Daitō-ryū – the missing link…

Family tree of martial arts

While I lived in Japan, I could not find an aikidō dōjō near the place I lived, so I trained in shōrinji-kenpō. One thing that struck me was that half of the techniques, the soft ones, were very similar to aikidō techniques. At that time, I just assumed this was due to some vague influence and the fact that there are only so many possibilities. It turns out that aikidō and shōrinji-kenpō share a common ancestor: .

The origins of that martial art are a bit nebulous; the main fact is that it was taught by Takeda Sokaku, who probably inherited the art from his clan. Takeda had multiple students, among them Morihei Ueshiba, who founded , and Okuyama Ryuho, who founded Hakkō-ryū. In turn, one of the students of Okuyama Ryuho was Nakano Michiomi, who founded and took the name Sō Dōshin.


The Shambhala Guide to Aikidō: An essential introduction to the philosophy and practice

The Shambhala Guide to Aikidō

Cover of the Book, with a picture of Morihei Ueshiba

I have been practicing aikidō for many years, but was not that interested in its origin; I was just doing aikidō, and I always felt a strong dichotomy between the Japan I experience and the Japan that seems to underlie aikidō. Still, stories kept accumulating, so I decided to learn a bit more. I found a book in a second-hand shop in California, only to misplace it. I finally read it.

The Shambhala Guide to Aikidō is a short book written by , a Buddhist scholar and 7th dan aikidō teacher. It contains four parts:

  1. A presentation of 植芝 盛平 (Ueshiba Morihei)
  2. A presentation of aikidō
  3. A chapter about the philosophy of aikidō
  4. A presentation of the schools and styles of aikidō
The Shambhala Guide to Aikidō

Shambhala First edition 1996
ISBN: 978-1-570621703

I found the first part the most interesting; the life of the founder of aikidō, o-Sensei, would probably make a good action movie: he fought for the preservation of shrines, then served in the army during the Russo-Japanese war, went as a pioneer to Hokkaidō where he met 武田 惣角 (Takeda Sōkaku), who taught him daitō-ryū, another martial art that would heavily inspire aikidō. Ueshiba then joined a Shinto sect, went to Mongolia, got arrested by the Chinese army, returned to Japan, where he spread aikidō, training even during the period after the war, where such things were forbidden.

The second part that presents aikidō suffers from the usual problem of trying to explain something inherently complex and dynamic using still images. The explanations made sense, but I know these moves. I always have to wonder about people learning martial arts using books, I can’t imagine things coming out right…


The third part explains the philosophy of aikidō. A good part of the ideas were already known to me, as they are transmitted in any aikidō course; the rest was interesting but was way too esoteric for me, like for instance Morihei’s mandala. This chapter felt like it had a different tonality than the rest of the book, nearly as if a different person had written it. While the rest of the book has a strong new-age feeling, this chapter felt paradoxically more grounded.

I found the fourth part about the various schools of aikidō very interesting. Fragmentation is very present in aikidō, with various federations and schools coexisting often without acknowledging each other, this in turn causes a lot of politics and various things that are never openly talked about and causes a lot of confusion, in particular to people who are not privy to the intrigues.

All in all I found this book quite interesting; it is certainly a good introduction to aikidō, although most of the information can be found on the web nowadays. I felt that the chapter on the philosophy should have been either lighter or heavier, this just felt like a strange compromise, and I have my doubts about anybody understanding aikidō from the still images (there are plenty of movies on YouTube). Still, it is a fast read that can give a feeling of what aikidō is.


Saint Matthias

How to pronounce my name

Saint Matthias

One of the problems of working in an English-speaking environment is that the phonetic rules of reading of the English language, or the absence thereof, are applied to my name. I’m not really offended when somebody mispronounces my name, but I tend to not associate random sounds with myself, which kind of defeats the whole purpose of using my name in the conversation.

The issue is particularly baffling for English speakers, because my name does not involve any weird phonemes that are inaccessible to English speakers. Simply put, if you want to pronounce Matthias in English, just say Mat-tea-as.

If you have a computer running Mac OS X, you can just hear it by typing the following commands, assuming you have the relevant voices installed.

say --voice "Victoria" "Mat-tea-as"
say --voice "Steffi" "Matthias"
say --voice "Virginie" "Matthias"
say --voice "Kyoko" "マティアス"

The first one is an English voice, the second a German, the third a French, and the last a Japanese one. Mac OS X hints has instructions on how to install custom voices on Mac OS X.


Understanding Bidi Injections


Most injection attacks follow the same pattern: a character or a sequence with a special meaning is not properly handled in user-provided data, and ends up being interpreted the wrong way. While most software engineers have learnt to escape delimiters in various scripting languages, Unicode offers its own vector for the malicious user in the form of bidi control characters. Those characters are meant to be used for embedding left-to-right text within a right-to-left text, or vice versa, but they can also be misused to change the behaviour of user interfaces. The core problem is that those characters are control characters and should not be left unchecked in user-provided text, but as their existence is pretty obscure, they are not well known.

So what can a malicious user do thanks to those characters? Basically, change how text is displayed after the insertion point. Two characters are particularly useful for this: right-to-left-override (0x202E) and right-to-left-embedding (0x202B). The first inverts the display order of all characters until the end of the run. The second inverts the display order of tokens (words) and the direction of punctuation until the next strong character. A strong character is a character whose reading direction is fully defined, typically a roman character.

Normal | Injected (control characters written as [U+202E] and [U+202B])
User evil (gro.doog@evil.com) | User evil [U+202E] (gro.doog@evil.com)
User evil is not trusted! | User evil [U+202E] is not trusted!
Level of evil > 66 | Level of evil < [U+202B] 100 > 66

The table above shows some examples of abusing those characters. In the first two lines, user evil has embedded a right-to-left-override at the end of his display name (evil). On the first line, this lets him reverse the display of his e-mail address, making it look like the domain is good.org and not evil.com. In the second line, he uses this to transform a warning into gibberish. Note that the user-provided field is enclosed in an <em> tag, but the formatting instructions escape the tag.

In the third, the evil user controls the name of some measurement, and uses right-to-left-embedding to reverse the display order of the tokens, but also to invert the direction of a greater-than sign. So by injecting the sequence < 0x202B 100, the UI now displays the reverse semantic information, i.e. that the level of evil is lower than 66, when in fact it is higher.

Another example of abusing such characters would be in source code: by embedding them in string constants and comments, one can craft code that looks a given way in a web-based review tool, but executes another way. Another use is to submit certain keywords reversed, so they do not match a black-list, but embedded with bidi control characters so that they display in the right order.

There are multiple ways to mitigate such attacks. The best one is probably to remove all Unicode control characters from user-provided input. Another one is to add pop directional formatting (0x202C) at the end of the user-provided area.
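The two mitigations above, as an added Python example (not code from the original post). It goes beyond the code points named in the post and also covers the other explicit bidi controls (LRE, LRO, the isolates U+2066 to U+2069 and the marks U+200E, U+200F, U+061C); the function names and sample strings are constructed for illustration.

```python
import unicodedata

# Explicit bidi formatting characters of the Unicode Bidirectional Algorithm.
EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
MARKS = {"\u200e", "\u200f", "\u061c"}                 # LRM, RLM, ALM
PDF, PDI = "\u202c", "\u2069"                          # the two "pop" characters
BIDI_CONTROLS = EMBEDDINGS | ISOLATES | MARKS | {PDF, PDI}


def find_bidi_controls(text):
    """Return (index, 'U+XXXX NAME') per bidi control, for logging or rejection."""
    return [(i, "U+%04X %s" % (ord(c), unicodedata.name(c)))
            for i, c in enumerate(text) if c in BIDI_CONTROLS]


def strip_bidi_controls(text):
    """First mitigation: drop every bidi control from the untrusted field."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def close_bidi(text):
    """Second mitigation: keep the controls, but drop stray pops and append
    the pops needed to terminate whatever the field left open."""
    stack, out = [], []
    for c in text:
        if c in EMBEDDINGS:
            stack.append(PDF)
        elif c in ISOLATES:
            stack.append(PDI)
        elif c == PDF:
            if not stack or stack[-1] != PDF:
                continue  # stray pop: would act on the surrounding UI text
            stack.pop()
        elif c == PDI:
            if PDI not in stack:
                continue  # stray pop, as above
            while stack.pop() != PDI:  # PDI also closes embeddings inside it
                pass
        out.append(c)
    return "".join(out) + "".join(reversed(stack))


if __name__ == "__main__":
    name = "evil\u202e"  # constructed display name ending in an override
    print(find_bidi_controls(name))
    print(repr(strip_bidi_controls(name)), repr(close_bidi(name)))
```

Stripping is the simpler guarantee; `close_bidi` is for fields that may legitimately contain right-to-left text with its own formatting.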

Bidi injections are already used in practice: they are used by at least one Mac OS X malware.


Three bums with a newborn child

Tōkyō Godfathers

Three bums with a newborn child

As I’m a fan of Satoshi Kon, 東京ゴッドファーザーズ (Tōkyō Godfathers) was on my list of movies to watch. Where used Japanese post-war cinema as a backdrop, Tōkyō Godfathers is set in the underworld of Tōkyō: three homeless people, the archetype of the dysfunctional family, find a newborn child in the garbage and start a quest to find its parents.

Tōkyō Godfathers (2003)
Directors: Shōgo Furuya, Satoshi Kon
Duration: 88 minutes.

The main theme of the movie is childhood, with various characters reminiscing about their childhoods, their families and the relation between the perception by their kin and their current situation. While the movie is quite dramatic, it is also quite surrealistic, and as such funny. I found the movie much more classical in its format than or Millennium Actress. While less stunning visually, it also makes the story more grounded. The plot has a meandering quality, which means it was impossible for me to predict how the protagonists would reach their goals; more than a quest, the story is a chaotic flight in the underbelly of Tōkyō.

In short, a nice movie I would recommend if you like slightly surrealist stories, and a must-see for any fan of Satoshi Kon.


Data URI Script

Sometimes you want to provide a small data file for example purposes, but uploading it somewhere is a hassle. One way around this is to use the data URI protocol defined in . I have written a quick Python script that converts a short file into a data URI. You can download the program from this .


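import base64
import mimetypes
import sys

def main():
  if len(sys.argv) < 2:
    sys.stderr.write('usage: %s <file>\n' % sys.argv[0])
    sys.exit(1)
  # Read as bytes so that binary files survive the encoding step.
  with open(sys.argv[1], 'rb') as input_handle:
    data = input_handle.read()
  # guess_type returns None for unknown extensions.
  mime_type = mimetypes.guess_type(sys.argv[1])[0] or 'application/octet-stream'
  # Data URIs use the standard base64 alphabet, not the URL-safe one.
  encoded = base64.b64encode(data).decode('ascii')
  print('data:%s;charset=utf-8;base64,%s' % (mime_type, encoded))

if __name__ == '__main__':
  main()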


Infinity Blade II

Infinity blade – sakura garden

Another game given away for free on the fifth anniversary of the Apple app store is Infinity Blade II. Infinity Blade is a sword-fighting game, but its striking feature is the ridiculously gorgeous graphics. This is a game that runs on my mobile phones, but whose screen captures would make acceptable desktop pictures.

Infinity Blade II
Epic Games
iOS Game available on the Apple App Store

The game itself is not too bad. Controls are pretty rough: all actions, parrying, striking, dodging, blocking and casting spells, are done by tapping or swiping the sword. The fight system is pretty classic: drain down the hit-points of the adversary and you get a finishing move sequence which is nearly as over the top as in Bayonetta. Besides the fights, there is a bit of moving around and clicking on boxes, enough to give some depth to the game, but not enough to make it a real exploration / puzzle game.

All in all a nice game, in particular when you consider it is now pretty old (it was released in 2011), and free.


More CSV Evil


My post on got quite some attention, with various systems parsing them quite differently; one Google+ posting by Kristian Köhntopp referencing said post had a nice phrase:

If it is not a state machine, it ain’t a correct parser

This got me thinking: nowadays CSV files include Unicode characters, whose parsing requires its own state machine. Is it possible to make them interact? In other words, can I construct a file that is valid Unicode text, which, if parsed as CSV, produces invalid Unicode records?

The answer is yes, thanks to Unicode’s . These characters combine with the character preceding them, modifying it. One example of such a character is 20E3, which adds a rounded box to the preceding character, so we can build a boxed A character: A⃣.

What happens when we box a comma? Either the Unicode parser has precedence, and it consumes the comma to build a combined character boxed-comma, which means CSV parsing will not see it anymore. Or the CSV parser takes precedence, and consumes the comma, leaving a boxing character at the start of a text, which is illegal. says nothing of Unicode combining characters, and Unicode says nothing of CSV files. If you need something more confusing, there is also a combining comma with code-point 0326. Here is a very short example of the words good and evil separated with such a boxed comma. How does your favourite library parse this data?
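An added example (not from the original post) that runs the boxed-comma record through both interpretations: Python's csv module, which splits on code points, and a hypothetical grapheme-aware splitter. `orphaned_marks` is a check an importer could use to flag such records; the sample record and all function names are constructed for illustration.

```python
import csv
import io
import unicodedata

BOXED_COMMA = ",\u20e3"                      # comma + code point 20E3
SAMPLE = "good" + BOXED_COMMA + "evil\r\n"   # constructed one-record file


def is_mark(ch):
    """True for combining marks (general categories Mn, Mc, Me)."""
    return unicodedata.category(ch).startswith("M")


def parse_codepoint_first(text):
    """CSV takes precedence: the csv module splits on the bare comma."""
    return next(csv.reader(io.StringIO(text, newline="")))


def parse_grapheme_first(text, delimiter=","):
    """Unicode takes precedence: a delimiter followed by a combining mark
    is one combined character, not a separator (unquoted records only)."""
    body = text.rstrip("\r\n")
    fields, current = [], ""
    for i, ch in enumerate(body):
        combined = i + 1 < len(body) and is_mark(body[i + 1])
        if ch == delimiter and not combined:
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    return fields


def orphaned_marks(fields):
    """Indexes of fields that start with a combining mark, i.e. a mark
    that lost its base character when the record was split."""
    return [i for i, f in enumerate(fields) if f and is_mark(f[0])]


if __name__ == "__main__":
    for parse in (parse_codepoint_first, parse_grapheme_first):
        fields = parse(SAMPLE)
        print(parse.__name__, [ascii(f) for f in fields], orphaned_marks(fields))
```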




Apple is celebrating the 5th anniversary of the app store by giving away some pretty nice games, among them Badland. Badland is simply a game that has been beautifully realised. There is a single control: press the screen and a strange black creature flaps its wings and flies. The goal of the game is as simple: traverse some intricate level of vegetation and machinery. The forest is full of fruit-like things that change the creature, increasing or decreasing its size, cloning it, making it faster or sticky.

Frogmind Games
iOS Game available on the Apple App Store

The game is fun, but the atmosphere of the game is also a strong point: the elements of the game, the forest, the machines, and the traps are pitch black, so is your creature, the background is a dark and deep forest, with the appropriate noises. The app is devoid of any distractions, no ads, no premium coins, no score, just the forest and the creature trying to fly through.

In conclusion, a very good game that I really recommend, especially now that it’s free.


Saturn’s Children

A woman with purple hair, a collar written Freya and a sexy outfit holding a purple glowing ball

Rewriting some books as an homage is as old as literature itself, yet the exercise is rarely as good as the original. Saturn’s Children by is dedicated to both and ; the book feels like Stross decided to rewrite Friday by incorporating the core idea of Asimov’s robotic laws. Stross has the skills; Children of Saturn is that book, faster, stronger, better.

Saturn is the god of the day after Friday, and the characters of the book are all children of humanity: robots. Humans have died out, and their robotic slaves continue to reach for the stars, following the humans’ orders, slaves to the only surviving persons: corporations. The main character, Freya Nakamichi 7, is the most useless robot of that age: bearing the name of a Nordic love goddess, she is a sex robot.

Saturn’s Children

Penguin Books
ISBN : 978-0-441-01731-7

After ruffling feathers with the wrong people, Freya starts working as a courier, transporting illegal goods within her body, while in the background various organisations plot to recreate a bona fide human. While the main character echoes Heinlein’s Friday, the universe felt closer to Michael Swanwick’s Vacuum Flowers, with its space stations and wetware chips; the background conspiracy is a mirror of the last Foundation books, when the humans search for the lost robots. The book also has its share of anime references: one of ruling robot type is the .

Saturn’s Children is certainly an homage, but it is an extremely good one. I could not drop the book and read it within two days; the story is gripping and interesting. Stross makes, as usual, interesting observations: what would happen if our society would run on auto-pilot, what would be the impact on humanity of having access to robotic slaves, how would robots modelled after humans think?

In short, a must-read for any classic science-fiction reader, but also for people who never liked classic science fiction because it was too arid, too technical. In fact, a must-read for everybody…
