Even though I work in the field of online retail, I had never thought of doing my grocery shopping on the web. The opening of a drop-off point at my workplace changed that. Basically, I can order my groceries online in the morning, and they are delivered the same day to a room reserved for that purpose not far from the reception.

So I placed a first order, and everything went smoothly: in the evening, before heading home, I transferred the groceries into the panniers of my bike. This is all the more practical since in the evening I either have aikidō or finish after the shops have closed. This time I had no perishable goods; that will be for the next order.

Orders can be placed via the web, but Coop also offers an iOS application that is not too buggy. I like being able to scan a product's barcode to add it to the order, which is very useful for replacing everyday products.

In short, a successful first experience, which will, I hope, let me simplify my grocery shopping.


Daitō-ryū – the missing link…

Family tree of martial arts

While I lived in Japan, I could not find an aikidō dōjō near the place I lived, so I trained in shōrinji-kenpō. One thing that struck me was that half of the techniques, the soft ones, were very similar to aikidō techniques. At that time, I just assumed this was due to some vague influence and the fact that there are only so many possibilities. It turns out that aikidō and shōrinji-kenpō share a common ancestor: .

The origins of that martial art are a bit nebulous; the main fact is that it was taught by Takeda Sokaku, who probably inherited the art from his clan. Takeda had multiple students, among them Morihei Ueshiba, who founded , and Okuyama Ryuho, who founded Hakkō-ryū. In turn, one of the students of Okuyama Ryuho was Nakano Michiomi, who founded and took the name Sō Dōshin.


The Shambhala Guide to Aikidō: An essential introduction to the philosophy and practice

The Shambhala Guide to Aikidō

Cover of the Book, with a picture of Morihei Ueshiba

While I have been practicing aikidō for many years, I was not that interested in its origin; I was just doing aikidō, and I always felt a strong dichotomy between the Japan I experience and the Japan that seems to underlie aikidō. Still, stories kept accumulating, so I decided to learn a bit more. I found a book in a second-hand shop in California, only to misplace it. I finally read it.

The Shambhala Guide to Aikidō is a short book written by , a Buddhist scholar and 7th dan aikidō teacher. It contains four parts:

  1. A presentation of 植芝 盛平 (Ueshiba Morihei)
  2. A presentation of aikidō
  3. A chapter about the philosophy of aikidō
  4. A presentation of the schools and styles of aikidō

The Shambhala Guide to Aikidō

Shambhala First edition 1996
ISBN: 978-1-570621703

I found the first part the most interesting. The life of the founder of aikidō, o-Sensei, would probably make a good action movie: he fought for the preservation of shrines, then served in the army during the Russo-Japanese war, went as a pioneer to Hokkaidō where he met 武田 惣角 (Takeda Sōkaku), who taught him daitō-ryū, another martial art that would heavily inspire aikidō. Ueshiba then joined a Shinto sect, went to Mongolia, got arrested by the Chinese army, and returned to Japan, where he spread aikidō, training even during the period after the war, when such things were forbidden.

The second part that presents aikidō suffers from the usual problem of trying to explain something inherently complex and dynamic using still images. The explanations made sense, but I know these moves. I always have to wonder about people learning martial arts using books, I can’t imagine things coming out right…


The third part explains the philosophy of aikidō. A good part of the ideas were already known to me, as they are transmitted in any aikidō course; the rest was interesting but way too esoteric for me, like for instance Morihei’s mandala. This chapter felt like it had a different tonality than the rest of the book, nearly as if a different person had written it. While the rest of the book has a strong new-age feeling, this chapter felt paradoxically more grounded.

I found the fourth part about the various schools of aikidō very interesting. Fragmentation is very present in aikidō, with various federations and schools coexisting often without acknowledging each other, this in turn causes a lot of politics and various things that are never openly talked about and causes a lot of confusion, in particular to people who are not privy to the intrigues.

All in all I found this book quite interesting. It is certainly a good introduction to aikidō, although most of the information can be found on the web nowadays. I felt that the chapter on the philosophy should have been either lighter or heavier; this just felt like a strange compromise, and I have my doubts about anybody understanding aikidō from the still images (there are plenty of movies on YouTube). Still, it is a fast read that can give a feeling of what aikidō is.


Saint Matthias

How to pronounce my name


One of the problems of working in an English-speaking environment is that the phonetic reading rules of the English language, or the absence thereof, are applied to my name. I’m not really offended when somebody mispronounces my name, but I tend not to associate random sounds with myself, which kind of defeats the whole purpose of using my name in the conversation.

The issue is particularly baffling for English speakers, because my name does not involve any weird phonemes that are inaccessible to English speakers. Simply put, if you want to pronounce Matthias in English, just say Mat-tea-as.

If you have a computer running Mac OS X, you can just hear it by typing the following commands, assuming you have the relevant voices installed.

say --voice "Victoria" "Mat-tea-as"
say --voice "Steffi" "Matthias"
say --voice "Virginie" "Matthias"
say --voice "Kyoko" "マティアス"

The first one is an English voice, the second a German one, the third a French one, and the last a Japanese one. Mac OS X hints has instructions on how to install custom voices on Mac OS X.


Understanding Bidi Injections


Most injection attacks follow the same pattern: a character or a sequence with a special meaning is not properly handled in user-provided data, and ends up being interpreted the wrong way. While most software engineers have learnt to escape delimiters in various scripting languages, Unicode offers its own vector for the malicious user in the form of bidi control characters. Those characters are meant to be used for embedding left-to-right text within right-to-left text, or vice versa, but they can also be misused to change the behaviour of user interfaces. The core problem is that those characters are control characters and should not be left unchecked in user-provided text, but as their existence is pretty obscure, they are not well known.

So what can a malicious user do with those characters? Basically, change how text is displayed after the insertion point. Two characters are particularly useful for this: right-to-left-override (0x202E) and right-to-left-embedding (0x202B). The first inverts the display order of all characters until the end of the run. The second inverts the display order of tokens (words) and the direction of punctuation until the next strong character. A strong character is a character whose reading direction is fully defined, typically a roman character.

| Normal | Injected |
|---|---|
| User evil ( | User evil [0x202E] ( |
| User evil is not trusted! | User evil [0x202E] is not trusted! |
| Level of evil > 66 | Level of evil < [0x202B] 100 > 66 |

The table above shows some examples of abusing those characters. In the first two lines, the user evil has embedded a right-to-left-override at the end of his display name (evil). On the first line, this lets him reverse the display of his e-mail address, making it look like the domain is and not . In the second line, he uses this to transform a warning into gibberish. Note that the user-provided field is enclosed in an <em> tag, but the formatting instructions escape the tag.

In the third, the evil user controls the name of some measurement, and uses right-to-left-embedding to reverse the display order of the tokens, but also to invert the direction of a greater-than sign. So by injecting the sequence < 0x202B 100, the UI now displays the reverse semantic information, i.e. that the level of evil is lower than 66, when in fact it is higher.

Another example of abusing such characters would be in source code: by embedding them in string constants and comments, one can craft code that looks a given way in a web-based review tool but executes another way. Another use is to submit certain keywords reversed, so that they do not match a black-list, but embedded with bidi control characters so that they display in the right order.

There are multiple ways to mitigate such attacks. The best one is probably to remove all Unicode control characters from user-provided input. Another one is to add pop directional formatting (0x202C) at the end of the user-provided area.

Bidi injections are already used in practice: at least one Mac OS X malware uses them.
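The two mitigations described above, as an added Python example that is not part of the original post. It goes beyond the three code points named in the text by also covering the other explicit bidi controls (LRE, LRO, the isolates and the directional marks); the function names and the sample display name are constructed for illustration.

```python
import unicodedata

EMBEDDINGS = {"\u202a", "\u202b", "\u202d", "\u202e"}  # LRE, RLE, LRO, RLO
ISOLATES = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF, PDI = "\u202c", "\u2069"                          # their terminators
MARKS = {"\u200e", "\u200f", "\u061c"}                 # LRM, RLM, ALM
BIDI_CONTROLS = EMBEDDINGS | ISOLATES | MARKS | {PDF, PDI}

# Constructed sample: the display name from the table, ending in 0x202E.
SAMPLE_NAME = "evil\u202e"


def find_bidi_controls(text):
    """Return (index, 'U+XXXX', name) for each bidi control, e.g. for logging."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch))
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text):
    """First mitigation: drop every bidi control from untrusted input."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def close_bidi_runs(text):
    """Second mitigation: append the terminators needed to end every
    embedding, override or isolate that the input left open."""
    open_runs = []  # terminator owed for each still-open run
    for ch in text:
        if ch in EMBEDDINGS:
            open_runs.append(PDF)
        elif ch in ISOLATES:
            open_runs.append(PDI)
        elif ch == PDF and open_runs and open_runs[-1] == PDF:
            open_runs.pop()
        elif ch == PDI and PDI in open_runs:
            # PDI also ends any embeddings opened inside the isolate.
            while open_runs.pop() != PDI:
                pass
    return text + "".join(reversed(open_runs))


if __name__ == "__main__":
    print(find_bidi_controls(SAMPLE_NAME))
    print(repr(strip_bidi_controls(SAMPLE_NAME)))
    print(repr(close_bidi_runs(SAMPLE_NAME)))
```

Stripping suits identifiers and display names; for free text that may legitimately mix scripts, closing the runs keeps the user's formatting while confining it to the user-provided area.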


Three bums with a newborn child

Tōkyō Godfathers


As I’m a fan of Satoshi Kon, 東京ゴッドファーザーズ (Tōkyō Godfathers) was on my list of movies to watch. Where used Japanese post-war cinema as a backdrop, Tōkyō Godfathers is set in the underworld of Tōkyō: three homeless people, the archetype of the dysfunctional family, find a newborn child in the garbage and start a quest to find its parents.

Tōkyō Godfathers (2003)
Directors: Shōgo Furuya, Satoshi Kon
Duration: 88 minutes.

The main theme of the movie is childhood, with various characters reminiscing about their childhoods, their families and the relation between how their kin perceive them and their current situation. While the movie is quite dramatic, it is also quite surrealistic, and as such funny. I found the movie much more classical in its format than or Millennium Actress. While less stunning visually, it also makes the story more grounded. The plot has a meandering quality, which means it was impossible for me to predict how the protagonists would reach their goals; more than a quest, the story is a chaotic flight in the underbelly of Tōkyō.

In short, a nice movie I would recommend if you like slightly surrealist stories, and a must-see for any fan of Satoshi Kon.


4th International Aikido Seminar in Mürren
Summer holidays in the Bernese Alps! We are proud to announce this very special seminar to Aikido practitioners of all styles and levels. Families and accompanying persons are welcome. We provide 6 hours of training daily in the spectacular Bernese mountains with a stunning view on Eiger, Mönch and Jungfrau.
Begin of seminar: Monday 12 noon, end of seminar: Saturday 3 pm
Training and full room and board: Whole week Mon.-Sat. less than 5 days: cost per day Adults: CHF 700/ *350 CHF 150/ *75 Children

Mürren 2013

Aikidō Seminar
Mürren Lauterbrunnental
Mo.15.7.2013 - Sa.20.7.2013
Cyndy Hayashi 6.Dan Roland Spitzbarth 5.Dan
Special Guest: Robert Nadeau Shihan


This year, I once again participated in an aikidō seminar in Mürren. The training was given by three teachers; it was very interesting and fun. This year’s special guest was Nadeau Shihan.

While most of the classes were classical, with a lot of staff and sword technique from Roland Spitzbarth, and bare-handed techniques against weapons and preparation for randori from Cyndy Hayashi, the part given by Robert Nadeau was quite different, with a strong emphasis on flow, the dissolution of the ego, and awareness technique: let the body flow. Practicing aikidō without concentrating on technique, without even thinking about it, is not easy, especially for me in a static situation; it is a state that I only reach during a session of .

Trying to teach this state amounts to zen at best, and to ordering people to "be spontaneous!" at worst. It is relatively easy to convince me that I practice my aikidō too mentally, but much harder to help me practice it without involving my mind, all the more so if one builds a theory with its own terminology, its metaphors and their underlying problems.

What I find fascinating is seeing the same concept of flow come back again and again, whether in aikidō, in programming, or in role-playing games. The underlying idea always seems to be the same: put the intellect in the background and let the action follow its course. But once you accept that the concept is the same, you can no longer rely on the mind-body duality, because let's be clear, my body does not know how to program; it is something tied more to the nature of the action than simply to the body.


Data URI Script

Sometimes you want to provide a small data file for example purposes, but uploading it somewhere is a hassle. One way around this is to use the data URI protocol defined in . I have written a quick Python script that converts a short file into a data URI. You can download the program from this .


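import base64
import mimetypes
import sys

def main():
  if len(sys.argv) < 2:
    sys.stdout.write('usage: %s FILE\n' % sys.argv[0])
    sys.exit(1)
  # Read as bytes so that binary files survive unchanged.
  with open(sys.argv[1], 'rb') as input_handle:
    data = input_handle.read()
  # guess_type() returns None for unknown extensions.
  mime_type = mimetypes.guess_type(sys.argv[1])[0] or 'application/octet-stream'
  # Data URIs use the standard base64 alphabet, not the URL-safe one.
  encoded = base64.b64encode(data).decode('ascii')
  print('data:%s;charset=utf-8;base64,%s' % (mime_type, encoded))

if __name__ == '__main__':
  main()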


Infinity Blade II

Infinity blade – sakura garden

Another game given away for free on the fifth anniversary of the Apple app store is Infinity Blade II. Infinity Blade is a sword-fighting game, but its striking feature is the ridiculously gorgeous graphics. This is a game that runs on my mobile phones, but whose screen captures would make acceptable desktop pictures.

Infinity Blade II
Epic Games
iOS
Game available on the Apple App Store

The game itself is not too bad. Controls are pretty rough: all actions (parrying, striking, dodging, blocking and casting spells) are done by tapping or swiping the sword. The fight system is pretty classic: drain down the hit-points of the adversary and you get a finishing move sequence which is nearly as over the top as in Bayonetta. Besides the fights, there is a bit of moving around and clicking on boxes, enough to give some depth to the game, but not enough to make it a real exploration / puzzle game.

All in all a nice game, in particular when you consider it is now pretty old (it was released in 2011), and free.


More CSV Evil


My post on got quite some attention, with various systems parsing them quite differently. One Google+ post by Kristian Köhntopp referencing said post had a nice phrase:

If it is not a state machine, it ain’t a correct parser

This got me thinking: nowadays CSV files include Unicode characters, whose parsing requires its own state machine. Is it possible to make them interact? In other words, can I construct a file that is valid Unicode text, which, if parsed as CSV, produces invalid Unicode records?

The answer is yes, thanks to Unicode’s . These characters combine with the character preceding them, modifying it. One example of such a character is 20E3, which adds a rounded box to the preceding character, so we can build a boxed A character: A⃣.

What happens when we box a comma? Either the Unicode parser has precedence, and it consumes the comma to build a combined character boxed-comma, which means CSV parsing will not see it anymore, or the CSV parser takes precedence and consumes the comma, leaving a boxing character at the start of a text, which is illegal. says nothing of Unicode combining characters, and Unicode says nothing of CSV files. If you need something more confusing, there is also a combining comma with code-point 0326. Here is a very short example of the words good and evil separated with such a boxed comma. How does your favourite library parse this data?
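What Python's standard csv module does with the boxed comma described above, shown as an added example that is not part of the original post. The sample strings are constructed from the code points named in the text, and the helper names are illustrative.

```python
import csv
import io
import unicodedata

# Constructed samples: "good" and "evil" separated by a comma that is
# followed by 20E3 (the boxing character) or by 0326 (combining comma).
BOXED = "good,\u20e3evil\r\n"
COMMA_BELOW = "good,\u0326evil\r\n"


def is_mark(ch):
    """True for combining marks (general categories Mn, Mc, Me).
    The category is used rather than unicodedata.combining() because
    enclosing marks such as 20E3 have canonical combining class 0."""
    return unicodedata.category(ch).startswith("M")


def parse(text):
    """Parse with the csv module, which splits on code points and
    therefore lets the CSV layer take precedence over combining."""
    return list(csv.reader(io.StringIO(text, newline="")))


def orphaned_marks(rows):
    """Return (row, column, 'U+XXXX') for each field that starts with a
    combining mark, i.e. whose base character the CSV layer consumed."""
    return [(r, c, "U+%04X" % ord(field[0]))
            for r, row in enumerate(rows)
            for c, field in enumerate(row)
            if field and is_mark(field[0])]


def delimiters_with_marks(text, delimiter=","):
    """Pre-parse check: offsets of delimiters directly followed by a
    combining mark. Conservative: it also flags commas inside quotes."""
    return [i for i, ch in enumerate(text[:-1])
            if ch == delimiter and is_mark(text[i + 1])]


if __name__ == "__main__":
    rows = parse(BOXED)
    print(rows, orphaned_marks(rows), delimiters_with_marks(BOXED))
```

A consumer that validates or normalizes fields after splitting can use the first check; an ingest step that wants to reject ambiguous files before any parsing can use the second.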
