2016-10-11

so my belief one and maybe he a good meeting but let me get back to you
mobile well whom you don't you might think ball would have been
and I'm may have been throughout the home you done
and game notably thanking him
so give me a big hand
okay
the hay so I thank you everybody for being here so early in the morning
at the park when the animal better be or and
I'm so my pocket a if now called
why railed hard and I the motivation my
of the I feel that the trend in open source
today and I think it's largely driven by the emerging though
JavaScript I and during our ecosystems
I'm very guy he got there they
an emerging I'll mentality that
the only find a bit operating mall have both software
and if your software do anything Paso automatically by definition
bad wrong I you're doing it wrong
you should be writing small couple software that other one thing about one
thing right
I and i think the neighbors in a bit by really if the follow-up
back 5 seconds of the more than a little I'm them
I'm and so I'm I'm personally not a fan of that movement in general
and I've definitely he a trip into the room the community and the my pocket so
if
I for I so I get off alive and well usually someone in the audience that the
question might
why should I Israel the first place why should I just and I'm only getting
dollars with anyway why should I do
what you know I'm for not hurt my back
and I i think im questions come from a heartfelt plea and
in people park and of them again
I but for me
had to put in the work them out work to help grow up I'll a lot
I what price he is that there's a lot of things that will dive behind
that nobody knows about it think that nobody knows about it
but unfortunately but a good job hiding the complexity from bball
that a a film that there's no what be there at all and it took a lot of both
doing a lot not
so the VIP live apart there really was just give up on
up yep that's only thing that other doing I'm
it turned out that I only unable to talk about anything though there
you get bigger than that 2k13 but the idea of a pop up in the problem getting
know about example you might have heard about but you get maybe that maybe don't
know about what exactly is going on by the bean
I'm on one page to show how compared with other friend with a good
so you might call type of I why open North
is hardly my not work the lead-up I while
part because is general up problem the general question applies to
much of the work I do among other five but what about the whale
I'm in general I've tried to call and and problem
up on their is a good example that I don't 5 with all the
small problem and how often I think blast for
having a live with it not by the mind the code I'm
by I think there's a live until you actually private solve problems from the
impact though
hey I want to talk about I'm why it is that we are perfectly what
from people in the mail but the left knee whole I hope they have it there
there's a lot more going on in the library that high that we use everyday
and only thing that because the whole to a library that you football
I'm I want to hurt with a
somewhat Calif quote from Donald Rumsfeld I
there are no no you don't think that you know we also know that there are no not
now unknown
that it had something to do not know but they're also I know and I know that it
there are things we do not know we do not know and
from the that I that with helping a
divided up something like that in May I'll whale
application there are appears I have no known think that everybody know that
they have to do
I I went there are a time
sounds good if the unknown unknown I
which are things that you probably have heard of but don't exactly know how to
call
and you hope that you're playing with all them of the third is a good example
you hope your friend
with your maybe you don't want to have to figure out on your own the old
your and then I unknown unknown these are things that they may be doing for
you
by didn't happen to agree with that in the first place noted that a crime
the benefit about that I'm so I'm gonna talk today about the fashion
and their category I'm what you do with the normal route developer that the
first category
the pain but you need to do another day without them there today today
and I've actually the smallest par worry about the physical part well above
for you and if the particle real bout you baby %um i've importing over
something I can offer no thought you're looking at the thought that they are
I V E I photograph the park every of that pay
to your house is an everyday thing I'm thinking I could do that tomorrow
and i wanna talk about how you we all know how to do that that targeted a
work I'm happy to not promote development usually find a lot of hiring
me
time no no no pay I'm my office to be with your comment go try to figure out
how to do that
I'm me the the fear the thing like that where
you know that the problem with that and now after them offer no developer
need to make sure that you have imported the middle where r whatever that
solve that problem with the livor solve that problem I'm and then the
all the the right to move my time I'm
in the page where hopefully for doing our job right you've never heard that
the public that the fourth
so but no not knowing are basically
you have a web browser web app maker but some web server
what their work of flavour from I believe in your control
about what yeah you have a firm some he came out
a fun go back to the router go back to what they love about the web browser
I'm so it will be world miserably
have your unicorn real crowded field rather
your router router the Rev action and this is actually
happy went on to building rail cap that run tonight given day
it is largely how I think about where to go so it seems like these things are
basically equivalent
by like I said I'm not going to talk about this because in fact
for this those particular public-facing think they are pretty similar
when I wanna talk about today aren't you case study the things that are any other
categories
so the first one I wanna talk about is an example of something that is a known
unknown
and that is CSRF protection. So many people have heard of CSRF;
keep your hand up if you know how CSRF actually works, how the attack works;
keep your hand up if you could explain clearly
what the mitigation strategy is.
So that's what I mean when I say known unknown: everybody knows
that there's this category
that you would like to protect from. So when you go to build a Rails app
or no dapper snapper after gonna be most people will
look for a checkbox that says this thing solves CSRF somehow,
but most people don't know enough about how the attack works or how
the mitigation strategy works to know whether the thing that you're using to
solve the problem actually solves the problem.
so for example, because everybody knows that you have to solve the CSRF
problem, Express, the framework on Node,
ships with this thing called Connect which has a CSRF
middleware so there is this thing called and a fifth-round and
because what most people know about CSRF is that you have to solve it somehow,
they tell you put this middleware in your app and then, now, allegedly
you don't have to worry about the attack any more. Unfortunately, if you look
at the documentation
it's a little bit more complicated; it tells you make sure you put the
middleware somewhere
below your session cookie parser, because the process depends on the session.
I having to understand what's going on have increased you have to know that it
does something to the session not super bad although I personally not a major
famine I'm working on application to have them I middleware stack
by that is the thing that people do in no time soon after a lot
And then what I think is more problematic is that the docs say
that this middleware doesn't actually do anything to get that token into your form,
so basically it says
make sure to add that token to your requests
somehow, and in the documentation the basics show you like
go gsub out, go get the response body, and substitute something out, replace a
placeholder like {{token}} with the token, and then you send it out.
Actually, so maybe someone later can call me on why I know people are
getting the body and replacing it; that doesn't seem very Node-like to
me, it seems like you want to use something else,
but I guess that's what people do.
And there is a problem though with both of these
documentations, which is,
in general, if security depends on the developers
remembering to secure things, if you have to rely on developers remembering security, you're basically
already lost.
You can see an example of this with the reason why
the Rails stance on this was not because
an end developer could not make Rails secure; it's relatively
straightforward
for a developer to make Rails secure. The problem is that Rails was relying on
the end developer
to make Rails secure, and everyone is bad at that. And so basically,
in general, this is the general Rails rule, and the reason why we took
that mass assignment thing really seriously even though historically
apparently we have not, is because this is actually the whole
point: you don't actually want end developers to have to know about security,
you have to actually make it work. So that's the intro. Now
what a
let's talk about what CSRF is so that you have a better understanding as I
walk through the various fixes. So imagine we have this controller, we have
a cash
web app, we have a cash transfer controller; please don't use this code
if you're a bank.
So first we authorize the account user with the parameters,
we make a cash transfer object, we put it on some queue to actually go do the cash
transfer later;
in general you are not going to want to be doing cash transfers or sending mail or
whatever on the main thread.
And I want to point out here: this is not a mass assignment vulnerability; the
first thing we're doing in this action is authorizing that the user is allowed to
do
the right thing, so you actually have to go somewhere that checks to make sure
that the parameters are correct.
So basically the plan is that we're making a cash transfer from
the
from account to the to account, and the amount. And the authorize method is
probably using the
current_user method, so if you have written a Rails app you're relying on the current_user
method being there.
So it has the current_user method. So the first thing that happens typically is
your browser's going to POST a
request: you're gonna go to a login form, type in username and password,
hit Enter; the browser is going to POST the request to the action, let's say it's
/login, and
with the user and password by the way I like their stuff by
after then started playing parts and the place to start I like that
home and
so we type in a password, and then
what happens is the server, in the response, the browser returns a cookie,
sorry, the server returns a cookie to the browser that says here is
some token that identifies this user in the backend
later. And this is not the real cookie; the cookie has a
signature in it that makes it so you can't tamper with it
of a law at back to be all other top I'm
but basically the browser now has a cookie that
it will send later. So now imagine that we have a form which is
send some money, say it actually goes through bank accounts /transfer,
it does a POST; we have a from value, a to value and an amount,
okay, one billion dollars, and this is a perfectly valid form, this is on bank.com,
you want to submit it; there are probably banks that do approximately this one.
And the important thing here is that the browser, when you hit Enter on that
form,
it obviously submits the from, to and amount,
but it sends back that same cookie that the browser got from the server
before.
So the important fact about the architecture is that the server doesn't actually know
who you are between requests;
it's called a stateless or share-nothing architecture.
So the server doesn't actually know who you are; the server relies on the fact that
there's this cookie
that gets passed back and forth automatically between the browser and the
server,
transparently from you as an individual, and that's something that
Rails can use on the flip side
to identify: okay, you're that user ID. And then
typically there will be some code somewhere that your handler comes
from, like
a before filter or something, that gets back the user ID,
looks it up in a database to populate the current user. So basically the way that
authorize method has to work is that it identifies:
I gave the browser this cookie, it gave it back to me, I can,
I know that that's the user. Now the way the CSRF attack works
is let's say I'm evil.com;
the browser actually doesn't care whether or not the form is submitted
from my domain or from some other domain.
So you go to evil.com, and it makes a form;
now this is basically the same form as before with a different
from value,
and then it goes ahead and auto-submits it, and the browser will submit it
to the server. But the important thing is the browser will also send along
any cookies that identified the user as
part of bank.com. And you might say, and people often say when I
got to this, like, holy shit, that's the craziest thing in the world, browsers should
immediately remove third-party cookies.
But you probably don't realize that, like, you might go to
like login.37signals.com for the user and password, and after you log in
there's something like basecamp.com, right, or you might go to any,
like it is extremely common on the web for people to not have
the login form on the same domain, and further, it's extremely common to
have, like,
hey, I'm gonna give you some login thing to put in your site, which you could
use to log into our portal.
So basically the web is very entrenched in doing this
cookie-sending thing, so we can't actually get rid of it; that's just how the
web actually works.
The problem is that from the server's perspective we get exactly the same form
post as before; we can't actually tell the difference between
the form that we got because the user legitimately went to bank.com and submitted
it
and the form that we got because evil.com submitted it.
Now you might also say, like, well, it's only a problem because we're using from, to
and amount,
and no one could guess... like, just use... I guess we could all
use
other names and then no problem, no one is going to figure it out.
Unfortunately
people, other people, can actually go to bank.com and look at what the field
names are and then copy them into the same
back so I'm it doesn't the fact that sarcastically or else makes
certain attacks easier for certain actors but it doesn't actually make it
profitable
So the mitigation strategy is that we would like to have,
instead of just providing the input fields that are the same for every user,
we need to include a token
together with the form that is special: every single user gets their own copy of it.
And obviously the thing is that the third party
can't actually see that token; the third party has no way to see it because the
browser will not let you make any requests across domains
and see the cookies, so there's no way for the third party to actually get access
to that
very token that is associated with the user session. So when we actually go
to submit the form, now we can check:
oh, there you have a token; is it the same as your session? Yes, okay, awesome, let me
continue.
No token means evil, we will not allow. So that's the normal mitigation strategy;
it's, like,
at this point a pretty old mitigation strategy, and it's what basically
everybody is doing when they say that they have CSRF protection.
In general, with CSRF protection the goal is differentiating a post that comes from
your site
from a post that comes from a third-party site. Now, some people think that
you could just use the Referer header
for this, and that sounds like it should work; unfortunately, the Referer header,
I think something like twenty percent of all requests or
something come without a Referer header, so if you want to use the Referer header as
your mitigation strategy
you'll need to lock out users who are behind a proxy that strips it
out or whatever.
So that's also not an effective strategy. Long term there's things like the Origin
header
et cetera that will make it easier, but this is basically the problem: how do
we differentiate
a post that comes from your site from a post that comes from a third party,
given that the browser
after someone cookies if you do the crazy thing where you make a dance
performance a minute
So that's basically what CSRF protection means.
And when we built CSRF protection into Rails
we basically had a few goals. Number one is on by default:
many people don't know about the CSRF attack, and so we do not
want every single person building a Rails app
to have to know that CSRF protection exists and turn it on, for example like Connect makes you do
that.
the one about these are perfect and put into middle with that I that bad
Then there are several different cases that exist in the world:
there's HTML forms, which are vulnerable to CSRF;
Ajax requests, which are vulnerable to CSRF in a browser; and API
requests that come from a non-browser and
don't have a cookie, but we still want to make sure that you can make an API request.
I'm and I'll talk a little bit more about why I
both a dutch bus the paragraphs are fundamentally different things
And then finally, as we built CSRF protection, obviously the
state of the art in security changes,
and for example recently, about a year or two ago, we found out that
there were some approaches that used to work by whitelisting certain requests, and
it turned out that there was a Flash exploit
that made that approach unreliable, so everybody who
does security well had to go in and
change the approach, do something different. So that's
another thing:
it is important that we keep up to date and don't just say,
you know, do CSRF, check the checkbox, call it a day;
I wanna make sure that we're actually up to date. So those goals, I think,
are pretty
straightforward and obvious; unfortunately it does get a little bit
tricky.
So what do I mean by on by default? Not only does it need to be turned on by
default, it's important to avoid
people wanting to go disable CSRF protection.
So if you go look at the Sinatra website, for instance,
it tells you protection is included to defend your application
against common
opportunistic attacks; you can easily disable this behavior,
which should result in performance gains. So we should remove the protection,
which should result in performance gains? I know that
things are a little slower when you actually do security;
security is sometimes slow, but
people can live with a secure but not the most
benchmark-optimized application. But the problem here is if you go look at
benchmark optimize application and but the problem here thank you go look at
like Stack Overflow, almost every single post from someone like
I'm getting the error that says can't verify CSRF token, one of the answers that
gets upvoted is like
just disable protection, right? And the problem is that if you make
the protection too hard to use, for whatever reason, then people want to
disable it.
So in addition to it being on by default we want to make sure that it is
rare that people
feel the need to go disable it. Not that people can't disable it; other
people do,
although we don't have a thing that lets you disable all protection
and you actually have to go to war time both
I we don't really have a type it by I'm
The point is that when I say on by default I also mean that it should be
extremely rare that someone feels the need to go disable it,
and what that means is that it needs to work for all the cases
that are common in which people will want to have some
client/server communication going on.
So the most obvious one is forms; this is the one everyone knows about, the one
everything from a culture to view it
And let's look at how Connect tells you how to do it. So Connect says,
this is the documentation; obviously you would not make your form
inline, you're getting it back from upstream and downstream, however
I'm but if you look at the bottom over there it says like that had a rather
have a symbolic replaced
the really talking with her about affected yessir that's also why I'm jane
goes to do
like before I think 11 2012. Unfortunately,
like having to parse your entire HTML body to find tokens that you're gonna gsub
out is a little bit crazy, and nobody really wants to do that;
there are a variety of reasons why that's a bad approach. Again, I'm very
surprised people are into this.
But basically the point is that it's a 100 percent manual approach:
in addition to having to manage the middleware you have to manually go into
your application and say
make sure that the token is actually there, which should be done
by some other means, because there's no interaction between
the middleware that spits out the token and your actual application. So
the documentation says this is what you should do; so this is
a 100 percent manual approach, and obviously a manual approach is
going to be the most likely for people to
say, let's not use it in the first place. Django has
what I call a semi-automatic approach. So at their forms,
there's no form helpers in Django, so they tell you whenever you make
a form
make sure you put in the csrf token helper
and then we'll make your pussy is wrapped up in so that I
So that is good: it does not require you to know about fetching the CSRF token,
but it does mean that there are a large number of people who forget to put
the token in their forms and get errors
and go and say, try to disable the CSRF middleware;
that's the first thing they find before "please put in this token".
And I think that's really worth thinking about when you design APIs,
like,
hide as much as possible from people, from knowing about this in the first place; if people have
to know about it there is a good chance they will try to,
they will get into trouble, especially with security.
Obviously the Rails approach, as we all know, is you use the form_for helper,
which we always had,
even before we had CSRF protection, which means that when we added CSRF
protection we were able to add it behind the scenes without any
extra work from you, the framework developer, or the application developer
rather.
I'm happy to say that basically every website got upgraded to have this
protection when it became
known as one of those. So obviously I favor the automatic approach, and the
good news about the automatic approach is that there are forms that were created
in the life cycle of a typical Rails app when it did not have CSRF protection,
and I think that this is a very big win.
The next thing is okay, so you have CSRF protection; which HTTP methods do
you need to protect?
I'll tell you the answer before I proceed: the answer is
you don't have to protect HEAD and GET, and it would be very bad. I was in fact
2012
Google back on the map is a question mark CSRF token he calls
right that would be very bad answer your question hopefully not making
I should not be doing on unfav things
same have requests in real-time the same thing I'm
And then there are other things that are not HEAD or GET requests, so I'm
cheating here, there's like TRACE and OPTIONS also,
but these are the ones that people use in practice. So GET and HEAD are safe;
POST, PUT, DELETE, PATCH are unsafe.
If you go look at the Connect middleware, by default the middleware treats
everything as unsafe;
obviously nobody would use it in practice, nobody's going to leave
everything as unsafe, or you would not be able to, you know, type in your own browser.
So then the documentation tells you to do this, basically to
blacklist POST; but unfortunately now you treat the other unsafe methods as
safe. And again, unfortunately, this is the default, which basically doesn't do
anything,
so the default is this and they tell you in the docs to go to this,
which means that a bunch of people lovingly copy and paste the code, and when
somebody goes and tells them like, hey, this is bad,
probably someone will go fix the documentation, but there will be a bunch of
apps out there that are just stuck doing that one thing;
that was the purpose. So you can go to
any app that uses Connect CSRF and it's actually vulnerable to
PUT and DELETE, basically.
I'm so this is a shower saw I'm indicates that occupation is another
though and you can see where if post night recommended with your Mac sandwich
Especially serious about this is, if you're building a
middleware stack,
you might say like okay, no problem, like browsers don't submit PUT and DELETE,
which, you know, if that changes in the future...
has changed a few times, but more concerning is the fact that
probably upstream there's a middleware that says like, change the method of a POST to
something else,
so by the time it actually gets to the CSRF middleware you probably have
already done some
mutation, leaving it up to the end
developer to realize that this has happened, and like,
oh, it's not actually a POST request because it's been mutated.
Clearly this is not... so that is the problem.
CSRF protection has to resist this and do the right thing,
just the right thing. There's another thing though, which is
whether Ajax is safe.
There is, again, I'm just going to tell you the answer: people who think they
can just pass Ajax,
they are not; you can't actually whitelist XHR requests,
because there's some crazy Flash thing that lets you get around what used to be considered a
rock-solid
solution. So basically when you are doing CSRF protection you can't actually say
whitelist XHR requests, that's not correct.
However Rack::Protection, which is the Sinatra gem,
whitelists XHR requests, and also something actually includes
this middleware by default, turning it on.
I'm not exactly sure what's going on but
a way to form the form I'm
token middleware specifically what effect the terms you cannot
Unfortunately this was like a hard process; Rails finds out,
likely basically an issue from a Google security researcher, like a
no crazy act and VFX and anal sex that by
The reason is that there's actually a security process in Rails that
allows for that to happen;
otherwise maybe someone heard that there was a new security vulnerability
by the chances Beijing before most famous 16 security check box is checked
off
People don't like the check. So I would recommend
people in general, if using a framework, use one that actually has a
documented security process so that people like Google who are going around
trying to find bugs actually have a place to send them;
otherwise... so I'll get back to that. Express has a
manual approach, Django has a semi-automatic approach,
and the general solution is okay, so we can actually treat this as,
please copy and paste this snippet from the documentation, hopefully found,
and put it into your outstanding work.
Unfortunately it doesn't work because the Ajax setup is
the one thing you need to do before Ajax, which is
heavily documented on Stack Overflow but not in the documentation.
And this is just the problem with
people copying and pasting documentation, is that there isn't really
a good,
a good way said not I'm automated there's no one here is
pay 500 for you there's no good way for
past like that may be a way of being on median and occupation as a hair
but this is for people who have to copy and paste, have to find, have to know about.
I guess a lot don't use Ajax in the first place, but
law a taxi is here at hopefully if I miss an opening of the as you can see
the CSRF
which there are many are I'm so basically that so this is
I think what's interesting difference to me about this is that just
if you like about me today I am going to argue about this bitching about you
made a persuasive case in fact with quibbling that
basically Django has the answer right, but all these semi-automatic
solutions end up with something that many people
fail at; people can't figure it out for some reason. So
I personally favor solutions that are not like,
please always remember to do this; people just don't do it,
you cannot trust developers, and the problem is
you cannot rely on people to remember security features.
and so I force after this guy's eyes or trackback 0
1000 information about us is a rap track for my yes yes Rapids MI I bet appealing
So this guy knows enough to know that he's disabled CSRF protection and that's
probably not correct,
but couldn't figure out, you know, in the documentation, you couldn't actually figure
out how to do it;
some idea actually going to do this, but by the way don't use Ajax, and if that
doesn't work
YouTube before yes. But the point is that if you search the web
basically what you find is like, disable the CSRF protection.
What Rails does, and this is the point, I thought we looked harder,
but it actually works reliably, not in last year's development, doing it
is we put a CSRF meta tag in the head,
and I mean we have a csrf_meta_tags helper
which includes a bunch of tags, but then we ship with, including, the rails.js file
and then we added a jQuery Ajax prefilter which does the CSRF protection
stuff in the head, and so basically whenever you see a request
and the same thing is true if you use Prototype; another library has a rails.js, but
most of these days
if you just make Ajax requests and use jQuery,
making an Ajax request, it sends the CSRF token;
it will automatically be there for forms if you happen to have forms, it
picks it up from the head if it's in the head. And this is,
I think, a much better solution, because it means that most people,
they're not, they just get the whole other factor for this,
CSRF
action see back I don't have the slightest but the funny thing is
EPI so I'm if you have or
action to the needy I action again in the very back up
Unfortunately what we discovered,
when doing the most recent security fix,
was that there's actually no way to whitelist
APIs, so you can't say maybe, I don't know, if the API
because the same vulnerability that attacked Ajax also attacked
any APIs that we could use to figure out who's making the request.
However, we figured out something really awesome, and it ended up shipping
in 3.1 or 3.2, which is whenever we actually fixed the vulnerability;
in 3.1, instead of raising an exception,
"you have a CSRF vulnerability", we just clear the session.
So API requests don't have a cookie, and so that doesn't do anything,
might be because it's not like first place so the Airbus went through because
it okay if parameter enters
everything was great; other people who were trying to do CSRF attacks
wound up with a wiped session, which has a slight annoyance factor, I want you out
sometime,
right back, but that's the overall
end result: people had a relapse and the issue was no worse
for any API that was, and you probably know, any
And I think that's the point, right: you only have...
it's not good if you have to... people doing
Ajax on a common basis, then you shouldn't have to... you should just be
using the secure thing,
secure by default. There's a lot of security stuff, and the whole
talk is on security,
but there are many other cases. One of the most
compelling reasons to use Rails,
people say why should I have to switch to Rails, is there's like
things like this, and we also keep up to date, and you probably do not
switch something
insecure. So that's the known
unknown: people have probably heard of CSRF but don't really know how it works.
so now I'm
and then the other category studies example here
I'm so occasion you think putting some people problem though
like encoding: raise your hand if you know what an encoding is;
keep your hand up if you know why that is;
okay, that's good; keep your hand up if you
can reason about encoding errors at all.
Yeah, so I think for most people encodings are things that happen,
the magazine actually very bad effing holding ever doesn't happen to you
there are definitely some errors after review I I'm
I personally think that those areas are you a good thing largely
by there was a period of time way from when I was coming out where
there was a very real possibility that everything will happen everything you
have
hunting for years like you up for tonight and
you look at them for years old a how to do a lot of work to make that happen
and I'm this happens by machines and I want to talk about
for what we get there and then hopefully we'll probably go forget
So the first thing I want to talk about is: what is an encoding? I'm going to go through a little bit of background here, but you can safely ignore this; it's just the basic idea. Basically, an encoding is just how you represent a certain series of characters as a series of bytes. So when you say "ü," that is a character, and there are some bytes that represent it. Usually we talk about Unicode characters, but the same idea applies to Latin-1 as well, and an encoding is just how you represent those characters in bytes. So ü is represented in Latin-1 as a single byte, \xFC, and in UTF-8 the same ü is represented as two bytes, \xC3\xBC. I'm not going to talk about UTF-16 again, but if you want to look at UTF-16 you can see it's just another encoding of exactly the same conceptual characters; the characters are the same as in UTF-8, but the way they map to bytes is different.

And just to drive it home further: the ü character is not \xC3\xBC; \xC3\xBC is only ü if you know the bytes are UTF-8. What you get when you look at the bytes is just bytes, and you end up needing something else to say what they mean. The point I'm making is that there's no actual thing in these bytes that says "Latin-1," right? There's no marker in the bytes. You have to know somehow, you have to have been told somehow, that this is Latin-1 and that is UTF-8.

And I think another thing that's important to know is that a lot of encodings, Latin-1 and UTF-8 among them, are ASCII-compatible. What that means in practice is that for ASCII you get one byte per character, and that's why UTF-8 and Latin-1 look the same for those characters: a character that is in ASCII is exactly the same one byte in both. Any valid ASCII is valid UTF-8 as well. But the way we represent things that are not in ASCII is different between them.
Now, the hard part is that if you see a series of bytes, you actually can't look at them and figure out what encoding they are. You can guess: I know that \xC3 in UTF-8 is the start of a two-byte character, so I can guess for some sequences. But it's not possible, even as a computer, to be absolutely sure; it's not a hundred percent reliable. So without more metadata you actually don't know the answer, and if you try to guess what the characters are, you will actually get it wrong a lot of the time. Let me show you how wrong it can go. Imagine that I have a ü in Latin-1, which is \xFC, and a ü in UTF-8, \xC3\xBC, and I concatenate those together with a space. This totally happens; this is the kind of thing that happens if you don't have encoding support in your language or your database. Like most people, you can easily get into a situation where you just have bytes and you just smash the bytes together, and you end up with a string that looks something like this.

OK, and the problem is: what encoding is that string? The answer is that there is no encoding for it. But this kind of string happens all the time in the real world. What you end up having to do is say, OK, if I interpret it as Latin-1, the first ü, \xFC, is interpreted correctly, but the \xC3\xBC comes back in Latin-1 as "Ã¼," the garbage you have probably seen on the Internet. It happens because there are mixed characters in there: it's easy to get the first character right, but then you have characters that are perfectly valid Latin-1 and clearly wrong. Every human being can see that's clearly not ü, but to a computer, that's valid. And if you try to interpret it as UTF-8, you have the other half: the \xC3\xBC part is actually correct, but the \xFC part isn't even a valid UTF-8 character. We have no idea what that is. So you could imagine an algorithm that tries to pick it apart, and I know there are browsers that try this, but we're not going to have Rails constantly running heuristics on strings trying to figure out what's going on. That's clearly not a thing.

In case you've seen that "Ã¼" character on the web and wondered why: the way that happens is you have an HTML document that happens to be in Latin-1, and someone submits a character, probably their name, from a form somewhere, and the form data is in UTF-8. So it gets stored, and then the document is served with the encoding switched, and nobody checks what you get. So you say "these bytes are all UTF-8" when some of them are Latin-1, and what happens is you end up with insanity. This is basically all over PHP, and hilariously PHP people [unintelligible]. Encodings are notoriously hard to get right.
So the way you normally get it right is that usually there's some information associated with the thing you're reading that tells you the answer. So in this case, I get back an HTTP response, and the headers say "Content-Type: text/html; charset=utf-8," so the HTTP server is telling me "these bytes are UTF-8." And so it's saying: hey, you should know that this is UTF-8. Or it might say something else, like "these bytes are binary" or "unknown," or "these bytes are Latin-1." You make sure your HTTP layer knows that. And if it's not there, you're not going to know the answer. There's a similar situation with databases. Say I'm going to put something into a database, and imagine I did not put corrupted data in. You can actually tell a database that the character set of the database is UTF-8, so now when I get the data back from the database, I can go ahead and force it to UTF-8, and again, I would do that before I give it to Rails.

In general, the problem comes down to this: there's Rails, and inside Rails there's a bunch of our own systems, and then there's a whole boatload of external things that hand us bytes, and that boundary is the only place we know the answer. So the HTTP layer can look at the headers, but those headers are not available inside the Rails system. So it's always the layer at the boundary that has to actually say "this is UTF-8," or "this is Latin-1," or "this is ASCII." And what we decided in Rails is: inside Rails, everything is UTF-8. Now, this is configurable, but as far as I know nobody configures it. Inside Rails, we would like all strings to be UTF-8, and this is essentially just trying to make it similar to how people think about types: inside the system it's always reliable. But that means we have to make sure that everyone on the outside, at the boundary, is giving us UTF-8, and that it actually is UTF-8.
Before that, let me talk a little bit about Ruby 1.9. So the first thing is there's this thing called default_external, and what default_external basically says is: if you read some data from an external source, and you don't otherwise say what encoding it is, here's the encoding to assume. So if I read a file, it's in default_external. What usually makes sense is, if you don't know what you're going to get, you go out every time and say "hey, this is UTF-8." I should note that Ruby does not default to UTF-8; it defaults to whatever your operating system says, and operating systems vary. So the most common ones in the Western world are Latin-1, and sorry, ASCII, and UTF-8. If it happens to be UTF-8, things usually work; if your system happens to be ASCII, 1.9 will not work. So in Rails we want to be like: either set your encoding in your system, via the LC_CTYPE variable, or in your Ruby set default_external. That is the thing that says, "for external data, if you haven't told me otherwise, it's actually UTF-8." Most of the people asking questions like "hey, I'm getting 'invalid byte sequence in US-ASCII,' what's going on?" are running into this. It's because their default_external is not UTF-8, so what that means is that when bytes come in they're interpreted as ASCII. So if we have default_external set to UTF-8, then files coming in from the outside world are treated as UTF-8, and that's all done.

But sometimes external files are not actually in UTF-8; sometimes they're in other encodings. You would not believe all the encodings out there, but you can imagine having a database in Latin-1, or Shift-JIS, or [unintelligible]. This string is in Latin-1, and remember, the goal is for all strings to come in as UTF-8. So what happens in Ruby is that there's another setting, default_internal, which basically says: before you hand it to the inside, please make sure to transcode. What this setting means is that if you have a file on disk that's in Latin-1, interpreted as Latin-1 because you told me so, and default_internal is UTF-8, it's going to be transcoded to UTF-8. And transcoding doesn't mean force_encoding; it means actually go take the bytes, see what the code points are, and then convert those into UTF-8. Ruby has a series of tables that know how to do this for a bunch of different encodings, Latin-1, Shift-JIS; there are some exotic encodings where translations don't exist, but those are weird.

So what I had to do to get Ruby to behave was just go around and tell people: "if you're a database driver, please honor default_internal." So if you're the MySQL driver or the user of the MySQL driver, [unintelligible]. It's not acceptable for Rails to say, "hey, if it happens in MySQL, please make sure you run this command, change the collation," and so on, like "please copy and paste this into your terminal and hopefully it works." Obviously it's for us to handle, at least at the beginning. So for us it was basically a matter of going around and making sure all the popular database drivers honor default_internal, which means whatever the external database happens to be, by the time it gets to Rails, the bytes will always be UTF-8. So that solves the problem for database drivers.

What does that mean in practice? It means the database could be in anything, could be a Russian encoding, could be Shift-JIS, doesn't matter; it's whatever your database happens to be. And the mysql2 driver, which is what you should be using (the simpler drivers did not do this correctly), says: "OK, now I've got the bytes, and I see that it's Shift-JIS, because someone put Shift-JIS in the database. I see that the user has set default_internal, so I'm going to transcode those bytes to UTF-8," and then it will be UTF-8. So now Rails has the right thing, and that's satisfied for actual data coming into Rails. And if you actually look at Rails, you'll see that we are setting default_external and default_internal to UTF-8. That basically means you're telling the world: "if you see bytes that you don't know what they are, they're UTF-8, just like default_external; and if you see bytes that come from an external source that are not already UTF-8, please transcode them to UTF-8 before you give them to Rails." Don't use this outside Rails; it's a process-wide setting. Rails is basically the Ruby process, so we're basically saying, if you're running Rails, default_internal and default_external apply to the whole process. You can imagine some Japanese users going, "oh my god, Shift-JIS, you don't like it, [unintelligible]," and it's OK: we see Rails as its own process, and the whole app is in this style, so we should not be managing [unintelligible]. OK.
Almost done. The last section, the second half, is templates. Basically what we do for templates is the easy thing: OK, default_external sounds good; you get the source file, it's in default_external, have a nice day. Except that we would like you to be able to say, "OK, actually this template is Latin-1, not UTF-8 or whatever default_external is," so you can put an encoding comment at the top of your ERB file, and we'll do the right thing. And there's also another case, which is that Haml lets you specify the encoding with its own special syntax, [unintelligible], and a lot of people have Shift-JIS templates in their documentation, so we need to allow those things. The way it works is that it's more work than we did before: when we get a template from an external source, we don't just believe that it's UTF-8 because it's expected to be; we actually check that it's the right thing, and if it's not the right thing we raise an exception saying "this template is in this encoding, not UTF-8," and we also provide a much better error when something happens to be in the wrong encoding, so you don't silently do the wrong thing.

And one more thing, which is accept-charset. Form data is the last vector into the system. So actually the form itself has an accept-charset attribute, and we set that in form_for, and what that says is "hey, browser, this form should be submitted as UTF-8," and theoretically that should do the right thing. Unfortunately, as you would expect, IE doesn't: if the user enters characters that are not in the character set of the document containing the form, [unintelligible]. And the problem is, users type anything; they paste smart quotes from Microsoft Word, which are not in the document's accept-charset. So we do this thing where we put a check mark in the form. If the document is Latin-1, IE switches to UTF-8, because the check mark is not in Latin-1 [unintelligible] accept-charset.

So now, in Rails, we basically make sure the encodings are all correct, and you should not have to know anything about this. These are things that, hopefully, if you use a framework that does this for you, you should not spend any time on this stuff. You should be focusing on the parts of your app that are [unintelligible], where you want to spend your time. And I think that now, if you use Rails, [unintelligible] you'll be dealing with UTF-8 and you will be fine. [unintelligible] This is a bit better, because before it was really horrible, yes. Ruby 1.9 actually gave us the tools for solving the problem. So people who are like, "Ruby 1.9 encodings, I hate you, why are you doing this?": actually, there was no way for us to do the right thing when we didn't have the tools to see what the encodings were. So now, in 1.9, people don't have to think about encodings in their Rails apps. And thank you very much. [unintelligible]
[Audience question] Hi. Thanks, great talk. The weirdness with that is that it will not be included in Sinatra, because Sinatra doesn't [have it]. It [unintelligible] because of the middleware; you would have to swallow the CSRF request [unintelligible] with that middleware in order to have it [unintelligible]. So [unintelligible] the other one: doesn't Sinatra do CSRF?

[Speaker] There's more than one [option]; there's a gem [unintelligible] I think, [unintelligible]. Yeah, by the way, I want to say: Sinatra used to be massively vulnerable, with, like, every possible vulnerability. Good job; it's happy now. I said I should probably have a security review [unintelligible] against the wall; it's good, like the ultimate security [unintelligible]. But there's definitely a problem: we have security advisories, and when that information comes out, there's no way to find out about it unless you're constantly looking at all the security alerts for [unintelligible]. All right. Yeah, thank you. One on this side.

[Audience question] Good one. How did you come up with the check mark as the, as kind of a reference point?

[Speaker] Yes, and maybe one day [unintelligible]. I'm sorry to leave the snowman behind. So, OK, so the rule is that it has to be a character that is not in Latin-1, and as Unicode characters go, there are a lot to choose from. [unintelligible] And so the first thing was a snowman. The idea was that you'd never see it. But GET requests, forms that use GET, put it in the URL, so people were like, "why is there a snowman in my URL?" So we basically spent a lot of time on it, and we went with the check mark because people immediately look at it and go, "oh, a check, I know what that means," [unintelligible]. The idea with the snowman was that it was just too happy; people would look at it and not get it, [unintelligible]. Thank you very much, [unintelligible].
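The byte-level behaviour the talk walks through (the same ü in Latin-1 and UTF-8, relabelling versus transcoding, the smashed-together string that no encoding can describe, and the check a framework can run at its boundary) is easy to see in Ruby. The following is an added example written for this page; it is not code from the talk, from Ruby core or from Rails. The function names (check_boundary, import_as_utf8, representable_in? and the rest) and the constructed byte strings are this example's own; the boundary check mirrors the approach the speaker describes (validate at the boundary, transcode only when the source encoding is known from metadata, never guess from the bytes) but is not Rails' implementation.

```ruby
# Added example (not code from the talk, Ruby core or Rails): what Ruby 1.9+
# String encodings do with the bytes the talk describes, and the kind of
# boundary check a framework can run before letting bytes inward.

# "ü" (U+00FC) is one character. Latin-1 stores it as the single byte 0xFC;
# UTF-8 stores it as the two bytes 0xC3 0xBC. Same character, different bytes.
# (Constructed sample input for this example.)
LATIN1_U_UMLAUT = "\xFC".b.force_encoding(Encoding::ISO_8859_1)
UTF8_U_UMLAUT   = "\xC3\xBC".b.force_encoding(Encoding::UTF_8)

# Hex dump of the raw bytes, independent of the label the string carries.
def byte_view(str)
  str.bytes.map { |b| format("%02X", b) }.join(" ")
end

# force_encoding relabels the bytes without touching them. Latin-1 bytes
# relabelled as UTF-8 are simply an invalid UTF-8 sequence.
def relabel_as_utf8(str)
  copy = str.dup.force_encoding(Encoding::UTF_8)
  [copy.valid_encoding?, byte_view(copy)]
end

# encode transcodes: it maps each character through Ruby's conversion tables
# and writes the UTF-8 bytes for it. The bytes change, the characters don't.
def transcode_to_utf8(str)
  str.encode(Encoding::UTF_8)
end

# When both strings carry a correct label and both contain non-ASCII
# characters, Ruby refuses to concatenate them rather than guess.
def concat_labelled(a, b)
  a + b
rescue Encoding::CompatibilityError => e
  e.class
end

# The talk's "smashed bytes" case: the Latin-1 bytes and the UTF-8 bytes of
# the same character glued together with no label. Declaring the result
# UTF-8 cannot make it valid.
def smash(latin1_str, utf8_str)
  (latin1_str.b + utf8_str.b).force_encoding(Encoding::UTF_8)
end

# Boundary check: accept bytes only if they form a valid sequence in the
# declared encoding. Returns [true, string] or [false, reason]. Guessing the
# encoding from the bytes is deliberately not attempted.
def check_boundary(bytes, declared = Encoding::UTF_8)
  labelled = bytes.dup.force_encoding(declared)
  return [false, "invalid #{declared} byte sequence: #{byte_view(labelled)}"] unless labelled.valid_encoding?
  [true, labelled]
end

# Import when the true source encoding is known from metadata (a Content-Type
# header, a database connection setting, a template encoding comment):
# relabel with the real encoding, then transcode. The source encoding is an
# explicit argument because the bytes alone cannot tell you; passing the
# wrong one produces the "Ã¼" mojibake from the talk.
def import_as_utf8(bytes, source_encoding)
  bytes.dup.force_encoding(source_encoding).encode(Encoding::UTF_8)
end

# The accept-charset trick from the talk relies on a character the document
# charset cannot represent. Ruby's converter tables answer that question.
def representable_in?(char, enc)
  char.encode(enc)
  true
rescue Encoding::UndefinedConversionError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "Latin-1 u-umlaut bytes: #{byte_view(LATIN1_U_UMLAUT)}"
  puts "UTF-8   u-umlaut bytes: #{byte_view(UTF8_U_UMLAUT)}"
  p relabel_as_utf8(LATIN1_U_UMLAUT)
  p byte_view(transcode_to_utf8(LATIN1_U_UMLAUT))
  p concat_labelled(LATIN1_U_UMLAUT, UTF8_U_UMLAUT)
  p smash(LATIN1_U_UMLAUT, UTF8_U_UMLAUT).valid_encoding?
  p check_boundary(LATIN1_U_UMLAUT.b)
  p import_as_utf8(UTF8_U_UMLAUT.b, Encoding::ISO_8859_1)
  p representable_in?("\u2713", Encoding::ISO_8859_1)
end
```

The two failure modes the talk separates show up as two different results: a correctly labelled Latin-1 string concatenated with a UTF-8 one raises Encoding::CompatibilityError (Ruby knows enough to refuse), while the same bytes glued together as raw binary and then declared UTF-8 give a string for which valid_encoding? is false and no relabelling can repair it. import_as_utf8 is the only path that produces a correct UTF-8 ü from the Latin-1 byte, and only because the caller supplies the source encoding from metadata rather than guessing.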
