Simon Willison’s Weblog


Quotations


... yet another ridiculous data breach: this time, people's passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.

Ben Laurie

# 2nd November 2008, 1:04 pm / security, ben-laurie, passwords

In the final Production release we will be adding the ability to sign in to the Live ID OpenID Provider using any of the credential types that can be used with regular Live ID sign-ins -- including CardSpace, SmartCard, eID, etc.

Jorgen Thelin

# 30th October 2008, 5:09 pm / cardspace, smartcard, eid, windowslive, openid, jorgen-thelin

I'm really typecasting myself here. If there were an international "Person most likely to write a Spectrum emulator in Javascript" award, I'd have taken it for the last five years running.

Matt Westcott

# 29th October 2008, 5:24 pm / matt-westcott, jsspeccy, javascript

The key thing to remember is that REST is about building software that scales to usage on the World Wide Web by being a good participant of the Web ecosystem. Ideally a RESTful API should be designed to be implementable by thousands of websites and consumed by hundreds of applications running on dozens of platforms with zero coupling between the client applications and the Web services.

Dare Obasanjo

# 24th October 2008, 1:39 pm / dare-obasanjo, rest, web-services

Government in the UK once led the world in its own information systems, breaking Enigma, documenting an empire's worth of trade. And then it fired everyone who could do those things, or employed them only via horribly expensive consultancies. It is time to start bringing them back into the corridors of power.

Tom Steinberg

# 21st October 2008, 10:29 pm / mysociety, government, it, tom-steinberg

Are we so deranged here in the twenty-first century that we’re going to re-enact, wide-eyed, the twin tragedies of the great desktop-suite lock-in and the great proprietary-SQL lock-in? You know, the ones where you give a platform vendor control over your IT budget? Gimme a break.

Tim Bray

# 15th October 2008, 5:09 pm / lockin, tim-bray, cloud-computing

The only down side is everyone I’ve talked to at Freebase seems pretty solid on this being their proprietary secret sauce, because a good, fast scalable open source tuple store might actually jump start a real semantic (small-S) web after all these years.

Kellan Elliott-McCrea

# 29th September 2008, 3:29 pm / kellan-elliott-mccrea, freebase, open-source, proprietary, graphd, semanticweb

We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable.

Bill Zeller

# 29th September 2008, 1:11 pm / bill-zeller, csrf, security

Yahoo could also have followed Gmail's lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password "recovery" when there is evidence that somebody who knows the password is actively using the account.

Ed Felten

# 22nd September 2008, 4:21 pm / security, forgottenpasswords, yahoo, webmail, gmail

The Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse - the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Kim Zetter, Wired

# 18th September 2008, 10:23 pm / passwords, security, hacking, sarahpalin

The greatest coup Microsoft pulled with Internet Explorer was putting the word "Internet" in its name. It sits there, on the desktop of every new Windows computer, and it says "Internet". So you click it. [...] What better way to beat a browser with the word "Internet" in its name - a browser that seemingly can't be beat no matter how hard we try - than the Internet Company itself making a browser?

Tom Armitage

# 3rd September 2008, 10:19 am / microsoft, tom-armitage, google, browsers, chrome, internet-explorer

New authentication schemes such as OpenID, or Microsoft's CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

Tim Anderson, in the Guardian

# 29th August 2008, 10:01 am / tim-anderson, guardian, openid, cardspace, security, captchas

As duplicitous and sad as "fake following" sounds - and let's be honest: the whole idea's pathetic on a number of levels - for a certain kind of user, I can see why there’s a desire for this functionality. Especially on a site like FriendFeed, which has quickly become the platform of choice for the web's least interesting narcissists - and the slow-witted woodland creatures who enjoy grooming their fur - this is a major breakthrough in the makebelieve friendship space. Yes, primate culture may be primitive, but it is not without its evolving needs.

Merlin Mann

# 26th August 2008, 10:28 pm / friendfeed, merlinmann, fakefollowing, funny, slowwittedwoodlandcreatures

The Long Now Foundation was established in 01996*... (The Long Now Foundation uses five digit dates, the extra zero is to solve the deca-millennium bug which will come into effect in about 8,000 years.)

The Long Now Foundation

# 25th August 2008, 7:42 pm / long-now-foundation, dates, decamillenniumbug

A convention once saw, for example, that I had worked at NASA, and put me on a panel about the future of space exploration. I felt a little out-of-place, given that my main NASA achievement was that I once lassoed a robot with cat-6 cable and had it pull me around the hallways charioteer-style.

Randall Munroe

# 22nd August 2008, 8:28 am / xkcd, nasa, randallmunroe

Making queries faster isn't in the critical path for improving the real-world performance of any Dojo apps I know of, and I bet the same is true for JQuery users. Reducing the size of the libraries, on the other hand, is still important. Now that we're all fast enough, it's time that we stopped beating on this particular drum lest we lose the plot and the JavaScript community continue to subject itself to endless rounds of benchmarketing.

Alex Russell

# 22nd August 2008, 8:12 am / javascript, alex-russell, dojo, jquery

Unfortunately, we're not cool enough to run on your OS yet. We really wish we had a version of Photosynth that worked cross platform, but for now it only runs on Windows.

Install Photosynth page

# 21st August 2008, 10:07 am / copywriting, microsoft, photosynth, windows

I can't question that [the App Store] is probably the best mobile application distribution method yet created, but every time I use it, a little piece of my soul dies.

Steven Frank

# 17th August 2008, 11:15 pm / steven-frank, appstore, apple, iphone, mobile

If it's easy to make all your calls conform to the RESTful verb architecture, then that's good, I guess. But if not, then just use a POST as an RPC call, keep it as simple as possible and be done with it. And don't spend another minute worrying about being RESTful or not.

Damien Katz

# 15th August 2008, 8:07 am / restful, rest, damien-katz, http, web-services, post, rpc

OAuth came out of my worry that if the Twitter API became popular, we'd be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users' passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook

# 14th August 2008, 10:01 am / security, passwords, phishing, oauth, blaine-cook, twitter, twitterapi

The statement that the password anti-pattern "teaches users to be phished" should be rephrased "has taught users to be phished"

Me, on Twitter

# 13th August 2008, 12:52 pm / twitter, passwordantipattern, phishing, security

Download size has been an issue in the past. [...] In the early days Macromedia did studies adding null kilobytes to Player downloads and measuring the dropoff rate in completed installations. The more time people have to hit that "Cancel Download" button, the more will do so.

John Dowdell

# 8th August 2008, 3:51 pm / flash, john-dowdell, macromedia, usability

My Universal Feed Parser was conceived as a weapon against what I considered the gravest error of XML: draconian error handling. Recently, someone asked me to implement a switch that makes it not fall back on lax parsing in the case of an XML wellformedness error. I said no, not because it would be difficult to implement, but because that defeats its entire reason for being.

Mark Pilgrim

# 5th August 2008, 10:52 pm / xml, mark-pilgrim, universalfeedparser, feeds, draconian, wellformedness, python

Maybe git is the monads of version control

Piers Cawley

# 5th August 2008, 10:51 pm / pierscawley, monads, git, version-control

There are two kinds of people who try to learn Haskell: the people who give up because they can’t figure out monads, and the people who go on to write tutorials on how to understand monads.

Seth Gordon

# 5th August 2008, 6:57 pm / monads, haskell

Without a discovery process, machines must be told about resources ahead of time and will only be able to interact with resources that they already know. This is the same as only starting a conversation with people you already know, even though with little effort you should be able to talk to new people with a common language.

Eran Hammer-Lahav

# 1st August 2008, 8:17 pm / eranhammerlahav, discovery, xrds, xrdssimple

(It's probably just me, but every time I stumble upon some thread involving people from the so-called "security community", it's like watching a Jerry Springer episode.)

Fredrik Lundh

# 23rd July 2008, 9:28 am / security, jerryspringer, fredrik-lundh

If we want people to have the same degree of user autonomy as we've come to expect from the world, we may have to sit down and code alternatives to Google Docs, Twitter, and EC2 that can live with us on the edge, not be run by third parties.

Danny O'Brien

# 20th July 2008, 9 am / ec2, google-docs, twitter, decentralisation, danny-obrien

DjangoCon 2008. Venue: Googleplex, San Francisco Bay Area. Dates: 6th and 7th Sept. Official post will be on djangoproject.com soon.

Robert Lofthouse

# 13th July 2008, 4:50 pm / robert-lofthouse, djangocon, django, python, events, google, googleplex, san-francisco

Question: how do you upgrade servers when you need to pass new information between them? It's a fool's game to try to upgrade both servers at the same time. So you need a communication protocol that is not only backward compatible (a new server can speak the old protocol) but also forward compatible (an old server can speak the new protocol). Protocol Buffers provide that because new additions to the protocol can be ignored by the old server.

Matt Cutts

# 8th July 2008, 9:11 am / protocolbuffers, google, matt-cutts, upgrades