
Hi, I'm TJ.

About Me

My name's TJ Horner, I'm 15 years old and love programming. I like going to hackathons and creating awesome stuff! I've been programming ever since I was 7 in ActionScript. I really love Google stuff. I'm an early adopter of just about any Google product. I beta tested Google Wave, Voice, and many others. I love material design, and am thinking about redesigning this site with Polymer. Want to talk? I'm mostly free!

And right now? I'm not playing anything on Steam, so I'm probably working on a project.

Favorite OS

Mobile OS? I'd have to go with Android. Stock Android. No OEM bloatware, I'm fine...
For desktop OS I'm definitely for Fedora GNU/Linux. It has a strict policy for free software, which I'm a fan of. I love tweaking everything.

Favorite Language

(Yes, programming language...)
Node.js and Ruby are my absolute favorite languages. I kinda-sorta like Python but I don't use it for everything. I have experience in other OOP languages such as Java and C++, but I'm not as strong in those.

Favorite Music

I like electro music mostly, but I'm into rock and jazz. I'm not listening to anything right now.


My Rig

I use my desktop as my main weapon while programming. Here are the specs if you are interested (PCPartPicker list):
  • CPU: AMD FX-8320 3.5GHz
  • GPU: Gigabyte GeForce GTX 960 2GB
  • Motherboard: Gigabyte GA-970A-DS3P
  • RAM: 16 GB
I also have a laptop that I use for on-the-go stuff. And school, sometimes. I bring it to hackathons too.
  • Model: MSI GT72VR 6RE
  • CPU: Intel i7-6700HQ (8 cores, 2.6 GHz)
  • GPU: GeForce GTX 1070 (not 1070M, it's a desktop 1070)
  • RAM: 16 GB


Collaborative Launchpad

Control my Novation Launchpad over the internet. Uses Node.js for MIDI interface, express.js for the server and for WebSocket stuff. Yes, this all happens on my real Launchpad. It also wakes me up in the middle of the night.

CAH Creator

CAH Creator is a website that lets you create your own Cards Against Humanity-style decks in real-time with friends and share them with anyone. Check it out at! It's also open source on GitHub: @CAHCreator


Soundsync is an Android app that lets you control Soundcloud on your desktop from your phone. You can also cast to your Google Cast-enabled device which is great for parties, meetups, or even hackathons!


Cloud is a thing that lets you do stuff. Actually, right now it lets you upload files and share them. It also integrates with my URL shortener, So you could head over to and it would take you to a sample text file! It's soon to be open source. I have it set up at


This section is outdated. Maybe I'll update it later. Hopefully.
I love attending hackathons! Here are some hackathons I'll be going to in the Winter season:

January 16 - 18, 2015
PennApps is the premier student-run college hackathon. More than a thousand student programmers from all over the world converge on Philadelphia twice a year for a weekend of creating and learning. Hackathons are about coding together to solve real-world problems. Students work in teams of up to four people for thirty-six hours to create a web, mobile, or hardware application. PennApps has been around for a long time, and we're soon going to be celebrating our eleventh iteration.

January 24 - 25, 2015
Today's youth hacking tomorrow's future. Hack Gen Y is a hackathon for high school hackers in Silicon Valley.


When I'm not making things, I like breaking things (responsibly). Here are some things that I've broken with permission, in no particular order.

Environment Variable Leak
Found a vulnerability in the npm internal API that leaked environment variables, including API keys and database passwords (I shit you not, their Redis password used to be this-is-a-password-for-redis-and-it-is-a-secret-so-dont-share-it), on certain requests.

Cross-Site Scripting
Angular statements put into meeting chat were not properly escaped, and executed on all clients whether they had the chat open or not. This allowed an attacker to execute arbitrary JavaScript on all clients in the meeting.

Cross-Site Scripting
HTML not escaped properly in Glossary and Updates views from the Translate page, allowing an attacker to execute arbitrary JavaScript on a client viewing a certain translation.

Cross-Site Scripting/Form Validator Bypass
When updating a user's profile, one could send arbitrary data to the server in the name fields, and that is later shown on the website but isn't escaped, so you could put anything you want in there. It is also shown and effective in the teacher's dashboard, so a student could technically just XSS a teacher.

Privilege Escalation
A certain exploit allows a student to gain access to the teacher dashboard, and do everything a teacher can do (enable tests/quizzes, view student scores, add/delete/edit students and classes, etc.) This is obviously really bad.

Cross-Site Scripting
An exploit in how wallpapers on Unified Workspace work allows a user to input arbitrary JavaScript, which is later not escaped properly when loading the workspace dashboard, and is then evaluated in a script.


I am an Intern in Software Engineering at StudentRND. I make projects such as CodeDay Teams and ColemanCTF that go along with CodeDay, a 24-hour programming marathon designed to encourage students to learn how to code. I'm also a volunteer for CodeDay San Diego and help set up things like securing sponsors or getting judges.

I'm currently working on nothing by doing nothing.