style attribute with ones called id, and those IDs are referred to again in the <head> of the page.

This allows us to change the styling more easily, rather than going through and finding the correct spots within a webpage.

The <style> tag in the <head> is where we’ll have all the styles now, and the curly braces and semicolons are again standard syntax we can look up in online references.

#top, for example, means that everything inside should be applied to elements with an id of top.

Now all the stuff that was once in the <style> tag has been moved to a file that looks like css-2.css. So multiple webpages on your website can share the same style just by linking to that file, without you having to copy all the styles manually.

We can type something like cats, and then we’ll get to the Google results page for cats. (This is sort of an example of front-end versus back-end, where we’ve implemented the form, the front-end, but all the processing is still done by Google, the back-end.)

So if we try to think about how this might be implemented, the page has an input box and a submit button, and when we click it, the browser is probably making a GET request.