Items in Sep, 2008
Filters: Year: 2008 × Month: Sep × Sorted by date
The only down side is everyone I’ve talked to at Freebase seems pretty solid on this being their proprietary secret sauce, because a good, fast scalable open source tuple store might actually jump start a real semantic (small-S) web after all these years.
— Kellan Elliott-McCrea # 29th September 2008, 3:29 pm
We’ve found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you’re in charge of a website and haven’t specifically protected against CSRF, chances are you’re vulnerable.
— Bill Zeller # 29th September 2008, 1:11 pm
Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature. # 29th September 2008, 1:08 pm
A Brief Tour of Graphd. The secret sauce behind Freebase—a custom written graph server that models everything as a typed, versioned relationship and can churn through over 3,000 simple queries a second on a single AMD64 core. # 29th September 2008, 11:32 am
CSS Systems for writing maintainable CSS. Nat has published the slides and notes from her BarCamp presentation this morning. I’m really excited about her approach, which involves designing a “CSS system” of markup patterns and CSS that embodies the design of an individual site. Future maintenance can then take this overall system in to account, which is assisted by a defined ordering system and shared vocabulary. # 28th September 2008, 11:30 pm
James May’s Big Ideas: Come Fly with Me (via) The BBC made an hour-long documentary on Ekranoplans! It’s available for the next 21 days on the iPlayer (UK residents only). # 28th September 2008, 11:07 pm
Flickr Engineers Do It Offline. Flickr wrote their own queuing mechanism (in PHP), and currently run ten queue servers on dedicated hardware for tasks like pushing new photos in to indexes, denormalisation and “backfills” which move data between clusters and run bulk scripts against large numbers of existing rows. # 28th September 2008, 1:24 am
Wario Land: Shake It—Amazing footage! Some virals really do deserve linking to. # 26th September 2008, 4:46 pm
Cheap, Easy Audio Transcription with Mechanical Turk. Andy Baio’s in-depth tutorial on submitting HITs to Mechanical Turk. I hadn’t realised how straight forward and powerful the interface has become. # 25th September 2008, 6:37 pm
Reia. The most common complaint I see about Erlang is the syntax. Reia is a Python-style scripting language (with a dash of Ruby) that runs on the Erlang virtual machine. Looks promising. # 25th September 2008, 6:12 pm
freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets. # 24th September 2008, 11:58 pm
html-whitelist (via) DeWitt Clinton’s web service wrapper aroud the html5lib HTML sanitiser, hosted on AppEngine. # 24th September 2008, 11:54 pm
Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary. # 24th September 2008, 10:18 pm
Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is. # 24th September 2008, 4:08 pm
csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs! # 24th September 2008, 2:52 pm
Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments. # 24th September 2008, 1:13 pm
Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year. # 24th September 2008, 1:11 pm
Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped. # 24th September 2008, 9:40 am
bpgsql. Barry Pederson’s pure Python PostgreSQL client library now ships with a Django backend. # 23rd September 2008, 11:42 am
Google’s Usability Research on Federated Login. Fascinating—suggests an approach to federated auth based on the Amazon.com “Yes, I have a password” login flow. Feels convoluted to me but apparently it tests really well against a mainstream audience. The more research shared around this stuff the better. # 22nd September 2008, 8:56 pm
Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern. # 22nd September 2008, 8:28 pm
Yahoo could also have followed Gmail’s lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password “recovery” when there is evidence that somebody who knows the password is actively using the account.
— Ed Felten # 22nd September 2008, 4:21 pm
Accessibility Experiment. Joe Walker asks what would happen if we threw away the idea of serving the same accessible site to every user and instead tried building specific versions aimed at different disabilities. # 22nd September 2008, 9:29 am
RestView—a class for creating a view that dispatches based on request.method (via) I finally got around to writing up a simple approach I’ve been using for REST-style view functions in Django that dispatch based on request.method. # 21st September 2008, 8:47 pm
backup_to_s3.py. I wrote Yet Another S3 backup script today. It’s a thin wrapper about boto that doesn’t do anything particularly impressive, but it fits my brain. # 21st September 2008, 6:51 pm
Introducing the Django Debug Toolbar. Another project inspired by DjangoCon: a component based debugging toolbar for Django. I like the architecture so far. # 21st September 2008, 6:32 pm
Django version 1.1 roadmap. Django 1.1 is due out in March, but the deadline for feature proposals is November the 7th. # 20th September 2008, 7:17 pm
Django’s release process. Django is moving to time-based releases, with minor releases (new features but no backwards incompatible changes) approximately every six months. # 20th September 2008, 7:16 pm
OAuth Playground (via) Neat OAuth API explorer from the Google Data APIs team. # 20th September 2008, 4:40 pm
Beware the time-eater: Cambridge University’s monstrous new clock. Beware the Chronophage, my son. # 20th September 2008, 4:18 pm