April 2008
April 12, 2008
CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable.
Multiple inheritance of newforms and modelforms. If you ever see “Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases” when trying multiple inheritance with newforms and modelforms, here’s a scary solution I found.
April 13, 2008
The problem of grues is, of course, their recursive nature. To wit: A) Grues are found wherever it is very dark. B) There are no light sources on the inside of a grue. Therefore, being eaten by a grue is a fate which entails being eaten by an infinite number of progressively smaller grues, presumably nested in a geometrically complicated and interesting way.
— Arturus
April 14, 2008
[Amazon's] forthcoming persistent storage feature will give you the ability to create reliable, persistent storage volumes for use with EC2. Once created, these volumes will be part of your account and will have a lifetime independent of any particular EC2 instance.
Amazon takes EC2 to the next level with persistent storage volumes. You can store a snapshot of a storage volume to S3 with a single API call, making backups trivial.
Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types.
Once you reach a certain level of activity in the system where the garbage collector can no longer keep up (and it will happen), then every line of code in your system is now a potential failure point that can leave the whole program in a bad state. Lisp has this problem. Java has this problem. Erlang does not.
KML: A new standard for sharing maps. Google’s KML format, which is already supported by both Microsoft and Yahoo!’s map software, has been accepted under the wing of the Open Geospatial Consortium and is now an international standard.
April 19, 2008
Quotation search in Google News (via) Extremely impressive application of (I suppose) natural language processing in Google News—it now extracts quotations from news stories, even handling things like “he said” and “she said” and resolving them back to the speaker.
Cluetrainwreck. Comcast’s official Twitter account is pretty creepy... “I hope we can change your perception of Comcast!”.
PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work.
Mibbit (via) Excellent web-based IRC client, should be great for when pesky firewalls get in the way. Also a good candidate for use with a site-specific browser.
I've become increasingly convinced that what CEOs should be crying out for is not more innovation but fewer self-imposed obstacles.
HTML 5 vs. Yadis. The draft HTML5 spec currently disallows values for http-equiv and link rel which aren’t listed in the spec—meaning both methods of specifying a link to an OpenID server are invalid for HTML5. This should probably be fixed...
JavaScript: The Good Parts. Douglas Crockford’s soon-to-be-published book on the subset of JavaScript that he recommends. Promises to be “short, but dense”—if it’s half as good as his JavaScript lectures this is going to be a must-have.
Embedding custom non-visible data in HTML 5. “Every HTML element may have any number of attributes starting with the string ’data-’ specified, with any value.”—this will be incredibly useful for unobtrusive JavaScript where there’s no sensible place to store configuration data as HTML content. It will also mean Dojo has an approved method for adding custom attributes to declaratively instantiate Dojo widgets.
April 21, 2008
ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference.
April 22, 2008
Plazes adds Fire Eagle Support. The Plazer software can now automatically update your location in FireEagle based on fingerprinting your laptop’s local network.
OSM Super-Strength Export. Awesome new feature on OpenStreetMap: you can browse to anywhere on the map, then hit “export” and download a rendered bitmap or vector (PDF and SVG) image of the currently displayed map—and because it’s OSM there’s no watermark and a very liberal usage license.
Reading binary files using Ajax. There’s a simple trick for Firefox, and (amazingly) you can get IE to play along using a function written in VBScript.
Google AJAX Search API: Flash and Server Side Access. Over a year after Google shot down their SOAP Search API, they’ve quietly released a JSON based one under the guise of supporting “Flash and other non JavaScript environments”. Comes with the strange requirement that an HTTP referer be sent with every request; the API key is optional.
April 24, 2008
Generator Tricks for Systems Programmers. The best tutorial on Python’s powerful generator feature I’ve seen anywhere.
April 25, 2008
Internet Asshattery, Armchair Scaling Experts Edition (via) Leonard says what needs to be said about the most recent case of Twitter scaling flame-bait.
CSS Variables. Hooray! My number one requested CSS feature (and I know I’m not alone), proposed by Daniel Glazman and David Hyatt so I imagine we’ll see it trialled in WebKit pretty soon.
April 26, 2008
Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised.
We are happy to announce that the Google Contacts Data API now supports OAuth. This is our first step towards OAuth enabling all Google Data APIs. Please note that this is an alpha release and we may make changes to the protocol before the official release.
— Wei Tu
Python one-liner of the day. I love the idea of publishing one-liners accompanied by one-line test suites.
Speechification. “A blog of Radio 4. Not about Radio 4 but of it. We point to the bits we like, the bits you might have missed, the bits that someone might have sneakily recorded. Other speech radio from around the world will no doubt find its way here too.”
MediaWiki API. Wikipedia’s best kept secret?
Multi-Inflection-Point Alert. Dammit, Tim, stop giving away our competitive advantages!